diff options
Diffstat (limited to 'app')
165 files changed, 5553 insertions, 0 deletions
diff --git a/app/build/README.md b/app/build/README.md new file mode 100644 index 0000000..a877cfa --- /dev/null +++ b/app/build/README.md @@ -0,0 +1,8 @@ +## How to upgrade our packaged apps to a new version? + + 1. Edit `docker-compose.yml` + 2. Change the `VERSION` variable to the desired version + 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14) + 4. Run `docker-compose build` + 5. Run `docker-compose push` + 6. Done diff --git a/app/build/blog-quentin/.dockerenv b/app/build/blog-quentin/.dockerenv new file mode 100755 index 0000000..e69de29 --- /dev/null +++ b/app/build/blog-quentin/.dockerenv diff --git a/app/build/blog-quentin/Dockerfile b/app/build/blog-quentin/Dockerfile new file mode 100644 index 0000000..61f5c40 --- /dev/null +++ b/app/build/blog-quentin/Dockerfile @@ -0,0 +1,16 @@ +FROM amd64/debian:stretch as builder + +COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile + +WORKDIR /root/quentin.dufour.io + +RUN apt-get update && \ + apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \ + bundle install + +COPY ./quentin.dufour.io/ /root/quentin.dufour.io/ +RUN bundle exec jekyll build + +FROM superboum/amd64_webserver:v2 +COPY --from=builder /root/quentin.dufour.io/_site /srv/http + diff --git a/app/build/blog-quentin/README.md b/app/build/blog-quentin/README.md new file mode 100644 index 0000000..25ac463 --- /dev/null +++ b/app/build/blog-quentin/README.md @@ -0,0 +1 @@ +sudo docker build -t superboum/amd64_blog:v19 . diff --git a/app/build/coturn/Dockerfile b/app/build/coturn/Dockerfile new file mode 100644 index 0000000..0d23161 --- /dev/null +++ b/app/build/coturn/Dockerfile @@ -0,0 +1,8 @@ +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + apt-get install -y \ + coturn + +CMD ["/usr/bin/turnserver"] diff --git a/app/build/coturn/README.md b/app/build/coturn/README.md new file mode 100644 index 0000000..e882146 --- /dev/null +++ b/app/build/coturn/README.md @@ -0,0 +1,17 @@ + +## Génère l'image +``` +sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 . +``` + +## Run bash dans le container +``` +sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash +sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 +``` + +## Used ports +- udp/tcp 3478 3479 + +## Publish +sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 diff --git a/app/build/docker-compose.yml b/app/build/docker-compose.yml new file mode 100644 index 0000000..94bc154 --- /dev/null +++ b/app/build/docker-compose.yml @@ -0,0 +1,63 @@ +version: '3.4' +services: + + # Instant Messaging + riot: + build: + context: ./riotweb + args: + # https://github.com/vector-im/riot-web/releases + VERSION: 1.7.5 + image: superboum/amd64_riotweb:v15 + + synapse: + build: + context: ./matrix-synapse + args: + # https://github.com/matrix-org/synapse/releases + VERSION: 1.19.1 + image: superboum/amd64_synapse:v33 + + # Email + sogo: + build: + context: ./sogo + args: + # fake for now + VERSION: 5.0.0 + image: superboum/amd64_sogo:v7 + + # VoIP + jitsi-meet: + build: + context: ./jitsi-meet + args: + # https://github.com/jitsi/jitsi-meet + PREFIXV: stable/jitsi-meet_ + VERSION: 4966 + image: superboum/amd64_jitsi_meet:v1 + + jitsi-conference-focus: + build: + context: ./jitsi-conference-focus + args: + # https://github.com/jitsi/jicofo + PREFIXV: stable/jitsi-meet_ + VERSION: 4966 + image: superboum/amd64_jitsi_conference_focus:v5 + + jitsi-videobridge: + build: + context: ./jitsi-videobridge + args: + # https://github.com/jitsi/jitsi-videobridge + PREFIXV: stable/jitsi-meet_ + VERSION: 4966 + image: superboum/amd64_jitsi_videobridge:v15 + + jitsi-xmpp: + build: + context: ./jitsi-xmpp + args: + VERSION: fake-1 + image: superboum/amd64_jitsi_xmpp:v4 diff --git a/app/build/dovecot/.gitignore b/app/build/dovecot/.gitignore new file mode 100644 index 0000000..71a04e2 --- /dev/null +++ b/app/build/dovecot/.gitignore @@ -0,0 +1 @@ +dovecot-ldap.conf diff --git a/app/build/dovecot/Dockerfile b/app/build/dovecot/Dockerfile new file mode 100644 index 0000000..9b87627 --- /dev/null +++ b/app/build/dovecot/Dockerfile @@ -0,0 +1,17 @@ +FROM amd64/debian:stretch + +RUN apt-get update && \ + apt-get install -y \ + dovecot-antispam \ + dovecot-core \ + dovecot-imapd \ + dovecot-ldap \ + dovecot-managesieved \ + dovecot-sieve \ + dovecot-lmtpd && \ + rm -rf /etc/dovecot/* +RUN useradd mailstore +COPY ./conf/* /etc/dovecot/ +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app/build/dovecot/README.md b/app/build/dovecot/README.md new file mode 100644 index 0000000..8c9f372 --- /dev/null +++ b/app/build/dovecot/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_dovecot:v2 . +``` + + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \ + -p 993:993 \ + -p 143:143 \ + -p 24:24 \ + -p 1337:1337 \ + -v /mnt/glusterfs/email/ssl:/etc/ssl/ \ + -v /mnt/glusterfs/email/mail:/var/mail \ + -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \ + superboum/amd64_dovecot:v1 \ + dovecot -F +``` diff --git a/app/build/dovecot/entrypoint.sh b/app/build/dovecot/entrypoint.sh new file mode 100755 index 0000000..2165d8f --- /dev/null +++ b/app/build/dovecot/entrypoint.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout dovecot.key \ + -out dovecot.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp dovecot.crt /etc/ssl/certs/dovecot.crt + cp dovecot.key /etc/ssl/private/dovecot.key + chmod 400 /etc/ssl/certs/dovecot.crt + chmod 400 /etc/ssl/private/dovecot.key +fi + +if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then + chown -R mailstore /var/mail +fi + +exec "$@" diff --git a/app/build/jitsi-conference-focus/Dockerfile b/app/build/jitsi-conference-focus/Dockerfile new file mode 100644 index 0000000..e2c459c --- /dev/null +++ b/app/build/jitsi-conference-focus/Dockerfile @@ -0,0 +1,27 @@ +FROM debian:buster AS builder + +ARG PREFIXV +ARG VERSION +RUN apt-get update && \ + apt-get install -y openjdk-11-jdk maven wget unzip && \ + wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip + +RUN unzip jicofo.zip && \ + mv jicofo*${VERSION} jicofo && \ + cd jicofo && \ + mvn package -DskipTests -Dassembly.skipAssembly=false && \ + unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \ + mv jicofo-1.1-SNAPSHOT /srv/build + +FROM debian:buster + +RUN apt-get update && \ + apt-get install -y openjdk-11-jre-headless ca-certificates + +ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi" + +COPY --from=builder /srv/build /srv/jicofo +COPY jicofo /usr/local/bin/jicofo +COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties + +CMD ["/usr/local/bin/jicofo"] diff --git a/app/build/jitsi-conference-focus/jicofo b/app/build/jitsi-conference-focus/jicofo new file mode 100755 index 0000000..2bc6e3f --- /dev/null +++ b/app/build/jitsi-conference-focus/jicofo @@ -0,0 +1,16 @@ +#!/bin/bash + +cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt +update-ca-certificates -f + +cat >> /etc/hosts <<EOF +${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr +127.0.0.1 `hostname` +EOF + +/srv/jicofo/jicofo.sh \ + --host=${JITSI_PROSODY_HOST} \ + --domain=jitsi.deuxfleurs.fr \ + --secret=${JITSI_SECRET_JICOFO_COMPONENT} \ + --user_domain=auth.jitsi.deuxfleurs.fr \ + --user_password=${JITSI_SECRET_JICOFO_USER} diff --git a/app/build/jitsi-conference-focus/sip-communicator.properties b/app/build/jitsi-conference-focus/sip-communicator.properties new file mode 100644 index 0000000..53c32e2 --- /dev/null +++ b/app/build/jitsi-conference-focus/sip-communicator.properties @@ -0,0 +1,2 @@ +org.jitsi.jicofo.SHORT_ID=1 +org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr diff --git a/app/build/jitsi-meet/Dockerfile b/app/build/jitsi-meet/Dockerfile new file mode 100644 index 0000000..feef115 --- /dev/null +++ b/app/build/jitsi-meet/Dockerfile @@ -0,0 +1,28 @@ +FROM debian:buster AS builder + +ARG PREFIXV +ARG VERSION + +RUN apt-get update && \ + apt-get install -y curl && \ + curl -sL https://deb.nodesource.com/setup_14.x | bash - && \ + apt-get install -y git nodejs make wget unzip && \ + wget https://github.com/jitsi/jitsi-meet/archive/${PREFIXV}${VERSION}.zip -O jitsi-meet.zip + +RUN unzip jitsi-meet.zip && \ + mv jitsi-meet-*${VERSION} jitsi-meet && \ + cd jitsi-meet && \ + npm install && \ + make + +FROM debian:buster + +COPY --from=builder /jitsi-meet /srv/jitsi-meet +RUN apt-get update && \ + apt-get install -y nginx && \ + rm /etc/nginx/sites-enabled/* + +COPY config.js /srv/jitsi-meet/config.js +COPY entrypoint.sh /usr/local/bin/entrypoint +ENTRYPOINT ["/usr/local/bin/entrypoint"] +CMD ["/usr/sbin/nginx", "-g", "daemon off;"] diff --git a/app/build/jitsi-meet/config.js b/app/build/jitsi-meet/config.js new file mode 100644 index 0000000..18ff319 --- /dev/null +++ b/app/build/jitsi-meet/config.js @@ -0,0 +1,517 @@ +/* eslint-disable no-unused-vars, no-var */ + +var config = { + // Connection + // + + hosts: { + // XMPP domain. + domain: 'jitsi.deuxfleurs.fr', + + // When using authentication, domain for guest users. + // anonymousdomain: 'guest.example.com', + + // Domain for authenticated users. Defaults to <domain>. + // authdomain: 'jitsi-meet.example.com', + + // Jirecon recording component domain. + // jirecon: 'jirecon.jitsi-meet.example.com', + + // Call control component (Jigasi). + // call_control: 'callcontrol.jitsi-meet.example.com', + + // Focus component domain. Defaults to focus.<domain>. + // focus: 'focus.jitsi-meet.example.com', + + // XMPP MUC domain. FIXME: use XEP-0030 to discover it. + muc: 'conference.jitsi.deuxfleurs.fr' + }, + + // BOSH URL. FIXME: use XEP-0156 to discover it. + bosh: '//jitsi.deuxfleurs.fr/http-bind', + + // Websocket URL + // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', + + // The name of client node advertised in XEP-0115 'c' stanza + clientNode: 'http://jitsi.org/jitsimeet', + + // The real JID of focus participant - can be overridden here + // focusUserJid: 'focus@auth.jitsi-meet.example.com', + + + // Testing / experimental features. + // + + testing: { + // Enables experimental simulcast support on Firefox. + enableFirefoxSimulcast: false, + + // P2P test mode disables automatic switching to P2P when there are 2 + // participants in the conference. + p2pTestMode: false + + // Enables the test specific features consumed by jitsi-meet-torture + // testMode: false + + // Disables the auto-play behavior of *all* newly created video element. + // This is useful when the client runs on a host with limited resources. + // noAutoPlayVideo: false + }, + + // Disables ICE/UDP by filtering out local and remote UDP candidates in + // signalling. + // webrtcIceUdpDisable: false, + + // Disables ICE/TCP by filtering out local and remote TCP candidates in + // signalling. + // webrtcIceTcpDisable: false, + + + // Media + // + + // Audio + + // Disable measuring of audio levels. + // disableAudioLevels: false, + // audioLevelsInterval: 200, + + // Enabling this will run the lib-jitsi-meet no audio detection module which + // will notify the user if the current selected microphone has no audio + // input and will suggest another valid device if one is present. + enableNoAudioDetection: true, + + // Enabling this will run the lib-jitsi-meet noise detection module which will + // notify the user if there is noise, other than voice, coming from the current + // selected microphone. The purpose it to let the user know that the input could + // be potentially unpleasant for other meeting participants. + enableNoisyMicDetection: true, + + // Start the conference in audio only mode (no video is being received nor + // sent). + // startAudioOnly: false, + + // Every participant after the Nth will start audio muted. + // startAudioMuted: 10, + + // Start calls with audio muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithAudioMuted: false, + + // Enabling it (with #params) will disable local audio output of remote + // participants and to enable it back a reload is needed. + // startSilent: false + + // Video + + // Sets the preferred resolution (height) for local video. Defaults to 720. + resolution: 480, + + // w3c spec-compliant video constraints to use for video capture. Currently + // used by browsers that return true from lib-jitsi-meet's + // util#browser#usesNewGumFlow. The constraints are independency from + // this config's resolution value. Defaults to requesting an ideal aspect + // ratio of 16:9 with an ideal resolution of 720. + constraints: { + video: { + aspectRatio: 16 / 9, + height: { + ideal: 480, + max: 720, + min: 240 + } + } + }, + + // Enable / disable simulcast support. + // disableSimulcast: false, + + // Enable / disable layer suspension. If enabled, endpoints whose HD + // layers are not in use will be suspended (no longer sent) until they + // are requested again. + // enableLayerSuspension: false, + + // Every participant after the Nth will start video muted. + // startVideoMuted: 10, + + // Start calls with video muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithVideoMuted: false, + + // If set to true, prefer to use the H.264 video codec (if supported). + // Note that it's not recommended to do this because simulcast is not + // supported when using H.264. For 1-to-1 calls this setting is enabled by + // default and can be toggled in the p2p section. + // preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // Desktop sharing + + // The ID of the jidesha extension for Chrome. + desktopSharingChromeExtId: null, + + // Whether desktop sharing should be disabled on Chrome. + // desktopSharingChromeDisabled: false, + + // The media sources to use when using screen sharing with the Chrome + // extension. + desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], + + // Required version of Chrome extension + desktopSharingChromeMinExtVersion: '0.1', + + // Whether desktop sharing should be disabled on Firefox. + // desktopSharingFirefoxDisabled: false, + + // Optional desktop sharing frame rate options. Default value: min:5, max:5. + // desktopSharingFrameRate: { + // min: 5, + // max: 5 + // }, + + // Try to start calls with screen-sharing instead of camera video. + // startScreenSharing: false, + + // Recording + + // Whether to enable file recording or not. + // fileRecordingsEnabled: false, + // Enable the dropbox integration. + // dropbox: { + // appKey: '<APP_KEY>' // Specify your app key here. + // // A URL to redirect the user to, after authenticating + // // by default uses: + // // 'https://jitsi-meet.example.com/static/oauth.html' + // redirectURI: + // 'https://jitsi-meet.example.com/subfolder/static/oauth.html' + // }, + // When integrations like dropbox are enabled only that will be shown, + // by enabling fileRecordingsServiceEnabled, we show both the integrations + // and the generic recording service (its configuration and storage type + // depends on jibri configuration) + // fileRecordingsServiceEnabled: false, + // Whether to show the possibility to share file recording with other people + // (e.g. meeting participants), based on the actual implementation + // on the backend. + // fileRecordingsServiceSharingEnabled: false, + + // Whether to enable live streaming or not. + // liveStreamingEnabled: false, + + // Transcription (in interface_config, + // subtitles and buttons can be configured) + // transcribingEnabled: false, + + // Enables automatic turning on captions when recording is started + // autoCaptionOnRecord: false, + + // Misc + + // Default value for the channel "last N" attribute. -1 for unlimited. + channelLastN: -1, + + // Disables or enables RTX (RFC 4588) (defaults to false). + // disableRtx: false, + + // Disables or enables TCC (the default is in Jicofo and set to true) + // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting + // affects congestion control, it practically enables send-side bandwidth + // estimations. + // enableTcc: true, + + // Disables or enables REMB (the default is in Jicofo and set to false) + // (draft-alvestrand-rmcat-remb-03). This setting affects congestion + // control, it practically enables recv-side bandwidth estimations. When + // both TCC and REMB are enabled, TCC takes precedence. When both are + // disabled, then bandwidth estimations are disabled. + // enableRemb: false, + + // Defines the minimum number of participants to start a call (the default + // is set in Jicofo and set to 2). + // minParticipants: 2, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // Enable IPv6 support. + // useIPv6: true, + + // Enables / disables a data communication channel with the Videobridge. + // Values can be 'datachannel', 'websocket', true (treat it as + // 'datachannel'), undefined (treat it as 'datachannel') and false (don't + // open any channel). + // openBridgeChannel: true, + + + // UI + // + + // Use display name as XMPP nickname. + // useNicks: false, + + // Require users to always specify a display name. + // requireDisplayName: true, + + // Whether to use a welcome page or not. In case it's false a random room + // will be joined when no room is specified. + enableWelcomePage: true, + + // Enabling the close page will ignore the welcome page redirection when + // a call is hangup. + // enableClosePage: false, + + // Disable hiding of remote thumbnails when in a 1-on-1 conference call. + // disable1On1Mode: false, + + // Default language for the user interface. + defaultLanguage: 'fr', + + // If true all users without a token will be considered guests and all users + // with token will be considered non-guests. Only guests will be allowed to + // edit their profile. + enableUserRolesBasedOnToken: false, + + // Whether or not some features are checked based on token. + // enableFeaturesBasedOnToken: false, + + // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. + // lockRoomGuestEnabled: false, + + // When enabled the password used for locking a room is restricted to up to the number of digits specified + // roomPasswordNumberOfDigits: 10, + // default: roomPasswordNumberOfDigits: false, + + // Message to show the users. Example: 'The service will be down for + // maintenance at 01:00 AM GMT, + // noticeMessage: '', + + // Enables calendar integration, depends on googleApiApplicationClientID + // and microsoftApiApplicationClientID + // enableCalendarIntegration: false, + + // Stats + // + + // Whether to enable stats collection or not in the TraceablePeerConnection. + // This can be useful for debugging purposes (post-processing/analysis of + // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth + // estimation tests. + // gatherStats: false, + + // The interval at which PeerConnection.getStats() is called. Defaults to 10000 + // pcStatsInterval: 10000, + + // To enable sending statistics to callstats.io you must provide the + // Application ID and Secret. + // callStatsID: '', + // callStatsSecret: '', + + // enables sending participants display name to callstats + // enableDisplayNameInStats: false + + // enables sending participants email if available to callstats and other analytics + // enableEmailInStats: false + + // Privacy + // + + // If third party requests are disabled, no other server will be contacted. + // This means avatars will be locally generated and callstats integration + // will not function. + // disableThirdPartyRequests: false, + + + // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. + // + + p2p: { + // Enables peer to peer mode. When enabled the system will try to + // establish a direct connection when there are exactly 2 participants + // in the room. If that succeeds the conference will stop sending data + // through the JVB and use the peer to peer connection instead. When a + // 3rd participant joins the conference will be moved back to the JVB + // connection. + enabled: true, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:443' }, + { urls: 'stun:stun.l.google.com:19302' }, + { urls: 'stun:stun1.l.google.com:19302' }, + { urls: 'stun:stun2.l.google.com:19302' } + ], + + // Sets the ICE transport policy for the p2p connection. At the time + // of this writing the list of possible values are 'all' and 'relay', + // but that is subject to change in the future. The enum is defined in + // the WebRTC standard: + // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. + // If not set, the effective value is 'all'. + // iceTransportPolicy: 'all', + + // If set to true, it will prefer to use H.264 for P2P calls (if H.264 + // is supported). + preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // How long we're going to wait, before going back to P2P after the 3rd + // participant has left the conference (to filter out page reload). + backToP2PDelay: 60 + }, + + analytics: { + // The Google Analytics Tracking ID: + // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' + + // The Amplitude APP Key: + // amplitudeAPPKey: '<APP_KEY>' + + // Array of script URLs to load as lib-jitsi-meet "analytics handlers". + // scriptURLs: [ + // "libs/analytics-ga.min.js", // google-analytics + // "https://example.com/my-custom-analytics.js" + // ], + }, + + // Information about the jitsi-meet instance we are connecting to, including + // the user region as seen by the server. + deploymentInfo: { + // shard: "shard1", + // region: "europe", + // userRegion: "asia" + } + + // Information for the chrome extension banner + // chromeExtensionBanner: { + // // The chrome extension to be installed address + // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb', + + // // Extensions info which allows checking if they are installed or not + // chromeExtensionsInfo: [ + // { + // id: 'kglhbbefdnlheedjiejgomgmfplipfeb', + // path: 'jitsi-logo-48x48.png' + // } + // ] + // } + + // Local Recording + // + + // localRecording: { + // Enables local recording. + // Additionally, 'localrecording' (all lowercase) needs to be added to + // TOOLBAR_BUTTONS in interface_config.js for the Local Recording + // button to show up on the toolbar. + // + // enabled: true, + // + + // The recording format, can be one of 'ogg', 'flac' or 'wav'. + // format: 'flac' + // + + // } + + // Options related to end-to-end (participant to participant) ping. + // e2eping: { + // // The interval in milliseconds at which pings will be sent. + // // Defaults to 10000, set to <= 0 to disable. + // pingInterval: 10000, + // + // // The interval in milliseconds at which analytics events + // // with the measured RTT will be sent. Defaults to 60000, set + // // to <= 0 to disable. + // analyticsInterval: 60000, + // } + + // If set, will attempt to use the provided video input device label when + // triggering a screenshare, instead of proceeding through the normal flow + // for obtaining a desktop stream. + // NOTE: This option is experimental and is currently intended for internal + // use only. + // _desktopSharingSourceDevice: 'sample-id-or-label' + + // If true, any checks to handoff to another application will be prevented + // and instead the app will continue to display in the current browser. + // disableDeepLinking: false + + // A property to disable the right click context menu for localVideo + // the menu has option to flip the locally seen video for local presentations + // disableLocalVideoFlip: false + + // Deployment specific URLs. + // deploymentUrls: { + // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for + // // user documentation. + // userDocumentationURL: 'https://docs.example.com/video-meetings.html', + // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link + // // to the specified URL for an app download page. + // downloadAppsUrl: 'https://docs.example.com/our-apps.html' + // } + + // List of undocumented settings used in jitsi-meet + /** + _immediateReloadThreshold + autoRecord + autoRecordToken + debug + debugAudioLevels + deploymentInfo + dialInConfCodeUrl + dialInNumbersUrl + dialOutAuthUrl + dialOutCodesUrl + disableRemoteControl + displayJids + etherpad_base + externalConnectUrl + firefox_fake_device + googleApiApplicationClientID + iAmRecorder + iAmSipGateway + microsoftApiApplicationClientID + peopleSearchQueryTypes + peopleSearchUrl + requireDisplayName + tokenAuthUrl + */ + + // List of undocumented settings used in lib-jitsi-meet + /** + _peerConnStatusOutOfLastNTimeout + _peerConnStatusRtcMuteTimeout + abTesting + avgRtpStatsN + callStatsConfIDNamespace + callStatsCustomScriptUrl + desktopSharingSources + disableAEC + disableAGC + disableAP + disableHPF + disableNS + enableLipSync + enableTalkWhileMuted + forceJVB121Ratio + hiddenDomain + ignoreStartMuted + nick + startBitrate + */ + +}; + +/* eslint-enable no-unused-vars, no-var */ + diff --git a/app/build/jitsi-meet/entrypoint.sh b/app/build/jitsi-meet/entrypoint.sh new file mode 100755 index 0000000..1e18bd1 --- /dev/null +++ b/app/build/jitsi-meet/entrypoint.sh @@ -0,0 +1,38 @@ +#!/bin/bash + +cat > /etc/nginx/sites-available/jitsi <<EOF +server_names_hash_bucket_size 64; + +server { + listen 0.0.0.0:443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + server_name _; + ssl_certificate ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.crt; + ssl_certificate_key ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.key; + root /srv/jitsi-meet; + index index.html; + location ~ ^/([a-zA-Z0-9=\?]+)$ { + rewrite ^/(.*)$ / break; + } + location / { + ssi on; + } + # BOSH, Bidirectional-streams Over Synchronous HTTP + # https://en.wikipedia.org/wiki/BOSH_(protocol) + location /http-bind { + proxy_pass http://${JITSI_PROSODY_BOSH_HOST}:${JITSI_PROSODY_BOSH_PORT}/http-bind; + proxy_set_header X-Forwarded-For \$remote_addr; + proxy_set_header Host \$http_host; + } + # external_api.js must be accessible from the root of the + # installation for the electron version of Jitsi Meet to work + # https://github.com/jitsi/jitsi-meet-electron + location /external_api.js { + alias /srv/jitsi-meet/libs/external_api.min.js; + } +} +EOF + +ln -sf /etc/nginx/sites-available/jitsi /etc/nginx/sites-enabled/jitsi + +exec "$@" diff --git a/app/build/jitsi-videobridge/Dockerfile b/app/build/jitsi-videobridge/Dockerfile new file mode 100644 index 0000000..c17fb4f --- /dev/null +++ b/app/build/jitsi-videobridge/Dockerfile @@ -0,0 +1,30 @@ +FROM debian:buster AS builder + +ARG PREFIXV +ARG VERSION + +RUN apt-get update && \ + apt-get install -y wget unzip maven openjdk-11-jdk && \ + wget https://github.com/jitsi/jitsi-videobridge/archive/${PREFIXV}${VERSION}.zip -O jvb.zip + +RUN unzip jvb.zip && \ + mv jitsi-videobridge*${VERSION} jvb && \ + cd jvb && \ + mvn package -DskipTests && \ + ls jvb/target && \ + unzip jvb/target/jitsi-videobridge*.zip && \ + mv jitsi-videobridge-*-SNAPSHOT build + +FROM debian:buster + +RUN apt-get update && \ + apt-get install -y openjdk-11-jre-headless + +COPY --from=builder /jvb/build /srv/jvb +ENV HOME=/root +WORKDIR /root +COPY jvb_run /usr/local/bin/jvb_run + +ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi" + +CMD ["/usr/local/bin/jvb_run"] diff --git a/app/build/jitsi-videobridge/jvb_run b/app/build/jitsi-videobridge/jvb_run new file mode 100755 index 0000000..b86c911 --- /dev/null +++ b/app/build/jitsi-videobridge/jvb_run @@ -0,0 +1,54 @@ +#!/bin/bash + +cat >> /etc/hosts <<EOF +${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr +127.0.0.1 `hostname` +EOF + +mkdir -p /root/.sip-communicator + +cat > /root/.sip-communicator/sip-communicator.properties <<EOF +# Enable broadcasting stats/presence in a MUC +org.jitsi.videobridge.ENABLE_STATISTICS=true +org.jitsi.videobridge.STATISTICS_TRANSPORT=muc + +# Connect to the first XMPP server +org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb +org.jitsi.videobridge.xmpp.user.shard.PASSWORD=${JITSI_SECRET_VIDEOBRIDGE} +org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr +org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=singleton +org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true + +# Do we need it? @FIXME +org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false + +# NAT things, two times just in case... +org.ice4j.ice.harvest.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP} +org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP} +org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP} +org.jitsi.videobridge.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP} +org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP} +org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP} +org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false +EOF + +[ -v JITSI_DEBUG ] && cat >> /root/.sip-communicator/sip-communicator.properties <<EOF +net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_ARBITRARY_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_SIP_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_JABBER_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_RTP_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_ICE4j_ENABLED=true +net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_COUNT=1 +net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_SIZE=-1 +EOF + +/srv/jvb/jvb.sh \ + --host=${JITSI_PROSODY_HOST} \ + --domain=jitsi.deuxfleurs.fr \ + --port=5347 \ + --secret=${JITSI_SECRET_VIDEOBRIDGE} \ + --apis=xmpp,rest diff --git a/app/build/jitsi-xmpp/Dockerfile b/app/build/jitsi-xmpp/Dockerfile new file mode 100644 index 0000000..3733d49 --- /dev/null +++ b/app/build/jitsi-xmpp/Dockerfile @@ -0,0 +1,11 @@ +FROM debian:buster + +RUN apt-get update && \ + apt-get install -y prosody + +COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua +COPY xmpp_conf /usr/local/bin/xmpp_conf +COPY xmpp_gen /usr/local/bin/xmpp_gen +COPY xmpp_run /usr/local/bin/xmpp_run + +CMD ["/usr/local/bin/xmpp_run"] diff --git a/app/build/jitsi-xmpp/external_components.cfg.lua b/app/build/jitsi-xmpp/external_components.cfg.lua new file mode 100644 index 0000000..beaaa87 --- /dev/null +++ b/app/build/jitsi-xmpp/external_components.cfg.lua @@ -0,0 +1,2 @@ +component_ports = { 5347 } +component_interface = "0.0.0.0" diff --git a/app/build/jitsi-xmpp/xmpp_conf b/app/build/jitsi-xmpp/xmpp_conf new file mode 100755 index 0000000..5990d07 --- /dev/null +++ b/app/build/jitsi-xmpp/xmpp_conf @@ -0,0 +1,47 @@ +#!/bin/bash + +cat >> /etc/hosts <<EOF +${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr +127.0.0.1 `hostname` +EOF + +mkdir -p /etc/prosody/conf.{d,avail}/ +cat > /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua <<EOF +VirtualHost "jitsi.deuxfleurs.fr" + authentication = "anonymous" + ssl = { + key = "/var/lib/prosody/jitsi.deuxfleurs.fr.key"; + certificate = "/var/lib/prosody/jitsi.deuxfleurs.fr.crt"; + } + modules_enabled = { + "bosh"; + "pubsub"; + } + c2s_require_encryption = false + +VirtualHost "auth.jitsi.deuxfleurs.fr" + ssl = { + key = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.key"; + certificate = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt"; + } + authentication = "internal_plain" + admins = { "focus@auth.jitsi.deuxfleurs.fr"} + +Component "conference.jitsi.deuxfleurs.fr" "muc" +Component "internal.auth.jitsi.deuxfleurs.fr" "muc" + storage = "memory" + modules_enabled = { "ping"; } + admins = { "focus@auth.jitsi.deuxfleurs.fr", "jvb@auth.jitsi.deuxfleurs.fr" } + +Component "jitsi-videobridge.jitsi.deuxfleurs.fr" + component_secret = "${JITSI_SECRET_VIDEOBRIDGE}" +Component "focus.jitsi.deuxfleurs.fr" + component_secret = "${JITSI_SECRET_JICOFO_COMPONENT}" + +EOF + +ln -sf \ + /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua \ + /etc/prosody/conf.d/jitsi.deuxfleurs.fr.cfg.lua + + diff --git a/app/build/jitsi-xmpp/xmpp_gen b/app/build/jitsi-xmpp/xmpp_gen new file mode 100755 index 0000000..3a2e04a --- /dev/null +++ b/app/build/jitsi-xmpp/xmpp_gen @@ -0,0 +1,9 @@ +#!/bin/bash + +/usr/local/bin/xmpp_conf + +prosodyctl cert generate jitsi.deuxfleurs.fr +prosodyctl cert generate auth.jitsi.deuxfleurs.fr + +cp /var/lib/prosody/*.crt ${JITSI_CERTS_FOLDER} +cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER} diff --git a/app/build/jitsi-xmpp/xmpp_run b/app/build/jitsi-xmpp/xmpp_run new file mode 100755 index 0000000..6383b65 --- /dev/null +++ b/app/build/jitsi-xmpp/xmpp_run @@ -0,0 +1,20 @@ +#!/bin/bash + +/usr/local/bin/xmpp_conf +cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/ +chown -R prosody:prosody /var/lib/prosody + +mkdir -p /usr/local/share/ca-certificates/ +ln -sf \ + /var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt \ + /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt + +prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER} +prosodyctl register jvb auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_VIDEOBRIDGE} + +mkdir /run/prosody +touch /run/prosody/prosody.pid +chown -R prosody:prosody /run/prosody + +cd /var/lib/prosody +su - prosody -s /bin/bash -c prosody diff --git a/app/build/landing/README.md b/app/build/landing/README.md new file mode 100644 index 0000000..5d2cb2b --- /dev/null +++ b/app/build/landing/README.md @@ -0,0 +1,3 @@ +``` +docker build -t superboum/amd64_landing:v8 . +``` diff --git a/app/build/mariadb/60-disable-dialog.cnf b/app/build/mariadb/60-disable-dialog.cnf new file mode 100644 index 0000000..d41731a --- /dev/null +++ b/app/build/mariadb/60-disable-dialog.cnf @@ -0,0 +1,3 @@ +[mariadb] +pam_use_cleartext_plugin +bind-address = 0.0.0.0 diff --git a/app/build/mariadb/60-ldap.cnf b/app/build/mariadb/60-ldap.cnf new file mode 100644 index 0000000..72ffb9f --- /dev/null +++ b/app/build/mariadb/60-ldap.cnf @@ -0,0 +1,3 @@ +[mariadb] +plugin-load=auth_pam.so + diff --git a/app/build/mariadb/60-remote.cnf b/app/build/mariadb/60-remote.cnf new file mode 100644 index 0000000..f759a49 --- /dev/null +++ b/app/build/mariadb/60-remote.cnf @@ -0,0 +1,2 @@ +[mysqld] +bind-address = 0.0.0.0 diff --git a/app/build/mariadb/Dockerfile b/app/build/mariadb/Dockerfile new file mode 100644 index 0000000..15ef954 --- /dev/null +++ b/app/build/mariadb/Dockerfile @@ -0,0 +1,14 @@ +FROM debian:stretch + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y mariadb-server mariadb-client libnss-ldapd + +COPY 60-ldap.cnf /etc/mysql/mariadb.conf.d/60-ldap.cnf +COPY 60-remote.cnf /etc/mysql/mariadb.conf.d/60-remote.cnf +COPY 60-disable-dialog.cnf /etc/mysql/mariadb.conf.d/60-disable-dialog.cnf +COPY pam-mariadb /etc/pam.d/mariadb +COPY nsswitch.conf /etc/nsswitch.conf +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app/build/mariadb/README.md b/app/build/mariadb/README.md new file mode 100644 index 0000000..1a3b8aa --- /dev/null +++ b/app/build/mariadb/README.md @@ -0,0 +1,19 @@ +``` +sudo docker build -t superboum/amd64_mariadb:v3 . + +sudo docker run \ + -t -i \ + -p 3306:3306 \ + -v /tmp/mysql:/var/lib/mysql \ + -e LDAP_URI='ldap://bottin.service.2.cluster.deuxfleurs.fr' \ + -e LDAP_BASE='ou=users,dc=deuxfleurs,dc=fr' \ + -e LDAP_VERSION=3 \ + -e LDAP_BIND_DN='cn=admin,dc=deuxfleurs,dc=fr' \ + -e LDAP_BIND_PW='xxxx' \ + -e MYSQL_PASSWORD='xxxx' \ + superboum/amd64_mariadb:v1 \ + tail -f /var/log/mysql/error.log + +CREATE USER quentin@localhost IDENTIFIED VIA pam USING 'mariadb'; + +``` diff --git a/app/build/mariadb/entrypoint.sh b/app/build/mariadb/entrypoint.sh new file mode 100755 index 0000000..7ebf049 --- /dev/null +++ b/app/build/mariadb/entrypoint.sh @@ -0,0 +1,50 @@ +#!/bin/bash + +set -e + +cat > /etc/nslcd.conf <<EOF +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. + +# The user and group nslcd should run as. +uid nslcd +gid nslcd + +# The location at which the LDAP server(s) should be reachable. +uri ${LDAP_URI} + +# The search base that will be used for all queries. +base ${LDAP_BASE} + +# The LDAP protocol version to use. +ldap_version ${LDAP_VERSION} + +# The DN to bind with for normal lookups. +binddn ${LDAP_BIND_DN} +bindpw ${LDAP_BIND_PW} + +# The DN used for password modifications by root. +#rootpwmoddn cn=admin,dc=example,dc=com + +# SSL options +#ssl off +#tls_reqcert never +tls_cacertfile /etc/ssl/certs/ca-certificates.crt + +# The search scope. +#scope sub +EOF + +/usr/sbin/nslcd + +chown mysql:mysql /var/lib/mysql +[ -z "$(ls -A /var/lib/mysql)" ] && mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql + +/usr/bin/mysqld_safe & + +until ls /var/run/mysqld/mysqld.sock; do sleep 1; done +/usr/bin/mysqladmin -u root password ${MYSQL_PASSWORD} || true + +exec "$@" + diff --git a/app/build/mariadb/nsswitch.conf b/app/build/mariadb/nsswitch.conf new file mode 100644 index 0000000..853348e --- /dev/null +++ b/app/build/mariadb/nsswitch.conf @@ -0,0 +1,21 @@ +# /etc/nsswitch.conf +# +# Example configuration of GNU Name Service Switch functionality. +# If you have the `glibc-doc-reference' and `info' packages installed, try: +# `info libc "Name Service Switch"' for information about this file. + +passwd: files ldap +group: files ldap +shadow: files ldap +gshadow: files + +hosts: files dns +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis + diff --git a/app/build/mariadb/pam-mariadb b/app/build/mariadb/pam-mariadb new file mode 100644 index 0000000..e1bb814 --- /dev/null +++ b/app/build/mariadb/pam-mariadb @@ -0,0 +1,2 @@ +auth required pam_ldap.so +account required pam_ldap.so diff --git a/app/build/matrix-synapse/Dockerfile b/app/build/matrix-synapse/Dockerfile new file mode 100644 index 0000000..b8480d5 --- /dev/null +++ b/app/build/matrix-synapse/Dockerfile @@ -0,0 +1,47 @@ +FROM amd64/debian:buster as builder + +ARG VERSION +RUN apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y \ + python3 \ + python3-pip \ + python3-dev \ + python3-setuptools \ + libffi-dev \ + build-essential \ + libssl-dev \ + libjpeg-dev \ + libjpeg62-turbo-dev \ + libxml2-dev \ + zlib1g-dev \ + # postgresql-dev \ + libpq-dev \ + virtualenv \ + libxslt1-dev && \ + virtualenv /root/matrix-env -p /usr/bin/python3 && \ + . /root/matrix-env/bin/activate && \ + pip3 install \ + https://github.com/matrix-org/synapse/archive/v${VERSION}.tar.gz#egg=matrix-synapse[matrix-synapse-ldap3,postgres,resources.consent,saml2,url_preview] + +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y \ + python3 \ + python3-distutils \ + libffi6 \ + libjpeg62-turbo \ + libssl1.1 \ + libxslt1.1 \ + libpq5 \ + zlib1g \ + libjemalloc2 \ + ca-certificates + +ENV LD_PRELOAD /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 +COPY --from=builder /root/matrix-env /root/matrix-env +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app/build/matrix-synapse/entrypoint.sh b/app/build/matrix-synapse/entrypoint.sh new file mode 100755 index 0000000..b93a702 --- /dev/null +++ b/app/build/matrix-synapse/entrypoint.sh @@ -0,0 +1,3 @@ +#!/bin/sh +. /root/matrix-env/bin/activate +exec "$@" diff --git a/app/build/nextcloud/Dockerfile b/app/build/nextcloud/Dockerfile new file mode 100644 index 0000000..9f817f6 --- /dev/null +++ b/app/build/nextcloud/Dockerfile @@ -0,0 +1,27 @@ +FROM debian:10 + +RUN apt-get update && \ + apt-get -qq -y full-upgrade + +RUN apt-get install -y apache2 php php-gd php-mbstring php-pgsql php-curl php-dom php-xml php-zip \ + php-intl php-ldap php-fileinfo php-exif php-apcu php-redis php-imagick unzip curl wget && \ + phpenmod gd && \ + phpenmod curl && \ + phpenmod mbstring && \ + phpenmod pgsql && \ + phpenmod dom && \ + phpenmod zip && \ + phpenmod intl && \ + phpenmod ldap && \ + phpenmod fileinfo && \ + phpenmod exif && \ + phpenmod apcu && \ + phpenmod redis && \ + phpenmod imagick && \ + phpenmod xml + +COPY container-setup.sh /tmp +RUN /tmp/container-setup.sh + +COPY entrypoint.sh / +CMD /entrypoint.sh diff --git a/app/build/nextcloud/container-setup.sh b/app/build/nextcloud/container-setup.sh new file mode 100755 index 0000000..8330291 --- /dev/null +++ b/app/build/nextcloud/container-setup.sh @@ -0,0 +1,37 @@ +#!/bin/sh + +set -ex + +curl https://download.nextcloud.com/server/releases/nextcloud-19.0.0.zip > /tmp/nextcloud.zip +cd /var/www +unzip /tmp/nextcloud.zip +rm /tmp/nextcloud.zip +mv html html.old +mv nextcloud html + +cd html +mkdir data + +cd apps +wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz +tar xf tasks.tar.gz +wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz +tar xf maps-0.1.6.tar.gz +wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz +tar xf calendar.tar.gz +wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz +tar xf news.tar.gz +wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz +tar xf notes.tar.gz +wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz +tar xf contacts.tar.gz +wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz +tar xf mail.tar.gz +wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz +tar xf groupfolders.tar.gz +rm *.tar.gz + +chown -R www-data:www-data /var/www/html + +cd /var/www/html +php occ diff --git a/app/build/nextcloud/entrypoint.sh b/app/build/nextcloud/entrypoint.sh new file mode 100755 index 0000000..72b4f94 --- /dev/null +++ b/app/build/nextcloud/entrypoint.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +set -xe + +chown www-data:www-data /var/www/html/config/config.php +touch /var/www/html/data/.ocdata + +exec apachectl -DFOREGROUND diff --git a/app/build/opendkim/Dockerfile b/app/build/opendkim/Dockerfile new file mode 100644 index 0000000..70a39e4 --- /dev/null +++ b/app/build/opendkim/Dockerfile @@ -0,0 +1,8 @@ +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + apt-get install -y opendkim opendkim-tools + +COPY ./opendkim.conf /etc/opendkim.conf +CMD opendkim -f -v -x /etc/opendkim.conf diff --git a/app/build/opendkim/README.md b/app/build/opendkim/README.md new file mode 100644 index 0000000..e146125 --- /dev/null +++ b/app/build/opendkim/README.md @@ -0,0 +1,12 @@ +``` +sudo docker build -t superboum/amd64_opendkim:v1 . +``` + +``` +sudo docker run -t -i \ + -v `pwd`/conf:/etc/dkim \ + -v /dev/log:/dev/log \ + -p 8999:8999 + superboum/amd64_opendkim:v1 + opendkim -f -v -x /etc/opendkim.conf +``` diff --git a/app/build/opendkim/opendkim.conf b/app/build/opendkim/opendkim.conf new file mode 100644 index 0000000..0d6465f --- /dev/null +++ b/app/build/opendkim/opendkim.conf @@ -0,0 +1,12 @@ +Syslog yes +SyslogSuccess yes +LogWhy yes +UMask 007 +Mode sv +OversignHeaders From +TrustAnchorFile /usr/share/dns/root.key +KeyTable refile:/etc/dkim/keytable +SigningTable refile:/etc/dkim/signingtable +ExternalIgnoreList refile:/etc/dkim/trusted +InternalHosts refile:/etc/dkim/trusted +Socket inet:8999 diff --git a/app/build/pithos/0.7.5.tar.gz b/app/build/pithos/0.7.5.tar.gz Binary files differnew file mode 100644 index 0000000..4eb1273 --- /dev/null +++ b/app/build/pithos/0.7.5.tar.gz diff --git a/app/build/pithos/Dockerfile b/app/build/pithos/Dockerfile new file mode 100644 index 0000000..70f87d8 --- /dev/null +++ b/app/build/pithos/Dockerfile @@ -0,0 +1,4 @@ +FROM amd64/openjdk:13-alpine + +COPY pithos-0.7.5-standalone.jar /srv/pithos.jar +ENTRYPOINT ["/opt/openjdk-13/bin/java", "-jar", "/srv/pithos.jar"] diff --git a/app/build/pithos/README.md b/app/build/pithos/README.md new file mode 100644 index 0000000..3f0037d --- /dev/null +++ b/app/build/pithos/README.md @@ -0,0 +1,9 @@ +This project is considered as "dangerous" as it is tagged as "Project not under active development". +Consequently, just in case, I am backuping the .jar and the sources in this git repo. +Better safe than sorry or pretty. + +``` +sudo docker build -t superboum/amd64_pithos:v1 . +sudo docker push superboum/amd64_pithos:v1 +sudo docker run --rm -it -p 8080:8080 -v pithos.yaml:/etc/pithos/pithos.yaml superboum/amd64_pithos:v1 +``` diff --git a/app/build/pithos/pithos-0.7.5-standalone.jar b/app/build/pithos/pithos-0.7.5-standalone.jar Binary files differnew file mode 100644 index 0000000..6073e72 --- /dev/null +++ b/app/build/pithos/pithos-0.7.5-standalone.jar diff --git a/app/build/postfix/Dockerfile b/app/build/postfix/Dockerfile new file mode 100644 index 0000000..9e4c067 --- /dev/null +++ b/app/build/postfix/Dockerfile @@ -0,0 +1,11 @@ +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get install -y \ + postfix \ + postfix-ldap + +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] +CMD ["postfix", "start-fg"] diff --git a/app/build/postfix/README.md b/app/build/postfix/README.md new file mode 100644 index 0000000..ac44fc0 --- /dev/null +++ b/app/build/postfix/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_postfix:v1 . +``` + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \ + -e MAILNAME="smtp.deuxfleurs.fr" \ + -p 25:25 \ + -p 465:465 \ + -p 587:587 \ + -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \ + -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \ + -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \ + superboum/amd64_postfix:v1 \ + bash +``` + diff --git a/app/build/postfix/entrypoint.sh b/app/build/postfix/entrypoint.sh new file mode 100755 index 0000000..c7ace3d --- /dev/null +++ b/app/build/postfix/entrypoint.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp postfix.crt /etc/ssl/certs/postfix.crt + cp postfix.key /etc/ssl/private/postfix.key + chmod 400 /etc/ssl/certs/postfix.crt + chmod 400 /etc/ssl/private/postfix.key +fi + +# A way to map files inside the postfix folder :s +for file in $(ls /etc/postfix-conf); do + cp /etc/postfix-conf/${file} /etc/postfix/${file} +done + +echo ${MAILNAME} > /etc/mailname + +exec "$@" diff --git a/app/build/postgres/Dockerfile b/app/build/postgres/Dockerfile new file mode 100644 index 0000000..bb018b8 --- /dev/null +++ b/app/build/postgres/Dockerfile @@ -0,0 +1,19 @@ +FROM amd64/debian:stretch + +RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \ + apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y postgresql-all golang-1.11 git && \ + export GOPATH=/usr/local/go && \ + mkdir -p /usr/local/go/src/github.com/sorintlab && \ + cd /usr/local/go/src/github.com/sorintlab && \ + git clone --depth=1 https://github.com/sorintlab/stolon && \ + ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \ + ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \ + cd ./stolon && \ + ./build && \ + mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \ + rm -rf /usr/local/go + +USER postgres + diff --git a/app/build/postgres/README.md b/app/build/postgres/README.md new file mode 100644 index 0000000..d2f7a12 --- /dev/null +++ b/app/build/postgres/README.md @@ -0,0 +1,4 @@ +``` +docker build -t superboum/arm32v7_postgres . +docker build -t superboum/amd64_postgres:v2 . +``` diff --git a/app/build/postgres/postgresql.conf b/app/build/postgres/postgresql.conf new file mode 100644 index 0000000..8e0af2b --- /dev/null +++ b/app/build/postgres/postgresql.conf @@ -0,0 +1,25 @@ +data_directory = '/var/lib/postgresql/9.6/main' # use data in another directory +hba_file = '/etc/postgresql/9.6/main/pg_hba.conf' # host-based authentication file +ident_file = '/etc/postgresql/9.6/main/pg_ident.conf' # ident configuration file +external_pid_file = '/var/run/postgresql/9.6-main.pid' # write an extra PID file +listen_addresses = '*' #listen on every ip / interfaces +port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories +ssl = true # (change requires restart) +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart) +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart) +shared_buffers = 128MB # min 128kB +dynamic_shared_memory_type = posix # the default is the first option +log_line_prefix = '%m [%p] %q%u@%d ' # special values: +log_timezone = 'UTC' +cluster_name = '9.6/main' # added to process titles if nonempty +stats_temp_directory = '/var/run/postgresql/9.6-main.pg_stat_tmp' +datestyle = 'iso, mdy' +timezone = 'UTC' +lc_messages = 'C.UTF-8' # locale for system error message +lc_monetary = 'C.UTF-8' # locale for monetary formatting +lc_numeric = 'C.UTF-8' # locale for number formatting +lc_time = 'C.UTF-8' # locale for time formatting +default_text_search_config = 'pg_catalog.english' + diff --git a/app/build/postgres/start.sh b/app/build/postgres/start.sh new file mode 100755 index 0000000..f1d493f --- /dev/null +++ b/app/build/postgres/start.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +if [ -f /local/pg_hba.conf ]; then + echo "Copying Nomad configuration..." + cp /local/pg_hba.conf /etc/postgresql/9.6/main/ + echo "Done" +fi + + +if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then + echo "Copying base" + cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main + echo "Done" +fi + +chmod -R 700 /var/lib/postgresql/9.6/main +chown -R postgres /var/lib/postgresql/9.6/main + +echo "Starting postgres..." +. /usr/share/postgresql-common/init.d-functions +start 9.6 +tail -f /var/log/postgresql/postgresql-9.6-main.log diff --git a/app/build/riotweb/Dockerfile b/app/build/riotweb/Dockerfile new file mode 100644 index 0000000..862e2e5 --- /dev/null +++ b/app/build/riotweb/Dockerfile @@ -0,0 +1,13 @@ +FROM amd64/debian:buster as builder + +ARG VERSION +WORKDIR /root + +RUN apt-get update && \ + apt-get install -y wget && \ + wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && \ + tar xf riot-v${VERSION}.tar.gz && \ + mv riot-v${VERSION}/ riot/ + +FROM superboum/amd64_webserver:v3 +COPY --from=builder /root/riot /srv/http diff --git a/app/build/riotweb/config.json b/app/build/riotweb/config.json new file mode 100644 index 0000000..8ce8e4c --- /dev/null +++ b/app/build/riotweb/config.json @@ -0,0 +1,24 @@ +{ + "default_hs_url": "https://im.deuxfleurs.fr", + "default_is_url": "https://vector.im", + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Deuxfleurs", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html", + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "features": { + "feature_groups": "labs", + "feature_pinning": "labs" + }, + "default_federate": true, + "welcomePageUrl": "home.html", + "default_theme": "light", + "roomDirectory": { + "servers": [ "im.deuxfleurs.fr", "matrix.org" ] + } +} + diff --git a/app/build/seafile/Dockerfile b/app/build/seafile/Dockerfile new file mode 100644 index 0000000..88dee4f --- /dev/null +++ b/app/build/seafile/Dockerfile @@ -0,0 +1,46 @@ +FROM amd64/debian:buster as builder + +ENV VERSION 7.0.5 + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar && \ + wget https://download.seadrive.org/seafile-server_${VERSION}_x86-64.tar.gz -O ./seafile.tar.gz && \ + tar xf ./seafile.tar.gz && \ + mv seafile-server-${VERSION} seafile-server + +FROM amd64/debian:buster + +COPY --from=builder ./seafile-server /srv/webstore/seafile-server + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y \ + python \ + mariadb-client \ + python2.7 \ + libpython2.7 \ + python-setuptools \ + python-ldap \ + python-urllib3 \ + ffmpeg \ + python-pip \ + python-mysqldb \ + python-memcache \ + procps \ + python-requests && \ + pip install Pillow==4.3.0 && \ + pip install moviepy && \ + useradd -u 1000 -d /srv/webstore seauser && \ + chown -R seauser:1000 /srv/webstore/ + +RUN mkdir -p /usr/local/lib/mariadb/plugin/ && \ + ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/mysql_clear_password.so /usr/local/lib/mariadb/plugin/ && \ + ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/dialog.so /usr/local/lib/mariadb/plugin/ + +WORKDIR /srv/webstore/seafile-server +COPY seadocker /usr/local/bin/seadocker +COPY seaenv /usr/local/bin/seaenv + +ENTRYPOINT ["/usr/local/bin/seaenv"] +CMD ["/usr/local/bin/seadocker"] diff --git a/app/build/seafile/README.md b/app/build/seafile/README.md new file mode 100644 index 0000000..26d04e0 --- /dev/null +++ b/app/build/seafile/README.md @@ -0,0 +1,27 @@ + +```bash +sudo docker build -t superboum/amd64_seafile:v5 . +``` + +When upgrading, connect on a production server and run: + +```bash +nomad stop seafile +sudo docker build -t superboum/amd64_seafile:v6 . + +sudo docker run -t -i \ + -v /mnt/glusterfs/seafile:/mnt/seafile-data \ + -v /mnt/glusterfs/seaconf/conf:/srv/webstore/conf \ + -v /mnt/glusterfs/seaconf/ccnet:/srv/webstore/ccnet \ + superboum/amd64_seafile:v5 + +# See: +# * https://download.seafile.com/published/seafile-manual/deploy/upgrade.md +# * https://download.seafile.com/published/seafile-manual/changelog/server-changelog.md + + + +nomad start seafile.hcl +``` + +when upgrading, change the command on start diff --git a/app/build/seafile/seadocker b/app/build/seafile/seadocker new file mode 100755 index 0000000..5b5982b --- /dev/null +++ b/app/build/seafile/seadocker @@ -0,0 +1,4 @@ +#!/bin/bash +/srv/webstore/seafile-server/seafile.sh start +/srv/webstore/seafile-server/seahub.sh start +tail -f /srv/webstore/logs/* diff --git a/app/build/seafile/seaenv b/app/build/seafile/seaenv new file mode 100755 index 0000000..3b0e0bb --- /dev/null +++ b/app/build/seafile/seaenv @@ -0,0 +1,7 @@ +#!/bin/bash + +chown seauser /srv/webstore +chown seauser -R /srv/webstore/ccnet +chown seauser -R /srv/webstore/conf + +runuser -u seauser -- "$@" diff --git a/app/build/sogo/Dockerfile b/app/build/sogo/Dockerfile new file mode 100644 index 0000000..46880dd --- /dev/null +++ b/app/build/sogo/Dockerfile @@ -0,0 +1,17 @@ +#FROM amd64/debian:stretch as builder + +FROM amd64/debian:buster + +RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf + +RUN apt-get update && \ + apt-get install -y apt-transport-https gnupg2 sudo nginx && \ + rm -rf /etc/nginx/sites-enabled/* && \ + apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \ + echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \ + apt-get update && \ + apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client + +COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf +COPY entrypoint /usr/sbin/entrypoint +ENTRYPOINT ["/usr/sbin/entrypoint"] diff --git a/app/build/sogo/README.md b/app/build/sogo/README.md new file mode 100644 index 0000000..ea12245 --- /dev/null +++ b/app/build/sogo/README.md @@ -0,0 +1,20 @@ +``` +docker build -t superboum/amd64_sogo:v6 . + +# privileged is only for debug +docker run --rm -ti \ + --privileged \ + -p 8080:8080 \ + -v /tmp/sogo/log:/var/log/sogo \ + -v /tmp/sogo/run:/var/run/sogo \ + -v /tmp/sogo/spool:/var/spool/sogo \ + -v /tmp/sogo/tmp:/tmp \ + -v `pwd`/sogo:/etc/sogo:ro \ + superboum/amd64_sogo:v1 +``` + +Password must be url encoded in sogo.conf for postgres +Will need a nginx instance: http://wiki.sogo.nu/nginxSettings + +Might (or might not) be needed: +traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr diff --git a/app/build/sogo/entrypoint b/app/build/sogo/entrypoint new file mode 100755 index 0000000..8b39def --- /dev/null +++ b/app/build/sogo/entrypoint @@ -0,0 +1,13 @@ +#!/bin/bash +mkdir -p /var/log/sogo +mkdir -p /var/run/sogo +mkdir -p /var/spool/sogo +chown sogo /var/log/sogo +chown sogo /var/run/sogo +chown sogo /var/spool/sogo + +nginx -g 'daemon on; master_process on;' +sudo -u sogo memcached -d +sudo -u sogo sogod +sleep 10 +tail -n200 -f /var/log/sogo/sogo.log diff --git a/app/build/sogo/sogo.nginx.conf b/app/build/sogo/sogo.nginx.conf new file mode 100644 index 0000000..ad920a5 --- /dev/null +++ b/app/build/sogo/sogo.nginx.conf @@ -0,0 +1,83 @@ +server { + listen 8080; + server_name default_server; + root /usr/lib/GNUstep/SOGo/WebServerResources/; + + ## requirement to create new calendars in Thunderbird ## + proxy_http_version 1.1; + + # Message size limit + client_max_body_size 50m; + client_body_buffer_size 128k; + + location = / { + rewrite ^ '/SOGo'; + allow all; + } + + location = /principals/ { + rewrite ^ '/SOGo/dav'; + allow all; + } + + location ^~/SOGo { + proxy_pass 'http://127.0.0.1:20000'; + proxy_redirect 'http://127.0.0.1:20000' default; + # forward user's IP address + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header x-webobjects-server-protocol HTTP/1.0; + proxy_set_header x-webobjects-remote-host 127.0.0.1; + proxy_set_header x-webobjects-server-name $server_name; + proxy_set_header x-webobjects-server-url $scheme://$host; + proxy_set_header x-webobjects-server-port $server_port; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffer_size 4k; + proxy_buffers 4 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + break; + } + + location /SOGo.woa/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location /SOGo/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location ^~ /Microsoft-Server-ActiveSync { + access_log /var/log/nginx/activesync.log; + error_log /var/log/nginx/activesync-error.log; + + proxy_connect_timeout 75; + proxy_send_timeout 3600; + proxy_read_timeout 3600; + proxy_buffers 64 256k; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /; + } +} diff --git a/app/build/static/Dockerfile b/app/build/static/Dockerfile new file mode 100644 index 0000000..cdba59a --- /dev/null +++ b/app/build/static/Dockerfile @@ -0,0 +1,9 @@ +FROM golang:1.11.1-stretch as builder + +COPY ./goStatic /goStatic +WORKDIR /goStatic +RUN CGO_ENABLED=0 go build -a -o web-server . + +FROM scratch +COPY --from=builder /goStatic/web-server / +ENTRYPOINT ["/web-server"] diff --git a/app/build/static/README.md b/app/build/static/README.md new file mode 100644 index 0000000..d50390c --- /dev/null +++ b/app/build/static/README.md @@ -0,0 +1,5 @@ + +``` +sudo docker build -t superboum/amd64_webserver:v3 . +sudo docker push superboum/amd64_webserver:v3 +``` diff --git a/app/build/static/goStatic b/app/build/static/goStatic new file mode 160000 +Subproject 3f97f57aaee09a142afe3ca0f1a5d51acd85643 diff --git a/app/build/webpull/.gitignore b/app/build/webpull/.gitignore new file mode 100644 index 0000000..ba2906d --- /dev/null +++ b/app/build/webpull/.gitignore @@ -0,0 +1 @@ +main diff --git a/app/build/webpull/Dockerfile.nodejs b/app/build/webpull/Dockerfile.nodejs new file mode 100644 index 0000000..acc7e74 --- /dev/null +++ b/app/build/webpull/Dockerfile.nodejs @@ -0,0 +1,9 @@ +FROM node:13.8-buster + +RUN apt-get update && \ + apt-get install -y git + +COPY ./main /srv/httpd +WORKDIR /srv +CMD ["/srv/httpd"] + diff --git a/app/build/webpull/Dockerfile.ruby b/app/build/webpull/Dockerfile.ruby new file mode 100644 index 0000000..7578cca --- /dev/null +++ b/app/build/webpull/Dockerfile.ruby @@ -0,0 +1,12 @@ +FROM fedora:32 + +ENV LC_ALL=C.UTF-8 +ENV LANG=C.UTF-8 +ENV LANGUAGE=en_US.UTF-8 +ENV RUBYOPT --disable-did_you_mean + +RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel + +COPY ./main /srv/httpd +WORKDIR /srv +CMD ["/srv/httpd"] diff --git a/app/build/webpull/README.md b/app/build/webpull/README.md new file mode 100644 index 0000000..5d17d17 --- /dev/null +++ b/app/build/webpull/README.md @@ -0,0 +1,23 @@ +# webpull + +Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL + +You need to specify a secret token at boot: + +``` +WEBPULL_TOKEN=s3cr3et ./webpull +``` + +## Node.js version + +``` +go build ./main.go +sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 . +``` + +## Ruby version + +``` +go build ./main.go +sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 . +``` diff --git a/app/build/webpull/main.go b/app/build/webpull/main.go new file mode 100644 index 0000000..46c90b9 --- /dev/null +++ b/app/build/webpull/main.go @@ -0,0 +1,100 @@ +package main + +import ( + "fmt" + "errors" + "io" + "os/exec" + "os" + "log" + "net/http" + "strings" +) + +func myexec(w io.Writer, main string, params ...string) error { + cmd := exec.Command(main, params...) + cmd.Stdout = w + cmd.Stderr = w + err := cmd.Run() + if err != nil { + fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " ")) + } + return err +} + +func update(w io.Writer) error { + fmt.Fprintf(w, "Start update...\n") + _, err := os.Stat("./.git") + if err != nil { + fmt.Fprintf(w, ".git folder does not exist, creating it...\n") + err := myexec(w, "git", "init") + if err != nil { + return err + } + } + + err = myexec(w, "git", "remote", "get-url", "origin") + if err != nil { + repo, exists := os.LookupEnv("WEBPULL_REPO") + if !exists { + fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n") + return errors.New("Missing environment variable WEBPULL_REPO") + } + fmt.Fprintf(w, "git remote is not yet set...\n") + err := myexec(w, "git", "remote", "add", "origin", repo) + if err != nil { + return err + } + } + + err = myexec(w, "git", "pull", "origin", "master") + if err != nil { + fmt.Fprintf(w, "Failed to pull...\n") + return err + } + + _, err = os.Stat("./.webpull") + if err != nil { + fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n") + return err + } + + err = myexec(w, "./.webpull") + if err != nil { + fmt.Fprintf(w, "An error occured during script execution\n") + return err + } + + fmt.Fprintf(w, "Success.\n") + return nil +} + +func main() { + token, exists := os.LookupEnv("WEBPULL_TOKEN") + if !exists { + log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined") + } + + if update(os.Stdout) != nil { + log.Fatal("Initial 'update' failed") + } + + fs := http.FileServer(http.Dir("./static")) + http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) { + keys, ok := r.URL.Query()["token"] + if !ok || len(keys[0]) < 1 { + http.Error(w, "Missing 'token' query parameter", 401) + return + } + + if keys[0] != token { + http.Error(w, "Wrong token", 401) + return + } + + update(w) + }) + http.Handle("/", fs) + + log.Fatal(http.ListenAndServe(":8080", nil)) +} diff --git a/app/config/configuration/.gitignore b/app/config/configuration/.gitignore new file mode 100644 index 0000000..056b4d2 --- /dev/null +++ b/app/config/configuration/.gitignore @@ -0,0 +1,33 @@ +# Blacklist everything cleverly +* +!*/ + +# Whitelist some patterns +!*.sample +!*.gen +!*.tpl +!.gitignore + +# Whitelist specific files +!seafile/conf/seafdav.conf +!seafile/ccnet/seafile.ini + +!email/dkim/keytable +!email/dkim/signingtable +!email/dkim/trusted +!email/postfix/dynamicmaps.cf +!email/postfix/header_checks +!email/postfix/main.cf +!email/postfix/master.cf +!email/postfix/transport +!email/postfix/transport.db + +!email/sogo/sogo.conf.tpl + +!chat/**/* + +!directory/*/* + +!traefik/traefik.toml + +!garage/config.toml diff --git a/app/config/configuration/chat/coturn/turnserver.conf.tpl b/app/config/configuration/chat/coturn/turnserver.conf.tpl new file mode 100644 index 0000000..f867ac0 --- /dev/null +++ b/app/config/configuration/chat/coturn/turnserver.conf.tpl @@ -0,0 +1,19 @@ +use-auth-secret +static-auth-secret={{ key "secrets/chat/coturn/static-auth" | trimSpace }} +realm=turn.deuxfleurs.fr + +# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. +#no-tcp-relay + +# don't let the relay ever try to connect to private IP address ranges within your network (if any) +# given the turn server is likely behind your firewall, remember to include any privileged public IPs too. +#denied-peer-ip=10.0.0.0-10.255.255.255 +#denied-peer-ip=192.168.0.0-192.168.255.255 +#denied-peer-ip=172.16.0.0-172.31.255.255 + +# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. +user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. +total-quota=1200 + +min-port=49152 +max-port=49252 diff --git a/app/config/configuration/chat/easybridge/config.json.tpl b/app/config/configuration/chat/easybridge/config.json.tpl new file mode 100644 index 0000000..40ecc44 --- /dev/null +++ b/app/config/configuration/chat/easybridge/config.json.tpl @@ -0,0 +1,17 @@ +{ + "log_level": "info", + "easybridge_avatar": "/app/easybridge.jpg", + + "web_bind_addr": "0.0.0.0:8281", + "web_url": "https://easybridge.deuxfleurs.fr", + "web_session_key": "{{ key "secrets/chat/easybridge/web_session_key" | trimSpace }}", + + "appservice_bind_addr": "0.0.0.0:8321", + "registration": "/data/registration.yaml", + "homeserver_url": "https://im.deuxfleurs.fr", + "matrix_domain": "deuxfleurs.fr", + "name_format": "{}_ezbr_", + + "db_type": "postgres", + "db_path": "host=psql-proxy.service.2.cluster.deuxfleurs.fr port=5432 user={{ key "secrets/chat/easybridge/db_user" | trimSpace }} dbname=easybridge password={{ key "secrets/chat/easybridge/db_pass" | trimSpace }} sslmode=disable" +} diff --git a/app/config/configuration/chat/easybridge/registration.yaml.tpl b/app/config/configuration/chat/easybridge/registration.yaml.tpl new file mode 100644 index 0000000..ec098fd --- /dev/null +++ b/app/config/configuration/chat/easybridge/registration.yaml.tpl @@ -0,0 +1,14 @@ +id: Easybridge +url: http://easybridge-api.service.2.cluster.deuxfleurs.fr:8321 +as_token: {{ key "secrets/chat/easybridge/as_token" | trimSpace }} +hs_token: {{ key "secrets/chat/easybridge/hs_token" | trimSpace }} +sender_localpart: _ezbr_ +rate_limited: false +namespaces: + users: + - exclusive: true + regex: '@.*_ezbr_' + aliases: + - exclusive: true + regex: '#.*_ezbr_' + rooms: [] diff --git a/app/config/configuration/chat/fb2mx/config.yaml b/app/config/configuration/chat/fb2mx/config.yaml new file mode 100644 index 0000000..964c681 --- /dev/null +++ b/app/config/configuration/chat/fb2mx/config.yaml @@ -0,0 +1,133 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: https://im.deuxfleurs.fr + # The domain of the homeserver (for MXIDs, etc). + domain: deuxfleurs.fr + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29319 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}' + + # The unique ID of this appservice. + id: facebook + # Username of the appservice bot. + bot_username: facebookbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Facebook bridge bot + bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv + + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + community_id: "+fbusers:deuxfleurs.fr" + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' + hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' + +# Bridge config +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: "facebook_{userid}" + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + # {localpart} is the MXID localpart and {server} is the MXID server part of the user. + # + # `facebook_{localpart}={server}` is a good value. + community_template: "facebook_{localpart}={server}" + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: "{displayname} (FB)" + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!fb" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Facebook account. + sync_with_custom_puppets: true + # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast + # presence, but then it won't send other users' presence to the client. + presence: true + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "deuxfleurs.fr": "user" + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: normal + filename: ./mautrix-facebook.log + maxBytes: 10485760 + backupCount: 10 + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + fbchat: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [file, console] diff --git a/app/config/configuration/chat/fb2mx/registration.yaml b/app/config/configuration/chat/fb2mx/registration.yaml new file mode 100644 index 0000000..c3d8c05 --- /dev/null +++ b/app/config/configuration/chat/fb2mx/registration.yaml @@ -0,0 +1,11 @@ +id: facebook +as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' +hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' +namespaces: + users: + - exclusive: true + regex: '@facebook_.+:deuxfleurs.fr' + group_id: '+fbusers:deuxfleurs.fr' +url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 +sender_localpart: facebookbot +rate_limited: false diff --git a/app/config/configuration/chat/riot_web/config.json b/app/config/configuration/chat/riot_web/config.json new file mode 100644 index 0000000..5844afc --- /dev/null +++ b/app/config/configuration/chat/riot_web/config.json @@ -0,0 +1,25 @@ +{ + "default_hs_url": "https://im.deuxfleurs.fr", + "default_is_url": "https://vector.im", + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Deuxfleurs", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "features": { + "feature_groups": "labs", + "feature_pinning": "labs" + }, + "default_federate": true, + "welcomePageUrl": "home.html", + "default_theme": "light", + "roomDirectory": { + "servers": [ "im.deuxfleurs.fr", "matrix.org" ] + }, + "jitsi": { + "preferredDomain": "jitsi.deuxfleurs.fr" + } +} diff --git a/app/config/configuration/chat/synapse/conf.d/report_stats.yaml b/app/config/configuration/chat/synapse/conf.d/report_stats.yaml new file mode 100644 index 0000000..cb95cc3 --- /dev/null +++ b/app/config/configuration/chat/synapse/conf.d/report_stats.yaml @@ -0,0 +1 @@ +report_stats: true diff --git a/app/config/configuration/chat/synapse/conf.d/server_name.yaml b/app/config/configuration/chat/synapse/conf.d/server_name.yaml new file mode 100644 index 0000000..540ce45 --- /dev/null +++ b/app/config/configuration/chat/synapse/conf.d/server_name.yaml @@ -0,0 +1 @@ +server_name: deuxfleurs.fr diff --git a/app/config/configuration/chat/synapse/homeserver.yaml b/app/config/configuration/chat/synapse/homeserver.yaml new file mode 100644 index 0000000..7f313f6 --- /dev/null +++ b/app/config/configuration/chat/synapse/homeserver.yaml @@ -0,0 +1,420 @@ +# vim:ft=yaml + +server_name: "deuxfleurs.fr" +# PEM encoded X509 certificate for TLS. +# You can replace the self-signed certificate that synapse +# autogenerates on launch with your own SSL certificate + key pair +# if you like. Any required intermediary certificates can be +# appended after the primary certificate in hierarchical order. +tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" + +# PEM encoded private key for TLS +tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" + +# PEM dh parameters for ephemeral keys +tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" + +# Don't bind to the https port +no_tls: True + + +## Server ## + +# When running as a daemon, the file to store the pid in +pid_file: "/var/run/matrix-synapse.pid" + +# Whether to serve a web client from the HTTP/HTTPS root resource. +web_client: False + +# The public-facing base URL for the client API (not including _matrix/...) +public_baseurl: https://im.deuxfleurs.fr/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +soft_file_limit: 0 + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# gc_thresholds: [700, 10, 10] + +# A list of other Home Servers to fetch the public room directory from +# and include in the public room directory of this home server +# This is a temporary stopgap solution to populate new server with a +# list of rooms until there exists a good solution of a decentralized +# room directory. +# secondary_directory_servers: +# - matrix.org +# - vector.im + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +listeners: + # Unsecure HTTP listener, + # For when matrix traffic passes through loadbalancer that unwraps TLS. + - port: 8008 + tls: false + bind_address: '' + type: http + + x_forwarded: false + + resources: + - names: [client] + compress: true + + - port: 8448 + tls: false + bind_address: '' + type: http + + x_forwarded: false + + resources: + - names: [federation] + compress: false + + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # - port: 9000 + # bind_address: 127.0.0.1 + # type: manhole + + +# Database configuration +database: + name: psycopg2 + args: + user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }} + password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} + database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }} + host: psql-proxy.service.2.cluster.deuxfleurs.fr + port: 5432 + cp_min: 5 + cp_max: 10 +# Number of events to cache in memory. +event_cache_size: "10K" + + +# A yaml python logging config file +log_config: "/etc/matrix-synapse/log.yaml" + +# Stop twisted from discarding the stack traces of exceptions in +# deferreds by waiting a reactor tick before running a deferred's +# callbacks. +# full_twisted_stacktraces: true + + +## Ratelimiting ## + +# Number of messages a client can send per second +rc_messages_per_second: 0.2 + +# Number of message a client can send before being throttled +rc_message_burst_count: 10.0 + +# The federation window size in milliseconds +federation_rc_window_size: 1000 + +# The number of federation requests from a single server in a window +# before the server will delay processing the request. +federation_rc_sleep_limit: 10 + +# The duration in milliseconds to delay processing events from +# remote servers by if they go over the sleep limit. +federation_rc_sleep_delay: 500 + +# The maximum number of concurrent federation requests allowed +# from a single server +federation_rc_reject_limit: 50 + +# The number of federation requests to concurrently process from a +# single server +federation_rc_concurrent: 3 + + + +# Directory where uploaded images and attachments are stored. +media_store_path: "/var/lib/matrix-synapse/media" +uploads_path: "/var/lib/matrix-synapse/uploads" + +# The largest allowed upload size in bytes +max_upload_size: "100M" + +# Maximum number of pixels that will be thumbnailed +max_image_pixels: "32M" + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +dynamic_thumbnails: false + +# List of thumbnail to precalculate when an image is uploaded. +thumbnail_sizes: +- width: 32 + height: 32 + method: crop +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 640 + height: 480 + method: scale +- width: 800 + height: 600 + method: scale + +# Is the preview URL API enabled? If enabled, you *must* specify +# an explicit url_preview_ip_range_blacklist of IPs that the spider is +# denied from accessing. +url_preview_enabled: True + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' +# +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +# url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +# url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +max_spider_size: "10M" + + + + +## Captcha ## + +# This Home Server's ReCAPTCHA public key. +recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This Home Server's ReCAPTCHA private key. +recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Enables ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. +enable_registration_captcha: False + +# A secret key used to bypass the captcha test entirely. +#captcha_bypass_secret: "YOUR_SECRET_HERE" + +# The API endpoint to use for verifying m.login.recaptcha responses. +recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + + +## Turn ## + +# The public URIs of the TURN server to give to clients +turn_uris: [ "turn:turn.deuxfleurs.fr:3478?transport=udp", "turn:turn.deuxfleurs.fr:3478?transport=tcp" ] + +# The shared secret used to compute passwords for the TURN server +turn_shared_secret: '{{ key "secrets/chat/coturn/static-auth" | trimSpace }}' + +# How long generated TURN credentials last +turn_user_lifetime: "1h" + +turn_allow_guests: True + +## Registration ## + +# Enable registration for new users. +enable_registration: False + +# If set, allows registration by anyone who also has the shared +# secret, even if registration is otherwise disabled. +registration_shared_secret: '{{ key "secrets/chat/synapse/registration_shared_secret" | trimSpace }}' + +# Sets the expiry for the short term user creation in +# milliseconds. For instance the bellow duration is two weeks +# in milliseconds. +user_creation_max_duration: 1209600000 + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number of rounds is 12. +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +allow_guest_access: True + +# The list of identity servers trusted to verify third party +# identifiers by this server. +trusted_third_party_id_servers: + - matrix.org + - vector.im + + +## Metrics ### + +# Enable collection and rendering of performance metrics +enable_metrics: False + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + + +# A list of application service config file to use +app_service_config_files: + - "/etc/matrix-synapse/easybridge_registration.yaml" + #- "/etc/matrix-synapse/fb2mx_registration.yaml" + + +# macaroon_secret_key: <PRIVATE STRING> + +# Used to enable access token expiration. +expire_access_token: False + +## Signing Keys ## + +# Path to the signing key to sign messages with +signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. E.g. it has lost its private key +old_signing_keys: {} +# "ed25519:auto": +# # Base64 encoded public key +# key: "The public part of your old signing key." +# # Millisecond POSIX timestamp when the key expired. +# expired_ts: 123456789123 + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. +perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + + +# Enable SAML2 for registration and login. Uses pysaml2 +# config_path: Path to the sp_conf.py configuration file +# idp_redirect_url: Identity provider URL which will redirect +# the user back to /login/saml2 with proper info. +# See pysaml2 docs for format of config. +#saml2_config: +# enabled: true +# config_path: "/home/erikj/git/synapse/sp_conf.py" +# idp_redirect_url: "http://test/idp" + + + +# Enable CAS for registration and login. +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homesever.domain.com:8448" +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +# jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + +password_providers: + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389" + start_tls: false + bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' + bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' + base: "ou=users,dc=deuxfleurs,dc=fr" + attributes: + uid: "cn" + name: "displayName" + mail: "mail" + +# Enable password for login. +password_config: + enabled: true + +# Enable sending emails for notification events +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 +# notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>" +# app_name: Matrix +# template_dir: res/templates +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# notif_for_new_users: True + +# Key that had to be added after some synapse updates to please matrix developers... +report_stats: false +suppress_key_server_warning: true +enable_group_creation: true diff --git a/app/config/configuration/chat/synapse/log.yaml b/app/config/configuration/chat/synapse/log.yaml new file mode 100644 index 0000000..eb69d8f --- /dev/null +++ b/app/config/configuration/chat/synapse/log.yaml @@ -0,0 +1,41 @@ + +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/homeserver.log + maxBytes: 10485760 + backupCount: 3 + filters: [context] + level: WARN + console: + class: logging.StreamHandler + formatter: precise + level: WARN + +loggers: + synapse: + level: INFO + + synapse.storage.SQL: + level: INFO + + ldap3: + level: DEBUG + ldap_auth_provider: + level: DEBUG + +root: + level: INFO + handlers: [file, console] diff --git a/app/config/configuration/directory/bottin/config.json b/app/config/configuration/directory/bottin/config.json new file mode 100644 index 0000000..c30a4d5 --- /dev/null +++ b/app/config/configuration/directory/bottin/config.json @@ -0,0 +1,31 @@ +{ + "suffix": "dc=deuxfleurs,dc=fr", + "bind": "0.0.0.0:1389", + "consul_host": "http://consul.service.2.cluster.deuxfleurs.fr:8500", + "log_level": "debug", + "acl": [ + "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword", + "*::read modify:SELF:*", + "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", + "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*", + "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:", + "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*", + + "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", + "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*" + ] +} diff --git a/app/config/configuration/directory/guichet/config.json.tpl b/app/config/configuration/directory/guichet/config.json.tpl new file mode 100644 index 0000000..98e2297 --- /dev/null +++ b/app/config/configuration/directory/guichet/config.json.tpl @@ -0,0 +1,30 @@ +{ + "http_bind_addr": ":9991", + "ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389", + + "base_dn": "dc=deuxfleurs,dc=fr", + "user_base_dn": "ou=users,dc=deuxfleurs,dc=fr", + "user_name_attr": "cn", + "group_base_dn": "ou=groups,dc=deuxfleurs,dc=fr", + "group_name_attr": "cn", + + "invitation_base_dn": "ou=invitations,dc=deuxfleurs,dc=fr", + "invitation_name_attr": "cn", + "invited_mail_format": "{}@deuxfleurs.fr", + "invited_auto_groups": [ + "cn=email,ou=groups,dc=deuxfleurs,dc=fr", + "cn=seafile,ou=groups,dc=deuxfleurs,dc=fr", + "cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr" + ], + + "web_address": "https://guichet.deuxfleurs.fr", + "mail_from": "coucou@deuxfleurs.fr", + "smtp_server": "adnab.me:25", + "smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}", + "smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}", + + "admin_account": "cn=admin,dc=deuxfleurs,dc=fr", + "group_can_admin": "cn=admin,ou=groups,dc=deuxfleurs,dc=fr", + "group_can_invite": "cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr" +} + diff --git a/app/config/configuration/email/dkim/keytable b/app/config/configuration/email/dkim/keytable new file mode 100644 index 0000000..f4ac7cd --- /dev/null +++ b/app/config/configuration/email/dkim/keytable @@ -0,0 +1 @@ +smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private diff --git a/app/config/configuration/email/dkim/signingtable b/app/config/configuration/email/dkim/signingtable new file mode 100644 index 0000000..60d66ff --- /dev/null +++ b/app/config/configuration/email/dkim/signingtable @@ -0,0 +1,2 @@ +*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr +*@dufour.io smtp._domainkey.deuxfleurs.fr diff --git a/app/config/configuration/email/dkim/smtp.private.sample b/app/config/configuration/email/dkim/smtp.private.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/configuration/email/dkim/smtp.private.sample diff --git a/app/config/configuration/email/dkim/smtp.txt.sample b/app/config/configuration/email/dkim/smtp.txt.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/configuration/email/dkim/smtp.txt.sample diff --git a/app/config/configuration/email/dkim/trusted b/app/config/configuration/email/dkim/trusted new file mode 100644 index 0000000..a01170d --- /dev/null +++ b/app/config/configuration/email/dkim/trusted @@ -0,0 +1,4 @@ +127.0.0.1 +localhost +192.168.1.0/24 +172.16.0.0/12 diff --git a/app/config/configuration/email/dovecot/certs.gen b/app/config/configuration/email/dovecot/certs.gen new file mode 100755 index 0000000..f26e917 --- /dev/null +++ b/app/config/configuration/email/dovecot/certs.gen @@ -0,0 +1,13 @@ +#!/bin/bash + +TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" +openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout dovecot.key \ + -out dovecot.crt + diff --git a/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl b/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl new file mode 100644 index 0000000..9fb1ea6 --- /dev/null +++ b/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl @@ -0,0 +1,8 @@ +hosts = bottin2.service.2.cluster.deuxfleurs.fr +dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }} +dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }} +base = dc=deuxfleurs,dc=fr +scope = subtree +user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) +pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) +user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/app/config/configuration/email/postfix/certs.gen b/app/config/configuration/email/postfix/certs.gen new file mode 100755 index 0000000..f25439b --- /dev/null +++ b/app/config/configuration/email/postfix/certs.gen @@ -0,0 +1,13 @@ +#!/bin/bash + +TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" +openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + diff --git a/app/config/configuration/email/postfix/dynamicmaps.cf b/app/config/configuration/email/postfix/dynamicmaps.cf new file mode 100644 index 0000000..32d8f62 --- /dev/null +++ b/app/config/configuration/email/postfix/dynamicmaps.cf @@ -0,0 +1,9 @@ +# Postfix dynamic maps configuration file. +# +# The first match found is the one that is used. Wildcards are not supported +# as of postfix 2.0.2 +# +#type location of .so file open function (mkmap func) +#==== ================================ ============= ============ +ldap postfix-ldap.so dict_ldap_open +sqlite postfix-sqlite.so dict_sqlite_open diff --git a/app/config/configuration/email/postfix/header_checks b/app/config/configuration/email/postfix/header_checks new file mode 100644 index 0000000..cad52ec --- /dev/null +++ b/app/config/configuration/email/postfix/header_checks @@ -0,0 +1,3 @@ +/^Received:/ IGNORE +/^X-Originating-IP:/ IGNORE +/^X-Mailer:/ IGNORE diff --git a/app/config/configuration/email/postfix/ldap-account.cf.tpl b/app/config/configuration/email/postfix/ldap-account.cf.tpl new file mode 100644 index 0000000..2575f10 --- /dev/null +++ b/app/config/configuration/email/postfix/ldap-account.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=users,dc=deuxfleurs,dc=fr +query_filter = mail=%s +result_attribute = mail diff --git a/app/config/configuration/email/postfix/ldap-alias.cf.tpl b/app/config/configuration/email/postfix/ldap-alias.cf.tpl new file mode 100644 index 0000000..775c0ad --- /dev/null +++ b/app/config/configuration/email/postfix/ldap-alias.cf.tpl @@ -0,0 +1,9 @@ +server_host = bottin2.service.2.cluster.deuxfleurs.fr +server_port = 389 +search_base = dc=deuxfleurs,dc=fr +query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) +result_attribute = mail +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 diff --git a/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl b/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl new file mode 100644 index 0000000..e013953 --- /dev/null +++ b/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr +query_filter = (&(objectclass=dNSDomain)(domain=%s)) +result_attribute = domain diff --git a/app/config/configuration/email/postfix/main.cf b/app/config/configuration/email/postfix/main.cf new file mode 100644 index 0000000..4204cb4 --- /dev/null +++ b/app/config/configuration/email/postfix/main.cf @@ -0,0 +1,104 @@ +#=== +# Base configuration +#=== +myhostname = smtp.deuxfleurs.fr +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = smtp.deuxfleurs.fr +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_protocols = all +inet_interfaces = all +message_size_limit = 204800000 +smtpd_banner = $myhostname +biff = no +append_dot_mydomain = no +readme_directory = no +compatibility_level = 2 + +#=== +# TLS parameters +#=== +smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt +smtpd_tls_key_file=/etc/ssl/private/postfix.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +smtp_tls_security_level = may + +#=== +# Remove privacy related content from emails +#=== +mime_header_checks = regexp:/etc/postfix/header_checks +header_checks = regexp:/etc/postfix/header_checks + +#=== +# Handle user authentication (handled by dovecot) +#=== +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337 +smtpd_sasl_type = dovecot + +#=== +# Restrictions / Checks +#=== +# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists + +# Require a valid HELO +smtpd_helo_required = yes +# As we use the same postfix to send and receive, +# we can't enforce a valid HELO hostname... +#smtpd_helo_restrictions = +# reject_unknown_helo_hostname + +# Require that sender email has a valid domain +smtpd_sender_restrictions = + reject_unknown_sender_domain + +# Delivering email policy +# MyNetwork is required by sogo +smtpd_recipient_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + reject_rbl_client zen.spamhaus.org + reject_rhsbl_reverse_client dbl.spamhaus.org + reject_rhsbl_helo dbl.spamhaus.org + reject_rhsbl_sender dbl.spamhaus.org + +# Sending email policy +# MyNetwork is required by sogo +smtpd_relay_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + +smtpd_data_restrictions = reject_unauth_pipelining + +smtpd_client_connection_rate_limit = 2 + +#=== +# Rate limiting +#=== +slow_destination_recipient_limit = 20 +slow_destination_concurrency_limit = 2 + +#==== +# Transport configuration +#==== +transport_maps = hash:/etc/postfix/transport +virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf +virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf +virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf +virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24 + +#=== +# Mail filters +#=== +milter_default_action = accept +milter_protocol = 6 +smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 +non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 diff --git a/app/config/configuration/email/postfix/master.cf b/app/config/configuration/email/postfix/master.cf new file mode 100644 index 0000000..53bc601 --- /dev/null +++ b/app/config/configuration/email/postfix/master.cf @@ -0,0 +1,114 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - n - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +slow unix - - n - 5 smtp + -o syslog_name=postfix-slow + -o smtp_destination_concurrency_limit=3 + -o slow_destination_rate_delay=1 + + +#628 inet n - - - - qmqpd +pickup fifo n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +smtp unix - - n - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +relay unix - - n - - smtp + -o smtp_fallback_relay= +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +scache unix - - n - 1 scache +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} diff --git a/app/config/configuration/email/postfix/transport b/app/config/configuration/email/postfix/transport new file mode 100644 index 0000000..68f62c5 --- /dev/null +++ b/app/config/configuration/email/postfix/transport @@ -0,0 +1,5 @@ +#wanadoo.com slow: +#wanadoo.fr slow: +#orange.com slow: +#orange.fr slow: +#smtp.orange.fr slow: diff --git a/app/config/configuration/email/postfix/transport.db b/app/config/configuration/email/postfix/transport.db Binary files differnew file mode 100644 index 0000000..487f394 --- /dev/null +++ b/app/config/configuration/email/postfix/transport.db diff --git a/app/config/configuration/email/sogo/sogo.conf.tpl b/app/config/configuration/email/sogo/sogo.conf.tpl new file mode 100644 index 0000000..d4261e5 --- /dev/null +++ b/app/config/configuration/email/sogo/sogo.conf.tpl @@ -0,0 +1,68 @@ +{ + WONoDetach = NO; + WOWorkersCount = 10; + WOPort = "127.0.0.1:20000"; + SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_user_profile"; + OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_sessions_folder"; + OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_alarms_folder"; + OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_store"; + OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_acl"; + OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_cache_folder"; + SOGoTimeZone = "Europe/Paris"; + SOGoMailDomain = "deuxfleurs.fr"; + SOGoLanguage = French; + SOGoAppointmentSendEMailNotifications = YES; + SOGoEnablePublicAccess = YES; + SOGoMailingMechanism = smtp; + SOGoSMTPServer = postfix-smtp.service.2.cluster.deuxfleurs.fr; + SOGoSMTPAuthenticationType = PLAIN; + SOGoForceExternalLoginWithEmail = YES; + SOGoIMAPAclConformsToIMAPExt = YES; + SOGoTimeZone = UTC; + SOGoSentFolderName = Sent; + SOGoTrashFolderName = Trash; + SOGoDraftsFolderName = Drafts; + SOGoIMAPServer = "imaps://dovecot-imaps.service.2.cluster.deuxfleurs.fr:993/?tlsVerifyMode=none"; + SOGoSieveServer = "sieve://sieve.service.2.cluster.deuxfleurs.fr:4190/?tls=YES"; + SOGoIMAPAclConformsToIMAPExt = YES; + SOGoVacationEnabled = NO; + SOGoForwardEnabled = NO; + SOGoSieveScriptsEnabled = NO; + SOGoFirstDayOfWeek = 1; + SOGoRefreshViewCheck = every_5_minutes; + SOGoMailAuxiliaryUserAccountsEnabled = NO; + SOGoPasswordChangeEnabled = YES; + SOGoPageTitle = "deuxfleurs.fr"; + SOGoLoginModule = Mail; + SOGoMailAddOutgoingAddresses = YES; + SOGoSelectedAddressBook = autobook; + SOGoMailAuxiliaryUserAccountsEnabled = YES; + SOGoCalendarEventsDefaultClassification = PRIVATE; + SOGoMailReplyPlacement = above; + SOGoMailSignaturePlacement = above; + SOGoMailComposeMessageType = html; + + SOGoLDAPContactInfoAttribute = "displayname"; + + SOGoUserSources = ( + { + type = ldap; + CNFieldName = displayname; + IDFieldName = cn; + UIDFieldName = cn; + MailFieldNames = (mail, mailForwardingAddress); + SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber); + IMAPLoginFieldName = mail; + baseDN = "ou=users,dc=deuxfleurs,dc=fr"; + bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}"; + bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}"; + bindFields = (cn, mail); + canAuthenticate = YES; + displayName = "Bottin"; + hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"; + id = bottin; + isAddressBook = NO; + } + ); +} diff --git a/app/config/configuration/mariadb/main/env.tpl b/app/config/configuration/mariadb/main/env.tpl new file mode 100644 index 0000000..0fe903b --- /dev/null +++ b/app/config/configuration/mariadb/main/env.tpl @@ -0,0 +1,6 @@ +LDAP_URI = "ldap://bottin2.service.2.cluster.deuxfleurs.fr" +LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr" +LDAP_VERSION = 3 +LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}" +LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}" +MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}" diff --git a/app/config/configuration/nextcloud/config.php.tpl b/app/config/configuration/nextcloud/config.php.tpl new file mode 100644 index 0000000..7dcfc6e --- /dev/null +++ b/app/config/configuration/nextcloud/config.php.tpl @@ -0,0 +1,49 @@ +<?php +$CONFIG = array ( + 'appstoreenabled' => false, + 'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}', + 'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}', + 'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}', + 'trusted_domains' => array ( + 0 => 'nextcloud.deuxfleurs.fr', + ), + 'memcache.local' => '\\OC\\Memcache\\APCu', + + 'objectstore' => array( + 'class' => '\\OC\\Files\\ObjectStore\\S3', + 'arguments' => array( + 'bucket' => 'nextcloud', + 'autocreate' => false, + 'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}', + 'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}', + 'hostname' => 'garage.deuxfleurs.fr', + 'port' => 443, + 'use_ssl' => true, + 'region' => 'garage', + // required for some non Amazon S3 implementations + 'use_path_style' => true + ), + ), + + 'dbtype' => 'pgsql', + 'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr', + 'dbname' => 'nextcloud', + 'dbtableprefix' => 'nc_', + 'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}', + 'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}', + + 'default_language' => 'fr', + 'default_locale' => 'fr_FR', + + 'mail_domain' => 'deuxfleurs.fr', + 'mail_from_address' => 'nextcloud@deuxfleurs.fr', + // TODO SMTP CONFIG + + // TODO REDIS CACHE + + 'version' => '19.0.0.12', + 'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr', + + 'installed' => true, +); + diff --git a/app/config/configuration/postgres/keeper/env.tpl b/app/config/configuration/postgres/keeper/env.tpl new file mode 100644 index 0000000..7831aad --- /dev/null +++ b/app/config/configuration/postgres/keeper/env.tpl @@ -0,0 +1,3 @@ +PG_SU_PWD={{ key "secrets/postgres/keeper/pg_su_pwd" | trimSpace }} +PG_REPL_USER={{ key "secrets/postgres/keeper/pg_repl_username" | trimSpace }} +PG_REPL_PWD={{ key "secrets/postgres/keeper/pg_repl_pwd" | trimSpace }} diff --git a/app/config/configuration/seafile/ccnet/mykey.peer.sample b/app/config/configuration/seafile/ccnet/mykey.peer.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/configuration/seafile/ccnet/mykey.peer.sample diff --git a/app/config/configuration/seafile/ccnet/seafile.ini b/app/config/configuration/seafile/ccnet/seafile.ini new file mode 100644 index 0000000..306d126 --- /dev/null +++ b/app/config/configuration/seafile/ccnet/seafile.ini @@ -0,0 +1 @@ +/mnt/seafile-data/
\ No newline at end of file diff --git a/app/config/configuration/seafile/conf/ccnet.conf.tpl b/app/config/configuration/seafile/conf/ccnet.conf.tpl new file mode 100644 index 0000000..2395a9b --- /dev/null +++ b/app/config/configuration/seafile/conf/ccnet.conf.tpl @@ -0,0 +1,29 @@ +[General] +USER_NAME = deuxfleurs +ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }} +NAME = deuxfleurs +SERVICE_URL = https://cloud.deuxfleurs.fr + +[Network] +PORT = 10001 + +[Client] +PORT = 13418 + +[LDAP] +HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/ +BASE = ou=users,dc=deuxfleurs,dc=fr +USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }} +FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr +PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }} +LOGIN_ATTR = mail + +[Database] +ENGINE = mysql +HOST = mariadb.service.2.cluster.deuxfleurs.fr +PORT = 3306 +USER = seafile +PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} +DB = ccnet-db +CONNECTION_CHARSET = utf8 + diff --git a/app/config/configuration/seafile/conf/mykey.peer.sample b/app/config/configuration/seafile/conf/mykey.peer.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/configuration/seafile/conf/mykey.peer.sample diff --git a/app/config/configuration/seafile/conf/seafdav.conf b/app/config/configuration/seafile/conf/seafdav.conf new file mode 100644 index 0000000..49a79a2 --- /dev/null +++ b/app/config/configuration/seafile/conf/seafdav.conf @@ -0,0 +1,5 @@ +[WEBDAV] +enabled = true +port = 8084 +fastcgi = false +share_name = /seafdav diff --git a/app/config/configuration/seafile/conf/seafile.conf.tpl b/app/config/configuration/seafile/conf/seafile.conf.tpl new file mode 100644 index 0000000..f224234 --- /dev/null +++ b/app/config/configuration/seafile/conf/seafile.conf.tpl @@ -0,0 +1,19 @@ +[network] +port = 12001 + +[fileserver] +port = 8082 +max_upload_size=8192 +max_download_dir_size=8192 + +[database] +type = mysql +host = mariadb.service.2.cluster.deuxfleurs.fr +port = 3306 +user = seafile +password = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} +db_name = seafile-db +connection_charset = utf8 + +[quota] +default = 50 diff --git a/app/config/configuration/seafile/conf/seahub_settings.py.tpl b/app/config/configuration/seafile/conf/seahub_settings.py.tpl new file mode 100644 index 0000000..6c63ee4 --- /dev/null +++ b/app/config/configuration/seafile/conf/seahub_settings.py.tpl @@ -0,0 +1,21 @@ +SECRET_KEY = "8ep+sgi&s1-f2cq2178!ekk!0h0nw2y4z1-olbaopxmodsd8vk" +FILE_SERVER_ROOT = 'https://cloud.deuxfleurs.fr/seafhttp' +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.mysql', + 'NAME': 'seahub-db', + 'USER': 'seafile', + 'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}', + 'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr', + 'PORT': '3306', + 'OPTIONS': { + 'init_command': 'SET storage_engine=INNODB', + } + } +} +FILE_PREVIEW_MAX_SIZE = 100 * 1024 * 1024 +ENABLE_THUMBNAIL = True +THUMBNAIL_ROOT = '/mnt/seafile-data/thumbnail/thumb/' +THUMBNAIL_EXTENSION = 'png' +THUMBNAIL_DEFAULT_SIZE = '24' +PREVIEW_DEFAULT_SIZE = '300' diff --git a/app/config/configuration/traefik/traefik.toml b/app/config/configuration/traefik/traefik.toml new file mode 100644 index 0000000..03fca8a --- /dev/null +++ b/app/config/configuration/traefik/traefik.toml @@ -0,0 +1,45 @@ +InsecureSkipVerify = true +defaultEntryPoints = ["http", "https"] + +[entryPoints] + [entryPoints.admin] + address = ":8082" + + [entryPoints.http] + address = ":80" + [entryPoints.http.redirect] + entryPoint = "https" + + [entryPoints.https] + address = ":443" + compress = true + [entryPoints.https.tls] + +[ping] +entrypoint = "admin" + +[retry] + +[acme] + email = "quentin@dufour.io" + storage = "traefik/acme/account" + entryPoint = "https" + onHostRule = true + + [acme.httpChallenge] + entryPoint = "http" + +[api] + entryPoint = "admin" + dashboard = true + +[consul] + endpoint = "172.17.0.1:8500" + watch = true + prefix = "traefik" + +[consulCatalog] + endpoint = "172.17.0.1:8500" + prefix = "traefik" + domain = "web.deuxfleurs.fr" + exposedByDefault = false diff --git a/app/config/restore_configuration.sh b/app/config/restore_configuration.sh new file mode 100755 index 0000000..33742e5 --- /dev/null +++ b/app/config/restore_configuration.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +find {configuration,secrets}/$1 -type f \ + | grep --perl-regexp --invert-match "\.sample$|\.gen$|/.gitignore$" \ + | while read filename; do + consul kv put "${filename}" "@${filename}" + done diff --git a/app/config/secrets/.gitignore b/app/config/secrets/.gitignore new file mode 100644 index 0000000..1d7b40b --- /dev/null +++ b/app/config/secrets/.gitignore @@ -0,0 +1,10 @@ +# Blacklist everything cleverly +* +!*/ + +# Whitelist some patterns +!*.sample +!*.gen +!.gitignore + +# Whitelist specific files diff --git a/app/config/secrets/chat/coturn/static-auth.sample b/app/config/secrets/chat/coturn/static-auth.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/coturn/static-auth.sample diff --git a/app/config/secrets/chat/fb2mx/as_token.sample b/app/config/secrets/chat/fb2mx/as_token.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/fb2mx/as_token.sample diff --git a/app/config/secrets/chat/fb2mx/db_url.sample b/app/config/secrets/chat/fb2mx/db_url.sample new file mode 100644 index 0000000..aff4635 --- /dev/null +++ b/app/config/secrets/chat/fb2mx/db_url.sample @@ -0,0 +1 @@ +postgres://username:password@hostname/dbname diff --git a/app/config/secrets/chat/fb2mx/hs_token.sample b/app/config/secrets/chat/fb2mx/hs_token.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/fb2mx/hs_token.sample diff --git a/app/config/secrets/chat/synapse/homeserver.tls.crt.sample b/app/config/secrets/chat/synapse/homeserver.tls.crt.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/homeserver.tls.crt.sample diff --git a/app/config/secrets/chat/synapse/homeserver.tls.dh.sample b/app/config/secrets/chat/synapse/homeserver.tls.dh.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/homeserver.tls.dh.sample diff --git a/app/config/secrets/chat/synapse/homeserver.tls.key.sample b/app/config/secrets/chat/synapse/homeserver.tls.key.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/homeserver.tls.key.sample diff --git a/app/config/secrets/chat/synapse/ldap_binddn.sample b/app/config/secrets/chat/synapse/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/ldap_binddn.sample diff --git a/app/config/secrets/chat/synapse/ldap_bindpw.sample b/app/config/secrets/chat/synapse/ldap_bindpw.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/ldap_bindpw.sample diff --git a/app/config/secrets/chat/synapse/postgres_db.sample b/app/config/secrets/chat/synapse/postgres_db.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/postgres_db.sample diff --git a/app/config/secrets/chat/synapse/postgres_pwd.sample b/app/config/secrets/chat/synapse/postgres_pwd.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/postgres_pwd.sample diff --git a/app/config/secrets/chat/synapse/postgres_user.sample b/app/config/secrets/chat/synapse/postgres_user.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/postgres_user.sample diff --git a/app/config/secrets/chat/synapse/registration_shared_secret.sample b/app/config/secrets/chat/synapse/registration_shared_secret.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/chat/synapse/registration_shared_secret.sample diff --git a/app/config/secrets/email/sogo/ldap_binddn.sample b/app/config/secrets/email/sogo/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/email/sogo/ldap_binddn.sample diff --git a/app/config/secrets/email/sogo/ldap_bindpw.sample b/app/config/secrets/email/sogo/ldap_bindpw.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/email/sogo/ldap_bindpw.sample diff --git a/app/config/secrets/email/sogo/postgre_auth.sample b/app/config/secrets/email/sogo/postgre_auth.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/email/sogo/postgre_auth.sample diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample diff --git a/app/config/secrets/jitsi/global_env.sample b/app/config/secrets/jitsi/global_env.sample new file mode 100644 index 0000000..658c9c9 --- /dev/null +++ b/app/config/secrets/jitsi/global_env.sample @@ -0,0 +1,9 @@ +JITSI_SECRET_VIDEOBRIDGE=redacted +JITSI_SECRET_JICOFO_COMPONENT=redacted +JITSI_SECRET_JICOFO_USER=redacted +JITSI_PROSODY_BOSH_PORT=5280 +JITSI_PROSODY_BOSH_HOST=127.0.0.1 +JITSI_PROSODY_HOST=127.0.0.1 +JITSI_CERTS_FOLDER=/secrets/certs/ +JITSI_NAT_PUBLIC_IP=redacted +JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }} diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample diff --git a/app/config/secrets/mariadb/main/ldap_binddn.sample b/app/config/secrets/mariadb/main/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/mariadb/main/ldap_binddn.sample diff --git a/app/config/secrets/mariadb/main/ldap_bindpwd.sample b/app/config/secrets/mariadb/main/ldap_bindpwd.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/mariadb/main/ldap_bindpwd.sample diff --git a/app/config/secrets/mariadb/main/mysql_pwd.sample b/app/config/secrets/mariadb/main/mysql_pwd.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/mariadb/main/mysql_pwd.sample diff --git a/app/config/secrets/platoo/bddpw.sample b/app/config/secrets/platoo/bddpw.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/platoo/bddpw.sample diff --git a/app/config/secrets/postgres/keeper/pg_repl_pwd.sample b/app/config/secrets/postgres/keeper/pg_repl_pwd.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/postgres/keeper/pg_repl_pwd.sample diff --git a/app/config/secrets/postgres/keeper/pg_repl_username.sample b/app/config/secrets/postgres/keeper/pg_repl_username.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/postgres/keeper/pg_repl_username.sample diff --git a/app/config/secrets/postgres/keeper/pg_su_pwd.sample b/app/config/secrets/postgres/keeper/pg_su_pwd.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/postgres/keeper/pg_su_pwd.sample diff --git a/app/config/secrets/web/home_token.sample b/app/config/secrets/web/home_token.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/web/home_token.sample diff --git a/app/config/secrets/web/quentin.dufour.io_token.sample b/app/config/secrets/web/quentin.dufour.io_token.sample new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/app/config/secrets/web/quentin.dufour.io_token.sample diff --git a/app/deployment/bottin2.hcl b/app/deployment/bottin2.hcl new file mode 100644 index 0000000..85bda59 --- /dev/null +++ b/app/deployment/bottin2.hcl @@ -0,0 +1,116 @@ +job "directory2" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "bottin" { + count = 1 + task "bottin" { + driver = "docker" + config { + image = "lxpz/bottin_amd64:14" + readonly_rootfs = true + port_map { + ldap_port = 1389 + } + volumes = [ + "secrets/config.json:/config.json" + ] + } + + resources { + memory = 100 + network { + port "ldap_port" { + static = "389" + } + } + } + + template { + data = "{{ key \"configuration/directory/bottin/config.json\" }}" + destination = "secrets/config.json" + } + + service { + tags = ["bottin"] + port = "ldap_port" + address_mode = "host" + name = "bottin2" + check { + type = "tcp" + port = "ldap_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } + + group "guichet" { + count = 1 + task "guichet" { + driver = "docker" + config { + image = "lxpz/guichet_amd64:10" + readonly_rootfs = true + port_map { + web_port = 9991 + } + volumes = [ + "secrets/config.json:/config.json" + ] + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/directory/guichet/config.json.tpl?raw" + destination = "secrets/config.json.tpl" + mode = "file" + } + template { + source = "secrets/config.json.tpl" + destination = "secrets/config.json" + } + + resources { + memory = 200 + network { + port "web_port" {} + } + } + + service { + name = "guichet" + tags = [ + "guichet", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:guichet.deuxfleurs.fr", + ] + port = "web_port" + address_mode = "host" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/core.hcl b/app/deployment/core.hcl new file mode 100644 index 0000000..43774a6 --- /dev/null +++ b/app/deployment/core.hcl @@ -0,0 +1,43 @@ +job "core" { + datacenters = ["dc1"] + type = "system" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + update { + max_parallel = 1 + stagger = "1m" + } + + group "network" { + task "diplonat" { + driver = "docker" + + config { + image = "darkgallium/amd64_diplonat:v2" + network_mode = "host" + readonly_rootfs = true + privileged = true + } + + template { + data = <<EOH +DIPLONAT_PRIVATE_IP={{ env "attr.unique.network.ip-address" }} +DIPLONAT_REFRESH_TIME=60 +DIPLONAT_EXPIRATION_TIME=300 +DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }} +RUST_LOG=debug +EOH + destination = "secrets/env" + env = true + } + + resources { + memory = 40 + } + } + } +} diff --git a/app/deployment/email.hcl b/app/deployment/email.hcl new file mode 100644 index 0000000..86c4d87 --- /dev/null +++ b/app/deployment/email.hcl @@ -0,0 +1,475 @@ +job "email" { + datacenters = ["dc1"] + type = "service" + + group "dovecot" { + count = 1 + task "server" { + driver = "docker" + + config { + image = "superboum/amd64_dovecot:v2" + readonly_rootfs = false + port_map { + auth_port = 1337 + imaps_port = 993 + imap_port = 143 + lmtp_port = 24 + } + command = "dovecot" + args = [ "-F" ] + volumes = [ + "secrets/ssl/certs:/etc/ssl/certs", + "secrets/ssl/private:/etc/ssl/private", + "secrets/conf/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf", + "/mnt/glusterfs/email/mail:/var/mail/", + ] + } + + env { + TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" + } + + resources { + cpu = 100 + memory = 200 + network { + mbits = 1 + port "auth_port" { + static = "1337" + } + port "imap_port" { + static = "143" + } + port "imaps_port" { + static = "993" + } + port "lmtp_port" { + static = "24" + } + } + } + + service { + name = "dovecot-auth" + port = "auth_port" + address_mode = "host" + tags = [ + "dovecot", + ] + check { + type = "tcp" + port = "auth_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "dovecot-imap" + port = "imap_port" + address_mode = "host" + tags = [ + "dovecot" + ] + check { + type = "tcp" + port = "imap_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "dovecot-imaps" + port = "imaps_port" + address_mode = "host" + tags = [ + "dovecot", + "(diplonat (tcp_port 993))" + ] + + check { + type = "tcp" + port = "imaps_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "dovecot-lmtp" + port = "lmtp_port" + address_mode = "host" + tags = [ + "dovecot", + ] + + check { + type = "tcp" + port = "lmtp_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw" + destination = "secrets/conf/dovecot-ldap.conf.tpl" + mode = "file" + } + template { + source = "secrets/conf/dovecot-ldap.conf.tpl" + destination = "secrets/conf/dovecot-ldap.conf" + perms = "400" + } + + template { + data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}" + destination = "secrets/ssl/certs/dovecot.crt" + perms = "400" + } + template { + data = "{{ key \"configuration/email/dovecot/dovecot.key\" }}" + destination = "secrets/ssl/private/dovecot.key" + perms = "400" + } + } + } + + group "opendkim" { + count = 1 + task "server" { + driver = "docker" + + config { + image = "superboum/amd64_opendkim:v1" + readonly_rootfs = false + port_map { + dkim_port = 8999 + } + command = "opendkim" + args = [ "-f", "-v", "-x", "/etc/opendkim.conf" ] + volumes = [ + "secrets/dkim:/etc/dkim", + "/dev/log:/dev/log", + ] + } + + resources { + cpu = 100 + memory = 50 + network { + mbits = 1 + port "dkim_port" { + static = "8999" + } + } + } + + service { + name = "opendkim" + port = "dkim_port" + address_mode = "host" + tags = [ + "opendkim", + ] + check { + type = "tcp" + port = "dkim_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + template { + data = "{{ key \"configuration/email/dkim/keytable\" }}" + destination = "secrets/dkim/keytable" + } + template { + data = "{{ key \"configuration/email/dkim/signingtable\" }}" + destination = "secrets/dkim/signingtable" + } + template { + data = "{{ key \"configuration/email/dkim/smtp.private\" }}" + destination = "secrets/dkim/smtp.private" + perms = "600" + } + template { + data = "{{ key \"configuration/email/dkim/smtp.txt\" }}" + destination = "secrets/dkim/smtp.txt" + } + template { + data = "{{ key \"configuration/email/dkim/trusted\" }}" + destination = "secrets/dkim/trusted" + } + } + } + + group "postfix" { + count = 1 + task "server" { + driver = "docker" + + config { + image = "superboum/amd64_postfix:v1" + readonly_rootfs = false + port_map { + smtp_port = 25 + smtps_port = 465 + submission_port = 587 + } + command = "postfix" + args = [ "start-fg" ] + volumes = [ + "secrets/ssl/certs:/etc/ssl/certs", + "secrets/ssl/private:/etc/ssl/private", + "secrets/postfix:/etc/postfix-conf", + "/dev/log:/dev/log" + ] + } + + env { + TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" + MAILNAME = "smtp.deuxfleurs.fr", + } + + resources { + cpu = 100 + memory = 200 + network { + mbits = 1 + port "smtp_port" { + static = "25" + } + port "smtps_port" { + static = "465" + } + port "submission_port" { + static = "587" + } + } + } + + service { + name = "postfix-smtp" + port = "smtp_port" + address_mode = "host" + tags = [ + "postfix", + "(diplonat (tcp_port 25 465 587))" + ] + check { + type = "tcp" + port = "smtp_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "postfix-smtps" + port = "smtps_port" + address_mode = "host" + tags = [ + "postfix", + ] + + check { + type = "tcp" + port = "smtps_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "postfix-submission" + port = "submission_port" + address_mode = "host" + tags = [ + "postfix", + ] + + check { + type = "tcp" + port = "submission_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw" + destination = "secrets/postfix/ldap-account.cf.tpl" + mode = "file" + } + template { + source = "secrets/postfix/ldap-account.cf.tpl" + destination = "secrets/postfix/ldap-account.cf" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw" + destination = "secrets/postfix/ldap-alias.cf.tpl" + mode = "file" + } + template { + source = "secrets/postfix/ldap-alias.cf.tpl" + destination = "secrets/postfix/ldap-alias.cf" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-virtual-domains.cf.tpl?raw" + destination = "secrets/postfix/ldap-virtual-domains.cf.tpl" + mode = "file" + } + template { + source = "secrets/postfix/ldap-virtual-domains.cf.tpl" + destination = "secrets/postfix/ldap-virtual-domains.cf" + } + + + template { + data = "{{ key \"configuration/email/postfix/postfix.crt\" }}" + destination = "secrets/ssl/certs/postfix.crt" + perms = "400" + } + template { + data = "{{ key \"configuration/email/postfix/postfix.key\" }}" + destination = "secrets/ssl/private/postfix.key" + perms = "400" + } + template { + data = "{{ key \"configuration/email/postfix/dynamicmaps.cf\" }}" + destination = "secrets/postfix/dynamicmaps.cf" + } + template { + data = "{{ key \"configuration/email/postfix/header_checks\" }}" + destination = "secrets/postfix/header_checks" + } + template { + data = "{{ key \"configuration/email/postfix/main.cf\" }}" + destination = "secrets/postfix/main.cf" + } + template { + data = "{{ key \"configuration/email/postfix/master.cf\" }}" + destination = "secrets/postfix/master.cf" + } + template { + data = "{{ key \"configuration/email/postfix/transport\" }}" + destination = "secrets/postfix/transport" + } + template { + data = "{{ key \"configuration/email/postfix/transport.db\" }}" + destination = "secrets/postfix/transport.db" + } + } + } + + group "sogo" { + count = 1 + task "bundle" { + + driver = "docker" + + config { + image = "superboum/amd64_sogo:v7" + readonly_rootfs = false + port_map { + sogo_web_port = 8080 + } + volumes = [ + "secrets/sogo.conf:/etc/sogo/sogo.conf", + ] + } + env { + FAKE = 2 + } + + /* Workaround as there is no consul source and no way to template recursively... */ + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/sogo/sogo.conf.tpl?raw" + destination = "secrets/tpl/sogo.conf.tpl" + mode = "file" + } + template { + source = "secrets/tpl/sogo.conf.tpl" + destination = "secrets/sogo.conf" + } + + resources { + cpu = 200 + memory = 1000 + network { + mbits = 1 + port "sogo_web_port" {} + } + } + + service { + name = "sogo" + port = "sogo_web_port" + address_mode = "host" + tags = [ + "sogo", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:www.sogo.deuxfleurs.fr,sogo.deuxfleurs.fr;PathPrefix:/" + ] + check { + type = "tcp" + port = "sogo_web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "5m" + ignore_warnings = false + } + } + } + + } + } +} diff --git a/app/deployment/garage.hcl b/app/deployment/garage.hcl new file mode 100644 index 0000000..3478706 --- /dev/null +++ b/app/deployment/garage.hcl @@ -0,0 +1,99 @@ +job "garage" { + datacenters = ["dc1", "belair", "saturne"] + type = "system" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "garage" { + task "server" { + driver = "docker" + config { + image = "lxpz/garage_amd64:4" + port_map { + rpc_port = 3901 + api_port = 3900 + } + volumes = [ + "/mnt/storage/garage/data:/garage/data", + "/mnt/ssd/garage/meta:/garage/meta", + "secrets/garage.toml:/garage/config.toml", + "secrets/garage-ca.crt:/garage/garage-ca.crt", + "secrets/garage.crt:/garage/garage.crt", + "secrets/garage.key:/garage/garage.key", + ] + } + + template { + data = "{{ key \"configuration/garage/garage.toml\" }}" + destination = "secrets/garage.toml" + } + template { + data = "{{ key \"secrets/garage/garage-ca.crt\" }}" + destination = "secrets/garage-ca.crt" + } + template { + data = "{{ key \"secrets/garage/garage.crt\" }}" + destination = "secrets/garage.crt" + } + template { + data = "{{ key \"secrets/garage/garage.key\" }}" + destination = "secrets/garage.key" + } + + resources { + memory = 500 + cpu = 1000 + network { + port "rpc_port" { + static = "3901" + } + port "api_port" {} + } + } + + service { + tags = [ + "garage_api", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:garage.deuxfleurs.fr" + ] + port = "api_port" + address_mode = "host" + name = "garage-api" + check { + type = "tcp" + port = "api_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = ["garage-rpc"] + port = "rpc_port" + address_mode = "host" + name = "garage-rpc" + check { + type = "tcp" + port = "rpc_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} diff --git a/app/deployment/im.hcl b/app/deployment/im.hcl new file mode 100644 index 0000000..53b81d1 --- /dev/null +++ b/app/deployment/im.hcl @@ -0,0 +1,361 @@ +job "im" { + datacenters = ["dc1"] + type = "service" + + group "matrix" { + count = 1 + task "synapse" { + driver = "docker" + + config { + image = "superboum/amd64_synapse:v33" + readonly_rootfs = true + port_map { + client_port = 8008 + federation_port = 8448 + } + command = "python" + args = [ + "-m", "synapse.app.homeserver", + "-n", + "-c", "/etc/matrix-synapse/homeserver.yaml" + ] + volumes = [ + "secrets/conf:/etc/matrix-synapse", + "/mnt/glusterfs/chat/matrix/synapse/media:/var/lib/matrix-synapse/media", + "/mnt/glusterfs/chat/matrix/synapse/uploads:/var/lib/matrix-synapse/uploads", + "/tmp/synapse-logs:/var/log/matrix-synapse", + "/tmp/synapse:/tmp" + ] + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/chat/synapse/homeserver.yaml?raw" + destination = "secrets/tpl/homeserver.yaml.tpl" + mode = "file" + } + template { + source = "secrets/tpl/homeserver.yaml.tpl" + destination = "secrets/conf/homeserver.yaml" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/chat/easybridge/registration.yaml.tpl?raw" + destination = "secrets/tpl/easybridge_registration.yaml.tpl" + mode = "file" + } + template { + source = "secrets/tpl/easybridge_registration.yaml.tpl" + destination = "secrets/conf/easybridge_registration.yaml" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/chat/fb2mx/registration.yaml?raw" + destination = "secrets/tpl/fb2mx_registration.yaml.tpl" + mode = "file" + } + template { + source = "secrets/tpl/fb2mx_registration.yaml.tpl" + destination = "secrets/conf/fb2mx_registration.yaml" + } + + template { + data = "{{ key \"configuration/chat/synapse/log.yaml\" }}" + destination = "secrets/conf/log.yaml" + } + template { + data = "{{ key \"configuration/chat/synapse/conf.d/server_name.yaml\" }}" + destination = "secrets/conf/server_name.yaml" + } + template { + data = "{{ key \"configuration/chat/synapse/conf.d/report_stats.yaml\" }}" + destination = "secrets/conf/report_stats.yaml" + } + template { + data = "{{ key \"secrets/chat/synapse/homeserver.tls.crt\" }}" + destination = "secrets/conf/homeserver.tls.crt" + } + template { + data = "{{ key \"secrets/chat/synapse/homeserver.tls.dh\" }}" + destination = "secrets/conf/homeserver.tls.dh" + } + template { + data = "{{ key \"secrets/chat/synapse/homeserver.tls.key\" }}" + destination = "secrets/conf/homeserver.tls.key" + } + template { + data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}" + destination = "secrets/conf/homeserver.signing.key" + } + + env { + SYNAPSE_CACHE_FACTOR = 1 + } + + resources { + cpu = 1000 + memory = 4000 + network { + port "client_port" { } + port "federation_port" { } + } + } + + service { + name = "synapse-client" + port = "client_port" + address_mode = "host" + tags = [ + "matrix", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:im.deuxfleurs.fr;PathPrefix:/_matrix", + "traefik.frontend.headers.customResponseHeaders=Access-Control-Allow-Origin: *", + "traefik.frontend.priority=100" + ] + check { + type = "tcp" + port = "client_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "synapse-federation" + port = "federation_port" + address_mode = "host" + tags = [ + "matrix", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:deuxfleurs.fr;PathPrefix:/_matrix", + "traefik.frontend.priority=100" + ] + } + + } + } + + group "easybridge" { + count = 1 + task "easybridge" { + driver = "docker" + config { + image = "lxpz/easybridge_amd64:27" + port_map { + api_port = 8321 + web_port = 8281 + } + volumes = [ + "secrets/conf:/data" + ] + args = [ "./easybridge", "-config", "/data/config.json" ] + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/chat/easybridge/registration.yaml.tpl?raw" + destination = "secrets/tpl/registration.yaml.tpl" + mode = "file" + } + template { + source = "secrets/tpl/registration.yaml.tpl" + destination = "secrets/conf/registration.yaml" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/chat/easybridge/config.json.tpl?raw" + destination = "secrets/tpl/config.json.tpl" + mode = "file" + } + template { + source = "secrets/tpl/config.json.tpl" + destination = "secrets/conf/config.json" + } + + resources { + memory = 500 + cpu = 1000 + network { + port "api_port" { + static = "8321" + } + port "web_port" {} + } + } + + service { + name = "easybridge-api" + tags = ["easybridge-api"] + port = "api_port" + address_mode = "host" + check { + type = "tcp" + port = "api_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "easybridge-web" + tags = [ + "easybridge-web", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:easybridge.deuxfleurs.fr", + ] + port = "web_port" + address_mode = "host" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } + + + group "riotweb" { + count = 1 + + task "server" { + driver = "docker" + config { + image = "superboum/amd64_riotweb:v15" + port_map { + web_port = 8043 + } + volumes = [ + "secrets/config.json:/srv/http/config.json" + ] + } + + template { + data = "{{ key \"configuration/chat/riot_web/config.json\" }}" + destination = "secrets/config.json" + } + + resources { + memory = 21 + network { + port "web_port" {} + } + } + + service { + tags = [ + "webstatic", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:im.deuxfleurs.fr,riot.deuxfleurs.fr;PathPrefix:/", + "traefik.frontend.priority=10" + ] + port = "web_port" + address_mode = "host" + name = "webstatic" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } + +/* + group "turn_stun" { + count=1 + task "coturn" { + driver = "docker" + config { + image = "registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1" + port_map { + main_port = 3478 + alt_port = 3479 + } + command = "/usr/bin/turnserver" + args = [ + "-X", "82.253.205.190", + "-v", + "-f", + "-a" + ] + volumes = [ + "secrets/turnserver.conf:/etc/turnserver.conf" + ] + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/chat/coturn/turnserver.conf.tpl?raw" + destination = "secrets/turnserver.conf.tpl" + mode = "file" + } + + template { + source = "secrets/turnserver.conf.tpl" + destination = "secrets/turnserver.conf" + } + + resources { + memory = 50 + network { + port "main_port" { + static = "3478" + } + port "alt_port" { + static = "3479" + } + } + } + + service { + tags = [ + "coturn", + "matrix" + ] + port = "main_port" + address_mode = "host" + name = "coturn" + check { + type = "tcp" + port = "main_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + } + } +*/ + +} + diff --git a/app/deployment/jitsi.hcl b/app/deployment/jitsi.hcl new file mode 100644 index 0000000..c1bee73 --- /dev/null +++ b/app/deployment/jitsi.hcl @@ -0,0 +1,252 @@ +job "jitsi" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "core" { + task "xmpp" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_xmpp:v4" + network_mode = "host" + port_map { + xmpp_port = 5222 + ext_port = 5347 + bosh_port = 5280 + } + } + + template { + data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt" + } + template { + data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.key\" }}" + destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.key" + } + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.crt" + } + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.key" + } + artifact { + source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw" + destination = "secrets/global_env.tpl" + mode = "file" + } + template { + source = "secrets/global_env.tpl" + destination = "secrets/global_env" + env = true + } + + resources { + cpu = 300 + memory = 200 + network { + port "xmpp_port" { + static = "5222" + } + port "ext_port" { + static = "5347" + } + port "bosh_port" { + static = "5280" + } + } + } + + service { + tags = [ + "jitsi" + ] + port = "bosh_port" + address_mode = "host" + name = "jitsi-xmpp-bosh" + check { + type = "tcp" + port = "bosh_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + + task "front" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_meet:v1" + network_mode = "host" + port_map { + https_port = 443 + } + } + + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.crt" + } + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.key" + } + artifact { + source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw" + destination = "secrets/global_env.tpl" + mode = "file" + } + template { + source = "secrets/global_env.tpl" + destination = "secrets/global_env" + env = true + } + + resources { + cpu = 300 + memory = 200 + network { + port "https_port" { + static = "443" + } + } + } + + service { + tags = [ + "jitsi", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:jitsi.deuxfleurs.fr;PathPrefix:/", + "traefik.protocol=https" + ] + port = "https_port" + address_mode = "host" + name = "jitsi-front-https" + check { + type = "tcp" + port = "https_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + + task "jicofo" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_conference_focus:v5" + network_mode = "host" + } + + template { + data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/jitsi.deuxfleurs.fr.crt" + } + template { + data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}" + destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt" + } + artifact { + source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw" + destination = "secrets/global_env.tpl" + mode = "file" + } + template { + source = "secrets/global_env.tpl" + destination = "secrets/global_env" + env = true + } + + resources { + cpu = 300 + memory = 400 + } + } + + task "videobridge" { + driver = "docker" + config { + image = "superboum/amd64_jitsi_videobridge:v15" + network_mode = "host" + port_map { + video1_port = 8080 + video2_port = 10000 + } + ulimit { + nofile = "1048576:1048576" + nproc = "65536:65536" + } + } + + env { + #JITSI_DEBUG = 1 + JITSI_VIDEO_TCP = 8080 + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw" + destination = "secrets/global_env.tpl" + mode = "file" + } + template { + source = "secrets/global_env.tpl" + destination = "secrets/global_env" + env = true + } + + resources { + cpu = 900 + memory = 1500 + network { + port "video1_port" { + static = "8080" + } + port "video2_port" { + static = "10000" + } + } + + } + + service { + tags = [ + "jitsi", + "(diplonat (tcp_port 8080) (udp_port 10000))" + ] + port = "video1_port" + address_mode = "host" + name = "jitsi-videobridge-video1" + check { + type = "tcp" + port = "video1_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + + } +} + diff --git a/app/deployment/mariadb.hcl b/app/deployment/mariadb.hcl new file mode 100644 index 0000000..2b9be7e --- /dev/null +++ b/app/deployment/mariadb.hcl @@ -0,0 +1,69 @@ +job "mariadb" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "main" { + count = 1 + task "server" { + driver = "docker" + config { + image = "superboum/amd64_mariadb:v3" + port_map { + mariadb_port = 3306 + } + command = "tail" + args = [ + "-f", "/var/log/mysql/error.log", + ] + volumes = [ + "/mnt/glusterfs/mariadb/main/server:/var/lib/mysql", + ] + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/mariadb/main/env.tpl?raw" + destination = "secrets/env.tpl" + mode = "file" + } + template { + source = "secrets/env.tpl" + destination = "secrets/env" + env = true + } + + + resources { + memory = 800 + network { + port "mariadb_port" { + static = "3306" + } + } + } + + service { + tags = ["mariadb"] + port = "mariadb_port" + address_mode = "host" + name = "mariadb" + check { + type = "tcp" + port = "mariadb_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/nextcloud.hcl b/app/deployment/nextcloud.hcl new file mode 100644 index 0000000..2cc4f5f --- /dev/null +++ b/app/deployment/nextcloud.hcl @@ -0,0 +1,67 @@ +job "nextcloud" { + datacenters = ["dc1", "belair"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "nextcloud" { + count = 1 + task "nextcloud" { + driver = "docker" + config { + image = "lxpz/deuxfleurs_nextcloud_amd64:8" + port_map { + web_port = 80 + } + volumes = [ + "secrets/config.php:/var/www/html/config/config.php" + ] + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/nextcloud/config.php.tpl?raw" + destination = "secrets/config.php.tpl" + mode = "file" + } + template { + source = "secrets/config.php.tpl" + destination = "secrets/config.php" + } + + resources { + memory = 1000 + cpu = 2000 + network { + port "web_port" {} + } + } + + service { + name = "nextcloud" + tags = [ + "nextcloud", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:nextcloud.deuxfleurs.fr", + ] + port = "web_port" + address_mode = "host" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/object_storage.hcl b/app/deployment/object_storage.hcl new file mode 100644 index 0000000..fa40c4b --- /dev/null +++ b/app/deployment/object_storage.hcl @@ -0,0 +1,159 @@ +job "not_safe_object_storage" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "not_safe_pithos" { + count = 2 + task "not_safe_server" { + driver = "docker" + config { + image = "superboum/amd64_pithos:v1" + readonly_rootfs = true + port_map { + s3_port = 8080 + } + volumes = [ + "secrets/pithos.yaml:/etc/pithos/pithos.yaml" + ] + } + + resources { + memory = 500 + network { + port "s3_port" { + static = "8080" + } + } + } + + template { + data = <<EOH +service: + host: '0.0.0.0' + port: 8080 + + +## logging configuration +## --------------------- +logging: + level: info + console: true + files: [] + +# overrides: +# io.exo.pithos: debug + + +## global options +## -------------- +options: + service-uri: 's3.esir.deuxfleurs.fr' + reporting: true + server-side-encryption: true + multipart-upload: true + masterkey-provisioning: true + masterkey-access: true + default-region: 'FR-RN1' + + +## keystore configuration +## ---------------------- +# +# Keystores associate an access key with +# an organization and secret key. +# +# They may offer provisioning capacities with the +# masterkey. The default provider relies on keys +# being defined inline. +# generate access key: openssl rand -base64 24 +# generate secret key: openssl rand -base64 39 +# (size is arbitrary) +keystore: + keys: + NHu3glGc0lj5FL5AZPTvgjB20tb9w4Eo: + master: true + tenant: 'pyr@spootnik.org' + secret: 'fpyehmZsimMHeYScjwTUREzvIOICeRZiO01Dck0JIKEifKdwOT3T' + rXNoqKXY45RcxpBOKy8i4H8fqGzlHIZu: + tenant: 'exoscale' + secret: 'qtQlWujN70Ukh9IvIbqIM3Zqos/5aU72hOhLCXblQ0PmfYsGO8lU' + + +## bucketstore configuration +## ------------------------- +# +# The bucketstore is ring global and contains information +# on bucket location and global parameters. +# +# Its primary aim is to hold bucket location and ownership +# information. +# +# The default provider relies on cassandra. +bucketstore: + default-region: 'FR-RN1' + cluster: + - 148.60.11.181 + - 148.60.11.183 + - 148.60.11.237 + keyspace: 'storage' + + +## regions +## ------- +# +# Regions are composed of a metastore and an arbitrary number +# of named storage classes which depend on a blobstore. +# +# The metastore holds metadata for the full region, as well as +# object storage-class placement information. +# +# The default implementation of both metastore and blobstore +# rely on cassandra. +# +regions: + FR-RN1: + metastore: + cluster: + - 148.60.11.181 + - 148.60.11.183 + - 148.60.11.237 + keyspace: 'storage' + storage-classes: + standard: + cluster: + - 148.60.11.181 + - 148.60.11.183 + - 148.60.11.237 + keyspace: 'storage' + max-chunk: '128k' + max-block-chunks: 1024 +EOH + destination = "secrets/pithos.yaml" + } + + service { + tags = ["pithos"] + port = "s3_port" + address_mode = "host" + name = "pithos" + check { + type = "tcp" + port = "s3_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "300s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/platoo.hcl b/app/deployment/platoo.hcl new file mode 100644 index 0000000..0502934 --- /dev/null +++ b/app/deployment/platoo.hcl @@ -0,0 +1,64 @@ +job "platoo" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "core" { + task "nodejs" { + driver = "docker" + config { + image = "victormoi/platoo:v1" + force_pull = true + port_map { + web_port = 8080 + } + } + + template { + data = <<EOH +user=platoo +host=psql-proxy.service.2.cluster.deuxfleurs.fr +database=platoodb +password={{ key "secrets/platoo/bddpw" | trimSpace }} +EOH + destination = "secrets/env" + env = true + } + + resources { + memory = 400 + network { + port "web_port" {} + } + } + + service { + tags = [ + "platoo", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:platoo.deuxfleurs.fr;PathPrefix:/" + ] + port = "web_port" + address_mode = "host" + name = "platoo" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/postgres.hcl b/app/deployment/postgres.hcl new file mode 100644 index 0000000..456156e --- /dev/null +++ b/app/deployment/postgres.hcl @@ -0,0 +1,145 @@ +job "postgres" { + datacenters = ["dc1"] + type = "system" + priority = 90 + + update { + max_parallel = 1 + stagger = "5m" + } + + group "postgres" { + task "sentinel" { + driver = "docker" + + config { + image = "superboum/amd64_postgres:v3" + readonly_rootfs = false + command = "/usr/local/bin/stolon-sentinel" + args = [ + "--cluster-name", "pissenlit", + "--store-backend", "consul", + "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500", + ] + } + resources { + memory = 100 + } + } + + task "proxy" { + driver = "docker" + + config { + image = "superboum/amd64_postgres:v3" + readonly_rootfs = false + command = "/usr/local/bin/stolon-proxy" + args = [ + "--cluster-name", "pissenlit", + "--store-backend", "consul", + "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500", + "--port", "5432", + "--listen-address", "0.0.0.0" + ] + port_map { + psql_proxy_port = 5432 + } + } + + resources { + memory = 100 + network { + port "psql_proxy_port" { + static = 5432 + } + } + } + + service { + tags = ["sql"] + port = "psql_proxy_port" + address_mode = "host" + name = "psql-proxy" + check { + type = "tcp" + port = "psql_proxy_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "10m" + ignore_warnings = false + } + } + } + } + + task "keeper" { + driver = "docker" + + config { + network_mode = "host" + image = "superboum/amd64_postgres:v3" + readonly_rootfs = false + command = "/usr/local/bin/stolon-keeper" + args = [ + "--cluster-name", "pissenlit", + "--store-backend", "consul", + "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500", + "--data-dir", "/mnt/persist", + "--pg-su-password", "${PG_SU_PWD}", + "--pg-repl-username", "${PG_REPL_USER}", + "--pg-repl-password", "${PG_REPL_PWD}", + "--pg-listen-address", "${attr.unique.network.ip-address}", + "--pg-port", "5433", + "--pg-bin-path", "/usr/lib/postgresql/9.6/bin/" + ] + port_map { + psql_port = 5433 + } + volumes = [ + "/mnt/ssd/postgres:/mnt/persist" + ] + } + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/postgres/keeper/env.tpl?raw" + destination = "secrets/env.tpl" + mode = "file" + } + template { + source = "secrets/env.tpl" + destination = "secrets/env" + env = true + } + + resources { + memory = 500 + network { + port "psql_port" { + static = "5433" + } + } + } + + service { + tags = ["sql"] + port = "psql_port" + address_mode = "host" + name = "keeper" + check { + type = "tcp" + port = "psql_port" + interval = "60s" + timeout = "5s" + + check_restart { + limit = 3 + grace = "60m" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/science.hcl b/app/deployment/science.hcl new file mode 100644 index 0000000..81e398a --- /dev/null +++ b/app/deployment/science.hcl @@ -0,0 +1,58 @@ +job "science" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "diagnet" { + task "main" { + driver = "docker" + config { + image = "lesterpig/diagnet-landmark:latest" + args = [ + "-name", "landmark-deuxfleurs", + "-chrome", "-chrome-interval", "60m", + "-http", ":8000" + ] + port_map { + web_port = 8000 + } + } + + resources { + cpu = 1000 + memory = 1200 + network { + port "web_port" {} + } + } + + service { + tags = [ + "diagnet", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:diagnet.science.deuxfleurs.fr;PathPrefix:/" + ] + port = "web_port" + address_mode = "host" + name = "diagnet" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/seafile.hcl b/app/deployment/seafile.hcl new file mode 100644 index 0000000..e22699c --- /dev/null +++ b/app/deployment/seafile.hcl @@ -0,0 +1,174 @@ +job "seafile" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "main" { + count = 1 + task "server" { + driver = "docker" + config { + image = "superboum/amd64_seafile:v6" + + ## cmd + args are used for running an instance attachable for update + # command = "/bin/sleep" + # args = ["999999"] + + port_map { + seahub_port = 8000 + seafdav_port = 8084 + seafhttp_port = 8082 + } + + mounts = [ + { + type = "bind" + source = "/mnt/glusterfs/seafile" + target = "/mnt/seafile-data" + } + ] + + volumes = [ + "secrets/conf:/srv/webstore/conf", + "secrets/ccnet:/srv/webstore/ccnet" + ] + } + + resources { + memory = 512 + network { + port "seahub_port" {} + port "seafhttp_port" {} + port "seafdav_port" {} + } + } + + service { + tags = [ + "seafile", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:cloud.deuxfleurs.fr;PathPrefix:/" + ] + port = "seahub_port" + address_mode = "host" + name = "seahub" + check { + type = "tcp" + port = "seahub_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = [ + "seafile", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:cloud.deuxfleurs.fr;PathPrefixStrip:/seafhttp" + + ] + port = "seafhttp_port" + address_mode = "host" + name = "seafhttp" + check { + type = "tcp" + port = "seafhttp_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = [ + "seafile", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:cloud.deuxfleurs.fr;PathPrefix:/seafdav" + + ] + port = "seafdav_port" + address_mode = "host" + name = "seafdav" + check { + type = "tcp" + port = "seafdav_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/ccnet.conf.tpl?raw" + destination = "secrets/conf/ccnet.conf.tpl" + mode = "file" + } + template { + source = "secrets/conf/ccnet.conf.tpl" + destination = "secrets/conf/ccnet.conf" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/seafile.conf.tpl?raw" + destination = "secrets/conf/seafile.conf.tpl" + mode = "file" + } + template { + source = "secrets/conf/seafile.conf.tpl" + destination = "secrets/conf/seafile.conf" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/seahub_settings.py.tpl?raw" + destination = "secrets/conf/seahub_settings.py.tpl" + mode = "file" + } + template { + source = "secrets/conf/seahub_settings.py.tpl" + destination = "secrets/conf/seahub_settings.py" + } + + template { + data = "{{ key \"configuration/seafile/ccnet/mykey.peer\" }}" + destination = "secrets/ccnet/mykey.peer" + } + template { + data = "{{ key \"configuration/seafile/ccnet/seafile.ini\" }}" + destination = "secrets/ccnet/seafile.ini" + } + template { + data = "{{ key \"configuration/seafile/conf/mykey.peer\" }}" + destination = "secrets/conf/mykey.peer" + } + template { + data = "{{ key \"configuration/seafile/conf/seafdav.conf\" }}" + destination = "secrets/conf/seafdav.conf" + } + template { + data = "{{ key \"configuration/seafile/conf/gunicorn.conf\" }}" + destination = "secrets/conf/gunicorn.conf" + } + } + } +} + diff --git a/app/deployment/traefik.hcl b/app/deployment/traefik.hcl new file mode 100644 index 0000000..a0803e4 --- /dev/null +++ b/app/deployment/traefik.hcl @@ -0,0 +1,68 @@ +job "frontend" { + datacenters = ["dc1"] + type = "service" + + group "traefik" { + task "server" { + driver = "docker" + + config { + image = "amd64/traefik:1.7.20" + readonly_rootfs = true + port_map { + https_port = 443 + http_port = 80 + adm_port = 8082 + } + volumes = [ + "secrets/traefik.toml:/etc/traefik/traefik.toml", + ] + } + + resources { + memory = 265 + network { + port "https_port" { + static = "443" + } + port "http_port" { + static = "80" + } + port "adm_port" { + static = "8082" + } + } + } + + service { + tags = [ + "https", + "frontend", + "(diplonat (tcp_port 80 443))" + ] + port = "https_port" + address_mode = "host" + name = "traefik" + check { + type = "http" + protocol = "http" + port = "adm_port" + path = "/ping" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + template { + data = "{{ key \"configuration/traefik/traefik.toml\" }}" + destination = "secrets/traefik.toml" + } + } + } +} + diff --git a/app/deployment/web_static.hcl b/app/deployment/web_static.hcl new file mode 100644 index 0000000..c935b2a --- /dev/null +++ b/app/deployment/web_static.hcl @@ -0,0 +1,113 @@ +job "web_static" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "landing" { + task "server" { + driver = "docker" + config { + image = "superboum/amd64_webpull_pug:v4" + port_map { + web_port = 8080 + } + } + + template { + data = <<EOH +WEBPULL_REPO="https://git.deuxfleurs.fr/Deuxfleurs/site.git" +WEBPULL_TOKEN="{{ key "secrets/web/home_token" | trimSpace }}" +EOH + destination = "secrets/env" + env = true + } + + resources { + memory = 200 + network { + port "web_port" {} + } + } + + service { + tags = [ + "webstatic", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:deuxfleurs.fr,www.deuxfleurs.fr,deuxfleurs.org,www.deuxfleurs.org;PathPrefix:/", + "traefik.frontend.priority=10" + ] + port = "web_port" + address_mode = "host" + name = "landing" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } + + group "quentin" { + task "server" { + driver = "docker" + config { + image = "superboum/amd64_webpull_ruby:v1" + port_map { + web_port = 8080 + } + } + + template { + data = <<EOH +WEBPULL_REPO="https://git.deuxfleurs.fr/quentin/quentin.dufour.io.git" +WEBPULL_TOKEN="{{ key "secrets/web/quentin.dufour.io_token" | trimSpace }}" +EOH + destination = "secrets/env" + env = true + } + + resources { + memory = 500 + network { + port "web_port" {} + } + } + + service { + tags = [ + "webstatic", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:quentin.dufour.io,www.quentin.dufour.io;PathPrefix:/" + ] + port = "web_port" + address_mode = "host" + name = "blog-quentin" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/deployment/webcap.hcl b/app/deployment/webcap.hcl new file mode 100644 index 0000000..1246b76 --- /dev/null +++ b/app/deployment/webcap.hcl @@ -0,0 +1,56 @@ +job "webcap" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "main" { + task "flask" { + driver = "docker" + config { + image = "superboum/amd64_webcap:v7" + port_map { + web_port = 3000 + } + } + env { + FLASK_APP = "/usr/local/bin/webcap" + } + + resources { + cpu = 1000 + memory = 2000 + network { + port "web_port" {} + } + } + + service { + tags = [ + "webcap", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:webcap.deuxfleurs.fr;PathPrefix:/" + ] + port = "web_port" + address_mode = "host" + name = "webcap" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/integration/jitsi/01_gen_certs.yml b/app/integration/jitsi/01_gen_certs.yml new file mode 100644 index 0000000..bf73291 --- /dev/null +++ b/app/integration/jitsi/01_gen_certs.yml @@ -0,0 +1,8 @@ +version: '3' +services: + jitsi-xmpp: + image: superboum/amd64_jitsi_xmpp:v2 + command: ["/usr/local/bin/xmpp_gen"] + volumes: [ './jitsi-certs/:/certs:rw' ] + env_file: [ 'dev.env' ] + diff --git a/app/integration/jitsi/02_run.yml b/app/integration/jitsi/02_run.yml new file mode 100644 index 0000000..73eefad --- /dev/null +++ b/app/integration/jitsi/02_run.yml @@ -0,0 +1,27 @@ +version: '3.4' +services: + jitsi-xmpp: + image: superboum/amd64_jitsi_xmpp:v3 + ports: + - "5222:5222" + - "5347:5347" + - "5280:5280" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-meet: + image: superboum/amd64_jitsi_meet:v1 + ports: + - "443:443" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-conference-focus: + image: superboum/amd64_jitsi_conference_focus:v4 + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-videobridge: + image: superboum/amd64_jitsi_videobridge:v14 + ports: + - "8080:8080/tcp" + - "10000:10000/udp" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] diff --git a/app/integration/jitsi/README.md b/app/integration/jitsi/README.md new file mode 100644 index 0000000..70b59fc --- /dev/null +++ b/app/integration/jitsi/README.md @@ -0,0 +1,26 @@ +This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md + +To build images: + +``` +docker-compose -f 02_run.yml build +``` + +To gen the certs: + +``` +docker-compose -f 01_gen_certs.yml up --force-recreate +``` + +To run the stack: + + +``` +docker-compose -f 02_run.yml up --force-recreate +``` + +To push the stack on the docker registry: + +``` +docker-compose -f 02_run.yml push +``` diff --git a/app/integration/jitsi/dev.env b/app/integration/jitsi/dev.env new file mode 100644 index 0000000..1dd2122 --- /dev/null +++ b/app/integration/jitsi/dev.env @@ -0,0 +1,10 @@ +JITSI_SECRET_VIDEOBRIDGE=S3CR3T01 +JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02 +JITSI_SECRET_JICOFO_USER=S3CR3T03 +JITSI_PROSODY_BOSH_PORT=5280 +JITSI_PROSODY_BOSH_HOST=172.17.0.1 +JITSI_PROSODY_HOST=172.17.0.1 +JITSI_CERTS_FOLDER=/certs/ +JITSI_NAT_PUBLIC_IP=37.164.35.154 +JITSI_NAT_LOCAL_IP=192.168.0.231 +JITSI_VIDEO_TCP=8080 diff --git a/app/integration/jitsi/jitsi-certs/.gitignore b/app/integration/jitsi/jitsi-certs/.gitignore new file mode 100644 index 0000000..d6b7ef3 --- /dev/null +++ b/app/integration/jitsi/jitsi-certs/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore |