-rw-r--r--README.md37
-rw-r--r--app/.gitignore1
-rw-r--r--app/README.md52
-rw-r--r--app/backup/build/backup-consul/Dockerfile (renamed from app/build/backup-consul/Dockerfile)0
-rwxr-xr-xapp/backup/build/backup-consul/do_backup.sh (renamed from app/build/backup-consul/do_backup.sh)0
-rw-r--r--app/backup/deploy/backup.hcl (renamed from app/deployment/backup.hcl)0
-rw-r--r--app/build/README.md8
-rwxr-xr-xapp/build/blog-quentin/.dockerenv0
-rw-r--r--app/build/blog-quentin/Dockerfile16
-rw-r--r--app/build/blog-quentin/README.md1
-rw-r--r--app/build/coturn/Dockerfile8
-rw-r--r--app/build/coturn/README.md17
-rw-r--r--app/build/landing/README.md3
-rw-r--r--app/build/static/Dockerfile9
-rw-r--r--app/build/static/README.md5
m---------app/build/static/goStatic0
-rw-r--r--app/build/webpull/.gitignore1
-rw-r--r--app/build/webpull/Dockerfile.nodejs9
-rw-r--r--app/build/webpull/Dockerfile.ruby12
-rw-r--r--app/build/webpull/README.md23
-rw-r--r--app/build/webpull/main.go100
-rw-r--r--app/config/configuration/email/dkim/smtp.private.sample0
-rw-r--r--app/config/configuration/email/dkim/smtp.txt.sample0
-rw-r--r--app/config/configuration/seafile/ccnet/mykey.peer.sample0
-rw-r--r--app/config/configuration/seafile/conf/mykey.peer.sample0
-rw-r--r--app/config/secrets/.gitignore11
-rw-r--r--app/config/secrets/chat/coturn/static-auth.sample0
-rw-r--r--app/config/secrets/chat/fb2mx/as_token.sample0
-rw-r--r--app/config/secrets/chat/fb2mx/db_url.sample1
-rw-r--r--app/config/secrets/chat/fb2mx/hs_token.sample0
-rw-r--r--app/config/secrets/chat/synapse/homeserver.tls.crt.sample0
-rw-r--r--app/config/secrets/chat/synapse/homeserver.tls.dh.sample0
-rw-r--r--app/config/secrets/chat/synapse/homeserver.tls.key.sample0
-rw-r--r--app/config/secrets/chat/synapse/ldap_binddn.sample0
-rw-r--r--app/config/secrets/chat/synapse/ldap_bindpw.sample0
-rw-r--r--app/config/secrets/chat/synapse/postgres_db.sample0
-rw-r--r--app/config/secrets/chat/synapse/postgres_pwd.sample0
-rw-r--r--app/config/secrets/chat/synapse/postgres_user.sample0
-rw-r--r--app/config/secrets/chat/synapse/registration_shared_secret.sample0
-rw-r--r--app/config/secrets/email/dkim/smtp.private.sample0
-rw-r--r--app/config/secrets/email/dovecot/dovecot.crt.sample0
-rw-r--r--app/config/secrets/email/dovecot/dovecot.key.sample0
-rw-r--r--app/config/secrets/email/dovecot/ldap_binddn.sample0
-rw-r--r--app/config/secrets/email/dovecot/ldap_bindpwd.sample0
-rw-r--r--app/config/secrets/email/postfix/postfix.crt.sample0
-rw-r--r--app/config/secrets/email/postfix/postfix.key.sample0
-rw-r--r--app/config/secrets/email/sogo/ldap_binddn.sample0
-rw-r--r--app/config/secrets/email/sogo/ldap_bindpw.sample0
-rw-r--r--app/config/secrets/email/sogo/postgre_auth.sample0
-rw-r--r--app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample0
-rw-r--r--app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample0
-rw-r--r--app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample0
-rw-r--r--app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample0
-rw-r--r--app/config/secrets/mariadb/main/ldap_binddn.sample0
-rw-r--r--app/config/secrets/mariadb/main/ldap_bindpwd.sample0
-rw-r--r--app/config/secrets/mariadb/main/mysql_pwd.sample0
-rw-r--r--app/config/secrets/platoo/bddpw.sample0
-rwxr-xr-xapp/config/secrets/plume/pgsql_pw.sh2
-rwxr-xr-xapp/config/secrets/plume/secret_key.sh2
-rw-r--r--app/config/secrets/postgres/keeper/pg_repl_pwd.sample0
-rw-r--r--app/config/secrets/postgres/keeper/pg_repl_username.sample0
-rw-r--r--app/config/secrets/postgres/keeper/pg_su_pwd.sample0
-rw-r--r--app/config/secrets/seafile/conf/mykey.peer.sample0
-rw-r--r--app/config/secrets/web/home_token.sample0
-rw-r--r--app/config/secrets/web/quentin.dufour.io_token.sample0
-rw-r--r--app/core/deploy/core.hcl (renamed from app/deployment/core.hcl)0
-rw-r--r--app/deployment/web_static.hcl117
-rw-r--r--app/directory/config/bottin/config.json (renamed from app/config/configuration/directory/bottin/config.json)0
-rw-r--r--app/directory/config/guichet/config.json.tpl (renamed from app/config/configuration/directory/guichet/config.json.tpl)0
-rw-r--r--app/directory/deploy/directory.hcl (renamed from app/deployment/directory.hcl)4
-rw-r--r--app/docker-compose.yml (renamed from app/build/docker-compose.yml)46
-rw-r--r--app/dummy/secrets/dummy/test_cmd1
-rw-r--r--app/dummy/secrets/dummy/test_const1
-rw-r--r--app/dummy/secrets/dummy/test_const_long5
-rw-r--r--app/dummy/secrets/dummy/test_service_dn1
-rw-r--r--app/dummy/secrets/dummy/test_service_password1
-rw-r--r--app/dummy/secrets/dummy/test_user1
-rw-r--r--app/email/build/alps/Dockerfile (renamed from app/build/alps/Dockerfile)0
-rw-r--r--app/email/build/alps/skipverify.patch (renamed from app/build/alps/skipverify.patch)0
-rw-r--r--app/email/build/dovecot/.gitignore (renamed from app/build/dovecot/.gitignore)0
-rw-r--r--app/email/build/dovecot/Dockerfile (renamed from app/build/dovecot/Dockerfile)0
-rw-r--r--app/email/build/dovecot/README.md (renamed from app/build/dovecot/README.md)0
-rw-r--r--app/email/build/dovecot/conf/all_before.sieve (renamed from app/build/dovecot/conf/all_before.sieve)0
-rw-r--r--app/email/build/dovecot/conf/dovecot-ldap.sample.conf (renamed from app/build/dovecot/conf/dovecot-ldap.sample.conf)0
-rw-r--r--app/email/build/dovecot/conf/dovecot.conf (renamed from app/build/dovecot/conf/dovecot.conf)0
-rw-r--r--app/email/build/dovecot/conf/report-ham.sieve (renamed from app/build/dovecot/conf/report-ham.sieve)0
-rw-r--r--app/email/build/dovecot/conf/report-spam.sieve (renamed from app/build/dovecot/conf/report-spam.sieve)0
-rwxr-xr-xapp/email/build/dovecot/entrypoint.sh (renamed from app/build/dovecot/entrypoint.sh)0
-rw-r--r--app/email/build/opendkim/Dockerfile (renamed from app/build/opendkim/Dockerfile)0
-rw-r--r--app/email/build/opendkim/README.md (renamed from app/build/opendkim/README.md)0
-rw-r--r--app/email/build/opendkim/opendkim.conf (renamed from app/build/opendkim/opendkim.conf)0
-rw-r--r--app/email/build/postfix/Dockerfile (renamed from app/build/postfix/Dockerfile)0
-rw-r--r--app/email/build/postfix/README.md (renamed from app/build/postfix/README.md)0
-rwxr-xr-xapp/email/build/postfix/entrypoint.sh (renamed from app/build/postfix/entrypoint.sh)0
-rw-r--r--app/email/build/sogo/Dockerfile (renamed from app/build/sogo/Dockerfile)0
-rw-r--r--app/email/build/sogo/README.md (renamed from app/build/sogo/README.md)0
-rwxr-xr-xapp/email/build/sogo/entrypoint (renamed from app/build/sogo/entrypoint)0
-rw-r--r--app/email/build/sogo/sogo.nginx.conf (renamed from app/build/sogo/sogo.nginx.conf)0
-rw-r--r--app/email/config/dkim/keytable (renamed from app/config/configuration/email/dkim/keytable)0
-rw-r--r--app/email/config/dkim/signingtable (renamed from app/config/configuration/email/dkim/signingtable)0
-rw-r--r--app/email/config/dkim/trusted (renamed from app/config/configuration/email/dkim/trusted)0
-rwxr-xr-xapp/email/config/dovecot/certs.gen (renamed from app/config/configuration/email/dovecot/certs.gen)0
-rw-r--r--app/email/config/dovecot/dovecot-ldap.conf.tpl (renamed from app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl)0
-rwxr-xr-xapp/email/config/postfix/certs.gen (renamed from app/config/configuration/email/postfix/certs.gen)0
-rw-r--r--app/email/config/postfix/dynamicmaps.cf (renamed from app/config/configuration/email/postfix/dynamicmaps.cf)0
-rw-r--r--app/email/config/postfix/header_checks (renamed from app/config/configuration/email/postfix/header_checks)0
-rw-r--r--app/email/config/postfix/ldap-account.cf.tpl (renamed from app/config/configuration/email/postfix/ldap-account.cf.tpl)0
-rw-r--r--app/email/config/postfix/ldap-alias.cf.tpl (renamed from app/config/configuration/email/postfix/ldap-alias.cf.tpl)0
-rw-r--r--app/email/config/postfix/ldap-virtual-domains.cf.tpl (renamed from app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl)0
-rw-r--r--app/email/config/postfix/main.cf (renamed from app/config/configuration/email/postfix/main.cf)0
-rw-r--r--app/email/config/postfix/master.cf (renamed from app/config/configuration/email/postfix/master.cf)0
-rw-r--r--app/email/config/postfix/transport (renamed from app/config/configuration/email/postfix/transport)0
-rw-r--r--app/email/config/postfix/transport.db (renamed from app/config/configuration/email/postfix/transport.db)bin12288 -> 12288 bytes
-rw-r--r--app/email/config/sogo/sogo.conf.tpl (renamed from app/config/configuration/email/sogo/sogo.conf.tpl)0
-rw-r--r--app/email/deploy/email.hcl (renamed from app/deployment/email.hcl)26
-rw-r--r--app/email/secrets/email/dkim/smtp.private1
-rw-r--r--app/email/secrets/email/dovecot/dovecot.crt1
-rw-r--r--app/email/secrets/email/dovecot/dovecot.key1
-rw-r--r--app/email/secrets/email/dovecot/ldap_binddn1
-rw-r--r--app/email/secrets/email/dovecot/ldap_bindpwd1
-rw-r--r--app/email/secrets/email/postfix/postfix.crt1
-rw-r--r--app/email/secrets/email/postfix/postfix.key1
-rw-r--r--app/email/secrets/email/sogo/ldap_binddn1
-rw-r--r--app/email/secrets/email/sogo/ldap_bindpw1
-rw-r--r--app/email/secrets/email/sogo/postgre_auth1
-rw-r--r--app/garage/config/garage.toml (renamed from app/config/configuration/garage/garage.toml)11
-rw-r--r--app/garage/deploy/garage.hcl (renamed from app/deployment/garage.hcl)5
-rw-r--r--app/im/build/matrix-synapse/Dockerfile (renamed from app/build/matrix-synapse/Dockerfile)0
-rwxr-xr-xapp/im/build/matrix-synapse/entrypoint.sh (renamed from app/build/matrix-synapse/entrypoint.sh)0
-rw-r--r--app/im/build/riotweb/Dockerfile (renamed from app/build/riotweb/Dockerfile)6
-rw-r--r--app/im/config/coturn/turnserver.conf.tpl (renamed from app/config/configuration/chat/coturn/turnserver.conf.tpl)0
-rw-r--r--app/im/config/easybridge/config.json.tpl (renamed from app/config/configuration/chat/easybridge/config.json.tpl)0
-rw-r--r--app/im/config/easybridge/registration.yaml.tpl (renamed from app/config/configuration/chat/easybridge/registration.yaml.tpl)0
-rw-r--r--app/im/config/fb2mx/config.yaml (renamed from app/config/configuration/chat/fb2mx/config.yaml)0
-rw-r--r--app/im/config/fb2mx/registration.yaml (renamed from app/config/configuration/chat/fb2mx/registration.yaml)0
-rw-r--r--app/im/config/riot_web/config.json (renamed from app/config/configuration/chat/riot_web/config.json)0
-rw-r--r--app/im/config/synapse/conf.d/report_stats.yaml (renamed from app/config/configuration/chat/synapse/conf.d/report_stats.yaml)0
-rw-r--r--app/im/config/synapse/conf.d/server_name.yaml (renamed from app/config/configuration/chat/synapse/conf.d/server_name.yaml)0
-rw-r--r--app/im/config/synapse/homeserver.yaml (renamed from app/config/configuration/chat/synapse/homeserver.yaml)0
-rw-r--r--app/im/config/synapse/log.yaml (renamed from app/config/configuration/chat/synapse/log.yaml)0
-rw-r--r--app/im/deploy/im.hcl (renamed from app/deployment/im.hcl)20
-rw-r--r--app/im/secrets/chat/coturn/static-auth1
-rw-r--r--app/im/secrets/chat/fb2mx/as_token1
-rw-r--r--app/im/secrets/chat/fb2mx/db_url1
-rw-r--r--app/im/secrets/chat/fb2mx/hs_token1
-rw-r--r--app/im/secrets/chat/synapse/homeserver.tls.crt1
-rw-r--r--app/im/secrets/chat/synapse/homeserver.tls.dh1
-rw-r--r--app/im/secrets/chat/synapse/homeserver.tls.key1
-rw-r--r--app/im/secrets/chat/synapse/ldap_binddn1
-rw-r--r--app/im/secrets/chat/synapse/ldap_bindpw1
-rw-r--r--app/im/secrets/chat/synapse/postgres_db1
-rw-r--r--app/im/secrets/chat/synapse/postgres_pwd1
-rw-r--r--app/im/secrets/chat/synapse/postgres_user1
-rw-r--r--app/im/secrets/chat/synapse/registration_shared_secret1
-rw-r--r--app/jitsi/build/jitsi-conference-focus/Dockerfile (renamed from app/build/jitsi-conference-focus/Dockerfile)0
-rwxr-xr-xapp/jitsi/build/jitsi-conference-focus/jicofo (renamed from app/build/jitsi-conference-focus/jicofo)0
-rw-r--r--app/jitsi/build/jitsi-conference-focus/sip-communicator.properties (renamed from app/build/jitsi-conference-focus/sip-communicator.properties)0
-rw-r--r--app/jitsi/build/jitsi-meet/Dockerfile (renamed from app/build/jitsi-meet/Dockerfile)0
-rw-r--r--app/jitsi/build/jitsi-meet/config.js (renamed from app/build/jitsi-meet/config.js)0
-rwxr-xr-xapp/jitsi/build/jitsi-meet/entrypoint.sh (renamed from app/build/jitsi-meet/entrypoint.sh)0
-rw-r--r--app/jitsi/build/jitsi-videobridge/Dockerfile (renamed from app/build/jitsi-videobridge/Dockerfile)0
-rwxr-xr-xapp/jitsi/build/jitsi-videobridge/jvb_run (renamed from app/build/jitsi-videobridge/jvb_run)0
-rw-r--r--app/jitsi/build/jitsi-xmpp/Dockerfile (renamed from app/build/jitsi-xmpp/Dockerfile)0
-rw-r--r--app/jitsi/build/jitsi-xmpp/external_components.cfg.lua (renamed from app/build/jitsi-xmpp/external_components.cfg.lua)0
-rwxr-xr-xapp/jitsi/build/jitsi-xmpp/xmpp_conf (renamed from app/build/jitsi-xmpp/xmpp_conf)0
-rwxr-xr-xapp/jitsi/build/jitsi-xmpp/xmpp_gen (renamed from app/build/jitsi-xmpp/xmpp_gen)0
-rwxr-xr-xapp/jitsi/build/jitsi-xmpp/xmpp_run (renamed from app/build/jitsi-xmpp/xmpp_run)0
-rw-r--r--app/jitsi/config/global_env.tpl (renamed from app/config/configuration/jitsi/global_env.tpl)0
-rw-r--r--app/jitsi/deploy/jitsi.hcl (renamed from app/deployment/jitsi.hcl)14
-rw-r--r--app/jitsi/integratio/01_gen_certs.yml (renamed from app/integration/jitsi/01_gen_certs.yml)0
-rw-r--r--app/jitsi/integratio/02_run.yml (renamed from app/integration/jitsi/02_run.yml)0
-rw-r--r--app/jitsi/integratio/README.md (renamed from app/integration/jitsi/README.md)0
-rw-r--r--app/jitsi/integratio/dev.env (renamed from app/integration/jitsi/dev.env)0
-rw-r--r--app/jitsi/integratio/jitsi-certs/.gitignore (renamed from app/integration/jitsi/jitsi-certs/.gitignore)0
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt1
-rw-r--r--app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt1
-rw-r--r--app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key1
-rw-r--r--app/nextcloud/build/nextcloud/Dockerfile (renamed from app/build/nextcloud/Dockerfile)0
-rwxr-xr-xapp/nextcloud/build/nextcloud/container-setup.sh (renamed from app/build/nextcloud/container-setup.sh)0
-rwxr-xr-xapp/nextcloud/build/nextcloud/entrypoint.sh (renamed from app/build/nextcloud/entrypoint.sh)0
-rw-r--r--app/nextcloud/config/config.php.tpl (renamed from app/config/configuration/nextcloud/config.php.tpl)0
-rw-r--r--app/nextcloud/deploy/nextcloud.hcl (renamed from app/deployment/nextcloud.hcl)2
-rw-r--r--app/nextcloud/integration/README.md20
-rw-r--r--app/nextcloud/integration/bottin.json (renamed from app/integration/plume/bottin.json)0
-rw-r--r--app/nextcloud/integration/docker-compose.yml27
-rw-r--r--app/platoo/deploy/platoo.hcl (renamed from app/deployment/platoo.hcl)0
-rw-r--r--app/platoo/secrets/platoo/bddpw1
-rw-r--r--app/plume/build/plume/Dockerfile (renamed from app/build/plume/Dockerfile)4
-rw-r--r--app/plume/build/plume/README.md (renamed from app/build/plume/README.md)0
-rwxr-xr-xapp/plume/build/plume/plm-start (renamed from app/build/plume/plm-start)0
-rw-r--r--app/plume/config/app.env (renamed from app/config/configuration/plume/app.env)0
-rw-r--r--app/plume/deploy/plume.hcl (renamed from app/deployment/plume.hcl)4
-rw-r--r--app/plume/integration/bottin.json31
-rw-r--r--app/plume/integration/docker-compose.yml (renamed from app/integration/plume/docker-compose.yml)0
-rw-r--r--app/plume/integration/plume.env (renamed from app/integration/plume/plume.env)0
-rw-r--r--app/plume/secrets/plume/pgsql_pw1
-rw-r--r--app/plume/secrets/plume/secret_key1
-rw-r--r--app/postgres/build/postgres/Dockerfile (renamed from app/build/postgres/Dockerfile)0
-rw-r--r--app/postgres/build/postgres/README.md (renamed from app/build/postgres/README.md)0
-rw-r--r--app/postgres/build/postgres/postgresql.conf (renamed from app/build/postgres/postgresql.conf)0
-rwxr-xr-xapp/postgres/build/postgres/start.sh (renamed from app/build/postgres/start.sh)0
-rw-r--r--app/postgres/config/keeper/env.tpl (renamed from app/config/configuration/postgres/keeper/env.tpl)0
-rw-r--r--app/postgres/deploy/postgres.hcl (renamed from app/deployment/postgres.hcl)2
-rw-r--r--app/postgres/secrets/postgres/keeper/pg_repl_pwd1
-rw-r--r--app/postgres/secrets/postgres/keeper/pg_repl_username1
-rw-r--r--app/postgres/secrets/postgres/keeper/pg_su_pwd1
-rw-r--r--app/requirements.txt3
-rw-r--r--app/science/deploy/science.hcl (renamed from app/deployment/science.hcl)0
-rw-r--r--app/seafile/build/mariadb/60-disable-dialog.cnf (renamed from app/build/mariadb/60-disable-dialog.cnf)0
-rw-r--r--app/seafile/build/mariadb/60-ldap.cnf (renamed from app/build/mariadb/60-ldap.cnf)0
-rw-r--r--app/seafile/build/mariadb/60-remote.cnf (renamed from app/build/mariadb/60-remote.cnf)0
-rw-r--r--app/seafile/build/mariadb/Dockerfile (renamed from app/build/mariadb/Dockerfile)0
-rw-r--r--app/seafile/build/mariadb/README.md (renamed from app/build/mariadb/README.md)0
-rwxr-xr-xapp/seafile/build/mariadb/entrypoint.sh (renamed from app/build/mariadb/entrypoint.sh)0
-rw-r--r--app/seafile/build/mariadb/nsswitch.conf (renamed from app/build/mariadb/nsswitch.conf)0
-rw-r--r--app/seafile/build/mariadb/pam-mariadb (renamed from app/build/mariadb/pam-mariadb)0
-rw-r--r--app/seafile/build/seafile/Dockerfile (renamed from app/build/seafile/Dockerfile)0
-rw-r--r--app/seafile/build/seafile/README.md (renamed from app/build/seafile/README.md)0
-rwxr-xr-xapp/seafile/build/seafile/seadocker (renamed from app/build/seafile/seadocker)0
-rwxr-xr-xapp/seafile/build/seafile/seaenv (renamed from app/build/seafile/seaenv)0
-rw-r--r--app/seafile/config/ccnet/seafile.ini (renamed from app/config/configuration/seafile/ccnet/seafile.ini)0
-rw-r--r--app/seafile/config/conf/ccnet.conf.tpl (renamed from app/config/configuration/seafile/conf/ccnet.conf.tpl)0
-rw-r--r--app/seafile/config/conf/gunicorn.conf (renamed from app/config/configuration/seafile/conf/gunicorn.conf)0
-rw-r--r--app/seafile/config/conf/seafdav.conf (renamed from app/config/configuration/seafile/conf/seafdav.conf)0
-rw-r--r--app/seafile/config/conf/seafile.conf.tpl (renamed from app/config/configuration/seafile/conf/seafile.conf.tpl)0
-rw-r--r--app/seafile/config/conf/seahub_settings.py.tpl (renamed from app/config/configuration/seafile/conf/seahub_settings.py.tpl)0
-rw-r--r--app/seafile/config/mariadb/main/env.tpl (renamed from app/config/configuration/mariadb/main/env.tpl)0
-rw-r--r--app/seafile/deploy/seafile.hcl (renamed from app/deployment/seafile.hcl)14
-rw-r--r--app/seafile/secrets/mariadb/main/ldap_binddn1
-rw-r--r--app/seafile/secrets/mariadb/main/ldap_bindpwd1
-rw-r--r--app/seafile/secrets/mariadb/main/mysql_pwd1
-rw-r--r--app/seafile/secrets/seafile/conf/mykey.peer1
-rwxr-xr-xapp/secretmgr.py369
-rw-r--r--app/traefik/config/traefik.toml (renamed from app/config/configuration/traefik/traefik.toml)0
-rw-r--r--app/traefik/deploy/traefik.hcl (renamed from app/deployment/traefik.hcl)2
-rw-r--r--os/config/roles/consul/tasks/main.yml2
-rw-r--r--os/config/roles/nomad/tasks/main.yml2
238 files changed, 653 insertions, 443 deletions
diff --git a/README.md b/README.md
index 26a7856..5bf9f58 100644
--- a/README.md
+++ b/README.md
@@ -5,21 +5,25 @@ deuxfleurs.fr
## Our abstraction stack
-We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.):
-
- * ansible (physical node conf)
- * nomad (schedule containers)
- * consul (distributed key value store / lock / service discovery)
- * garage/glusterfs (file storage)
- * stolon + postgresql (distributed relational database)
- * docker (container tool)
- * bottin (LDAP server, auth)
+We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.), we develop our own tools when needed:
+
+ * **[garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
+ * **[diplonat](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd)
+ * **[bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
+ * **[guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
+ * **ansible:** physical node configuration
+ * **nomad:** schedule containers and handle their lifecycle
+ * **consul:** distributed key value store + lock + service discovery
+ * **stolon + postgresql:** distributed relational database
+ * **docker:** package, distribute and isolate applications
Some services we provide:
- * Chat (Matrix/Riot)
- * Email (Postfix/Dovecot/Sogo)
- * Storage (Seafile)
+ * **Websites:** garage (static) + fediverse blog (plume)
+ * **Chat:** Synapse + Element Web (Matrix protocol)
+ * **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail (legacy) | Alps webmail (experimental)
+ * **Storage:** Seafile (legacy) | Nextcloud (experimental)
+ * **Visio:** Jitsi
As a generic abstraction is provided, deploying new services should be easy.
@@ -40,14 +44,6 @@ To ease the development, we make the choice of a fully integrated environment
## Start hacking
-### Clone the repository
-
-```
-git clone https://gitlab.com/superboum/deuxfleurs.fr.git
-git submodule init
-git submodule update
-```
-
### Deploying/Updating new services is done from your machine
*The following instructions are provided for ops that already have access to the servers.*
@@ -82,6 +78,7 @@ alias bind_df="ssh \
-L 8500:127.0.0.1:8500 \
-L 8082:traefik-admin.service.2.cluster.deuxfleurs.fr:8082 \
-L 5432:psql-proxy.service.2.cluster.deuxfleurs.fr:5432 \
+ -L 1389:bottin2.service.2.cluster.deuxfleurs.fr:389 \
<a server from the cluster>"
```
diff --git a/app/.gitignore b/app/.gitignore
new file mode 100644
index 0000000..bee8a64
--- /dev/null
+++ b/app/.gitignore
@@ -0,0 +1 @@
+__pycache__
diff --git a/app/README.md b/app/README.md
new file mode 100644
index 0000000..3049cac
--- /dev/null
+++ b/app/README.md
@@ -0,0 +1,52 @@
+## Understand this folder hierarchy
+
+This folder contains the following hierarchy:
+
+- `<module>/build/<image_name>/`: folders with dockerfiles and other necessary resources for building container images
+- `<module>/config/`: folder containing configuration files, referenced by deployment file
+- `<module>/secrets/`: folder containing secrets, which can be synchronized with Consul using `secretmgr.py`
+- `<module>/deploy/`: folder containing the HCL file(s) necessary for deploying the module
+- `<module>/integration/`: folder containing files for integration testing using docker-compose
+
+## How to install `secretmgr.py` dependencies
+
+How to install its dependencies:
+
+```bash
+# on fedora:
+dnf install -y openldap-devel
+# on ubuntu:
+apt-get install -y libldap2-dev
+
+# for eveyrone:
+pip3 install --user --requirement requirements.txt
+```
+
+## How to use `secretmgr.py`
+
+Check that all secrets are correctly deployed for app `dummy`:
+
+```bash
+./secretmgr.py check dummy
+```
+
+Generate secrets for app `dummy` if they don't already exist:
+
+```bash
+./secretmgr.py gen dummy
+```
+
+Rotate secrets for app `dummy`, overwriting existing ones (be careful, this is dangerous!):
+
+```bash
+./secretmgr.py regen dummy
+```
+
+## How to upgrade our packaged apps to a new version?
+
+ 1. Edit `docker-compose.yml`
+ 2. Change the `VERSION` variable to the desired version
+ 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
+ 4. Run `docker-compose build`
+ 5. Run `docker-compose push`
+ 6. Done
diff --git a/app/build/backup-consul/Dockerfile b/app/backup/build/backup-consul/Dockerfile
index 0a5c38f..0a5c38f 100644
--- a/app/build/backup-consul/Dockerfile
+++ b/app/backup/build/backup-consul/Dockerfile
diff --git a/app/build/backup-consul/do_backup.sh b/app/backup/build/backup-consul/do_backup.sh
index a34e7b7..a34e7b7 100755
--- a/app/build/backup-consul/do_backup.sh
+++ b/app/backup/build/backup-consul/do_backup.sh
diff --git a/app/deployment/backup.hcl b/app/backup/deploy/backup.hcl
index 08fd923..08fd923 100644
--- a/app/deployment/backup.hcl
+++ b/app/backup/deploy/backup.hcl
diff --git a/app/build/README.md b/app/build/README.md
deleted file mode 100644
index a877cfa..0000000
--- a/app/build/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-## How to upgrade our packaged apps to a new version?
-
- 1. Edit `docker-compose.yml`
- 2. Change the `VERSION` variable to the desired version
- 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
- 4. Run `docker-compose build`
- 5. Run `docker-compose push`
- 6. Done
diff --git a/app/build/blog-quentin/.dockerenv b/app/build/blog-quentin/.dockerenv
deleted file mode 100755
index e69de29..0000000
--- a/app/build/blog-quentin/.dockerenv
+++ /dev/null
diff --git a/app/build/blog-quentin/Dockerfile b/app/build/blog-quentin/Dockerfile
deleted file mode 100644
index 61f5c40..0000000
--- a/app/build/blog-quentin/Dockerfile
+++ /dev/null
@@ -1,16 +0,0 @@
-FROM amd64/debian:stretch as builder
-
-COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile
-
-WORKDIR /root/quentin.dufour.io
-
-RUN apt-get update && \
- apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \
- bundle install
-
-COPY ./quentin.dufour.io/ /root/quentin.dufour.io/
-RUN bundle exec jekyll build
-
-FROM superboum/amd64_webserver:v2
-COPY --from=builder /root/quentin.dufour.io/_site /srv/http
-
diff --git a/app/build/blog-quentin/README.md b/app/build/blog-quentin/README.md
deleted file mode 100644
index 25ac463..0000000
--- a/app/build/blog-quentin/README.md
+++ /dev/null
@@ -1 +0,0 @@
-sudo docker build -t superboum/amd64_blog:v19 .
diff --git a/app/build/coturn/Dockerfile b/app/build/coturn/Dockerfile
deleted file mode 100644
index 0d23161..0000000
--- a/app/build/coturn/Dockerfile
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM amd64/debian:buster
-
-RUN apt-get update && \
- apt-get dist-upgrade -y && \
- apt-get install -y \
- coturn
-
-CMD ["/usr/bin/turnserver"]
diff --git a/app/build/coturn/README.md b/app/build/coturn/README.md
deleted file mode 100644
index e882146..0000000
--- a/app/build/coturn/README.md
+++ /dev/null
@@ -1,17 +0,0 @@
-
-## Génère l'image
-```
-sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 .
-```
-
-## Run bash dans le container
-```
-sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash
-sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
-```
-
-## Used ports
-- udp/tcp 3478 3479
-
-## Publish
-sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
diff --git a/app/build/landing/README.md b/app/build/landing/README.md
deleted file mode 100644
index 5d2cb2b..0000000
--- a/app/build/landing/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-```
-docker build -t superboum/amd64_landing:v8 .
-```
diff --git a/app/build/static/Dockerfile b/app/build/static/Dockerfile
deleted file mode 100644
index cdba59a..0000000
--- a/app/build/static/Dockerfile
+++ /dev/null
@@ -1,9 +0,0 @@
-FROM golang:1.11.1-stretch as builder
-
-COPY ./goStatic /goStatic
-WORKDIR /goStatic
-RUN CGO_ENABLED=0 go build -a -o web-server .
-
-FROM scratch
-COPY --from=builder /goStatic/web-server /
-ENTRYPOINT ["/web-server"]
diff --git a/app/build/static/README.md b/app/build/static/README.md
deleted file mode 100644
index d50390c..0000000
--- a/app/build/static/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-
-```
-sudo docker build -t superboum/amd64_webserver:v3 .
-sudo docker push superboum/amd64_webserver:v3
-```
diff --git a/app/build/static/goStatic b/app/build/static/goStatic
deleted file mode 160000
-Subproject 3f97f57aaee09a142afe3ca0f1a5d51acd85643
diff --git a/app/build/webpull/.gitignore b/app/build/webpull/.gitignore
deleted file mode 100644
index ba2906d..0000000
--- a/app/build/webpull/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-main
diff --git a/app/build/webpull/Dockerfile.nodejs b/app/build/webpull/Dockerfile.nodejs
deleted file mode 100644
index acc7e74..0000000
--- a/app/build/webpull/Dockerfile.nodejs
+++ /dev/null
@@ -1,9 +0,0 @@
-FROM node:13.8-buster
-
-RUN apt-get update && \
- apt-get install -y git
-
-COPY ./main /srv/httpd
-WORKDIR /srv
-CMD ["/srv/httpd"]
-
diff --git a/app/build/webpull/Dockerfile.ruby b/app/build/webpull/Dockerfile.ruby
deleted file mode 100644
index 7578cca..0000000
--- a/app/build/webpull/Dockerfile.ruby
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM fedora:32
-
-ENV LC_ALL=C.UTF-8
-ENV LANG=C.UTF-8
-ENV LANGUAGE=en_US.UTF-8
-ENV RUBYOPT --disable-did_you_mean
-
-RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel
-
-COPY ./main /srv/httpd
-WORKDIR /srv
-CMD ["/srv/httpd"]
diff --git a/app/build/webpull/README.md b/app/build/webpull/README.md
deleted file mode 100644
index 5d17d17..0000000
--- a/app/build/webpull/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# webpull
-
-Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL
-
-You need to specify a secret token at boot:
-
-```
-WEBPULL_TOKEN=s3cr3et ./webpull
-```
-
-## Node.js version
-
-```
-go build ./main.go
-sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 .
-```
-
-## Ruby version
-
-```
-go build ./main.go
-sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 .
-```
diff --git a/app/build/webpull/main.go b/app/build/webpull/main.go
deleted file mode 100644
index 46c90b9..0000000
--- a/app/build/webpull/main.go
+++ /dev/null
@@ -1,100 +0,0 @@
-package main
-
-import (
- "fmt"
- "errors"
- "io"
- "os/exec"
- "os"
- "log"
- "net/http"
- "strings"
-)
-
-func myexec(w io.Writer, main string, params ...string) error {
- cmd := exec.Command(main, params...)
- cmd.Stdout = w
- cmd.Stderr = w
- err := cmd.Run()
- if err != nil {
- fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " "))
- }
- return err
-}
-
-func update(w io.Writer) error {
- fmt.Fprintf(w, "Start update...\n")
- _, err := os.Stat("./.git")
- if err != nil {
- fmt.Fprintf(w, ".git folder does not exist, creating it...\n")
- err := myexec(w, "git", "init")
- if err != nil {
- return err
- }
- }
-
- err = myexec(w, "git", "remote", "get-url", "origin")
- if err != nil {
- repo, exists := os.LookupEnv("WEBPULL_REPO")
- if !exists {
- fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n")
- return errors.New("Missing environment variable WEBPULL_REPO")
- }
- fmt.Fprintf(w, "git remote is not yet set...\n")
- err := myexec(w, "git", "remote", "add", "origin", repo)
- if err != nil {
- return err
- }
- }
-
- err = myexec(w, "git", "pull", "origin", "master")
- if err != nil {
- fmt.Fprintf(w, "Failed to pull...\n")
- return err
- }
-
- _, err = os.Stat("./.webpull")
- if err != nil {
- fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n")
- return err
- }
-
- err = myexec(w, "./.webpull")
- if err != nil {
- fmt.Fprintf(w, "An error occured during script execution\n")
- return err
- }
-
- fmt.Fprintf(w, "Success.\n")
- return nil
-}
-
-func main() {
- token, exists := os.LookupEnv("WEBPULL_TOKEN")
- if !exists {
- log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined")
- }
-
- if update(os.Stdout) != nil {
- log.Fatal("Initial 'update' failed")
- }
-
- fs := http.FileServer(http.Dir("./static"))
- http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) {
- keys, ok := r.URL.Query()["token"]
- if !ok || len(keys[0]) < 1 {
- http.Error(w, "Missing 'token' query parameter", 401)
- return
- }
-
- if keys[0] != token {
- http.Error(w, "Wrong token", 401)
- return
- }
-
- update(w)
- })
- http.Handle("/", fs)
-
- log.Fatal(http.ListenAndServe(":8080", nil))
-}
diff --git a/app/config/configuration/email/dkim/smtp.private.sample b/app/config/configuration/email/dkim/smtp.private.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/configuration/email/dkim/smtp.private.sample
+++ /dev/null
diff --git a/app/config/configuration/email/dkim/smtp.txt.sample b/app/config/configuration/email/dkim/smtp.txt.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/configuration/email/dkim/smtp.txt.sample
+++ /dev/null
diff --git a/app/config/configuration/seafile/ccnet/mykey.peer.sample b/app/config/configuration/seafile/ccnet/mykey.peer.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/configuration/seafile/ccnet/mykey.peer.sample
+++ /dev/null
diff --git a/app/config/configuration/seafile/conf/mykey.peer.sample b/app/config/configuration/seafile/conf/mykey.peer.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/configuration/seafile/conf/mykey.peer.sample
+++ /dev/null
diff --git a/app/config/secrets/.gitignore b/app/config/secrets/.gitignore
deleted file mode 100644
index 2ff3cd5..0000000
--- a/app/config/secrets/.gitignore
+++ /dev/null
@@ -1,11 +0,0 @@
-# Blacklist everything cleverly
-*
-!*/
-
-# Whitelist some patterns
-!*.sample
-!*.gen
-!*.sh
-!.gitignore
-
-# Whitelist specific files
diff --git a/app/config/secrets/chat/coturn/static-auth.sample b/app/config/secrets/chat/coturn/static-auth.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/coturn/static-auth.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/fb2mx/as_token.sample b/app/config/secrets/chat/fb2mx/as_token.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/fb2mx/as_token.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/fb2mx/db_url.sample b/app/config/secrets/chat/fb2mx/db_url.sample
deleted file mode 100644
index aff4635..0000000
--- a/app/config/secrets/chat/fb2mx/db_url.sample
+++ /dev/null
@@ -1 +0,0 @@
-postgres://username:password@hostname/dbname
diff --git a/app/config/secrets/chat/fb2mx/hs_token.sample b/app/config/secrets/chat/fb2mx/hs_token.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/fb2mx/hs_token.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/homeserver.tls.crt.sample b/app/config/secrets/chat/synapse/homeserver.tls.crt.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/homeserver.tls.crt.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/homeserver.tls.dh.sample b/app/config/secrets/chat/synapse/homeserver.tls.dh.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/homeserver.tls.dh.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/homeserver.tls.key.sample b/app/config/secrets/chat/synapse/homeserver.tls.key.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/homeserver.tls.key.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/ldap_binddn.sample b/app/config/secrets/chat/synapse/ldap_binddn.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/ldap_binddn.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/ldap_bindpw.sample b/app/config/secrets/chat/synapse/ldap_bindpw.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/ldap_bindpw.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/postgres_db.sample b/app/config/secrets/chat/synapse/postgres_db.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/postgres_db.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/postgres_pwd.sample b/app/config/secrets/chat/synapse/postgres_pwd.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/postgres_pwd.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/postgres_user.sample b/app/config/secrets/chat/synapse/postgres_user.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/postgres_user.sample
+++ /dev/null
diff --git a/app/config/secrets/chat/synapse/registration_shared_secret.sample b/app/config/secrets/chat/synapse/registration_shared_secret.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/chat/synapse/registration_shared_secret.sample
+++ /dev/null
diff --git a/app/config/secrets/email/dkim/smtp.private.sample b/app/config/secrets/email/dkim/smtp.private.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/dkim/smtp.private.sample
+++ /dev/null
diff --git a/app/config/secrets/email/dovecot/dovecot.crt.sample b/app/config/secrets/email/dovecot/dovecot.crt.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/dovecot/dovecot.crt.sample
+++ /dev/null
diff --git a/app/config/secrets/email/dovecot/dovecot.key.sample b/app/config/secrets/email/dovecot/dovecot.key.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/dovecot/dovecot.key.sample
+++ /dev/null
diff --git a/app/config/secrets/email/dovecot/ldap_binddn.sample b/app/config/secrets/email/dovecot/ldap_binddn.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/dovecot/ldap_binddn.sample
+++ /dev/null
diff --git a/app/config/secrets/email/dovecot/ldap_bindpwd.sample b/app/config/secrets/email/dovecot/ldap_bindpwd.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/dovecot/ldap_bindpwd.sample
+++ /dev/null
diff --git a/app/config/secrets/email/postfix/postfix.crt.sample b/app/config/secrets/email/postfix/postfix.crt.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/postfix/postfix.crt.sample
+++ /dev/null
diff --git a/app/config/secrets/email/postfix/postfix.key.sample b/app/config/secrets/email/postfix/postfix.key.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/postfix/postfix.key.sample
+++ /dev/null
diff --git a/app/config/secrets/email/sogo/ldap_binddn.sample b/app/config/secrets/email/sogo/ldap_binddn.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/sogo/ldap_binddn.sample
+++ /dev/null
diff --git a/app/config/secrets/email/sogo/ldap_bindpw.sample b/app/config/secrets/email/sogo/ldap_bindpw.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/sogo/ldap_bindpw.sample
+++ /dev/null
diff --git a/app/config/secrets/email/sogo/postgre_auth.sample b/app/config/secrets/email/sogo/postgre_auth.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/email/sogo/postgre_auth.sample
+++ /dev/null
diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample
+++ /dev/null
diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample
+++ /dev/null
diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample
+++ /dev/null
diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample
+++ /dev/null
diff --git a/app/config/secrets/mariadb/main/ldap_binddn.sample b/app/config/secrets/mariadb/main/ldap_binddn.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/mariadb/main/ldap_binddn.sample
+++ /dev/null
diff --git a/app/config/secrets/mariadb/main/ldap_bindpwd.sample b/app/config/secrets/mariadb/main/ldap_bindpwd.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/mariadb/main/ldap_bindpwd.sample
+++ /dev/null
diff --git a/app/config/secrets/mariadb/main/mysql_pwd.sample b/app/config/secrets/mariadb/main/mysql_pwd.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/mariadb/main/mysql_pwd.sample
+++ /dev/null
diff --git a/app/config/secrets/platoo/bddpw.sample b/app/config/secrets/platoo/bddpw.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/platoo/bddpw.sample
+++ /dev/null
diff --git a/app/config/secrets/plume/pgsql_pw.sh b/app/config/secrets/plume/pgsql_pw.sh
deleted file mode 100755
index 519a30a..0000000
--- a/app/config/secrets/plume/pgsql_pw.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-openssl rand -base64 32 > pgsql_pw
diff --git a/app/config/secrets/plume/secret_key.sh b/app/config/secrets/plume/secret_key.sh
deleted file mode 100755
index f4bbee5..0000000
--- a/app/config/secrets/plume/secret_key.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-openssl rand -base64 32 > secret_key
diff --git a/app/config/secrets/postgres/keeper/pg_repl_pwd.sample b/app/config/secrets/postgres/keeper/pg_repl_pwd.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/postgres/keeper/pg_repl_pwd.sample
+++ /dev/null
diff --git a/app/config/secrets/postgres/keeper/pg_repl_username.sample b/app/config/secrets/postgres/keeper/pg_repl_username.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/postgres/keeper/pg_repl_username.sample
+++ /dev/null
diff --git a/app/config/secrets/postgres/keeper/pg_su_pwd.sample b/app/config/secrets/postgres/keeper/pg_su_pwd.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/postgres/keeper/pg_su_pwd.sample
+++ /dev/null
diff --git a/app/config/secrets/seafile/conf/mykey.peer.sample b/app/config/secrets/seafile/conf/mykey.peer.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/seafile/conf/mykey.peer.sample
+++ /dev/null
diff --git a/app/config/secrets/web/home_token.sample b/app/config/secrets/web/home_token.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/web/home_token.sample
+++ /dev/null
diff --git a/app/config/secrets/web/quentin.dufour.io_token.sample b/app/config/secrets/web/quentin.dufour.io_token.sample
deleted file mode 100644
index e69de29..0000000
--- a/app/config/secrets/web/quentin.dufour.io_token.sample
+++ /dev/null
diff --git a/app/deployment/core.hcl b/app/core/deploy/core.hcl
index 5b17b8e..5b17b8e 100644
--- a/app/deployment/core.hcl
+++ b/app/core/deploy/core.hcl
diff --git a/app/deployment/web_static.hcl b/app/deployment/web_static.hcl
deleted file mode 100644
index 01de23e..0000000
--- a/app/deployment/web_static.hcl
+++ /dev/null
@@ -1,117 +0,0 @@
-job "web_static" {
- datacenters = ["dc1"]
- type = "service"
-
- constraint {
- attribute = "${attr.cpu.arch}"
- value = "amd64"
- }
-
- group "landing" {
- network {
- port "deuxfleurs_port" { to = 8080 }
- }
-
- task "server" {
- driver = "docker"
- config {
- image = "superboum/amd64_webpull_pug:v4"
- ports = [ "deuxfleurs_port" ]
- }
-
- template {
- data = <<EOH
-WEBPULL_REPO="https://git.deuxfleurs.fr/Deuxfleurs/site.git"
-WEBPULL_TOKEN="{{ key "secrets/web/home_token" | trimSpace }}"
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- memory = 200
- }
-
- service {
- tags = [
- "webstatic",
- "traefik.enable=true",
- "traefik.frontend.entryPoints=https,http",
- "traefik.frontend.rule=Host:deuxfleurs.fr,www.deuxfleurs.fr,deuxfleurs.org,www.deuxfleurs.org;PathPrefix:/",
- "traefik.frontend.priority=10"
- # Ideally we would have a rewrite regex like this https://regex101.com/r/WHrABU/1
- # See how it does not handle "http://deuxfleurs.fr/"? Not a big deal since HTTPS is redirected somewhere else
- #"traefik.frontend.redirect.regex=^https?://(www\.deuxfleurs\.fr|deuxfleurs\.org|www\.deuxfleurs\.org)(.*)$",
- #"traefik.frontend.redirect.replacement=https://deuxfleurs.fr/$${2}",
- # Only set permanent redirect when it is guaranteed to work
- #"traefik.frontend.redirect.permanent=true",
- ]
- port = "deuxfleurs_port"
- address_mode = "host"
- name = "landing"
- check {
- type = "tcp"
- port = "deuxfleurs_port"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-
- group "quentin" {
- network {
- port "quentin_port" { to = 8080 }
- }
-
- task "server" {
- driver = "docker"
- config {
- image = "superboum/amd64_webpull_ruby:v1"
- ports = [ "quentin_port" ]
- }
-
- template {
- data = <<EOH
-WEBPULL_REPO="https://git.deuxfleurs.fr/quentin/quentin.dufour.io.git"
-WEBPULL_TOKEN="{{ key "secrets/web/quentin.dufour.io_token" | trimSpace }}"
-EOH
- destination = "secrets/env"
- env = true
- }
-
- resources {
- memory = 500
- }
-
- service {
- tags = [
- "webstatic",
- "traefik.enable=true",
- "traefik.frontend.entryPoints=https",
- "traefik.frontend.rule=Host:quentin.dufour.io,www.quentin.dufour.io;PathPrefix:/"
- ]
- port = "quentin_port"
- address_mode = "host"
- name = "blog-quentin"
- check {
- type = "tcp"
- port = "quentin_port"
- interval = "60s"
- timeout = "5s"
- check_restart {
- limit = 3
- grace = "90s"
- ignore_warnings = false
- }
- }
- }
- }
- }
-}
-
diff --git a/app/config/configuration/directory/bottin/config.json b/app/directory/config/bottin/config.json
index 7867ff0..7867ff0 100644
--- a/app/config/configuration/directory/bottin/config.json
+++ b/app/directory/config/bottin/config.json
diff --git a/app/config/configuration/directory/guichet/config.json.tpl b/app/directory/config/guichet/config.json.tpl
index 98e2297..98e2297 100644
--- a/app/config/configuration/directory/guichet/config.json.tpl
+++ b/app/directory/config/guichet/config.json.tpl
diff --git a/app/deployment/directory.hcl b/app/directory/deploy/directory.hcl
index 0acc08f..a6eb885 100644
--- a/app/deployment/directory.hcl
+++ b/app/directory/deploy/directory.hcl
@@ -35,7 +35,7 @@ job "directory" {
}
template {
- data = file("../config/configuration/directory/bottin/config.json")
+ data = file("../config/bottin/config.json")
destination = "secrets/config.json"
}
@@ -78,7 +78,7 @@ job "directory" {
}
template {
- data = file("../config/configuration/directory/guichet/config.json.tpl")
+ data = file("../config/guichet/config.json.tpl")
destination = "secrets/config.json"
}
diff --git a/app/build/docker-compose.yml b/app/docker-compose.yml
index de2c229..df7fee4 100644
--- a/app/build/docker-compose.yml
+++ b/app/docker-compose.yml
@@ -3,7 +3,7 @@ services:
mariadb:
build:
- context: ./mariadb
+ context: ./seafile/build/mariadb
args:
VERSION: 4 # fake for now
image: superboum/amd64_mariadb:v4
@@ -11,24 +11,24 @@ services:
# Instant Messaging
riot:
build:
- context: ./riotweb
+ context: ./im/build/riotweb
args:
# https://github.com/vector-im/riot-web/releases
- VERSION: 1.7.14
- image: particallydone/amd64_riotweb:v18
+ VERSION: 1.7.16
+ image: superboum/amd64_riotweb:v19
synapse:
build:
- context: ./matrix-synapse
+ context: ./im/build/matrix-synapse
args:
# https://github.com/matrix-org/synapse/releases
- VERSION: 1.24.0
- image: particallydone/amd64_synapse:v39
+ VERSION: 1.25.0
+ image: superboum/amd64_synapse:v40
# Email
sogo:
build:
- context: ./sogo
+ context: ./email/build/sogo
args:
# fake for now
VERSION: 5.0.0
@@ -36,7 +36,7 @@ services:
alps:
build:
- context: ./alps
+ context: ./email/build/alps
args:
VERSION: 5cef0aaff2b8b6ee3e00b566123517e241d8cfb8
image: superboum/amd64_alps:v1
@@ -44,48 +44,48 @@ services:
# VoIP
jitsi-meet:
build:
- context: ./jitsi-meet
+ context: ./jitsi/build/jitsi-meet
args:
# https://github.com/jitsi/jitsi-meet
PREFIXV: stable/jitsi-meet_
- VERSION: 4966
- image: superboum/amd64_jitsi_meet:v2
+ VERSION: 5390
+ image: superboum/amd64_jitsi_meet:v3
jitsi-conference-focus:
build:
- context: ./jitsi-conference-focus
+ context: ./jitsi/build/jitsi-conference-focus
args:
# https://github.com/jitsi/jicofo
PREFIXV: stable/jitsi-meet_
- VERSION: 4966
- image: superboum/amd64_jitsi_conference_focus:v5
+ VERSION: 5390
+ image: superboum/amd64_jitsi_conference_focus:v6
jitsi-videobridge:
build:
- context: ./jitsi-videobridge
+ context: ./jitsi/build/jitsi-videobridge
args:
# https://github.com/jitsi/jitsi-videobridge
PREFIXV: stable/jitsi-meet_
- VERSION: 4966
- image: superboum/amd64_jitsi_videobridge:v15
+ VERSION: 5390
+ image: superboum/amd64_jitsi_videobridge:v16
jitsi-xmpp:
build:
- context: ./jitsi-xmpp
+ context: ./jitsi/build/jitsi-xmpp
args:
VERSION: 0.11.2-1
image: superboum/amd64_jitsi_xmpp:v8
plume:
build:
- context: ./plume
+ context: ./plume/build/plume
args:
- VERSION: 0cd26dfbf4ab7be467325ed77230cf371147a98e
- image: superboum/plume:v1
+ VERSION: 0.6.0
+ image: superboum/plume:v2
postfix:
build:
- context: ./postfix
+ context: ./email/build/postfix
args:
# https://packages.debian.org/fr/buster/postfix
VERSION: 3.4.14-0+deb10u1
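Review bot: The plume build pin on the new side goes from an immutable commit id to a tag (`VERSION: 0.6.0`), which is a weaker supply-chain pin than the hash it replaces, since a tag can be moved after the fact while a commit id cannot. The alps entry in the earlier hunk keeps a full commit id, so the file is now inconsistent in how upstream sources are pinned. If the Dockerfile fetches by tag, consider recording the resolved commit beside it, e.g. `VERSION: 0.6.0  # resolved commit for this tag: <commit-id placeholder>`, or pin to the commit id again as before.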
diff --git a/app/dummy/secrets/dummy/test_cmd b/app/dummy/secrets/dummy/test_cmd
new file mode 100644
index 0000000..0c1593f
--- /dev/null
+++ b/app/dummy/secrets/dummy/test_cmd
@@ -0,0 +1 @@
+CMD head -c 10 /dev/urandom | base64
diff --git a/app/dummy/secrets/dummy/test_const b/app/dummy/secrets/dummy/test_const
new file mode 100644
index 0000000..ac68954
--- /dev/null
+++ b/app/dummy/secrets/dummy/test_const
@@ -0,0 +1 @@
+CONST this is a constant
diff --git a/app/dummy/secrets/dummy/test_const_long b/app/dummy/secrets/dummy/test_const_long
new file mode 100644
index 0000000..f5c2b0a
--- /dev/null
+++ b/app/dummy/secrets/dummy/test_const_long
@@ -0,0 +1,5 @@
+CONST_LONG
+this is a
+constant
+on several
+lines
diff --git a/app/dummy/secrets/dummy/test_service_dn b/app/dummy/secrets/dummy/test_service_dn
new file mode 100644
index 0000000..dbc90f0
--- /dev/null
+++ b/app/dummy/secrets/dummy/test_service_dn
@@ -0,0 +1 @@
+SERVICE_DN dummy Dummy service for testing secretmgr.py
diff --git a/app/dummy/secrets/dummy/test_service_password b/app/dummy/secrets/dummy/test_service_password
new file mode 100644
index 0000000..f788a50
--- /dev/null
+++ b/app/dummy/secrets/dummy/test_service_password
@@ -0,0 +1 @@
+SERVICE_PASSWORD dummy
diff --git a/app/dummy/secrets/dummy/test_user b/app/dummy/secrets/dummy/test_user
new file mode 100644
index 0000000..b1ab993
--- /dev/null
+++ b/app/dummy/secrets/dummy/test_user
@@ -0,0 +1 @@
+USER Test user value
diff --git a/app/build/alps/Dockerfile b/app/email/build/alps/Dockerfile
index 647d90d..647d90d 100644
--- a/app/build/alps/Dockerfile
+++ b/app/email/build/alps/Dockerfile
diff --git a/app/build/alps/skipverify.patch b/app/email/build/alps/skipverify.patch
index 14e14cb..14e14cb 100644
--- a/app/build/alps/skipverify.patch
+++ b/app/email/build/alps/skipverify.patch
diff --git a/app/build/dovecot/.gitignore b/app/email/build/dovecot/.gitignore
index 71a04e2..71a04e2 100644
--- a/app/build/dovecot/.gitignore
+++ b/app/email/build/dovecot/.gitignore
diff --git a/app/build/dovecot/Dockerfile b/app/email/build/dovecot/Dockerfile
index 9b87627..9b87627 100644
--- a/app/build/dovecot/Dockerfile
+++ b/app/email/build/dovecot/Dockerfile
diff --git a/app/build/dovecot/README.md b/app/email/build/dovecot/README.md
index 8c9f372..8c9f372 100644
--- a/app/build/dovecot/README.md
+++ b/app/email/build/dovecot/README.md
diff --git a/app/build/dovecot/conf/all_before.sieve b/app/email/build/dovecot/conf/all_before.sieve
index 7d2e57e..7d2e57e 100644
--- a/app/build/dovecot/conf/all_before.sieve
+++ b/app/email/build/dovecot/conf/all_before.sieve
diff --git a/app/build/dovecot/conf/dovecot-ldap.sample.conf b/app/email/build/dovecot/conf/dovecot-ldap.sample.conf
index 472d5e8..472d5e8 100644
--- a/app/build/dovecot/conf/dovecot-ldap.sample.conf
+++ b/app/email/build/dovecot/conf/dovecot-ldap.sample.conf
diff --git a/app/build/dovecot/conf/dovecot.conf b/app/email/build/dovecot/conf/dovecot.conf
index 0d5068c..0d5068c 100644
--- a/app/build/dovecot/conf/dovecot.conf
+++ b/app/email/build/dovecot/conf/dovecot.conf
diff --git a/app/build/dovecot/conf/report-ham.sieve b/app/email/build/dovecot/conf/report-ham.sieve
index c5a994a..c5a994a 100644
--- a/app/build/dovecot/conf/report-ham.sieve
+++ b/app/email/build/dovecot/conf/report-ham.sieve
diff --git a/app/build/dovecot/conf/report-spam.sieve b/app/email/build/dovecot/conf/report-spam.sieve
index 1be7389..1be7389 100644
--- a/app/build/dovecot/conf/report-spam.sieve
+++ b/app/email/build/dovecot/conf/report-spam.sieve
diff --git a/app/build/dovecot/entrypoint.sh b/app/email/build/dovecot/entrypoint.sh
index 2165d8f..2165d8f 100755
--- a/app/build/dovecot/entrypoint.sh
+++ b/app/email/build/dovecot/entrypoint.sh
diff --git a/app/build/opendkim/Dockerfile b/app/email/build/opendkim/Dockerfile
index 70a39e4..70a39e4 100644
--- a/app/build/opendkim/Dockerfile
+++ b/app/email/build/opendkim/Dockerfile
diff --git a/app/build/opendkim/README.md b/app/email/build/opendkim/README.md
index e146125..e146125 100644
--- a/app/build/opendkim/README.md
+++ b/app/email/build/opendkim/README.md
diff --git a/app/build/opendkim/opendkim.conf b/app/email/build/opendkim/opendkim.conf
index 0d6465f..0d6465f 100644
--- a/app/build/opendkim/opendkim.conf
+++ b/app/email/build/opendkim/opendkim.conf
diff --git a/app/build/postfix/Dockerfile b/app/email/build/postfix/Dockerfile
index 0c74fdc..0c74fdc 100644
--- a/app/build/postfix/Dockerfile
+++ b/app/email/build/postfix/Dockerfile
diff --git a/app/build/postfix/README.md b/app/email/build/postfix/README.md
index ac44fc0..ac44fc0 100644
--- a/app/build/postfix/README.md
+++ b/app/email/build/postfix/README.md
diff --git a/app/build/postfix/entrypoint.sh b/app/email/build/postfix/entrypoint.sh
index fcf1a66..fcf1a66 100755
--- a/app/build/postfix/entrypoint.sh
+++ b/app/email/build/postfix/entrypoint.sh
diff --git a/app/build/sogo/Dockerfile b/app/email/build/sogo/Dockerfile
index 46880dd..46880dd 100644
--- a/app/build/sogo/Dockerfile
+++ b/app/email/build/sogo/Dockerfile
diff --git a/app/build/sogo/README.md b/app/email/build/sogo/README.md
index ea12245..ea12245 100644
--- a/app/build/sogo/README.md
+++ b/app/email/build/sogo/README.md
diff --git a/app/build/sogo/entrypoint b/app/email/build/sogo/entrypoint
index 8b39def..8b39def 100755
--- a/app/build/sogo/entrypoint
+++ b/app/email/build/sogo/entrypoint
diff --git a/app/build/sogo/sogo.nginx.conf b/app/email/build/sogo/sogo.nginx.conf
index ad920a5..ad920a5 100644
--- a/app/build/sogo/sogo.nginx.conf
+++ b/app/email/build/sogo/sogo.nginx.conf
diff --git a/app/config/configuration/email/dkim/keytable b/app/email/config/dkim/keytable
index f4ac7cd..f4ac7cd 100644
--- a/app/config/configuration/email/dkim/keytable
+++ b/app/email/config/dkim/keytable
diff --git a/app/config/configuration/email/dkim/signingtable b/app/email/config/dkim/signingtable
index 60d66ff..60d66ff 100644
--- a/app/config/configuration/email/dkim/signingtable
+++ b/app/email/config/dkim/signingtable
diff --git a/app/config/configuration/email/dkim/trusted b/app/email/config/dkim/trusted
index a01170d..a01170d 100644
--- a/app/config/configuration/email/dkim/trusted
+++ b/app/email/config/dkim/trusted
diff --git a/app/config/configuration/email/dovecot/certs.gen b/app/email/config/dovecot/certs.gen
index f26e917..f26e917 100755
--- a/app/config/configuration/email/dovecot/certs.gen
+++ b/app/email/config/dovecot/certs.gen
diff --git a/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl b/app/email/config/dovecot/dovecot-ldap.conf.tpl
index 9fb1ea6..9fb1ea6 100644
--- a/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl
+++ b/app/email/config/dovecot/dovecot-ldap.conf.tpl
diff --git a/app/config/configuration/email/postfix/certs.gen b/app/email/config/postfix/certs.gen
index f25439b..f25439b 100755
--- a/app/config/configuration/email/postfix/certs.gen
+++ b/app/email/config/postfix/certs.gen
diff --git a/app/config/configuration/email/postfix/dynamicmaps.cf b/app/email/config/postfix/dynamicmaps.cf
index 32d8f62..32d8f62 100644
--- a/app/config/configuration/email/postfix/dynamicmaps.cf
+++ b/app/email/config/postfix/dynamicmaps.cf
diff --git a/app/config/configuration/email/postfix/header_checks b/app/email/config/postfix/header_checks
index cad52ec..cad52ec 100644
--- a/app/config/configuration/email/postfix/header_checks
+++ b/app/email/config/postfix/header_checks
diff --git a/app/config/configuration/email/postfix/ldap-account.cf.tpl b/app/email/config/postfix/ldap-account.cf.tpl
index 2575f10..2575f10 100644
--- a/app/config/configuration/email/postfix/ldap-account.cf.tpl
+++ b/app/email/config/postfix/ldap-account.cf.tpl
diff --git a/app/config/configuration/email/postfix/ldap-alias.cf.tpl b/app/email/config/postfix/ldap-alias.cf.tpl
index 775c0ad..775c0ad 100644
--- a/app/config/configuration/email/postfix/ldap-alias.cf.tpl
+++ b/app/email/config/postfix/ldap-alias.cf.tpl
diff --git a/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl b/app/email/config/postfix/ldap-virtual-domains.cf.tpl
index e013953..e013953 100644
--- a/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl
+++ b/app/email/config/postfix/ldap-virtual-domains.cf.tpl
diff --git a/app/config/configuration/email/postfix/main.cf b/app/email/config/postfix/main.cf
index 4204cb4..4204cb4 100644
--- a/app/config/configuration/email/postfix/main.cf
+++ b/app/email/config/postfix/main.cf
diff --git a/app/config/configuration/email/postfix/master.cf b/app/email/config/postfix/master.cf
index 53bc601..53bc601 100644
--- a/app/config/configuration/email/postfix/master.cf
+++ b/app/email/config/postfix/master.cf
diff --git a/app/config/configuration/email/postfix/transport b/app/email/config/postfix/transport
index 68f62c5..68f62c5 100644
--- a/app/config/configuration/email/postfix/transport
+++ b/app/email/config/postfix/transport
diff --git a/app/config/configuration/email/postfix/transport.db b/app/email/config/postfix/transport.db
index 487f394..487f394 100644
--- a/app/config/configuration/email/postfix/transport.db
+++ b/app/email/config/postfix/transport.db
Binary files differ
diff --git a/app/config/configuration/email/sogo/sogo.conf.tpl b/app/email/config/sogo/sogo.conf.tpl
index ab4f8f5..ab4f8f5 100644
--- a/app/config/configuration/email/sogo/sogo.conf.tpl
+++ b/app/email/config/sogo/sogo.conf.tpl
diff --git a/app/deployment/email.hcl b/app/email/deploy/email.hcl
index 3d9e15b..bef7268 100644
--- a/app/deployment/email.hcl
+++ b/app/email/deploy/email.hcl
@@ -131,7 +131,7 @@ job "email" {
}
template {
- data = file("../config/configuration/email/dovecot/dovecot-ldap.conf.tpl")
+ data = file("../config/dovecot/dovecot-ldap.conf.tpl")
destination = "secrets/conf/dovecot-ldap.conf"
perms = "400"
}
@@ -200,15 +200,15 @@ job "email" {
}
template {
- data = file("../config/configuration/email/dkim/keytable")
+ data = file("../config/dkim/keytable")
destination = "secrets/dkim/keytable"
}
template {
- data = file("../config/configuration/email/dkim/signingtable")
+ data = file("../config/dkim/signingtable")
destination = "secrets/dkim/signingtable"
}
template {
- data = file("../config/configuration/email/dkim/trusted")
+ data = file("../config/dkim/trusted")
destination = "secrets/dkim/trusted"
}
@@ -329,42 +329,42 @@ job "email" {
}
template {
- data = file("../config/configuration/email/postfix/ldap-account.cf.tpl")
+ data = file("../config/postfix/ldap-account.cf.tpl")
destination = "secrets/postfix/ldap-account.cf"
}
template {
- data = file("../config/configuration/email/postfix/ldap-alias.cf.tpl")
+ data = file("../config/postfix/ldap-alias.cf.tpl")
destination = "secrets/postfix/ldap-alias.cf"
}
template {
- data = file("../config/configuration/email/postfix/ldap-virtual-domains.cf.tpl")
+ data = file("../config/postfix/ldap-virtual-domains.cf.tpl")
destination = "secrets/postfix/ldap-virtual-domains.cf"
}
template {
- data = file("../config/configuration/email/postfix/dynamicmaps.cf")
+ data = file("../config/postfix/dynamicmaps.cf")
destination = "secrets/postfix/dynamicmaps.cf"
}
template {
- data = file("../config/configuration/email/postfix/header_checks")
+ data = file("../config/postfix/header_checks")
destination = "secrets/postfix/header_checks"
}
template {
- data = file("../config/configuration/email/postfix/main.cf")
+ data = file("../config/postfix/main.cf")
destination = "secrets/postfix/main.cf"
}
template {
- data = file("../config/configuration/email/postfix/master.cf")
+ data = file("../config/postfix/master.cf")
destination = "secrets/postfix/master.cf"
}
template {
- data = file("../config/configuration/email/postfix/transport")
+ data = file("../config/postfix/transport")
destination = "secrets/postfix/transport"
}
@@ -450,7 +450,7 @@ job "email" {
}
template {
- data = file("../config/configuration/email/sogo/sogo.conf.tpl")
+ data = file("../config/sogo/sogo.conf.tpl")
destination = "secrets/sogo.conf"
}
diff --git a/app/email/secrets/email/dkim/smtp.private b/app/email/secrets/email/dkim/smtp.private
new file mode 100644
index 0000000..3aa3621
--- /dev/null
+++ b/app/email/secrets/email/dkim/smtp.private
@@ -0,0 +1 @@
+RSA_PRIVATE_KEY dkim
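Review bot: These new descriptor files carry the exact filenames of the live secrets (`smtp.private` here, `dovecot.key`, `postfix.key` and `ldap_bindpwd` in the following hunks), while the blanket-ignore rule that covered `app/config/secrets` is deleted earlier in this same diff. If `secretmgr.py` ever materializes a generated value into the same tree, nothing visible in this diff keeps that value out of version control. A one-line header in each descriptor would make the intent explicit, e.g. `# descriptor only: the real value is generated and stored by secretmgr.py, never committed`; I cannot tell from this diff whether the descriptor format tolerates comment lines, so a README next to the files may be the safer place.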
diff --git a/app/email/secrets/email/dovecot/dovecot.crt b/app/email/secrets/email/dovecot/dovecot.crt
new file mode 100644
index 0000000..7229cfc
--- /dev/null
+++ b/app/email/secrets/email/dovecot/dovecot.crt
@@ -0,0 +1 @@
+SSL_CERT dovecot deuxfleurs.fr
diff --git a/app/email/secrets/email/dovecot/dovecot.key b/app/email/secrets/email/dovecot/dovecot.key
new file mode 100644
index 0000000..0d42c79
--- /dev/null
+++ b/app/email/secrets/email/dovecot/dovecot.key
@@ -0,0 +1 @@
+SSL_KEY dovecot
diff --git a/app/email/secrets/email/dovecot/ldap_binddn b/app/email/secrets/email/dovecot/ldap_binddn
new file mode 100644
index 0000000..da380f2
--- /dev/null
+++ b/app/email/secrets/email/dovecot/ldap_binddn
@@ -0,0 +1 @@
+SERVICE_DN dovecot Dovecot IMAP server
diff --git a/app/email/secrets/email/dovecot/ldap_bindpwd b/app/email/secrets/email/dovecot/ldap_bindpwd
new file mode 100644
index 0000000..068f663
--- /dev/null
+++ b/app/email/secrets/email/dovecot/ldap_bindpwd
@@ -0,0 +1 @@
+SERVICE_PASSWORD dovecot
diff --git a/app/email/secrets/email/postfix/postfix.crt b/app/email/secrets/email/postfix/postfix.crt
new file mode 100644
index 0000000..f004d67
--- /dev/null
+++ b/app/email/secrets/email/postfix/postfix.crt
@@ -0,0 +1 @@
+SSL_CERT postfix deuxfleurs.fr
diff --git a/app/email/secrets/email/postfix/postfix.key b/app/email/secrets/email/postfix/postfix.key
new file mode 100644
index 0000000..2cf1706
--- /dev/null
+++ b/app/email/secrets/email/postfix/postfix.key
@@ -0,0 +1 @@
+SSL_KEY postfix
diff --git a/app/email/secrets/email/sogo/ldap_binddn b/app/email/secrets/email/sogo/ldap_binddn
new file mode 100644
index 0000000..df627d3
--- /dev/null
+++ b/app/email/secrets/email/sogo/ldap_binddn
@@ -0,0 +1 @@
+SERVICE_DN sogo SoGo email frontend
diff --git a/app/email/secrets/email/sogo/ldap_bindpw b/app/email/secrets/email/sogo/ldap_bindpw
new file mode 100644
index 0000000..8d2f35b
--- /dev/null
+++ b/app/email/secrets/email/sogo/ldap_bindpw
@@ -0,0 +1 @@
+SERVICE_PASSWORD sogo
diff --git a/app/email/secrets/email/sogo/postgre_auth b/app/email/secrets/email/sogo/postgre_auth
new file mode 100644
index 0000000..4f66253
--- /dev/null
+++ b/app/email/secrets/email/sogo/postgre_auth
@@ -0,0 +1 @@
+USER SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)
diff --git a/app/config/configuration/garage/garage.toml b/app/garage/config/garage.toml
index 51ae81f..4d08cf2 100644
--- a/app/config/configuration/garage/garage.toml
+++ b/app/garage/config/garage.toml
@@ -8,7 +8,12 @@ rpc_bind_addr = "[::]:3901"
consul_host = "consul.service.2.cluster.deuxfleurs.fr:8500"
consul_service_name = "garage-rpc"
-bootstrap_peers = [ ]
+bootstrap_peers = []
+
+max_concurrent_rpc_requests = 12
+data_replication_factor = 3
+meta_replication_factor = 3
+meta_epidemic_fanout = 3
[rpc_tls]
ca_cert = "/garage/garage-ca.crt"
@@ -19,3 +24,7 @@ node_key = "/garage/garage.key"
s3_region = "garage"
api_bind_addr = "[::]:3900"
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".web.deuxfleurs.fr"
+index = "index.html"
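Review bot: The new `[s3_web]` section binds the bucket-website listener on every address (`bind_addr = "[::]:3902"`), and the matching `garage.hcl` change in this commit runs the task with `network_mode = "host"` and a static `port "web" { static = 3902 }`, so the endpoint is reachable on all host interfaces, not only through a reverse proxy. If the intent is for the front proxy to be the sole entry point, either bind to the address the proxy reaches or state that the host firewall is what restricts 3902; a comment such as `# listens on all host interfaces; fronted by <proxy placeholder>, see deploy/garage.hcl` above the section would make that choice visible to the next reader. `root_domain = ".web.deuxfleurs.fr"` presumably relies on a wildcard DNS record, which cannot be confirmed from this diff.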
diff --git a/app/deployment/garage.hcl b/app/garage/deploy/garage.hcl
index d4c7c9e..1be68aa 100644
--- a/app/deployment/garage.hcl
+++ b/app/garage/deploy/garage.hcl
@@ -12,13 +12,14 @@ job "garage" {
network {
port "s3" { static = 3900 }
port "rpc" { static = 3901 }
+ port "web" { static = 3902 }
}
task "server" {
driver = "docker"
config {
advertise_ipv6_address = true
- image = "lxpz/garage_amd64:4"
+ image = "lxpz/garage_amd64:v0.1.1b"
network_mode = "host"
volumes = [
"/mnt/storage/garage/data:/garage/data",
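Review bot: The image reference on the new side is a mutable tag (`image = "lxpz/garage_amd64:v0.1.1b"`), so a re-pull can silently yield different bits; pinning the digest as well, `image = "lxpz/garage_amd64:v0.1.1b@sha256:<digest placeholder>"`, keeps the deployment reproducible. The `b` suffix suggests a rebuilt tag rather than a fresh release, which is precisely the case where recording the digest pays off. The enclosing `task "server"` block starts above and ends below this hunk.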
@@ -31,7 +32,7 @@ job "garage" {
}
template {
- data = file("../config/configuration/garage/garage.toml")
+ data = file("../config/garage.toml")
destination = "secrets/garage.toml"
}
diff --git a/app/build/matrix-synapse/Dockerfile b/app/im/build/matrix-synapse/Dockerfile
index b8480d5..b8480d5 100644
--- a/app/build/matrix-synapse/Dockerfile
+++ b/app/im/build/matrix-synapse/Dockerfile
diff --git a/app/build/matrix-synapse/entrypoint.sh b/app/im/build/matrix-synapse/entrypoint.sh
index b93a702..b93a702 100755
--- a/app/build/matrix-synapse/entrypoint.sh
+++ b/app/im/build/matrix-synapse/entrypoint.sh
diff --git a/app/build/riotweb/Dockerfile b/app/im/build/riotweb/Dockerfile
index 862e2e5..c768e87 100644
--- a/app/build/riotweb/Dockerfile
+++ b/app/im/build/riotweb/Dockerfile
@@ -5,9 +5,9 @@ WORKDIR /root
RUN apt-get update && \
apt-get install -y wget && \
- wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && \
- tar xf riot-v${VERSION}.tar.gz && \
- mv riot-v${VERSION}/ riot/
+ wget https://github.com/vector-im/element-web/releases/download/v${VERSION}/element-v${VERSION}.tar.gz && \
+ tar xf element-v${VERSION}.tar.gz && \
+ mv element-v${VERSION}/ riot/
FROM superboum/amd64_webserver:v3
COPY --from=builder /root/riot /srv/http
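Review bot: The release tarball fetched by `wget` on the new line is extracted and copied into the final image without any integrity check, so a tampered download or a replaced GitHub release asset would go unnoticed at build time. The Element project publishes a detached signature next to each tarball; at minimum pin a checksum through a build argument and verify it before `tar xf`: `ARG SHA256` and `echo "${SHA256}  element-v${VERSION}.tar.gz" | sha256sum -c -`. Verifying the signature with the project's release key would be stronger still.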
diff --git a/app/config/configuration/chat/coturn/turnserver.conf.tpl b/app/im/config/coturn/turnserver.conf.tpl
index f867ac0..f867ac0 100644
--- a/app/config/configuration/chat/coturn/turnserver.conf.tpl
+++ b/app/im/config/coturn/turnserver.conf.tpl
diff --git a/app/config/configuration/chat/easybridge/config.json.tpl b/app/im/config/easybridge/config.json.tpl
index 40ecc44..40ecc44 100644
--- a/app/config/configuration/chat/easybridge/config.json.tpl
+++ b/app/im/config/easybridge/config.json.tpl
diff --git a/app/config/configuration/chat/easybridge/registration.yaml.tpl b/app/im/config/easybridge/registration.yaml.tpl
index ec098fd..ec098fd 100644
--- a/app/config/configuration/chat/easybridge/registration.yaml.tpl
+++ b/app/im/config/easybridge/registration.yaml.tpl
diff --git a/app/config/configuration/chat/fb2mx/config.yaml b/app/im/config/fb2mx/config.yaml
index 964c681..964c681 100644
--- a/app/config/configuration/chat/fb2mx/config.yaml
+++ b/app/im/config/fb2mx/config.yaml
diff --git a/app/config/configuration/chat/fb2mx/registration.yaml b/app/im/config/fb2mx/registration.yaml
index c3d8c05..c3d8c05 100644
--- a/app/config/configuration/chat/fb2mx/registration.yaml
+++ b/app/im/config/fb2mx/registration.yaml
diff --git a/app/config/configuration/chat/riot_web/config.json b/app/im/config/riot_web/config.json
index 9c898f0..9c898f0 100644
--- a/app/config/configuration/chat/riot_web/config.json
+++ b/app/im/config/riot_web/config.json
diff --git a/app/config/configuration/chat/synapse/conf.d/report_stats.yaml b/app/im/config/synapse/conf.d/report_stats.yaml
index cb95cc3..cb95cc3 100644
--- a/app/config/configuration/chat/synapse/conf.d/report_stats.yaml
+++ b/app/im/config/synapse/conf.d/report_stats.yaml
diff --git a/app/config/configuration/chat/synapse/conf.d/server_name.yaml b/app/im/config/synapse/conf.d/server_name.yaml
index 540ce45..540ce45 100644
--- a/app/config/configuration/chat/synapse/conf.d/server_name.yaml
+++ b/app/im/config/synapse/conf.d/server_name.yaml
diff --git a/app/config/configuration/chat/synapse/homeserver.yaml b/app/im/config/synapse/homeserver.yaml
index 7f313f6..7f313f6 100644
--- a/app/config/configuration/chat/synapse/homeserver.yaml
+++ b/app/im/config/synapse/homeserver.yaml
diff --git a/app/config/configuration/chat/synapse/log.yaml b/app/im/config/synapse/log.yaml
index eb69d8f..eb69d8f 100644
--- a/app/config/configuration/chat/synapse/log.yaml
+++ b/app/im/config/synapse/log.yaml
diff --git a/app/deployment/im.hcl b/app/im/deploy/im.hcl
index cb14144..c9591e6 100644
--- a/app/deployment/im.hcl
+++ b/app/im/deploy/im.hcl
@@ -15,7 +15,7 @@ job "im" {
driver = "docker"
config {
- image = "particallydone/amd64_synapse:v39"
+ image = "superboum/amd64_synapse:v40"
network_mode = "host"
readonly_rootfs = true
ports = [ "client_port", "federation_port" ]
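Review bot: The synapse image moves from `particallydone/amd64_synapse:v39` to `superboum/amd64_synapse:v40`, i.e. the image now comes from a different Docker Hub namespace, and the riotweb task further down makes the same switch; nothing in the job records why the publisher changed or what went into the new build. Because both are mutable tags, pin them by digest so the switch is auditable and the pull reproducible: `image = "superboum/amd64_synapse:v40@sha256:<digest>"`. A one-line comment naming the Dockerfile that produced the image (`app/im/build/matrix-synapse/Dockerfile`, moved in this commit) would also help the next reviewer.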
@@ -35,27 +35,27 @@ job "im" {
}
template {
- data = file("../config/configuration/chat/synapse/homeserver.yaml")
+ data = file("../config/synapse/homeserver.yaml")
destination = "secrets/conf/homeserver.yaml"
}
template {
- data = file("../config/configuration/chat/easybridge/registration.yaml.tpl")
+ data = file("../config/easybridge/registration.yaml.tpl")
destination = "secrets/conf/easybridge_registration.yaml"
}
template {
- data = file("../config/configuration/chat/synapse/log.yaml")
+ data = file("../config/synapse/log.yaml")
destination = "secrets/conf/log.yaml"
}
template {
- data = file("../config/configuration/chat/synapse/conf.d/server_name.yaml")
+ data = file("../config/synapse/conf.d/server_name.yaml")
destination = "secrets/conf/server_name.yaml"
}
template {
- data = file("../config/configuration/chat/synapse/conf.d/report_stats.yaml")
+ data = file("../config/synapse/conf.d/report_stats.yaml")
destination = "secrets/conf/report_stats.yaml"
}
@@ -152,12 +152,12 @@ job "im" {
}
template {
- data = file("../config/configuration/chat/easybridge/registration.yaml.tpl")
+ data = file("../config/easybridge/registration.yaml.tpl")
destination = "secrets/conf/registration.yaml"
}
template {
- data = file("../config/configuration/chat/easybridge/config.json.tpl")
+ data = file("../config/easybridge/config.json.tpl")
destination = "secrets/conf/config.json"
}
@@ -220,7 +220,7 @@ job "im" {
task "server" {
driver = "docker"
config {
- image = "particallydone/amd64_riotweb:v18"
+ image = "superboum/amd64_riotweb:v19"
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/srv/http/config.json"
@@ -228,7 +228,7 @@ job "im" {
}
template {
- data = file("../config/configuration/chat/riot_web/config.json")
+ data = file("../config/riot_web/config.json")
destination = "secrets/config.json"
}
diff --git a/app/im/secrets/chat/coturn/static-auth b/app/im/secrets/chat/coturn/static-auth
new file mode 100644
index 0000000..d23be29
--- /dev/null
+++ b/app/im/secrets/chat/coturn/static-auth
@@ -0,0 +1 @@
+USER cotorn static-auth (what is this?)
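Review bot: The description `cotorn static-auth (what is this?)` leaves the operator guessing at a security-relevant value: judging by its name this file presumably feeds coturn's `static-auth-secret`, the shared secret from which time-limited TURN credentials are derived, and it has to match the `turn_shared_secret` Synapse is configured with (the templates are not visible in this hunk, so confirm the same file is referenced on both sides). A random value is all that is needed, so it should not be typed by a human; generating it as the plume secrets in this commit do keeps it strong: `CMD openssl rand -hex 32`. Also fix the typo `cotorn` → `coturn` in the description.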
diff --git a/app/im/secrets/chat/fb2mx/as_token b/app/im/secrets/chat/fb2mx/as_token
new file mode 100644
index 0000000..20b76d4
--- /dev/null
+++ b/app/im/secrets/chat/fb2mx/as_token
@@ -0,0 +1 @@
+USER fb2mx API server token
diff --git a/app/im/secrets/chat/fb2mx/db_url b/app/im/secrets/chat/fb2mx/db_url
new file mode 100644
index 0000000..f06e265
--- /dev/null
+++ b/app/im/secrets/chat/fb2mx/db_url
@@ -0,0 +1 @@
+USER fb2mx database URL, format: postgres://username:password@hostname/dbname
diff --git a/app/im/secrets/chat/fb2mx/hs_token b/app/im/secrets/chat/fb2mx/hs_token
new file mode 100644
index 0000000..8808f8f
--- /dev/null
+++ b/app/im/secrets/chat/fb2mx/hs_token
@@ -0,0 +1 @@
+USER fb2mx homeserver token
diff --git a/app/im/secrets/chat/synapse/homeserver.tls.crt b/app/im/secrets/chat/synapse/homeserver.tls.crt
new file mode 100644
index 0000000..b696093
--- /dev/null
+++ b/app/im/secrets/chat/synapse/homeserver.tls.crt
@@ -0,0 +1 @@
+SSL_CERT synapse im.deuxfleurs.fr
diff --git a/app/im/secrets/chat/synapse/homeserver.tls.dh b/app/im/secrets/chat/synapse/homeserver.tls.dh
new file mode 100644
index 0000000..0231fed
--- /dev/null
+++ b/app/im/secrets/chat/synapse/homeserver.tls.dh
@@ -0,0 +1 @@
+USER_LONG DH parameters for matrix ssl key? how does this work?
diff --git a/app/im/secrets/chat/synapse/homeserver.tls.key b/app/im/secrets/chat/synapse/homeserver.tls.key
new file mode 100644
index 0000000..feee544
--- /dev/null
+++ b/app/im/secrets/chat/synapse/homeserver.tls.key
@@ -0,0 +1 @@
+SSL_KEY synapse im.deuxfleurs.fr
diff --git a/app/im/secrets/chat/synapse/ldap_binddn b/app/im/secrets/chat/synapse/ldap_binddn
new file mode 100644
index 0000000..2631bef
--- /dev/null
+++ b/app/im/secrets/chat/synapse/ldap_binddn
@@ -0,0 +1 @@
+SERVICE_DN matrix Matrix chat server
diff --git a/app/im/secrets/chat/synapse/ldap_bindpw b/app/im/secrets/chat/synapse/ldap_bindpw
new file mode 100644
index 0000000..ba07446
--- /dev/null
+++ b/app/im/secrets/chat/synapse/ldap_bindpw
@@ -0,0 +1 @@
+SERVICE_PASSWORD matrix
diff --git a/app/im/secrets/chat/synapse/postgres_db b/app/im/secrets/chat/synapse/postgres_db
new file mode 100644
index 0000000..74eefa7
--- /dev/null
+++ b/app/im/secrets/chat/synapse/postgres_db
@@ -0,0 +1 @@
+CONST synapse
diff --git a/app/im/secrets/chat/synapse/postgres_pwd b/app/im/secrets/chat/synapse/postgres_pwd
new file mode 100644
index 0000000..ba07446
--- /dev/null
+++ b/app/im/secrets/chat/synapse/postgres_pwd
@@ -0,0 +1 @@
+SERVICE_PASSWORD matrix
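Review bot: `SERVICE_PASSWORD matrix` here is the same directive — and the same blob (`ba07446`) — as `ldap_bindpw` above, so the Synapse database password is the LDAP service-account password. If Postgres authenticates the `matrix` role locally rather than via LDAP/PAM, this reuse means a leaked database connection string also yields an LDAP bind credential; in that case generate an independent value, e.g. `CMD openssl rand -hex 32`. If the reuse is intentional because the role is authenticated against LDAP, state that in the description so nobody 'fixes' it later.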
diff --git a/app/im/secrets/chat/synapse/postgres_user b/app/im/secrets/chat/synapse/postgres_user
new file mode 100644
index 0000000..b08e86a
--- /dev/null
+++ b/app/im/secrets/chat/synapse/postgres_user
@@ -0,0 +1 @@
+CONST matrix
diff --git a/app/im/secrets/chat/synapse/registration_shared_secret b/app/im/secrets/chat/synapse/registration_shared_secret
new file mode 100644
index 0000000..395cccc
--- /dev/null
+++ b/app/im/secrets/chat/synapse/registration_shared_secret
@@ -0,0 +1 @@
+USER Shared secret for homeserver registrations (?)
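Review bot: `USER Shared secret for homeserver registrations (?)` asks the operator to invent a secret that no human ever needs to remember: this value is Synapse's `registration_shared_secret`, which authorises account creation through the admin register endpoint even when open registration is disabled, so a weak or reused value lets anyone create accounts. Generate it the way the plume secrets in this commit do, `CMD openssl rand -hex 32`, and drop the trailing `(?)` once the description is settled. The same argument applies to the fb2mx `as_token`/`hs_token` files above if they are consumed only through templated files.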
diff --git a/app/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile
index e2c459c..e2c459c 100644
--- a/app/build/jitsi-conference-focus/Dockerfile
+++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile
diff --git a/app/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo
index 2bc6e3f..2bc6e3f 100755
--- a/app/build/jitsi-conference-focus/jicofo
+++ b/app/jitsi/build/jitsi-conference-focus/jicofo
diff --git a/app/build/jitsi-conference-focus/sip-communicator.properties b/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties
index 53c32e2..53c32e2 100644
--- a/app/build/jitsi-conference-focus/sip-communicator.properties
+++ b/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties
diff --git a/app/build/jitsi-meet/Dockerfile b/app/jitsi/build/jitsi-meet/Dockerfile
index feef115..feef115 100644
--- a/app/build/jitsi-meet/Dockerfile
+++ b/app/jitsi/build/jitsi-meet/Dockerfile
diff --git a/app/build/jitsi-meet/config.js b/app/jitsi/build/jitsi-meet/config.js
index 18ff319..18ff319 100644
--- a/app/build/jitsi-meet/config.js
+++ b/app/jitsi/build/jitsi-meet/config.js
diff --git a/app/build/jitsi-meet/entrypoint.sh b/app/jitsi/build/jitsi-meet/entrypoint.sh
index 1cd96dc..1cd96dc 100755
--- a/app/build/jitsi-meet/entrypoint.sh
+++ b/app/jitsi/build/jitsi-meet/entrypoint.sh
diff --git a/app/build/jitsi-videobridge/Dockerfile b/app/jitsi/build/jitsi-videobridge/Dockerfile
index c17fb4f..c17fb4f 100644
--- a/app/build/jitsi-videobridge/Dockerfile
+++ b/app/jitsi/build/jitsi-videobridge/Dockerfile
diff --git a/app/build/jitsi-videobridge/jvb_run b/app/jitsi/build/jitsi-videobridge/jvb_run
index b86c911..b86c911 100755
--- a/app/build/jitsi-videobridge/jvb_run
+++ b/app/jitsi/build/jitsi-videobridge/jvb_run
diff --git a/app/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile
index f3dcd36..f3dcd36 100644
--- a/app/build/jitsi-xmpp/Dockerfile
+++ b/app/jitsi/build/jitsi-xmpp/Dockerfile
diff --git a/app/build/jitsi-xmpp/external_components.cfg.lua b/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua
index beaaa87..beaaa87 100644
--- a/app/build/jitsi-xmpp/external_components.cfg.lua
+++ b/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua
diff --git a/app/build/jitsi-xmpp/xmpp_conf b/app/jitsi/build/jitsi-xmpp/xmpp_conf
index 34b2cb3..34b2cb3 100755
--- a/app/build/jitsi-xmpp/xmpp_conf
+++ b/app/jitsi/build/jitsi-xmpp/xmpp_conf
diff --git a/app/build/jitsi-xmpp/xmpp_gen b/app/jitsi/build/jitsi-xmpp/xmpp_gen
index 3a2e04a..3a2e04a 100755
--- a/app/build/jitsi-xmpp/xmpp_gen
+++ b/app/jitsi/build/jitsi-xmpp/xmpp_gen
diff --git a/app/build/jitsi-xmpp/xmpp_run b/app/jitsi/build/jitsi-xmpp/xmpp_run
index 6383b65..6383b65 100755
--- a/app/build/jitsi-xmpp/xmpp_run
+++ b/app/jitsi/build/jitsi-xmpp/xmpp_run
diff --git a/app/config/configuration/jitsi/global_env.tpl b/app/jitsi/config/global_env.tpl
index 836a131..836a131 100644
--- a/app/config/configuration/jitsi/global_env.tpl
+++ b/app/jitsi/config/global_env.tpl
diff --git a/app/deployment/jitsi.hcl b/app/jitsi/deploy/jitsi.hcl
index 9c1edd5..852e1e6 100644
--- a/app/deployment/jitsi.hcl
+++ b/app/jitsi/deploy/jitsi.hcl
@@ -27,7 +27,7 @@ job "jitsi" {
}
template {
- data = file("../config/configuration/jitsi/global_env.tpl")
+ data = file("../config/global_env.tpl")
destination = "secrets/global_env"
env = true
}
@@ -94,13 +94,13 @@ job "jitsi" {
task "front" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_meet:v2"
+ image = "superboum/amd64_jitsi_meet:v3"
network_mode = "host"
ports = [ "https_port" ]
}
template {
- data = file("../config/configuration/jitsi/global_env.tpl")
+ data = file("../config/global_env.tpl")
destination = "secrets/global_env"
env = true
}
@@ -148,12 +148,12 @@ job "jitsi" {
task "jicofo" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_conference_focus:v5"
+ image = "superboum/amd64_jitsi_conference_focus:v6"
network_mode = "host"
}
template {
- data = file("../config/configuration/jitsi/global_env.tpl")
+ data = file("../config/global_env.tpl")
destination = "secrets/global_env"
env = true
}
@@ -178,7 +178,7 @@ job "jitsi" {
task "videobridge" {
driver = "docker"
config {
- image = "superboum/amd64_jitsi_videobridge:v15"
+ image = "superboum/amd64_jitsi_videobridge:v16"
network_mode = "host"
ports = [ "video1_port", "video2_port" ]
ulimit {
@@ -194,7 +194,7 @@ job "jitsi" {
}
template {
- data = file("../config/configuration/jitsi/global_env.tpl")
+ data = file("../config/global_env.tpl")
destination = "secrets/global_env"
env = true
}
diff --git a/app/integration/jitsi/01_gen_certs.yml b/app/jitsi/integratio/01_gen_certs.yml
index bf73291..bf73291 100644
--- a/app/integration/jitsi/01_gen_certs.yml
+++ b/app/jitsi/integratio/01_gen_certs.yml
diff --git a/app/integration/jitsi/02_run.yml b/app/jitsi/integratio/02_run.yml
index 73eefad..73eefad 100644
--- a/app/integration/jitsi/02_run.yml
+++ b/app/jitsi/integratio/02_run.yml
diff --git a/app/integration/jitsi/README.md b/app/jitsi/integratio/README.md
index 70b59fc..70b59fc 100644
--- a/app/integration/jitsi/README.md
+++ b/app/jitsi/integratio/README.md
diff --git a/app/integration/jitsi/dev.env b/app/jitsi/integratio/dev.env
index 1dd2122..1dd2122 100644
--- a/app/integration/jitsi/dev.env
+++ b/app/jitsi/integratio/dev.env
diff --git a/app/integration/jitsi/jitsi-certs/.gitignore b/app/jitsi/integratio/jitsi-certs/.gitignore
index d6b7ef3..d6b7ef3 100644
--- a/app/integration/jitsi/jitsi-certs/.gitignore
+++ b/app/jitsi/integratio/jitsi-certs/.gitignore
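Review bot: The jitsi integration files are moved to `app/jitsi/integratio/`, which drops the final `n` of `integration`, while the nextcloud and plume trees in the same commit use `app/nextcloud/integration/` and `app/plume/integration/`. Anything that addresses the directory by its conventional name, including the README's own instructions, will miss it. Rename the target to `app/jitsi/integration/` before this lands.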
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
new file mode 100644
index 0000000..f2c4d4b
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt
@@ -0,0 +1 @@
+SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr
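Review bot: The hostname in `SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr` is misspelled (`autj` for `auth`) and disagrees with the file's own name `auth.jitsi.deuxfleurs.fr.crt`; if the second argument is what the tooling uses to issue or validate the certificate, the XMPP auth domain would get a certificate for a name that does not exist. The `.key` file below carries the same typo. Change both to `SSL_CERT jitsi_auth auth.jitsi.deuxfleurs.fr` and `SSL_KEY jitsi_auth auth.jitsi.deuxfleurs.fr`.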
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
new file mode 100644
index 0000000..4a332f8
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key
@@ -0,0 +1 @@
+SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
new file mode 100644
index 0000000..32750d3
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt
@@ -0,0 +1 @@
+SSL_CERT jitsi jitsi.deuxfleurs.fr
diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
new file mode 100644
index 0000000..7676132
--- /dev/null
+++ b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key
@@ -0,0 +1 @@
+SSL_KEY jitsi
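Review bot: `SSL_KEY jitsi` omits the hostname that the matching certificate file gives as `SSL_CERT jitsi jitsi.deuxfleurs.fr`, and every other SSL_KEY directive in this commit carries the hostname as its second argument. If the directive parser expects it, this file will fail to resolve; if it is optional, the asymmetry is still a trap for whoever regenerates the pair. Make it `SSL_KEY jitsi jitsi.deuxfleurs.fr`.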
diff --git a/app/build/nextcloud/Dockerfile b/app/nextcloud/build/nextcloud/Dockerfile
index 9f817f6..9f817f6 100644
--- a/app/build/nextcloud/Dockerfile
+++ b/app/nextcloud/build/nextcloud/Dockerfile
diff --git a/app/build/nextcloud/container-setup.sh b/app/nextcloud/build/nextcloud/container-setup.sh
index 8330291..8330291 100755
--- a/app/build/nextcloud/container-setup.sh
+++ b/app/nextcloud/build/nextcloud/container-setup.sh
diff --git a/app/build/nextcloud/entrypoint.sh b/app/nextcloud/build/nextcloud/entrypoint.sh
index 72b4f94..72b4f94 100755
--- a/app/build/nextcloud/entrypoint.sh
+++ b/app/nextcloud/build/nextcloud/entrypoint.sh
diff --git a/app/config/configuration/nextcloud/config.php.tpl b/app/nextcloud/config/config.php.tpl
index 7dcfc6e..7dcfc6e 100644
--- a/app/config/configuration/nextcloud/config.php.tpl
+++ b/app/nextcloud/config/config.php.tpl
diff --git a/app/deployment/nextcloud.hcl b/app/nextcloud/deploy/nextcloud.hcl
index 8eed7d9..8852787 100644
--- a/app/deployment/nextcloud.hcl
+++ b/app/nextcloud/deploy/nextcloud.hcl
@@ -28,7 +28,7 @@ job "nextcloud" {
}
template {
- data = file("../config/configuration/nextcloud/config.php.tpl")
+ data = file("../config/config.php.tpl")
destination = "secrets/config.php"
}
diff --git a/app/nextcloud/integration/README.md b/app/nextcloud/integration/README.md
new file mode 100644
index 0000000..3d49768
--- /dev/null
+++ b/app/nextcloud/integration/README.md
@@ -0,0 +1,20 @@
+Install Owncloud CLI:
+
+php ./occ \
+ --no-interaction \
+ --verbose \
+ maintenance:install \
+ --database pgsql \
+ --database-name nextcloud \
+ --database-host postgres \
+ --database-user nextcloud \
+ --database-pass nextcloud \
+ --admin-user nextcloud \
+ --admin-pass nextcloud \
+ --admin-email coucou@deuxfleurs.fr
+
+Official image entrypoint:
+
+https://github.com/nextcloud/docker/blob/master/20.0/fpm/entrypoint.sh
+
+
diff --git a/app/integration/plume/bottin.json b/app/nextcloud/integration/bottin.json
index a970762..a970762 100644
--- a/app/integration/plume/bottin.json
+++ b/app/nextcloud/integration/bottin.json
diff --git a/app/nextcloud/integration/docker-compose.yml b/app/nextcloud/integration/docker-compose.yml
new file mode 100644
index 0000000..7ba090b
--- /dev/null
+++ b/app/nextcloud/integration/docker-compose.yml
@@ -0,0 +1,27 @@
+version: '3.4'
+services:
+ php:
+ image: lxpz/deuxfleurs_nextcloud_amd64:8
+ depends_on:
+ - bottin
+ - postgres
+ ports:
+ - "80:80"
+
+ postgres:
+ image: postgres:9.6.19
+ environment:
+ - POSTGRES_DB=nextcloud
+ - POSTGRES_USER=nextcloud
+ - POSTGRES_PASSWORD=nextcloud
+
+ bottin:
+ image: lxpz/bottin_amd64:14
+ depends_on:
+ - consul
+ volumes:
+ - ./bottin.json:/config.json
+
+ consul:
+ image: consul:1.8.4
+
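Review bot: The `php` service publishes `"80:80"`, which binds the development Nextcloud — whose admin account is `nextcloud`/`nextcloud` according to the README next to it — on every interface of the developer's machine, not just loopback. Restrict the mapping to `"127.0.0.1:80:80"` so the instance is reachable only locally. The database also runs with `POSTGRES_PASSWORD=nextcloud`, which is acceptable for a throwaway compose but deserves a comment saying so: `# local integration only — never reuse these credentials`.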
diff --git a/app/deployment/platoo.hcl b/app/platoo/deploy/platoo.hcl
index ffdda9e..ffdda9e 100644
--- a/app/deployment/platoo.hcl
+++ b/app/platoo/deploy/platoo.hcl
diff --git a/app/platoo/secrets/platoo/bddpw b/app/platoo/secrets/platoo/bddpw
new file mode 100644
index 0000000..1c9d86e
--- /dev/null
+++ b/app/platoo/secrets/platoo/bddpw
@@ -0,0 +1 @@
+SERVICE_PASSWORD platoo
diff --git a/app/build/plume/Dockerfile b/app/plume/build/plume/Dockerfile
index 9199e1e..4e05424 100644
--- a/app/build/plume/Dockerfile
+++ b/app/plume/build/plume/Dockerfile
@@ -19,7 +19,7 @@ RUN apt-get update && \
ARG VERSION
WORKDIR /opt
-RUN git clone -n https://git.deuxfleurs.fr/Deuxfleurs/plume.git
+RUN git clone -n https://git.joinplu.me/Plume/Plume.git plume
WORKDIR /opt/plume
RUN git checkout ${VERSION}
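Review bot: `git clone -n https://git.joinplu.me/Plume/Plume.git plume` followed by `git checkout ${VERSION}` now builds from upstream instead of the Deuxfleurs fork, and if `VERSION` is a tag or branch the checkout is mutable — a force-pushed tag on the upstream forge silently changes what gets built. Require a full commit hash and fail the build otherwise, e.g. `RUN git checkout ${VERSION} && [ "$(git rev-parse HEAD)" = "${VERSION}" ]`. A comment above the `RUN git clone` line recording why the source moved would also help the next reader.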
@@ -52,5 +52,3 @@ COPY --from=builder /usr/local/cargo/bin/plume /usr/local/bin/
COPY plm-start /usr/local/bin/
CMD ["plm-start"]
-
-EXPOSE 7878
diff --git a/app/build/plume/README.md b/app/plume/build/plume/README.md
index 6d86d81..6d86d81 100644
--- a/app/build/plume/README.md
+++ b/app/plume/build/plume/README.md
diff --git a/app/build/plume/plm-start b/app/plume/build/plume/plm-start
index da9d288..da9d288 100755
--- a/app/build/plume/plm-start
+++ b/app/plume/build/plume/plm-start
diff --git a/app/config/configuration/plume/app.env b/app/plume/config/app.env
index 1c234e7..1c234e7 100644
--- a/app/config/configuration/plume/app.env
+++ b/app/plume/config/app.env
diff --git a/app/deployment/plume.hcl b/app/plume/deploy/plume.hcl
index 59ec28a..0a82c57 100644
--- a/app/deployment/plume.hcl
+++ b/app/plume/deploy/plume.hcl
@@ -17,7 +17,7 @@ job "plume" {
task "plume" {
driver = "docker"
config {
- image = "superboum/plume:v1"
+ image = "superboum/plume:v2"
network_mode = "host"
ports = [ "web_port" ]
#command = "cat"
@@ -29,7 +29,7 @@ job "plume" {
}
template {
- data = file("../config/configuration/plume/app.env")
+ data = file("../config/app.env")
destination = "secrets/app.env"
env = true
}
diff --git a/app/plume/integration/bottin.json b/app/plume/integration/bottin.json
new file mode 100644
index 0000000..a970762
--- /dev/null
+++ b/app/plume/integration/bottin.json
@@ -0,0 +1,31 @@
+{
+ "suffix": "dc=deuxfleurs,dc=fr",
+ "bind": "0.0.0.0:389",
+ "consul_host": "http://consul:8500",
+ "log_level": "debug",
+ "acl": [
+ "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword",
+ "*::read modify:SELF:*",
+ "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
+ "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
+ "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*",
+ "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*",
+
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*",
+ "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*",
+
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*",
+
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*",
+
+ "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
+ "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*"
+ ]
+}
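Review bot: The rule `*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*` near the end of the `acl` list looks like a copy-paste slip: every other rule in that group targets `cn=<app>,ou=groups,...`, and the line just before it grants the same right on `cn=nextcloud,ou=groups,...` to asso members. As written, invitees cannot add themselves to the nextcloud group, and the rule grants a right on a DN that presumably does not exist; it should read `*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*`. The nextcloud copy of this file introduced by the rename above has the same blob and therefore the same line.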
diff --git a/app/integration/plume/docker-compose.yml b/app/plume/integration/docker-compose.yml
index b88de8a..b88de8a 100644
--- a/app/integration/plume/docker-compose.yml
+++ b/app/plume/integration/docker-compose.yml
diff --git a/app/integration/plume/plume.env b/app/plume/integration/plume.env
index 88c62dc..88c62dc 100644
--- a/app/integration/plume/plume.env
+++ b/app/plume/integration/plume.env
diff --git a/app/plume/secrets/plume/pgsql_pw b/app/plume/secrets/plume/pgsql_pw
new file mode 100644
index 0000000..978be54
--- /dev/null
+++ b/app/plume/secrets/plume/pgsql_pw
@@ -0,0 +1 @@
+CMD openssl rand -base64 32
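Review bot: `CMD openssl rand -base64 32` yields `+`, `/` and `=` characters, which are reserved in URLs; if this password is interpolated into Plume's database URL (the `postgres://user:pass@host/db` form the fb2mx `db_url` description in this commit spells out), an unescaped `/` or `+` will break parsing or silently alter the credential. Generating a hex string avoids the problem for every consumer: `CMD openssl rand -hex 32`. The template `app/plume/config/app.env` that consumes it is not shown here, so confirm how the value is embedded.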
diff --git a/app/plume/secrets/plume/secret_key b/app/plume/secrets/plume/secret_key
new file mode 100644
index 0000000..978be54
--- /dev/null
+++ b/app/plume/secrets/plume/secret_key
@@ -0,0 +1 @@
+CMD openssl rand -base64 32
diff --git a/app/build/postgres/Dockerfile b/app/postgres/build/postgres/Dockerfile
index bb018b8..bb018b8 100644
--- a/app/build/postgres/Dockerfile
+++ b/app/postgres/build/postgres/Dockerfile
diff --git a/app/build/postgres/README.md b/app/postgres/build/postgres/README.md
index d2f7a12..d2f7a12 100644
--- a/app/build/postgres/README.md
+++ b/app/postgres/build/postgres/README.md
diff --git a/app/build/postgres/postgresql.conf b/app/postgres/build/postgres/postgresql.conf
index 8e0af2b..8e0af2b 100644
--- a/app/build/postgres/postgresql.conf
+++ b/app/postgres/build/postgres/postgresql.conf
diff --git a/app/build/postgres/start.sh b/app/postgres/build/postgres/start.sh
index f1d493f..f1d493f 100755
--- a/app/build/postgres/start.sh
+++ b/app/postgres/build/postgres/start.sh
diff --git a/app/config/configuration/postgres/keeper/env.tpl b/app/postgres/config/keeper/env.tpl
index 7831aad..7831aad 100644
--- a/app/config/configuration/postgres/keeper/env.tpl
+++ b/app/postgres/config/keeper/env.tpl
diff --git a/app/deployment/postgres.hcl b/app/postgres/deploy/postgres.hcl
index 388c65e..f5eec51 100644
--- a/app/deployment/postgres.hcl
+++ b/app/postgres/deploy/postgres.hcl
@@ -101,7 +101,7 @@ job "postgres" {
}
template {
- data = file("../config/configuration/postgres/keeper/env.tpl")
+ data = file("../config/keeper/env.tpl")
destination = "secrets/env"
env = true
}
diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_pwd b/app/postgres/secrets/postgres/keeper/pg_repl_pwd
new file mode 100644
index 0000000..ae0c229
--- /dev/null
+++ b/app/postgres/secrets/postgres/keeper/pg_repl_pwd
@@ -0,0 +1 @@
+SERVICE_PASSWORD replicator
diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_username b/app/postgres/secrets/postgres/keeper/pg_repl_username
new file mode 100644
index 0000000..58e6e46
--- /dev/null
+++ b/app/postgres/secrets/postgres/keeper/pg_repl_username
@@ -0,0 +1 @@
+CONST replicator
diff --git a/app/postgres/secrets/postgres/keeper/pg_su_pwd b/app/postgres/secrets/postgres/keeper/pg_su_pwd
new file mode 100644
index 0000000..907e2b8
--- /dev/null
+++ b/app/postgres/secrets/postgres/keeper/pg_su_pwd
@@ -0,0 +1 @@
+USER postgres superuser password
diff --git a/app/requirements.txt b/app/requirements.txt
new file mode 100644
index 0000000..7874d93
--- /dev/null
+++ b/app/requirements.txt
@@ -0,0 +1,3 @@
+python-consul==1.1.0
+python-ldap==3.3.1
+passlib==1.7.4
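Review bot: The three dependencies are pinned to exact versions, which is good, but without `--hash=sha256:...` entries pip will install whatever the index serves under those versions, and the script that imports them (`secretmgr.py`, added in this commit) handles every credential of the platform. Generating the file with `pip-compile --generate-hashes`, or adding the hashes by hand, and installing with `pip install --require-hashes -r requirements.txt` closes that gap.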
diff --git a/app/deployment/science.hcl b/app/science/deploy/science.hcl
index 1aee7a8..1aee7a8 100644
--- a/app/deployment/science.hcl
+++ b/app/science/deploy/science.hcl
diff --git a/app/build/mariadb/60-disable-dialog.cnf b/app/seafile/build/mariadb/60-disable-dialog.cnf
index d41731a..d41731a 100644
--- a/app/build/mariadb/60-disable-dialog.cnf
+++ b/app/seafile/build/mariadb/60-disable-dialog.cnf
diff --git a/app/build/mariadb/60-ldap.cnf b/app/seafile/build/mariadb/60-ldap.cnf
index 72ffb9f..72ffb9f 100644
--- a/app/build/mariadb/60-ldap.cnf
+++ b/app/seafile/build/mariadb/60-ldap.cnf
diff --git a/app/build/mariadb/60-remote.cnf b/app/seafile/build/mariadb/60-remote.cnf
index acf8f9b..acf8f9b 100644
--- a/app/build/mariadb/60-remote.cnf
+++ b/app/seafile/build/mariadb/60-remote.cnf
diff --git a/app/build/mariadb/Dockerfile b/app/seafile/build/mariadb/Dockerfile
index 15ef954..15ef954 100644
--- a/app/build/mariadb/Dockerfile
+++ b/app/seafile/build/mariadb/Dockerfile
diff --git a/app/build/mariadb/README.md b/app/seafile/build/mariadb/README.md
index 1a3b8aa..1a3b8aa 100644
--- a/app/build/mariadb/README.md
+++ b/app/seafile/build/mariadb/README.md
diff --git a/app/build/mariadb/entrypoint.sh b/app/seafile/build/mariadb/entrypoint.sh
index 7ebf049..7ebf049 100755
--- a/app/build/mariadb/entrypoint.sh
+++ b/app/seafile/build/mariadb/entrypoint.sh
diff --git a/app/build/mariadb/nsswitch.conf b/app/seafile/build/mariadb/nsswitch.conf
index 853348e..853348e 100644
--- a/app/build/mariadb/nsswitch.conf
+++ b/app/seafile/build/mariadb/nsswitch.conf
diff --git a/app/build/mariadb/pam-mariadb b/app/seafile/build/mariadb/pam-mariadb
index e1bb814..e1bb814 100644
--- a/app/build/mariadb/pam-mariadb
+++ b/app/seafile/build/mariadb/pam-mariadb
diff --git a/app/build/seafile/Dockerfile b/app/seafile/build/seafile/Dockerfile
index 88dee4f..88dee4f 100644
--- a/app/build/seafile/Dockerfile
+++ b/app/seafile/build/seafile/Dockerfile
diff --git a/app/build/seafile/README.md b/app/seafile/build/seafile/README.md
index 26d04e0..26d04e0 100644
--- a/app/build/seafile/README.md
+++ b/app/seafile/build/seafile/README.md
diff --git a/app/build/seafile/seadocker b/app/seafile/build/seafile/seadocker
index 5b5982b..5b5982b 100755
--- a/app/build/seafile/seadocker
+++ b/app/seafile/build/seafile/seadocker
diff --git a/app/build/seafile/seaenv b/app/seafile/build/seafile/seaenv
index 3b0e0bb..3b0e0bb 100755
--- a/app/build/seafile/seaenv
+++ b/app/seafile/build/seafile/seaenv
diff --git a/app/config/configuration/seafile/ccnet/seafile.ini b/app/seafile/config/ccnet/seafile.ini
index 306d126..306d126 100644
--- a/app/config/configuration/seafile/ccnet/seafile.ini
+++ b/app/seafile/config/ccnet/seafile.ini
diff --git a/app/config/configuration/seafile/conf/ccnet.conf.tpl b/app/seafile/config/conf/ccnet.conf.tpl
index 2395a9b..2395a9b 100644
--- a/app/config/configuration/seafile/conf/ccnet.conf.tpl
+++ b/app/seafile/config/conf/ccnet.conf.tpl
diff --git a/app/config/configuration/seafile/conf/gunicorn.conf b/app/seafile/config/conf/gunicorn.conf
index 415fd32..415fd32 100644
--- a/app/config/configuration/seafile/conf/gunicorn.conf
+++ b/app/seafile/config/conf/gunicorn.conf
diff --git a/app/config/configuration/seafile/conf/seafdav.conf b/app/seafile/config/conf/seafdav.conf
index af78547..af78547 100644
--- a/app/config/configuration/seafile/conf/seafdav.conf
+++ b/app/seafile/config/conf/seafdav.conf
diff --git a/app/config/configuration/seafile/conf/seafile.conf.tpl b/app/seafile/config/conf/seafile.conf.tpl
index a6425e9..a6425e9 100644
--- a/app/config/configuration/seafile/conf/seafile.conf.tpl
+++ b/app/seafile/config/conf/seafile.conf.tpl
diff --git a/app/config/configuration/seafile/conf/seahub_settings.py.tpl b/app/seafile/config/conf/seahub_settings.py.tpl
index 6c63ee4..6c63ee4 100644
--- a/app/config/configuration/seafile/conf/seahub_settings.py.tpl
+++ b/app/seafile/config/conf/seahub_settings.py.tpl
diff --git a/app/config/configuration/mariadb/main/env.tpl b/app/seafile/config/mariadb/main/env.tpl
index 0fe903b..0fe903b 100644
--- a/app/config/configuration/mariadb/main/env.tpl
+++ b/app/seafile/config/mariadb/main/env.tpl
diff --git a/app/deployment/seafile.hcl b/app/seafile/deploy/seafile.hcl
index 3af7db3..d8488d2 100644
--- a/app/deployment/seafile.hcl
+++ b/app/seafile/deploy/seafile.hcl
@@ -35,7 +35,7 @@ job "seafile" {
}
template {
- data = file("../config/configuration/mariadb/main/env.tpl")
+ data = file("../config/mariadb/main/env.tpl")
destination = "secrets/env"
env = true
}
@@ -179,30 +179,30 @@ job "seafile" {
}
template {
- data = file("../config/configuration/seafile/conf/ccnet.conf.tpl")
+ data = file("../config/conf/ccnet.conf.tpl")
destination = "secrets/conf/ccnet.conf"
}
template {
- data = file("../config/configuration/seafile/conf/seafile.conf.tpl")
+ data = file("../config/conf/seafile.conf.tpl")
destination = "secrets/conf/seafile.conf"
}
template {
- data = file("../config/configuration/seafile/conf/seahub_settings.py.tpl")
+ data = file("../config/conf/seahub_settings.py.tpl")
destination = "secrets/conf/seahub_settings.py"
}
template {
- data = file("../config/configuration/seafile/ccnet/seafile.ini")
+ data = file("../config/ccnet/seafile.ini")
destination = "secrets/ccnet/seafile.ini"
}
template {
- data = file("../config/configuration/seafile/conf/seafdav.conf")
+ data = file("../config/conf/seafdav.conf")
destination = "secrets/conf/seafdav.conf"
}
template {
- data = file("../config/configuration/seafile/conf/gunicorn.conf")
+ data = file("../config/conf/gunicorn.conf")
destination = "secrets/conf/gunicorn.conf"
}
diff --git a/app/seafile/secrets/mariadb/main/ldap_binddn b/app/seafile/secrets/mariadb/main/ldap_binddn
new file mode 100644
index 0000000..e77ff39
--- /dev/null
+++ b/app/seafile/secrets/mariadb/main/ldap_binddn
@@ -0,0 +1 @@
+SERVICE_DN mysql MySQL/MariaDB database
diff --git a/app/seafile/secrets/mariadb/main/ldap_bindpwd b/app/seafile/secrets/mariadb/main/ldap_bindpwd
new file mode 100644
index 0000000..c29f983
--- /dev/null
+++ b/app/seafile/secrets/mariadb/main/ldap_bindpwd
@@ -0,0 +1 @@
+SERVICE_PASSWORD mysql
diff --git a/app/seafile/secrets/mariadb/main/mysql_pwd b/app/seafile/secrets/mariadb/main/mysql_pwd
new file mode 100644
index 0000000..ae7fd75
--- /dev/null
+++ b/app/seafile/secrets/mariadb/main/mysql_pwd
@@ -0,0 +1 @@
+USER mysql_pwd (what is this?)
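Review bot: The text after `USER` is what secretmgr prints as `Description:` when it prompts the operator for this value, so `mysql_pwd (what is this?)` leaves the person filling in the secret with no idea which account's password to enter or how strong it must be. Replace it with a one-line description naming the account and its consumer, e.g. `USER Password of the MariaDB account used by Seafile (rendered into mariadb/main/env.tpl — confirm)`; the env.tpl link is inferred from the matching config path and should be verified before committing it. If the value is actually generated rather than chosen, a `CMD` directive would remove the prompt entirely.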
diff --git a/app/seafile/secrets/seafile/conf/mykey.peer b/app/seafile/secrets/seafile/conf/mykey.peer
new file mode 100644
index 0000000..12f0e5f
--- /dev/null
+++ b/app/seafile/secrets/seafile/conf/mykey.peer
@@ -0,0 +1 @@
+USER Seafile peer key
diff --git a/app/secretmgr.py b/app/secretmgr.py
new file mode 100755
index 0000000..6af6d13
--- /dev/null
+++ b/app/secretmgr.py
@@ -0,0 +1,369 @@
+#!/usr/bin/env python3
+
+# DEPENDENCY: python-consul
+import consul
+
+# DEPENDENCY: python-ldap
+import ldap
+
+# DEPENDENCY: passlib
+from passlib.hash import ldap_salted_sha1
+
+import os
+import sys
+import glob
+import subprocess
+import getpass
+import base64
+from secrets import token_bytes
+
+
+"""
+TODO: this will be a utility to handle secrets in the Consul database
+for the various components of the Deuxfleurs infrastructure
+
+Functionnalities:
+- check that secrets are correctly configured
+- help user fill in secrets
+- create LDAP service users and fill in corresponding secrets
+- maybe one day: manage SSL certificates and keys
+
+It uses files placed in <module_name>/secrets/* to know what secrets
+it should handle. These secret files contain directives for what to do
+about these secrets.
+
+Example directives:
+
+USER <description>
+(a secret that must be filled in by the user)
+
+USER_LONG <description>
+(the same, indicates that the secret fits on several lines)
+
+CMD <command>
+(a secret that is generated by running this command)
+
+CONST <constant value>
+(the secret has a constant value set here)
+
+CONST_LONG
+<constant value, several lines>
+(same)
+
+SERVICE_DN <service name> <service description>
+(the LDAP DN of a service user)
+
+SERVICE_PASSWORD <service name>
+(the LDAP password for the corresponding service user)
+
+SSL_CERT <cert name> <list of domains>
+(a SSL domain for the given domains)
+
+SSL_KEY <cert name>
+(the SSL key going with corresponding certificate)
+
+RSA_PUBLIC_KEY <key name> <key description>
+(a public RSA key)
+
+RSA_PRIVATE_KEY <key name>
+(the corresponding private RSA key)
+"""
+
+
+# Parameters
+LDAP_URL = "ldap://localhost:1389"
+SERVICE_DN_SUFFIX = "ou=services,ou=users,dc=deuxfleurs,dc=fr"
+consul_server = consul.Consul()
+
+
+# ----
+
+USER = "USER"
+USER_LONG = "USER_LONG"
+CMD = "CMD"
+CONST = "CONST"
+CONST_LONG = "CONST_LONG"
+SERVICE_DN = "SERVICE_DN"
+SERVICE_PASSWORD = "SERVICE_PASSWORD"
+SSL_CERT = "SSL_CERT"
+SSL_KEY = "SSL_KEY"
+RSA_PUBLIC_KEY = "RSA_PUBLIC_KEY"
+RSA_PRIVATE_KEY = "RSA_PRIVATE_KEY"
+
+class bcolors:
+ HEADER = '\033[95m'
+ OKBLUE = '\033[94m'
+ OKCYAN = '\033[96m'
+ OKGREEN = '\033[92m'
+ WARNING = '\033[93m'
+ FAIL = '\033[91m'
+ ENDC = '\033[0m'
+ BOLD = '\033[1m'
+ UNDERLINE = '\033[4m'
+
+def read_secret(key, file_path):
+ lines = [l.strip() for l in open(file_path, "r")]
+ l0 = lines[0].split(" ")
+ stype = l0[0]
+ secret = {"type": stype, "key": key}
+ if stype in [USER, USER_LONG]:
+ secret["desc"] = " ".join(l0[1:])
+ elif stype == CMD:
+ secret["cmd"] = " ".join(l0[1:])
+ elif stype == CONST:
+ secret["value"] = " ".join(l0[1:])
+ elif stype == CONST_LONG:
+ secret["value"] = "\n".join(lines[1:])
+ elif stype in [SERVICE_DN, SERVICE_PASSWORD]:
+ secret["service"] = l0[1]
+ if stype == SERVICE_DN:
+ secret["service_desc"] = " ".join(l0[2:])
+ elif stype in [SSL_CERT, SSL_KEY]:
+ secret["cert_name"] = l0[1]
+ if stype == SSL_CERT:
+ secret["cert_domains"] = l0[2:]
+ elif stype in [RSA_PUBLIC_KEY, RSA_PRIVATE_KEY]:
+ secret["key_name"] = l0[1]
+ if stype == RSA_PUBLIC_KEY:
+ secret["key_desc"] = " ".join(l0[2:])
+ else:
+ print(bcolors.FAIL, "ERROR:", bcolors.ENDC, "Invalid secret type", stype, "in", file_path)
+ sys.exit(-1)
+
+ return secret
+
+def read_secrets(module_list):
+ secrets = {}
+ for mod in module_list:
+ for file_path in glob.glob(mod.strip('/') + "/secrets/**", recursive=True):
+ if os.path.isfile(file_path):
+ key = '/'.join(file_path.split("/")[1:])
+ secrets[key] = read_secret(key, file_path)
+ return secrets
+
+def get_secrets_services(secrets):
+ services = {}
+ for key, secret in secrets.items():
+ if secret["type"] not in [SERVICE_DN, SERVICE_PASSWORD]:
+ continue
+ svc = secret["service"]
+ print(svc, "@", key, bcolors.OKCYAN, "...", bcolors.ENDC)
+ if svc not in services:
+ services[svc] = {
+ "dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX),
+ "pass": None,
+ "dn_at": [],
+ "pass_at": [],
+ }
+ if secret["type"] == SERVICE_DN:
+ services[svc]["dn_at"].append(key)
+ services[svc]["desc"] = secret["service_desc"]
+
+ if secret["type"] == SERVICE_PASSWORD:
+ services[svc]["pass_at"].append(key)
+ _, data = consul_server.kv.get(key)
+ if data is not None:
+ if services[svc]["pass"] is None:
+ services[svc]["pass"] = data["Value"].decode('ascii').strip()
+
+ return services
+
+ldap_admin_conn = None
+def get_ldap_admin_conn():
+ global ldap_admin_conn
+ if ldap_admin_conn is None:
+ ldap_admin_conn = ldap.initialize(LDAP_URL)
+ ldap_user = input("LDAP admin user (full DN, please!): ")
+ ldap_pass = getpass.getpass("LDAP admin password: ")
+ ldap_admin_conn.simple_bind_s(ldap_user, ldap_pass)
+ return ldap_admin_conn
+
+# ---- CHECK COMMAND ----
+
+def check_secrets(module_list):
+ secrets = read_secrets(module_list)
+ print("Found", len(secrets), "secrets to check")
+ print()
+
+ check_secrets_presence(secrets)
+ check_secrets_services(secrets)
+
+def check_secrets_presence(secrets):
+ print("Checking secrets presence...")
+ for key in secrets.keys():
+ _, data = consul_server.kv.get(key)
+ if data is None:
+ print(key, bcolors.FAIL, "x", bcolors.ENDC)
+ else:
+ print(key, bcolors.OKGREEN, "✓", bcolors.ENDC)
+ print()
+
+def check_secrets_services(secrets):
+ print("Checking secrets for LDAP service users...")
+ services = get_secrets_services(secrets)
+
+ for svc_name, svc in services.items():
+ for dn_key in svc["dn_at"]:
+ _, data = consul_server.kv.get(dn_key)
+ if data is not None:
+ got_val = data["Value"].decode('ascii').strip()
+ if got_val != svc["dn"]:
+ print(svc_name, "wrong DN at", dn_key, bcolors.FAIL, "x", bcolors.ENDC)
+ print("got:", got_val, "instead of:", svc["dn"])
+
+ if svc["pass"] is None:
+ print(svc_name, bcolors.FAIL, "no password stored", bcolors.ENDC)
+ else:
+ for pass_key in svc["pass_at"]:
+ _, data = consul_server.kv.get(pass_key)
+ if data is not None:
+ got_val = data["Value"].decode('ascii').strip()
+ if got_val != svc["pass"]:
+ print(svc_name, "wrong pass at", dn_key, bcolors.FAIL, "x", bcolors.ENDC)
+
+ l = ldap.initialize(LDAP_URL)
+ try:
+ l.simple_bind_s(svc["dn"], svc["pass"])
+ print(svc_name, bcolors.OKGREEN, "✓", bcolors.ENDC)
+ except Exception as e:
+ print(svc_name, bcolors.FAIL, e, bcolors.ENDC)
+ print()
+
+
+# ---- GEN COMMAND ----
+
+def gen_secrets(module_list, regen):
+ secrets = read_secrets(module_list)
+ print("Found", len(secrets), "secrets to check and maybe generate")
+ print()
+
+ gen_secrets_base(secrets, regen)
+ gen_secrets_services(secrets, regen)
+
+ check_secrets_presence(secrets)
+ check_secrets_services(secrets)
+
+def gen_secrets_base(secrets, regen):
+ print("Filling in user secrets and cmd secrets...")
+
+ for key, secret in secrets.items():
+ _, data = consul_server.kv.get(key)
+ if data is not None and not regen:
+ continue
+
+ if secret["type"] == USER:
+ print("----")
+ print(key)
+ print("Description:", secret["desc"])
+ print("Enter value for secret, or ^C to skip:")
+ try:
+ val = input().strip()
+ consul_server.kv.put(key, val)
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+ except KeyboardInterrupt:
+ print(bcolors.WARNING, "Skipped.", bcolors.ENDC)
+
+ if secret["type"] == USER_LONG:
+ print("----")
+ print(key)
+ print("Description:", secret["desc"])
+ print("Enter value for secret, or ^C to skip:")
+ print("THIS IS A LONG VALUE, ENTER SEVERAL LINES AND FINISH WITH A LINE CONTAINING A SINGLE .")
+ try:
+ lines = []
+ while True:
+ line = input().strip()
+ if line == ".":
+ break
+ vals.append(line)
+ val = "\n".join(lines)
+ consul_server.kv.put(key, val)
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+ except KeyboardInterrupt:
+ print(bcolors.WARNING, "Skipped.", bcolors.ENDC)
+
+ if secret["type"] in [CONST, CONST_LONG]:
+ print("----")
+ print(key)
+ print("Resetting to constant value.")
+ consul_server.kv.put(key, secret["value"])
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+
+ if secret["type"] == CMD:
+ print("----")
+ print(key)
+ print("Executing command:", secret["cmd"])
+ val = subprocess.check_output(["sh", "-c", secret["cmd"]])
+ consul_server.kv.put(key, val)
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+
+ print()
+
+def gen_secrets_services(secrets, regen):
+ print("Generating LDAP service accounts...")
+ services = get_secrets_services(secrets)
+
+ for svc_name, svc in services.items():
+ print("----")
+ print("Service:", svc_name)
+ print("Description:", svc["desc"])
+
+ for dn_key in svc["dn_at"]:
+ _, data = consul_server.kv.get(dn_key)
+ if data is None or data["Value"].decode('ascii').strip() != svc["dn"]:
+ print(bcolors.OKCYAN, "Setting DN", bcolors.ENDC, "at", dn_key)
+ consul_server.kv.put(dn_key, svc["dn"])
+
+ if svc["pass"] is None or regen:
+ print(bcolors.OKCYAN, "Generating new password", bcolors.ENDC)
+ svc["pass"] = base64.urlsafe_b64encode(token_bytes(12)).decode('ascii')
+
+ l = ldap.initialize(LDAP_URL)
+ try:
+ l.simple_bind_s(svc["dn"], svc["pass"])
+ except:
+ fix_service_user(svc)
+
+ for pass_key in svc["pass_at"]:
+ _, data = consul_server.kv.get(pass_key)
+ if data is None or data["Value"].decode('ascii').strip() != svc["pass"]:
+ print(bcolors.OKCYAN, "Setting password", bcolors.ENDC, "at", pass_key)
+ consul_server.kv.put(pass_key, svc["pass"])
+
+ print()
+
+def fix_service_user(svc):
+ print("Fixing service user", svc["dn"], "...")
+ l = get_ldap_admin_conn()
+ res = l.search_s(svc["dn"], ldap.SCOPE_BASE, "objectclass=*")
+ pass_crypt = ldap_salted_sha1.hash(svc["pass"])
+ if res is None or len(res) == 0:
+ print(bcolors.OKCYAN, "Creating entity...", bcolors.ENDC)
+ l.add_s(svc["dn"],
+ [
+ ("objectclass", [b"person", b"top"]),
+ ("displayname", [svc["desc"].encode('ascii')]),
+ ("userpassword", [pass_crypt.encode('ascii')]),
+ ])
+ else:
+ print(bcolors.OKCYAN, "Resetting entity password", bcolors.ENDC)
+ l.modify_s(svc["dn"],
+ [
+ (ldap.MOD_REPLACE, "userpassword", [pass_crypt.encode('ascii')])
+ ])
+
+# ---- MAIN ----
+
+if __name__ == "__main__":
+ for i, val in enumerate(sys.argv):
+ if val == "check":
+ check_secrets(sys.argv[i+1:])
+ break
+ elif val == "gen":
+ gen_secrets(sys.argv[i+1:], False)
+ break
+ elif val == "regen":
+ gen_secrets(sys.argv[i+1:], True)
+ break
+
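Review bot: The bare `except:` around `l.simple_bind_s(svc["dn"], svc["pass"])` in gen_secrets_services treats every failure — LDAP unreachable, network/TLS errors, even a KeyboardInterrupt — as "wrong password" and falls through to fix_service_user, which prompts for admin credentials and rewrites the service account's userPassword; it should catch only `ldap.INVALID_CREDENTIALS` so an outage cannot turn into a credential reset. In fix_service_user, python-ldap normally raises `ldap.NO_SUCH_OBJECT` for a base-scope `search_s` on a DN that does not exist instead of returning an empty list, so the `len(res) == 0` "Creating entity" branch looks unreachable and the first run for a new service would die with a traceback — catch that exception and treat it as "not found". Two smaller items: the USER_LONG loop appends to an undefined `vals` (should be `lines.append(line)`, otherwise every multi-line secret raises NameError), and the "wrong pass at" message prints the stale `dn_key` instead of `pass_key`. Separately, USER secrets are read with `input()` and echoed to the terminal (and shell scrollback) while the admin password correctly uses `getpass.getpass`, and `LDAP_URL = "ldap://localhost:1389"` sends the admin simple bind in clear, so it is presumably an SSH tunnel or local proxy — worth a comment confirming that assumption.
```python
        l = ldap.initialize(LDAP_URL)
        try:
            l.simple_bind_s(svc["dn"], svc["pass"])
        except ldap.INVALID_CREDENTIALS:
            # Only a rejected bind means the account needs (re)creating;
            # connectivity errors propagate instead of resetting passwords.
            fix_service_user(svc)
        # … unchanged: writing pass_at keys to Consul …

def fix_service_user(svc):
    print("Fixing service user", svc["dn"], "...")
    l = get_ldap_admin_conn()
    try:
        res = l.search_s(svc["dn"], ldap.SCOPE_BASE, "objectclass=*")
    except ldap.NO_SUCH_OBJECT:
        res = []  # base search on a missing entry raises rather than returning []
    # … unchanged: hash password, add_s / modify_s …
```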
+
diff --git a/app/config/configuration/traefik/traefik.toml b/app/traefik/config/traefik.toml
index 4a48fde..4a48fde 100644
--- a/app/config/configuration/traefik/traefik.toml
+++ b/app/traefik/config/traefik.toml
diff --git a/app/deployment/traefik.hcl b/app/traefik/deploy/traefik.hcl
index d0dc129..bcfa95b 100644
--- a/app/deployment/traefik.hcl
+++ b/app/traefik/deploy/traefik.hcl
@@ -29,7 +29,7 @@ job "frontend" {
}
template {
- data = file("../config/configuration/traefik/traefik.toml")
+ data = file("../config/traefik.toml")
destination = "secrets/traefik.toml"
}
diff --git a/os/config/roles/consul/tasks/main.yml b/os/config/roles/consul/tasks/main.yml
index 761c1f8..994ecd7 100644
--- a/os/config/roles/consul/tasks/main.yml
+++ b/os/config/roles/consul/tasks/main.yml
@@ -1,6 +1,6 @@
- name: "Set consul version"
set_fact:
- consul_version: 1.8.4
+ consul_version: 1.9.0
- name: "Download and install Consul for x86_64"
unarchive:
diff --git a/os/config/roles/nomad/tasks/main.yml b/os/config/roles/nomad/tasks/main.yml
index c79013e..625d7b7 100644
--- a/os/config/roles/nomad/tasks/main.yml
+++ b/os/config/roles/nomad/tasks/main.yml
@@ -1,6 +1,6 @@
- name: "Set nomad version"
set_fact:
- nomad_version: 0.12.9
+ nomad_version: 1.0.1
- name: "Download and install Nomad for x86_64"
unarchive: