aboutsummaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
Diffstat (limited to 'app')
-rw-r--r--app/build/README.md8
-rwxr-xr-xapp/build/blog-quentin/.dockerenv0
-rw-r--r--app/build/blog-quentin/Dockerfile16
-rw-r--r--app/build/blog-quentin/README.md1
-rw-r--r--app/build/coturn/Dockerfile8
-rw-r--r--app/build/coturn/README.md17
-rw-r--r--app/build/docker-compose.yml63
-rw-r--r--app/build/dovecot/.gitignore1
-rw-r--r--app/build/dovecot/Dockerfile17
-rw-r--r--app/build/dovecot/README.md18
-rwxr-xr-xapp/build/dovecot/entrypoint.sh27
-rw-r--r--app/build/jitsi-conference-focus/Dockerfile27
-rwxr-xr-xapp/build/jitsi-conference-focus/jicofo16
-rw-r--r--app/build/jitsi-conference-focus/sip-communicator.properties2
-rw-r--r--app/build/jitsi-meet/Dockerfile28
-rw-r--r--app/build/jitsi-meet/config.js517
-rwxr-xr-xapp/build/jitsi-meet/entrypoint.sh38
-rw-r--r--app/build/jitsi-videobridge/Dockerfile30
-rwxr-xr-xapp/build/jitsi-videobridge/jvb_run54
-rw-r--r--app/build/jitsi-xmpp/Dockerfile11
-rw-r--r--app/build/jitsi-xmpp/external_components.cfg.lua2
-rwxr-xr-xapp/build/jitsi-xmpp/xmpp_conf47
-rwxr-xr-xapp/build/jitsi-xmpp/xmpp_gen9
-rwxr-xr-xapp/build/jitsi-xmpp/xmpp_run20
-rw-r--r--app/build/landing/README.md3
-rw-r--r--app/build/mariadb/60-disable-dialog.cnf3
-rw-r--r--app/build/mariadb/60-ldap.cnf3
-rw-r--r--app/build/mariadb/60-remote.cnf2
-rw-r--r--app/build/mariadb/Dockerfile14
-rw-r--r--app/build/mariadb/README.md19
-rwxr-xr-xapp/build/mariadb/entrypoint.sh50
-rw-r--r--app/build/mariadb/nsswitch.conf21
-rw-r--r--app/build/mariadb/pam-mariadb2
-rw-r--r--app/build/matrix-synapse/Dockerfile47
-rwxr-xr-xapp/build/matrix-synapse/entrypoint.sh3
-rw-r--r--app/build/nextcloud/Dockerfile27
-rwxr-xr-xapp/build/nextcloud/container-setup.sh37
-rwxr-xr-xapp/build/nextcloud/entrypoint.sh8
-rw-r--r--app/build/opendkim/Dockerfile8
-rw-r--r--app/build/opendkim/README.md12
-rw-r--r--app/build/opendkim/opendkim.conf12
-rw-r--r--app/build/pithos/0.7.5.tar.gzbin0 -> 93151 bytes
-rw-r--r--app/build/pithos/Dockerfile4
-rw-r--r--app/build/pithos/README.md9
-rw-r--r--app/build/pithos/pithos-0.7.5-standalone.jarbin0 -> 21821895 bytes
-rw-r--r--app/build/postfix/Dockerfile11
-rw-r--r--app/build/postfix/README.md18
-rwxr-xr-xapp/build/postfix/entrypoint.sh30
-rw-r--r--app/build/postgres/Dockerfile19
-rw-r--r--app/build/postgres/README.md4
-rw-r--r--app/build/postgres/postgresql.conf25
-rwxr-xr-xapp/build/postgres/start.sh22
-rw-r--r--app/build/riotweb/Dockerfile13
-rw-r--r--app/build/riotweb/config.json24
-rw-r--r--app/build/seafile/Dockerfile46
-rw-r--r--app/build/seafile/README.md27
-rwxr-xr-xapp/build/seafile/seadocker4
-rwxr-xr-xapp/build/seafile/seaenv7
-rw-r--r--app/build/sogo/Dockerfile17
-rw-r--r--app/build/sogo/README.md20
-rwxr-xr-xapp/build/sogo/entrypoint13
-rw-r--r--app/build/sogo/sogo.nginx.conf83
-rw-r--r--app/build/static/Dockerfile9
-rw-r--r--app/build/static/README.md5
m---------app/build/static/goStatic0
-rw-r--r--app/build/webpull/.gitignore1
-rw-r--r--app/build/webpull/Dockerfile.nodejs9
-rw-r--r--app/build/webpull/Dockerfile.ruby12
-rw-r--r--app/build/webpull/README.md23
-rw-r--r--app/build/webpull/main.go100
-rw-r--r--app/config/configuration/.gitignore33
-rw-r--r--app/config/configuration/chat/coturn/turnserver.conf.tpl19
-rw-r--r--app/config/configuration/chat/easybridge/config.json.tpl17
-rw-r--r--app/config/configuration/chat/easybridge/registration.yaml.tpl14
-rw-r--r--app/config/configuration/chat/fb2mx/config.yaml133
-rw-r--r--app/config/configuration/chat/fb2mx/registration.yaml11
-rw-r--r--app/config/configuration/chat/riot_web/config.json25
-rw-r--r--app/config/configuration/chat/synapse/conf.d/report_stats.yaml1
-rw-r--r--app/config/configuration/chat/synapse/conf.d/server_name.yaml1
-rw-r--r--app/config/configuration/chat/synapse/homeserver.yaml420
-rw-r--r--app/config/configuration/chat/synapse/log.yaml41
-rw-r--r--app/config/configuration/directory/bottin/config.json31
-rw-r--r--app/config/configuration/directory/guichet/config.json.tpl30
-rw-r--r--app/config/configuration/email/dkim/keytable1
-rw-r--r--app/config/configuration/email/dkim/signingtable2
-rw-r--r--app/config/configuration/email/dkim/smtp.private.sample0
-rw-r--r--app/config/configuration/email/dkim/smtp.txt.sample0
-rw-r--r--app/config/configuration/email/dkim/trusted4
-rwxr-xr-xapp/config/configuration/email/dovecot/certs.gen13
-rw-r--r--app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl8
-rwxr-xr-xapp/config/configuration/email/postfix/certs.gen13
-rw-r--r--app/config/configuration/email/postfix/dynamicmaps.cf9
-rw-r--r--app/config/configuration/email/postfix/header_checks3
-rw-r--r--app/config/configuration/email/postfix/ldap-account.cf.tpl12
-rw-r--r--app/config/configuration/email/postfix/ldap-alias.cf.tpl9
-rw-r--r--app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl12
-rw-r--r--app/config/configuration/email/postfix/main.cf104
-rw-r--r--app/config/configuration/email/postfix/master.cf114
-rw-r--r--app/config/configuration/email/postfix/transport5
-rw-r--r--app/config/configuration/email/postfix/transport.dbbin0 -> 12288 bytes
-rw-r--r--app/config/configuration/email/sogo/sogo.conf.tpl68
-rw-r--r--app/config/configuration/mariadb/main/env.tpl6
-rw-r--r--app/config/configuration/nextcloud/config.php.tpl49
-rw-r--r--app/config/configuration/postgres/keeper/env.tpl3
-rw-r--r--app/config/configuration/seafile/ccnet/mykey.peer.sample0
-rw-r--r--app/config/configuration/seafile/ccnet/seafile.ini1
-rw-r--r--app/config/configuration/seafile/conf/ccnet.conf.tpl29
-rw-r--r--app/config/configuration/seafile/conf/mykey.peer.sample0
-rw-r--r--app/config/configuration/seafile/conf/seafdav.conf5
-rw-r--r--app/config/configuration/seafile/conf/seafile.conf.tpl19
-rw-r--r--app/config/configuration/seafile/conf/seahub_settings.py.tpl21
-rw-r--r--app/config/configuration/traefik/traefik.toml45
-rwxr-xr-xapp/config/restore_configuration.sh7
-rw-r--r--app/config/secrets/.gitignore10
-rw-r--r--app/config/secrets/chat/coturn/static-auth.sample0
-rw-r--r--app/config/secrets/chat/fb2mx/as_token.sample0
-rw-r--r--app/config/secrets/chat/fb2mx/db_url.sample1
-rw-r--r--app/config/secrets/chat/fb2mx/hs_token.sample0
-rw-r--r--app/config/secrets/chat/synapse/homeserver.tls.crt.sample0
-rw-r--r--app/config/secrets/chat/synapse/homeserver.tls.dh.sample0
-rw-r--r--app/config/secrets/chat/synapse/homeserver.tls.key.sample0
-rw-r--r--app/config/secrets/chat/synapse/ldap_binddn.sample0
-rw-r--r--app/config/secrets/chat/synapse/ldap_bindpw.sample0
-rw-r--r--app/config/secrets/chat/synapse/postgres_db.sample0
-rw-r--r--app/config/secrets/chat/synapse/postgres_pwd.sample0
-rw-r--r--app/config/secrets/chat/synapse/postgres_user.sample0
-rw-r--r--app/config/secrets/chat/synapse/registration_shared_secret.sample0
-rw-r--r--app/config/secrets/email/sogo/ldap_binddn.sample0
-rw-r--r--app/config/secrets/email/sogo/ldap_bindpw.sample0
-rw-r--r--app/config/secrets/email/sogo/postgre_auth.sample0
-rw-r--r--app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample0
-rw-r--r--app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample0
-rw-r--r--app/config/secrets/jitsi/global_env.sample9
-rw-r--r--app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample0
-rw-r--r--app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample0
-rw-r--r--app/config/secrets/mariadb/main/ldap_binddn.sample0
-rw-r--r--app/config/secrets/mariadb/main/ldap_bindpwd.sample0
-rw-r--r--app/config/secrets/mariadb/main/mysql_pwd.sample0
-rw-r--r--app/config/secrets/platoo/bddpw.sample0
-rw-r--r--app/config/secrets/postgres/keeper/pg_repl_pwd.sample0
-rw-r--r--app/config/secrets/postgres/keeper/pg_repl_username.sample0
-rw-r--r--app/config/secrets/postgres/keeper/pg_su_pwd.sample0
-rw-r--r--app/config/secrets/web/home_token.sample0
-rw-r--r--app/config/secrets/web/quentin.dufour.io_token.sample0
-rw-r--r--app/deployment/bottin2.hcl116
-rw-r--r--app/deployment/core.hcl43
-rw-r--r--app/deployment/email.hcl475
-rw-r--r--app/deployment/garage.hcl99
-rw-r--r--app/deployment/im.hcl361
-rw-r--r--app/deployment/jitsi.hcl252
-rw-r--r--app/deployment/mariadb.hcl69
-rw-r--r--app/deployment/nextcloud.hcl67
-rw-r--r--app/deployment/object_storage.hcl159
-rw-r--r--app/deployment/platoo.hcl64
-rw-r--r--app/deployment/postgres.hcl145
-rw-r--r--app/deployment/science.hcl58
-rw-r--r--app/deployment/seafile.hcl174
-rw-r--r--app/deployment/traefik.hcl68
-rw-r--r--app/deployment/web_static.hcl113
-rw-r--r--app/deployment/webcap.hcl56
-rw-r--r--app/integration/jitsi/01_gen_certs.yml8
-rw-r--r--app/integration/jitsi/02_run.yml27
-rw-r--r--app/integration/jitsi/README.md26
-rw-r--r--app/integration/jitsi/dev.env10
-rw-r--r--app/integration/jitsi/jitsi-certs/.gitignore2
165 files changed, 5553 insertions, 0 deletions
diff --git a/app/build/README.md b/app/build/README.md
new file mode 100644
index 0000000..a877cfa
--- /dev/null
+++ b/app/build/README.md
@@ -0,0 +1,8 @@
+## How to upgrade our packaged apps to a new version?
+
+ 1. Edit `docker-compose.yml`
+ 2. Change the `VERSION` variable to the desired version
+ 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14)
+ 4. Run `docker-compose build`
+ 5. Run `docker-compose push`
+ 6. Done
diff --git a/app/build/blog-quentin/.dockerenv b/app/build/blog-quentin/.dockerenv
new file mode 100755
index 0000000..e69de29
--- /dev/null
+++ b/app/build/blog-quentin/.dockerenv
diff --git a/app/build/blog-quentin/Dockerfile b/app/build/blog-quentin/Dockerfile
new file mode 100644
index 0000000..61f5c40
--- /dev/null
+++ b/app/build/blog-quentin/Dockerfile
@@ -0,0 +1,16 @@
+FROM amd64/debian:stretch as builder
+
+COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile
+
+WORKDIR /root/quentin.dufour.io
+
+RUN apt-get update && \
+ apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \
+ bundle install
+
+COPY ./quentin.dufour.io/ /root/quentin.dufour.io/
+RUN bundle exec jekyll build
+
+FROM superboum/amd64_webserver:v2
+COPY --from=builder /root/quentin.dufour.io/_site /srv/http
+
diff --git a/app/build/blog-quentin/README.md b/app/build/blog-quentin/README.md
new file mode 100644
index 0000000..25ac463
--- /dev/null
+++ b/app/build/blog-quentin/README.md
@@ -0,0 +1 @@
+sudo docker build -t superboum/amd64_blog:v19 .
diff --git a/app/build/coturn/Dockerfile b/app/build/coturn/Dockerfile
new file mode 100644
index 0000000..0d23161
--- /dev/null
+++ b/app/build/coturn/Dockerfile
@@ -0,0 +1,8 @@
+FROM amd64/debian:buster
+
+RUN apt-get update && \
+ apt-get dist-upgrade -y && \
+ apt-get install -y \
+ coturn
+
+CMD ["/usr/bin/turnserver"]
diff --git a/app/build/coturn/README.md b/app/build/coturn/README.md
new file mode 100644
index 0000000..e882146
--- /dev/null
+++ b/app/build/coturn/README.md
@@ -0,0 +1,17 @@
+
+## Génère l'image
+```
+sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 .
+```
+
+## Run bash dans le container
+```
+sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash
+sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
+```
+
+## Used ports
+- udp/tcp 3478 3479
+
+## Publish
+sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1
diff --git a/app/build/docker-compose.yml b/app/build/docker-compose.yml
new file mode 100644
index 0000000..94bc154
--- /dev/null
+++ b/app/build/docker-compose.yml
@@ -0,0 +1,63 @@
+version: '3.4'
+services:
+
+ # Instant Messaging
+ riot:
+ build:
+ context: ./riotweb
+ args:
+ # https://github.com/vector-im/riot-web/releases
+ VERSION: 1.7.5
+ image: superboum/amd64_riotweb:v15
+
+ synapse:
+ build:
+ context: ./matrix-synapse
+ args:
+ # https://github.com/matrix-org/synapse/releases
+ VERSION: 1.19.1
+ image: superboum/amd64_synapse:v33
+
+ # Email
+ sogo:
+ build:
+ context: ./sogo
+ args:
+ # fake for now
+ VERSION: 5.0.0
+ image: superboum/amd64_sogo:v7
+
+ # VoIP
+ jitsi-meet:
+ build:
+ context: ./jitsi-meet
+ args:
+ # https://github.com/jitsi/jitsi-meet
+ PREFIXV: stable/jitsi-meet_
+ VERSION: 4966
+ image: superboum/amd64_jitsi_meet:v1
+
+ jitsi-conference-focus:
+ build:
+ context: ./jitsi-conference-focus
+ args:
+ # https://github.com/jitsi/jicofo
+ PREFIXV: stable/jitsi-meet_
+ VERSION: 4966
+ image: superboum/amd64_jitsi_conference_focus:v5
+
+ jitsi-videobridge:
+ build:
+ context: ./jitsi-videobridge
+ args:
+ # https://github.com/jitsi/jitsi-videobridge
+ PREFIXV: stable/jitsi-meet_
+ VERSION: 4966
+ image: superboum/amd64_jitsi_videobridge:v15
+
+ jitsi-xmpp:
+ build:
+ context: ./jitsi-xmpp
+ args:
+ VERSION: fake-1
+ image: superboum/amd64_jitsi_xmpp:v4
diff --git a/app/build/dovecot/.gitignore b/app/build/dovecot/.gitignore
new file mode 100644
index 0000000..71a04e2
--- /dev/null
+++ b/app/build/dovecot/.gitignore
@@ -0,0 +1 @@
+dovecot-ldap.conf
diff --git a/app/build/dovecot/Dockerfile b/app/build/dovecot/Dockerfile
new file mode 100644
index 0000000..9b87627
--- /dev/null
+++ b/app/build/dovecot/Dockerfile
@@ -0,0 +1,17 @@
+FROM amd64/debian:stretch
+
+RUN apt-get update && \
+ apt-get install -y \
+ dovecot-antispam \
+ dovecot-core \
+ dovecot-imapd \
+ dovecot-ldap \
+ dovecot-managesieved \
+ dovecot-sieve \
+ dovecot-lmtpd && \
+ rm -rf /etc/dovecot/*
+RUN useradd mailstore
+COPY ./conf/* /etc/dovecot/
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/app/build/dovecot/README.md b/app/build/dovecot/README.md
new file mode 100644
index 0000000..8c9f372
--- /dev/null
+++ b/app/build/dovecot/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_dovecot:v2 .
+```
+
+
+```
+sudo docker run -t -i \
+ -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \
+ -p 993:993 \
+ -p 143:143 \
+ -p 24:24 \
+ -p 1337:1337 \
+ -v /mnt/glusterfs/email/ssl:/etc/ssl/ \
+ -v /mnt/glusterfs/email/mail:/var/mail \
+ -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \
+ superboum/amd64_dovecot:v1 \
+ dovecot -F
+```
diff --git a/app/build/dovecot/entrypoint.sh b/app/build/dovecot/entrypoint.sh
new file mode 100755
index 0000000..2165d8f
--- /dev/null
+++ b/app/build/dovecot/entrypoint.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then
+ cd /root
+ openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout dovecot.key \
+ -out dovecot.crt
+
+ mkdir -p /etc/ssl/{certs,private}/
+
+ cp dovecot.crt /etc/ssl/certs/dovecot.crt
+ cp dovecot.key /etc/ssl/private/dovecot.key
+ chmod 400 /etc/ssl/certs/dovecot.crt
+ chmod 400 /etc/ssl/private/dovecot.key
+fi
+
+if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then
+ chown -R mailstore /var/mail
+fi
+
+exec "$@"
diff --git a/app/build/jitsi-conference-focus/Dockerfile b/app/build/jitsi-conference-focus/Dockerfile
new file mode 100644
index 0000000..e2c459c
--- /dev/null
+++ b/app/build/jitsi-conference-focus/Dockerfile
@@ -0,0 +1,27 @@
+FROM debian:buster AS builder
+
+ARG PREFIXV
+ARG VERSION
+RUN apt-get update && \
+ apt-get install -y openjdk-11-jdk maven wget unzip && \
+ wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip
+
+RUN unzip jicofo.zip && \
+ mv jicofo*${VERSION} jicofo && \
+ cd jicofo && \
+ mvn package -DskipTests -Dassembly.skipAssembly=false && \
+ unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \
+ mv jicofo-1.1-SNAPSHOT /srv/build
+
+FROM debian:buster
+
+RUN apt-get update && \
+ apt-get install -y openjdk-11-jre-headless ca-certificates
+
+ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi"
+
+COPY --from=builder /srv/build /srv/jicofo
+COPY jicofo /usr/local/bin/jicofo
+COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties
+
+CMD ["/usr/local/bin/jicofo"]
diff --git a/app/build/jitsi-conference-focus/jicofo b/app/build/jitsi-conference-focus/jicofo
new file mode 100755
index 0000000..2bc6e3f
--- /dev/null
+++ b/app/build/jitsi-conference-focus/jicofo
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
+update-ca-certificates -f
+
+cat >> /etc/hosts <<EOF
+${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
+127.0.0.1 `hostname`
+EOF
+
+/srv/jicofo/jicofo.sh \
+ --host=${JITSI_PROSODY_HOST} \
+ --domain=jitsi.deuxfleurs.fr \
+ --secret=${JITSI_SECRET_JICOFO_COMPONENT} \
+ --user_domain=auth.jitsi.deuxfleurs.fr \
+ --user_password=${JITSI_SECRET_JICOFO_USER}
diff --git a/app/build/jitsi-conference-focus/sip-communicator.properties b/app/build/jitsi-conference-focus/sip-communicator.properties
new file mode 100644
index 0000000..53c32e2
--- /dev/null
+++ b/app/build/jitsi-conference-focus/sip-communicator.properties
@@ -0,0 +1,2 @@
+org.jitsi.jicofo.SHORT_ID=1
+org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
diff --git a/app/build/jitsi-meet/Dockerfile b/app/build/jitsi-meet/Dockerfile
new file mode 100644
index 0000000..feef115
--- /dev/null
+++ b/app/build/jitsi-meet/Dockerfile
@@ -0,0 +1,28 @@
+FROM debian:buster AS builder
+
+ARG PREFIXV
+ARG VERSION
+
+RUN apt-get update && \
+ apt-get install -y curl && \
+ curl -sL https://deb.nodesource.com/setup_14.x | bash - && \
+ apt-get install -y git nodejs make wget unzip && \
+ wget https://github.com/jitsi/jitsi-meet/archive/${PREFIXV}${VERSION}.zip -O jitsi-meet.zip
+
+RUN unzip jitsi-meet.zip && \
+ mv jitsi-meet-*${VERSION} jitsi-meet && \
+ cd jitsi-meet && \
+ npm install && \
+ make
+
+FROM debian:buster
+
+COPY --from=builder /jitsi-meet /srv/jitsi-meet
+RUN apt-get update && \
+ apt-get install -y nginx && \
+ rm /etc/nginx/sites-enabled/*
+
+COPY config.js /srv/jitsi-meet/config.js
+COPY entrypoint.sh /usr/local/bin/entrypoint
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
diff --git a/app/build/jitsi-meet/config.js b/app/build/jitsi-meet/config.js
new file mode 100644
index 0000000..18ff319
--- /dev/null
+++ b/app/build/jitsi-meet/config.js
@@ -0,0 +1,517 @@
+/* eslint-disable no-unused-vars, no-var */
+
+var config = {
+ // Connection
+ //
+
+ hosts: {
+ // XMPP domain.
+ domain: 'jitsi.deuxfleurs.fr',
+
+ // When using authentication, domain for guest users.
+ // anonymousdomain: 'guest.example.com',
+
+ // Domain for authenticated users. Defaults to <domain>.
+ // authdomain: 'jitsi-meet.example.com',
+
+ // Jirecon recording component domain.
+ // jirecon: 'jirecon.jitsi-meet.example.com',
+
+ // Call control component (Jigasi).
+ // call_control: 'callcontrol.jitsi-meet.example.com',
+
+ // Focus component domain. Defaults to focus.<domain>.
+ // focus: 'focus.jitsi-meet.example.com',
+
+ // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
+ muc: 'conference.jitsi.deuxfleurs.fr'
+ },
+
+ // BOSH URL. FIXME: use XEP-0156 to discover it.
+ bosh: '//jitsi.deuxfleurs.fr/http-bind',
+
+ // Websocket URL
+ // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',
+
+ // The name of client node advertised in XEP-0115 'c' stanza
+ clientNode: 'http://jitsi.org/jitsimeet',
+
+ // The real JID of focus participant - can be overridden here
+ // focusUserJid: 'focus@auth.jitsi-meet.example.com',
+
+
+ // Testing / experimental features.
+ //
+
+ testing: {
+ // Enables experimental simulcast support on Firefox.
+ enableFirefoxSimulcast: false,
+
+ // P2P test mode disables automatic switching to P2P when there are 2
+ // participants in the conference.
+ p2pTestMode: false
+
+ // Enables the test specific features consumed by jitsi-meet-torture
+ // testMode: false
+
+ // Disables the auto-play behavior of *all* newly created video element.
+ // This is useful when the client runs on a host with limited resources.
+ // noAutoPlayVideo: false
+ },
+
+ // Disables ICE/UDP by filtering out local and remote UDP candidates in
+ // signalling.
+ // webrtcIceUdpDisable: false,
+
+ // Disables ICE/TCP by filtering out local and remote TCP candidates in
+ // signalling.
+ // webrtcIceTcpDisable: false,
+
+
+ // Media
+ //
+
+ // Audio
+
+ // Disable measuring of audio levels.
+ // disableAudioLevels: false,
+ // audioLevelsInterval: 200,
+
+ // Enabling this will run the lib-jitsi-meet no audio detection module which
+ // will notify the user if the current selected microphone has no audio
+ // input and will suggest another valid device if one is present.
+ enableNoAudioDetection: true,
+
+ // Enabling this will run the lib-jitsi-meet noise detection module which will
+ // notify the user if there is noise, other than voice, coming from the current
+ // selected microphone. The purpose it to let the user know that the input could
+ // be potentially unpleasant for other meeting participants.
+ enableNoisyMicDetection: true,
+
+ // Start the conference in audio only mode (no video is being received nor
+ // sent).
+ // startAudioOnly: false,
+
+ // Every participant after the Nth will start audio muted.
+ // startAudioMuted: 10,
+
+ // Start calls with audio muted. Unlike the option above, this one is only
+ // applied locally. FIXME: having these 2 options is confusing.
+ // startWithAudioMuted: false,
+
+ // Enabling it (with #params) will disable local audio output of remote
+ // participants and to enable it back a reload is needed.
+ // startSilent: false
+
+ // Video
+
+ // Sets the preferred resolution (height) for local video. Defaults to 720.
+ resolution: 480,
+
+ // w3c spec-compliant video constraints to use for video capture. Currently
+ // used by browsers that return true from lib-jitsi-meet's
+ // util#browser#usesNewGumFlow. The constraints are independency from
+ // this config's resolution value. Defaults to requesting an ideal aspect
+ // ratio of 16:9 with an ideal resolution of 720.
+ constraints: {
+ video: {
+ aspectRatio: 16 / 9,
+ height: {
+ ideal: 480,
+ max: 720,
+ min: 240
+ }
+ }
+ },
+
+ // Enable / disable simulcast support.
+ // disableSimulcast: false,
+
+ // Enable / disable layer suspension. If enabled, endpoints whose HD
+ // layers are not in use will be suspended (no longer sent) until they
+ // are requested again.
+ // enableLayerSuspension: false,
+
+ // Every participant after the Nth will start video muted.
+ // startVideoMuted: 10,
+
+ // Start calls with video muted. Unlike the option above, this one is only
+ // applied locally. FIXME: having these 2 options is confusing.
+ // startWithVideoMuted: false,
+
+ // If set to true, prefer to use the H.264 video codec (if supported).
+ // Note that it's not recommended to do this because simulcast is not
+ // supported when using H.264. For 1-to-1 calls this setting is enabled by
+ // default and can be toggled in the p2p section.
+ // preferH264: true,
+
+ // If set to true, disable H.264 video codec by stripping it out of the
+ // SDP.
+ // disableH264: false,
+
+ // Desktop sharing
+
+ // The ID of the jidesha extension for Chrome.
+ desktopSharingChromeExtId: null,
+
+ // Whether desktop sharing should be disabled on Chrome.
+ // desktopSharingChromeDisabled: false,
+
+ // The media sources to use when using screen sharing with the Chrome
+ // extension.
+ desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
+
+ // Required version of Chrome extension
+ desktopSharingChromeMinExtVersion: '0.1',
+
+ // Whether desktop sharing should be disabled on Firefox.
+ // desktopSharingFirefoxDisabled: false,
+
+ // Optional desktop sharing frame rate options. Default value: min:5, max:5.
+ // desktopSharingFrameRate: {
+ // min: 5,
+ // max: 5
+ // },
+
+ // Try to start calls with screen-sharing instead of camera video.
+ // startScreenSharing: false,
+
+ // Recording
+
+ // Whether to enable file recording or not.
+ // fileRecordingsEnabled: false,
+ // Enable the dropbox integration.
+ // dropbox: {
+ // appKey: '<APP_KEY>' // Specify your app key here.
+ // // A URL to redirect the user to, after authenticating
+ // // by default uses:
+ // // 'https://jitsi-meet.example.com/static/oauth.html'
+ // redirectURI:
+ // 'https://jitsi-meet.example.com/subfolder/static/oauth.html'
+ // },
+ // When integrations like dropbox are enabled only that will be shown,
+ // by enabling fileRecordingsServiceEnabled, we show both the integrations
+ // and the generic recording service (its configuration and storage type
+ // depends on jibri configuration)
+ // fileRecordingsServiceEnabled: false,
+ // Whether to show the possibility to share file recording with other people
+ // (e.g. meeting participants), based on the actual implementation
+ // on the backend.
+ // fileRecordingsServiceSharingEnabled: false,
+
+ // Whether to enable live streaming or not.
+ // liveStreamingEnabled: false,
+
+ // Transcription (in interface_config,
+ // subtitles and buttons can be configured)
+ // transcribingEnabled: false,
+
+ // Enables automatic turning on captions when recording is started
+ // autoCaptionOnRecord: false,
+
+ // Misc
+
+ // Default value for the channel "last N" attribute. -1 for unlimited.
+ channelLastN: -1,
+
+ // Disables or enables RTX (RFC 4588) (defaults to false).
+ // disableRtx: false,
+
+ // Disables or enables TCC (the default is in Jicofo and set to true)
+ // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting
+ // affects congestion control, it practically enables send-side bandwidth
+ // estimations.
+ // enableTcc: true,
+
+ // Disables or enables REMB (the default is in Jicofo and set to false)
+ // (draft-alvestrand-rmcat-remb-03). This setting affects congestion
+ // control, it practically enables recv-side bandwidth estimations. When
+ // both TCC and REMB are enabled, TCC takes precedence. When both are
+ // disabled, then bandwidth estimations are disabled.
+ // enableRemb: false,
+
+ // Defines the minimum number of participants to start a call (the default
+ // is set in Jicofo and set to 2).
+ // minParticipants: 2,
+
+ // Use XEP-0215 to fetch STUN and TURN servers.
+ // useStunTurn: true,
+
+ // Enable IPv6 support.
+ // useIPv6: true,
+
+ // Enables / disables a data communication channel with the Videobridge.
+ // Values can be 'datachannel', 'websocket', true (treat it as
+ // 'datachannel'), undefined (treat it as 'datachannel') and false (don't
+ // open any channel).
+ // openBridgeChannel: true,
+
+
+ // UI
+ //
+
+ // Use display name as XMPP nickname.
+ // useNicks: false,
+
+ // Require users to always specify a display name.
+ // requireDisplayName: true,
+
+ // Whether to use a welcome page or not. In case it's false a random room
+ // will be joined when no room is specified.
+ enableWelcomePage: true,
+
+ // Enabling the close page will ignore the welcome page redirection when
+ // a call is hangup.
+ // enableClosePage: false,
+
+ // Disable hiding of remote thumbnails when in a 1-on-1 conference call.
+ // disable1On1Mode: false,
+
+ // Default language for the user interface.
+ defaultLanguage: 'fr',
+
+ // If true all users without a token will be considered guests and all users
+ // with token will be considered non-guests. Only guests will be allowed to
+ // edit their profile.
+ enableUserRolesBasedOnToken: false,
+
+ // Whether or not some features are checked based on token.
+ // enableFeaturesBasedOnToken: false,
+
+ // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests.
+ // lockRoomGuestEnabled: false,
+
+ // When enabled the password used for locking a room is restricted to up to the number of digits specified
+ // roomPasswordNumberOfDigits: 10,
+ // default: roomPasswordNumberOfDigits: false,
+
+ // Message to show the users. Example: 'The service will be down for
+ // maintenance at 01:00 AM GMT,
+ // noticeMessage: '',
+
+ // Enables calendar integration, depends on googleApiApplicationClientID
+ // and microsoftApiApplicationClientID
+ // enableCalendarIntegration: false,
+
+ // Stats
+ //
+
+ // Whether to enable stats collection or not in the TraceablePeerConnection.
+ // This can be useful for debugging purposes (post-processing/analysis of
+ // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth
+ // estimation tests.
+ // gatherStats: false,
+
+ // The interval at which PeerConnection.getStats() is called. Defaults to 10000
+ // pcStatsInterval: 10000,
+
+ // To enable sending statistics to callstats.io you must provide the
+ // Application ID and Secret.
+ // callStatsID: '',
+ // callStatsSecret: '',
+
+ // enables sending participants display name to callstats
+ // enableDisplayNameInStats: false
+
+ // enables sending participants email if available to callstats and other analytics
+ // enableEmailInStats: false
+
+ // Privacy
+ //
+
+ // If third party requests are disabled, no other server will be contacted.
+ // This means avatars will be locally generated and callstats integration
+ // will not function.
+ // disableThirdPartyRequests: false,
+
+
+ // Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
+ //
+
+ p2p: {
+ // Enables peer to peer mode. When enabled the system will try to
+ // establish a direct connection when there are exactly 2 participants
+ // in the room. If that succeeds the conference will stop sending data
+ // through the JVB and use the peer to peer connection instead. When a
+ // 3rd participant joins the conference will be moved back to the JVB
+ // connection.
+ enabled: true,
+
+ // Use XEP-0215 to fetch STUN and TURN servers.
+ // useStunTurn: true,
+
+ // The STUN servers that will be used in the peer to peer connections
+ stunServers: [
+
+ // { urls: 'stun:jitsi-meet.example.com:443' },
+ { urls: 'stun:stun.l.google.com:19302' },
+ { urls: 'stun:stun1.l.google.com:19302' },
+ { urls: 'stun:stun2.l.google.com:19302' }
+ ],
+
+ // Sets the ICE transport policy for the p2p connection. At the time
+ // of this writing the list of possible values are 'all' and 'relay',
+ // but that is subject to change in the future. The enum is defined in
+ // the WebRTC standard:
+ // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum.
+ // If not set, the effective value is 'all'.
+ // iceTransportPolicy: 'all',
+
+ // If set to true, it will prefer to use H.264 for P2P calls (if H.264
+ // is supported).
+ preferH264: true,
+
+ // If set to true, disable H.264 video codec by stripping it out of the
+ // SDP.
+ // disableH264: false,
+
+ // How long we're going to wait, before going back to P2P after the 3rd
+ // participant has left the conference (to filter out page reload).
+ backToP2PDelay: 60
+ },
+
+ analytics: {
+ // The Google Analytics Tracking ID:
+ // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1'
+
+ // The Amplitude APP Key:
+ // amplitudeAPPKey: '<APP_KEY>'
+
+ // Array of script URLs to load as lib-jitsi-meet "analytics handlers".
+ // scriptURLs: [
+ // "libs/analytics-ga.min.js", // google-analytics
+ // "https://example.com/my-custom-analytics.js"
+ // ],
+ },
+
+ // Information about the jitsi-meet instance we are connecting to, including
+ // the user region as seen by the server.
+ deploymentInfo: {
+ // shard: "shard1",
+ // region: "europe",
+ // userRegion: "asia"
+ }
+
+ // Information for the chrome extension banner
+ // chromeExtensionBanner: {
+ // // The chrome extension to be installed address
+ // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb',
+
+ // // Extensions info which allows checking if they are installed or not
+ // chromeExtensionsInfo: [
+ // {
+ // id: 'kglhbbefdnlheedjiejgomgmfplipfeb',
+ // path: 'jitsi-logo-48x48.png'
+ // }
+ // ]
+ // }
+
+ // Local Recording
+ //
+
+ // localRecording: {
+ // Enables local recording.
+ // Additionally, 'localrecording' (all lowercase) needs to be added to
+ // TOOLBAR_BUTTONS in interface_config.js for the Local Recording
+ // button to show up on the toolbar.
+ //
+ // enabled: true,
+ //
+
+ // The recording format, can be one of 'ogg', 'flac' or 'wav'.
+ // format: 'flac'
+ //
+
+ // }
+
+ // Options related to end-to-end (participant to participant) ping.
+ // e2eping: {
+ // // The interval in milliseconds at which pings will be sent.
+ // // Defaults to 10000, set to <= 0 to disable.
+ // pingInterval: 10000,
+ //
+ // // The interval in milliseconds at which analytics events
+ // // with the measured RTT will be sent. Defaults to 60000, set
+ // // to <= 0 to disable.
+ // analyticsInterval: 60000,
+ // }
+
+ // If set, will attempt to use the provided video input device label when
+ // triggering a screenshare, instead of proceeding through the normal flow
+ // for obtaining a desktop stream.
+ // NOTE: This option is experimental and is currently intended for internal
+ // use only.
+ // _desktopSharingSourceDevice: 'sample-id-or-label'
+
+ // If true, any checks to handoff to another application will be prevented
+ // and instead the app will continue to display in the current browser.
+ // disableDeepLinking: false
+
+ // A property to disable the right click context menu for localVideo
+ // the menu has option to flip the locally seen video for local presentations
+ // disableLocalVideoFlip: false
+
+ // Deployment specific URLs.
+ // deploymentUrls: {
+ // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for
+ // // user documentation.
+ // userDocumentationURL: 'https://docs.example.com/video-meetings.html',
+ // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link
+ // // to the specified URL for an app download page.
+ // downloadAppsUrl: 'https://docs.example.com/our-apps.html'
+ // }
+
+ // List of undocumented settings used in jitsi-meet
+ /**
+ _immediateReloadThreshold
+ autoRecord
+ autoRecordToken
+ debug
+ debugAudioLevels
+ deploymentInfo
+ dialInConfCodeUrl
+ dialInNumbersUrl
+ dialOutAuthUrl
+ dialOutCodesUrl
+ disableRemoteControl
+ displayJids
+ etherpad_base
+ externalConnectUrl
+ firefox_fake_device
+ googleApiApplicationClientID
+ iAmRecorder
+ iAmSipGateway
+ microsoftApiApplicationClientID
+ peopleSearchQueryTypes
+ peopleSearchUrl
+ requireDisplayName
+ tokenAuthUrl
+ */
+
+ // List of undocumented settings used in lib-jitsi-meet
+ /**
+ _peerConnStatusOutOfLastNTimeout
+ _peerConnStatusRtcMuteTimeout
+ abTesting
+ avgRtpStatsN
+ callStatsConfIDNamespace
+ callStatsCustomScriptUrl
+ desktopSharingSources
+ disableAEC
+ disableAGC
+ disableAP
+ disableHPF
+ disableNS
+ enableLipSync
+ enableTalkWhileMuted
+ forceJVB121Ratio
+ hiddenDomain
+ ignoreStartMuted
+ nick
+ startBitrate
+ */
+
+};
+
+/* eslint-enable no-unused-vars, no-var */
+
diff --git a/app/build/jitsi-meet/entrypoint.sh b/app/build/jitsi-meet/entrypoint.sh
new file mode 100755
index 0000000..1e18bd1
--- /dev/null
+++ b/app/build/jitsi-meet/entrypoint.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+cat > /etc/nginx/sites-available/jitsi <<EOF
+server_names_hash_bucket_size 64;
+
+server {
+ listen 0.0.0.0:443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+ server_name _;
+ ssl_certificate ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.crt;
+ ssl_certificate_key ${JITSI_CERTS_FOLDER}/jitsi.deuxfleurs.fr.key;
+ root /srv/jitsi-meet;
+ index index.html;
+ location ~ ^/([a-zA-Z0-9=\?]+)$ {
+ rewrite ^/(.*)$ / break;
+ }
+ location / {
+ ssi on;
+ }
+ # BOSH, Bidirectional-streams Over Synchronous HTTP
+ # https://en.wikipedia.org/wiki/BOSH_(protocol)
+ location /http-bind {
+ proxy_pass http://${JITSI_PROSODY_BOSH_HOST}:${JITSI_PROSODY_BOSH_PORT}/http-bind;
+ proxy_set_header X-Forwarded-For \$remote_addr;
+ proxy_set_header Host \$http_host;
+ }
+ # external_api.js must be accessible from the root of the
+ # installation for the electron version of Jitsi Meet to work
+ # https://github.com/jitsi/jitsi-meet-electron
+ location /external_api.js {
+ alias /srv/jitsi-meet/libs/external_api.min.js;
+ }
+}
+EOF
+
+ln -sf /etc/nginx/sites-available/jitsi /etc/nginx/sites-enabled/jitsi
+
+exec "$@"
diff --git a/app/build/jitsi-videobridge/Dockerfile b/app/build/jitsi-videobridge/Dockerfile
new file mode 100644
index 0000000..c17fb4f
--- /dev/null
+++ b/app/build/jitsi-videobridge/Dockerfile
@@ -0,0 +1,30 @@
+FROM debian:buster AS builder
+
+ARG PREFIXV
+ARG VERSION
+
+RUN apt-get update && \
+ apt-get install -y wget unzip maven openjdk-11-jdk && \
+ wget https://github.com/jitsi/jitsi-videobridge/archive/${PREFIXV}${VERSION}.zip -O jvb.zip
+
+RUN unzip jvb.zip && \
+ mv jitsi-videobridge*${VERSION} jvb && \
+ cd jvb && \
+ mvn package -DskipTests && \
+ ls jvb/target && \
+ unzip jvb/target/jitsi-videobridge*.zip && \
+ mv jitsi-videobridge-*-SNAPSHOT build
+
+FROM debian:buster
+
+RUN apt-get update && \
+ apt-get install -y openjdk-11-jre-headless
+
+COPY --from=builder /jvb/build /srv/jvb
+ENV HOME=/root
+WORKDIR /root
+COPY jvb_run /usr/local/bin/jvb_run
+
+ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi"
+
+CMD ["/usr/local/bin/jvb_run"]
diff --git a/app/build/jitsi-videobridge/jvb_run b/app/build/jitsi-videobridge/jvb_run
new file mode 100755
index 0000000..b86c911
--- /dev/null
+++ b/app/build/jitsi-videobridge/jvb_run
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+cat >> /etc/hosts <<EOF
+${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
+127.0.0.1 `hostname`
+EOF
+
+mkdir -p /root/.sip-communicator
+
+cat > /root/.sip-communicator/sip-communicator.properties <<EOF
+# Enable broadcasting stats/presence in a MUC
+org.jitsi.videobridge.ENABLE_STATISTICS=true
+org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
+
+# Connect to the first XMPP server
+org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=jitsi.deuxfleurs.fr
+org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.deuxfleurs.fr
+org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
+org.jitsi.videobridge.xmpp.user.shard.PASSWORD=${JITSI_SECRET_VIDEOBRIDGE}
+org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
+org.jitsi.videobridge.xmpp.user.shard.MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr
+org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=singleton
+org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
+
+# Do we need it? @FIXME
+org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false
+
+# NAT things, two times just in case...
+org.ice4j.ice.harvest.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP}
+org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP}
+org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP}
+org.jitsi.videobridge.TCP_HARVESTER_PORT=${JITSI_VIDEO_TCP}
+org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=${JITSI_NAT_LOCAL_IP}
+org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=${JITSI_NAT_PUBLIC_IP}
+org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false
+EOF
+
+[ -v JITSI_DEBUG ] && cat >> /root/.sip-communicator/sip-communicator.properties <<EOF
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_ENABLED=true
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_ARBITRARY_ENABLED=true
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_SIP_ENABLED=true
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_JABBER_ENABLED=true
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_RTP_ENABLED=true
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_ICE4j_ENABLED=true
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_COUNT=1
+net.java.sip.communicator.packetlogging.PACKET_LOGGING_FILE_SIZE=-1
+EOF
+
+/srv/jvb/jvb.sh \
+ --host=${JITSI_PROSODY_HOST} \
+ --domain=jitsi.deuxfleurs.fr \
+ --port=5347 \
+ --secret=${JITSI_SECRET_VIDEOBRIDGE} \
+ --apis=xmpp,rest
diff --git a/app/build/jitsi-xmpp/Dockerfile b/app/build/jitsi-xmpp/Dockerfile
new file mode 100644
index 0000000..3733d49
--- /dev/null
+++ b/app/build/jitsi-xmpp/Dockerfile
@@ -0,0 +1,11 @@
+FROM debian:buster
+
+RUN apt-get update && \
+ apt-get install -y prosody
+
+COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua
+COPY xmpp_conf /usr/local/bin/xmpp_conf
+COPY xmpp_gen /usr/local/bin/xmpp_gen
+COPY xmpp_run /usr/local/bin/xmpp_run
+
+CMD ["/usr/local/bin/xmpp_run"]
diff --git a/app/build/jitsi-xmpp/external_components.cfg.lua b/app/build/jitsi-xmpp/external_components.cfg.lua
new file mode 100644
index 0000000..beaaa87
--- /dev/null
+++ b/app/build/jitsi-xmpp/external_components.cfg.lua
@@ -0,0 +1,2 @@
+component_ports = { 5347 }
+component_interface = "0.0.0.0"
diff --git a/app/build/jitsi-xmpp/xmpp_conf b/app/build/jitsi-xmpp/xmpp_conf
new file mode 100755
index 0000000..5990d07
--- /dev/null
+++ b/app/build/jitsi-xmpp/xmpp_conf
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+cat >> /etc/hosts <<EOF
+${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-videobridge.jitsi.deuxfleurs.fr focus.jitsi.deuxfleurs.fr auth.jitsi.deuxfleurs.fr
+127.0.0.1 `hostname`
+EOF
+
+mkdir -p /etc/prosody/conf.{d,avail}/
+cat > /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua <<EOF
+VirtualHost "jitsi.deuxfleurs.fr"
+ authentication = "anonymous"
+ ssl = {
+ key = "/var/lib/prosody/jitsi.deuxfleurs.fr.key";
+ certificate = "/var/lib/prosody/jitsi.deuxfleurs.fr.crt";
+ }
+ modules_enabled = {
+ "bosh";
+ "pubsub";
+ }
+ c2s_require_encryption = false
+
+VirtualHost "auth.jitsi.deuxfleurs.fr"
+ ssl = {
+ key = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.key";
+ certificate = "/var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt";
+ }
+ authentication = "internal_plain"
+ admins = { "focus@auth.jitsi.deuxfleurs.fr"}
+
+Component "conference.jitsi.deuxfleurs.fr" "muc"
+Component "internal.auth.jitsi.deuxfleurs.fr" "muc"
+ storage = "memory"
+ modules_enabled = { "ping"; }
+ admins = { "focus@auth.jitsi.deuxfleurs.fr", "jvb@auth.jitsi.deuxfleurs.fr" }
+
+Component "jitsi-videobridge.jitsi.deuxfleurs.fr"
+ component_secret = "${JITSI_SECRET_VIDEOBRIDGE}"
+Component "focus.jitsi.deuxfleurs.fr"
+ component_secret = "${JITSI_SECRET_JICOFO_COMPONENT}"
+
+EOF
+
+ln -sf \
+ /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua \
+ /etc/prosody/conf.d/jitsi.deuxfleurs.fr.cfg.lua
+
+
diff --git a/app/build/jitsi-xmpp/xmpp_gen b/app/build/jitsi-xmpp/xmpp_gen
new file mode 100755
index 0000000..3a2e04a
--- /dev/null
+++ b/app/build/jitsi-xmpp/xmpp_gen
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+/usr/local/bin/xmpp_conf
+
+prosodyctl cert generate jitsi.deuxfleurs.fr
+prosodyctl cert generate auth.jitsi.deuxfleurs.fr
+
+cp /var/lib/prosody/*.crt ${JITSI_CERTS_FOLDER}
+cp /var/lib/prosody/*.key ${JITSI_CERTS_FOLDER}
diff --git a/app/build/jitsi-xmpp/xmpp_run b/app/build/jitsi-xmpp/xmpp_run
new file mode 100755
index 0000000..6383b65
--- /dev/null
+++ b/app/build/jitsi-xmpp/xmpp_run
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+/usr/local/bin/xmpp_conf
+cp ${JITSI_CERTS_FOLDER}/* /var/lib/prosody/
+chown -R prosody:prosody /var/lib/prosody
+
+mkdir -p /usr/local/share/ca-certificates/
+ln -sf \
+ /var/lib/prosody/auth.jitsi.deuxfleurs.fr.crt \
+ /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt
+
+prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER}
+prosodyctl register jvb auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_VIDEOBRIDGE}
+
+mkdir /run/prosody
+touch /run/prosody/prosody.pid
+chown -R prosody:prosody /run/prosody
+
+cd /var/lib/prosody
+su - prosody -s /bin/bash -c prosody
diff --git a/app/build/landing/README.md b/app/build/landing/README.md
new file mode 100644
index 0000000..5d2cb2b
--- /dev/null
+++ b/app/build/landing/README.md
@@ -0,0 +1,3 @@
+```
+docker build -t superboum/amd64_landing:v8 .
+```
diff --git a/app/build/mariadb/60-disable-dialog.cnf b/app/build/mariadb/60-disable-dialog.cnf
new file mode 100644
index 0000000..d41731a
--- /dev/null
+++ b/app/build/mariadb/60-disable-dialog.cnf
@@ -0,0 +1,3 @@
+[mariadb]
+pam_use_cleartext_plugin
+bind-address = 0.0.0.0
diff --git a/app/build/mariadb/60-ldap.cnf b/app/build/mariadb/60-ldap.cnf
new file mode 100644
index 0000000..72ffb9f
--- /dev/null
+++ b/app/build/mariadb/60-ldap.cnf
@@ -0,0 +1,3 @@
+[mariadb]
+plugin-load=auth_pam.so
+
diff --git a/app/build/mariadb/60-remote.cnf b/app/build/mariadb/60-remote.cnf
new file mode 100644
index 0000000..f759a49
--- /dev/null
+++ b/app/build/mariadb/60-remote.cnf
@@ -0,0 +1,2 @@
+[mysqld]
+bind-address = 0.0.0.0
diff --git a/app/build/mariadb/Dockerfile b/app/build/mariadb/Dockerfile
new file mode 100644
index 0000000..15ef954
--- /dev/null
+++ b/app/build/mariadb/Dockerfile
@@ -0,0 +1,14 @@
+FROM debian:stretch
+
+RUN apt-get update && \
+ apt-get dist-upgrade -y && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y mariadb-server mariadb-client libnss-ldapd
+
+COPY 60-ldap.cnf /etc/mysql/mariadb.conf.d/60-ldap.cnf
+COPY 60-remote.cnf /etc/mysql/mariadb.conf.d/60-remote.cnf
+COPY 60-disable-dialog.cnf /etc/mysql/mariadb.conf.d/60-disable-dialog.cnf
+COPY pam-mariadb /etc/pam.d/mariadb
+COPY nsswitch.conf /etc/nsswitch.conf
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/app/build/mariadb/README.md b/app/build/mariadb/README.md
new file mode 100644
index 0000000..1a3b8aa
--- /dev/null
+++ b/app/build/mariadb/README.md
@@ -0,0 +1,19 @@
+```
+sudo docker build -t superboum/amd64_mariadb:v3 .
+
+sudo docker run \
+ -t -i \
+ -p 3306:3306 \
+ -v /tmp/mysql:/var/lib/mysql \
+ -e LDAP_URI='ldap://bottin.service.2.cluster.deuxfleurs.fr' \
+ -e LDAP_BASE='ou=users,dc=deuxfleurs,dc=fr' \
+ -e LDAP_VERSION=3 \
+ -e LDAP_BIND_DN='cn=admin,dc=deuxfleurs,dc=fr' \
+ -e LDAP_BIND_PW='xxxx' \
+ -e MYSQL_PASSWORD='xxxx' \
+ superboum/amd64_mariadb:v1 \
+ tail -f /var/log/mysql/error.log
+
+CREATE USER quentin@localhost IDENTIFIED VIA pam USING 'mariadb';
+
+```
diff --git a/app/build/mariadb/entrypoint.sh b/app/build/mariadb/entrypoint.sh
new file mode 100755
index 0000000..7ebf049
--- /dev/null
+++ b/app/build/mariadb/entrypoint.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+cat > /etc/nslcd.conf <<EOF
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ${LDAP_URI}
+
+# The search base that will be used for all queries.
+base ${LDAP_BASE}
+
+# The LDAP protocol version to use.
+ldap_version ${LDAP_VERSION}
+
+# The DN to bind with for normal lookups.
+binddn ${LDAP_BIND_DN}
+bindpw ${LDAP_BIND_PW}
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
+EOF
+
+/usr/sbin/nslcd
+
+chown mysql:mysql /var/lib/mysql
+[ -z "$(ls -A /var/lib/mysql)" ] && mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
+
+/usr/bin/mysqld_safe &
+
+until ls /var/run/mysqld/mysqld.sock; do sleep 1; done
+/usr/bin/mysqladmin -u root password ${MYSQL_PASSWORD} || true
+
+exec "$@"
+
diff --git a/app/build/mariadb/nsswitch.conf b/app/build/mariadb/nsswitch.conf
new file mode 100644
index 0000000..853348e
--- /dev/null
+++ b/app/build/mariadb/nsswitch.conf
@@ -0,0 +1,21 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/app/build/mariadb/pam-mariadb b/app/build/mariadb/pam-mariadb
new file mode 100644
index 0000000..e1bb814
--- /dev/null
+++ b/app/build/mariadb/pam-mariadb
@@ -0,0 +1,2 @@
+auth required pam_ldap.so
+account required pam_ldap.so
diff --git a/app/build/matrix-synapse/Dockerfile b/app/build/matrix-synapse/Dockerfile
new file mode 100644
index 0000000..b8480d5
--- /dev/null
+++ b/app/build/matrix-synapse/Dockerfile
@@ -0,0 +1,47 @@
+FROM amd64/debian:buster as builder
+
+ARG VERSION
+RUN apt-get update && \
+ apt-get -qq -y full-upgrade && \
+ apt-get install -y \
+ python3 \
+ python3-pip \
+ python3-dev \
+ python3-setuptools \
+ libffi-dev \
+ build-essential \
+ libssl-dev \
+ libjpeg-dev \
+ libjpeg62-turbo-dev \
+ libxml2-dev \
+ zlib1g-dev \
+ # postgresql-dev \
+ libpq-dev \
+ virtualenv \
+ libxslt1-dev && \
+ virtualenv /root/matrix-env -p /usr/bin/python3 && \
+ . /root/matrix-env/bin/activate && \
+ pip3 install \
+ https://github.com/matrix-org/synapse/archive/v${VERSION}.tar.gz#egg=matrix-synapse[matrix-synapse-ldap3,postgres,resources.consent,saml2,url_preview]
+
+FROM amd64/debian:buster
+
+RUN apt-get update && \
+ apt-get -qq -y full-upgrade && \
+ apt-get install -y \
+ python3 \
+ python3-distutils \
+ libffi6 \
+ libjpeg62-turbo \
+ libssl1.1 \
+ libxslt1.1 \
+ libpq5 \
+ zlib1g \
+ libjemalloc2 \
+ ca-certificates
+
+ENV LD_PRELOAD /usr/lib/x86_64-linux-gnu/libjemalloc.so.2
+COPY --from=builder /root/matrix-env /root/matrix-env
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/app/build/matrix-synapse/entrypoint.sh b/app/build/matrix-synapse/entrypoint.sh
new file mode 100755
index 0000000..b93a702
--- /dev/null
+++ b/app/build/matrix-synapse/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+. /root/matrix-env/bin/activate
+exec "$@"
diff --git a/app/build/nextcloud/Dockerfile b/app/build/nextcloud/Dockerfile
new file mode 100644
index 0000000..9f817f6
--- /dev/null
+++ b/app/build/nextcloud/Dockerfile
@@ -0,0 +1,27 @@
+FROM debian:10
+
+RUN apt-get update && \
+ apt-get -qq -y full-upgrade
+
+RUN apt-get install -y apache2 php php-gd php-mbstring php-pgsql php-curl php-dom php-xml php-zip \
+ php-intl php-ldap php-fileinfo php-exif php-apcu php-redis php-imagick unzip curl wget && \
+ phpenmod gd && \
+ phpenmod curl && \
+ phpenmod mbstring && \
+ phpenmod pgsql && \
+ phpenmod dom && \
+ phpenmod zip && \
+ phpenmod intl && \
+ phpenmod ldap && \
+ phpenmod fileinfo && \
+ phpenmod exif && \
+ phpenmod apcu && \
+ phpenmod redis && \
+ phpenmod imagick && \
+ phpenmod xml
+
+COPY container-setup.sh /tmp
+RUN /tmp/container-setup.sh
+
+COPY entrypoint.sh /
+CMD /entrypoint.sh
diff --git a/app/build/nextcloud/container-setup.sh b/app/build/nextcloud/container-setup.sh
new file mode 100755
index 0000000..8330291
--- /dev/null
+++ b/app/build/nextcloud/container-setup.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -ex
+
+curl https://download.nextcloud.com/server/releases/nextcloud-19.0.0.zip > /tmp/nextcloud.zip
+cd /var/www
+unzip /tmp/nextcloud.zip
+rm /tmp/nextcloud.zip
+mv html html.old
+mv nextcloud html
+
+cd html
+mkdir data
+
+cd apps
+wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz
+tar xf tasks.tar.gz
+wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz
+tar xf maps-0.1.6.tar.gz
+wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz
+tar xf calendar.tar.gz
+wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz
+tar xf news.tar.gz
+wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz
+tar xf notes.tar.gz
+wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz
+tar xf contacts.tar.gz
+wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz
+tar xf mail.tar.gz
+wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz
+tar xf groupfolders.tar.gz
+rm *.tar.gz
+
+chown -R www-data:www-data /var/www/html
+
+cd /var/www/html
+php occ
diff --git a/app/build/nextcloud/entrypoint.sh b/app/build/nextcloud/entrypoint.sh
new file mode 100755
index 0000000..72b4f94
--- /dev/null
+++ b/app/build/nextcloud/entrypoint.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -xe
+
+chown www-data:www-data /var/www/html/config/config.php
+touch /var/www/html/data/.ocdata
+
+exec apachectl -DFOREGROUND
diff --git a/app/build/opendkim/Dockerfile b/app/build/opendkim/Dockerfile
new file mode 100644
index 0000000..70a39e4
--- /dev/null
+++ b/app/build/opendkim/Dockerfile
@@ -0,0 +1,8 @@
+FROM amd64/debian:buster
+
+RUN apt-get update && \
+ apt-get dist-upgrade -y && \
+ apt-get install -y opendkim opendkim-tools
+
+COPY ./opendkim.conf /etc/opendkim.conf
+CMD opendkim -f -v -x /etc/opendkim.conf
diff --git a/app/build/opendkim/README.md b/app/build/opendkim/README.md
new file mode 100644
index 0000000..e146125
--- /dev/null
+++ b/app/build/opendkim/README.md
@@ -0,0 +1,12 @@
+```
+sudo docker build -t superboum/amd64_opendkim:v1 .
+```
+
+```
+sudo docker run -t -i \
+ -v `pwd`/conf:/etc/dkim \
+ -v /dev/log:/dev/log \
+ -p 8999:8999
+ superboum/amd64_opendkim:v1
+ opendkim -f -v -x /etc/opendkim.conf
+```
diff --git a/app/build/opendkim/opendkim.conf b/app/build/opendkim/opendkim.conf
new file mode 100644
index 0000000..0d6465f
--- /dev/null
+++ b/app/build/opendkim/opendkim.conf
@@ -0,0 +1,12 @@
+Syslog yes
+SyslogSuccess yes
+LogWhy yes
+UMask 007
+Mode sv
+OversignHeaders From
+TrustAnchorFile /usr/share/dns/root.key
+KeyTable refile:/etc/dkim/keytable
+SigningTable refile:/etc/dkim/signingtable
+ExternalIgnoreList refile:/etc/dkim/trusted
+InternalHosts refile:/etc/dkim/trusted
+Socket inet:8999
diff --git a/app/build/pithos/0.7.5.tar.gz b/app/build/pithos/0.7.5.tar.gz
new file mode 100644
index 0000000..4eb1273
--- /dev/null
+++ b/app/build/pithos/0.7.5.tar.gz
Binary files differ
diff --git a/app/build/pithos/Dockerfile b/app/build/pithos/Dockerfile
new file mode 100644
index 0000000..70f87d8
--- /dev/null
+++ b/app/build/pithos/Dockerfile
@@ -0,0 +1,4 @@
+FROM amd64/openjdk:13-alpine
+
+COPY pithos-0.7.5-standalone.jar /srv/pithos.jar
+ENTRYPOINT ["/opt/openjdk-13/bin/java", "-jar", "/srv/pithos.jar"]
diff --git a/app/build/pithos/README.md b/app/build/pithos/README.md
new file mode 100644
index 0000000..3f0037d
--- /dev/null
+++ b/app/build/pithos/README.md
@@ -0,0 +1,9 @@
+This project is considered as "dangerous" as it is tagged as "Project not under active development".
+Consequently, just in case, I am backuping the .jar and the sources in this git repo.
+Better safe than sorry or pretty.
+
+```
+sudo docker build -t superboum/amd64_pithos:v1 .
+sudo docker push superboum/amd64_pithos:v1
+sudo docker run --rm -it -p 8080:8080 -v pithos.yaml:/etc/pithos/pithos.yaml superboum/amd64_pithos:v1
+```
diff --git a/app/build/pithos/pithos-0.7.5-standalone.jar b/app/build/pithos/pithos-0.7.5-standalone.jar
new file mode 100644
index 0000000..6073e72
--- /dev/null
+++ b/app/build/pithos/pithos-0.7.5-standalone.jar
Binary files differ
diff --git a/app/build/postfix/Dockerfile b/app/build/postfix/Dockerfile
new file mode 100644
index 0000000..9e4c067
--- /dev/null
+++ b/app/build/postfix/Dockerfile
@@ -0,0 +1,11 @@
+FROM amd64/debian:buster
+
+RUN apt-get update && \
+ apt-get install -y \
+ postfix \
+ postfix-ldap
+
+COPY entrypoint.sh /usr/local/bin/entrypoint
+
+ENTRYPOINT ["/usr/local/bin/entrypoint"]
+CMD ["postfix", "start-fg"]
diff --git a/app/build/postfix/README.md b/app/build/postfix/README.md
new file mode 100644
index 0000000..ac44fc0
--- /dev/null
+++ b/app/build/postfix/README.md
@@ -0,0 +1,18 @@
+```
+sudo docker build -t superboum/amd64_postfix:v1 .
+```
+
+```
+sudo docker run -t -i \
+ -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \
+ -e MAILNAME="smtp.deuxfleurs.fr" \
+ -p 25:25 \
+ -p 465:465 \
+ -p 587:587 \
+ -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \
+ -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \
+ -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \
+ superboum/amd64_postfix:v1 \
+ bash
+```
+
diff --git a/app/build/postfix/entrypoint.sh b/app/build/postfix/entrypoint.sh
new file mode 100755
index 0000000..c7ace3d
--- /dev/null
+++ b/app/build/postfix/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then
+ cd /root
+ openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout postfix.key \
+ -out postfix.crt
+
+ mkdir -p /etc/ssl/{certs,private}/
+
+ cp postfix.crt /etc/ssl/certs/postfix.crt
+ cp postfix.key /etc/ssl/private/postfix.key
+ chmod 400 /etc/ssl/certs/postfix.crt
+ chmod 400 /etc/ssl/private/postfix.key
+fi
+
+# A way to map files inside the postfix folder :s
+for file in $(ls /etc/postfix-conf); do
+ cp /etc/postfix-conf/${file} /etc/postfix/${file}
+done
+
+echo ${MAILNAME} > /etc/mailname
+
+exec "$@"
diff --git a/app/build/postgres/Dockerfile b/app/build/postgres/Dockerfile
new file mode 100644
index 0000000..bb018b8
--- /dev/null
+++ b/app/build/postgres/Dockerfile
@@ -0,0 +1,19 @@
+FROM amd64/debian:stretch
+
+RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \
+ apt-get update && \
+ apt-get -qq -y full-upgrade && \
+ apt-get install -y postgresql-all golang-1.11 git && \
+ export GOPATH=/usr/local/go && \
+ mkdir -p /usr/local/go/src/github.com/sorintlab && \
+ cd /usr/local/go/src/github.com/sorintlab && \
+ git clone --depth=1 https://github.com/sorintlab/stolon && \
+ ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \
+ ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \
+ cd ./stolon && \
+ ./build && \
+ mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \
+ rm -rf /usr/local/go
+
+USER postgres
+
diff --git a/app/build/postgres/README.md b/app/build/postgres/README.md
new file mode 100644
index 0000000..d2f7a12
--- /dev/null
+++ b/app/build/postgres/README.md
@@ -0,0 +1,4 @@
+```
+docker build -t superboum/arm32v7_postgres .
+docker build -t superboum/amd64_postgres:v2 .
+```
diff --git a/app/build/postgres/postgresql.conf b/app/build/postgres/postgresql.conf
new file mode 100644
index 0000000..8e0af2b
--- /dev/null
+++ b/app/build/postgres/postgresql.conf
@@ -0,0 +1,25 @@
+data_directory = '/var/lib/postgresql/9.6/main' # use data in another directory
+hba_file = '/etc/postgresql/9.6/main/pg_hba.conf' # host-based authentication file
+ident_file = '/etc/postgresql/9.6/main/pg_ident.conf' # ident configuration file
+external_pid_file = '/var/run/postgresql/9.6-main.pid' # write an extra PID file
+listen_addresses = '*' #listen on every ip / interfaces
+port = 5432 # (change requires restart)
+max_connections = 100 # (change requires restart)
+unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
+ssl = true # (change requires restart)
+ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart)
+ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart)
+shared_buffers = 128MB # min 128kB
+dynamic_shared_memory_type = posix # the default is the first option
+log_line_prefix = '%m [%p] %q%u@%d ' # special values:
+log_timezone = 'UTC'
+cluster_name = '9.6/main' # added to process titles if nonempty
+stats_temp_directory = '/var/run/postgresql/9.6-main.pg_stat_tmp'
+datestyle = 'iso, mdy'
+timezone = 'UTC'
+lc_messages = 'C.UTF-8' # locale for system error message
+lc_monetary = 'C.UTF-8' # locale for monetary formatting
+lc_numeric = 'C.UTF-8' # locale for number formatting
+lc_time = 'C.UTF-8' # locale for time formatting
+default_text_search_config = 'pg_catalog.english'
+
diff --git a/app/build/postgres/start.sh b/app/build/postgres/start.sh
new file mode 100755
index 0000000..f1d493f
--- /dev/null
+++ b/app/build/postgres/start.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+if [ -f /local/pg_hba.conf ]; then
+ echo "Copying Nomad configuration..."
+ cp /local/pg_hba.conf /etc/postgresql/9.6/main/
+ echo "Done"
+fi
+
+
+if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then
+ echo "Copying base"
+ cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main
+ echo "Done"
+fi
+
+chmod -R 700 /var/lib/postgresql/9.6/main
+chown -R postgres /var/lib/postgresql/9.6/main
+
+echo "Starting postgres..."
+. /usr/share/postgresql-common/init.d-functions
+start 9.6
+tail -f /var/log/postgresql/postgresql-9.6-main.log
diff --git a/app/build/riotweb/Dockerfile b/app/build/riotweb/Dockerfile
new file mode 100644
index 0000000..862e2e5
--- /dev/null
+++ b/app/build/riotweb/Dockerfile
@@ -0,0 +1,13 @@
+FROM amd64/debian:buster as builder
+
+ARG VERSION
+WORKDIR /root
+
+RUN apt-get update && \
+ apt-get install -y wget && \
+ wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && \
+ tar xf riot-v${VERSION}.tar.gz && \
+ mv riot-v${VERSION}/ riot/
+
+FROM superboum/amd64_webserver:v3
+COPY --from=builder /root/riot /srv/http
diff --git a/app/build/riotweb/config.json b/app/build/riotweb/config.json
new file mode 100644
index 0000000..8ce8e4c
--- /dev/null
+++ b/app/build/riotweb/config.json
@@ -0,0 +1,24 @@
+{
+ "default_hs_url": "https://im.deuxfleurs.fr",
+ "default_is_url": "https://vector.im",
+ "disable_custom_urls": false,
+ "disable_guests": false,
+ "disable_login_language_selector": false,
+ "disable_3pid_login": false,
+ "brand": "Deuxfleurs",
+ "integrations_ui_url": "https://scalar.vector.im/",
+ "integrations_rest_url": "https://scalar.vector.im/api",
+ "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html",
+ "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+ "features": {
+ "feature_groups": "labs",
+ "feature_pinning": "labs"
+ },
+ "default_federate": true,
+ "welcomePageUrl": "home.html",
+ "default_theme": "light",
+ "roomDirectory": {
+ "servers": [ "im.deuxfleurs.fr", "matrix.org" ]
+ }
+}
+
diff --git a/app/build/seafile/Dockerfile b/app/build/seafile/Dockerfile
new file mode 100644
index 0000000..88dee4f
--- /dev/null
+++ b/app/build/seafile/Dockerfile
@@ -0,0 +1,46 @@
+FROM amd64/debian:buster as builder
+
+ENV VERSION 7.0.5
+
+RUN apt-get update && \
+ apt-get dist-upgrade -y && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar && \
+ wget https://download.seadrive.org/seafile-server_${VERSION}_x86-64.tar.gz -O ./seafile.tar.gz && \
+ tar xf ./seafile.tar.gz && \
+ mv seafile-server-${VERSION} seafile-server
+
+FROM amd64/debian:buster
+
+COPY --from=builder ./seafile-server /srv/webstore/seafile-server
+
+RUN apt-get update && \
+ apt-get dist-upgrade -y && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y \
+ python \
+ mariadb-client \
+ python2.7 \
+ libpython2.7 \
+ python-setuptools \
+ python-ldap \
+ python-urllib3 \
+ ffmpeg \
+ python-pip \
+ python-mysqldb \
+ python-memcache \
+ procps \
+ python-requests && \
+ pip install Pillow==4.3.0 && \
+ pip install moviepy && \
+ useradd -u 1000 -d /srv/webstore seauser && \
+ chown -R seauser:1000 /srv/webstore/
+
+RUN mkdir -p /usr/local/lib/mariadb/plugin/ && \
+ ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/mysql_clear_password.so /usr/local/lib/mariadb/plugin/ && \
+ ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/dialog.so /usr/local/lib/mariadb/plugin/
+
+WORKDIR /srv/webstore/seafile-server
+COPY seadocker /usr/local/bin/seadocker
+COPY seaenv /usr/local/bin/seaenv
+
+ENTRYPOINT ["/usr/local/bin/seaenv"]
+CMD ["/usr/local/bin/seadocker"]
diff --git a/app/build/seafile/README.md b/app/build/seafile/README.md
new file mode 100644
index 0000000..26d04e0
--- /dev/null
+++ b/app/build/seafile/README.md
@@ -0,0 +1,27 @@
+
+```bash
+sudo docker build -t superboum/amd64_seafile:v5 .
+```
+
+When upgrading, connect on a production server and run:
+
+```bash
+nomad stop seafile
+sudo docker build -t superboum/amd64_seafile:v6 .
+
+sudo docker run -t -i \
+ -v /mnt/glusterfs/seafile:/mnt/seafile-data \
+ -v /mnt/glusterfs/seaconf/conf:/srv/webstore/conf \
+ -v /mnt/glusterfs/seaconf/ccnet:/srv/webstore/ccnet \
+ superboum/amd64_seafile:v5
+
+# See:
+# * https://download.seafile.com/published/seafile-manual/deploy/upgrade.md
+# * https://download.seafile.com/published/seafile-manual/changelog/server-changelog.md
+
+
+
+nomad start seafile.hcl
+```
+
+when upgrading, change the command on start
diff --git a/app/build/seafile/seadocker b/app/build/seafile/seadocker
new file mode 100755
index 0000000..5b5982b
--- /dev/null
+++ b/app/build/seafile/seadocker
@@ -0,0 +1,4 @@
+#!/bin/bash
+/srv/webstore/seafile-server/seafile.sh start
+/srv/webstore/seafile-server/seahub.sh start
+tail -f /srv/webstore/logs/*
diff --git a/app/build/seafile/seaenv b/app/build/seafile/seaenv
new file mode 100755
index 0000000..3b0e0bb
--- /dev/null
+++ b/app/build/seafile/seaenv
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+chown seauser /srv/webstore
+chown seauser -R /srv/webstore/ccnet
+chown seauser -R /srv/webstore/conf
+
+runuser -u seauser -- "$@"
diff --git a/app/build/sogo/Dockerfile b/app/build/sogo/Dockerfile
new file mode 100644
index 0000000..46880dd
--- /dev/null
+++ b/app/build/sogo/Dockerfile
@@ -0,0 +1,17 @@
+#FROM amd64/debian:stretch as builder
+
+FROM amd64/debian:buster
+
+RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf
+
+RUN apt-get update && \
+ apt-get install -y apt-transport-https gnupg2 sudo nginx && \
+ rm -rf /etc/nginx/sites-enabled/* && \
+ apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \
+ echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \
+ apt-get update && \
+ apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client
+
+COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf
+COPY entrypoint /usr/sbin/entrypoint
+ENTRYPOINT ["/usr/sbin/entrypoint"]
diff --git a/app/build/sogo/README.md b/app/build/sogo/README.md
new file mode 100644
index 0000000..ea12245
--- /dev/null
+++ b/app/build/sogo/README.md
@@ -0,0 +1,20 @@
+```
+docker build -t superboum/amd64_sogo:v6 .
+
+# privileged is only for debug
+docker run --rm -ti \
+ --privileged \
+ -p 8080:8080 \
+ -v /tmp/sogo/log:/var/log/sogo \
+ -v /tmp/sogo/run:/var/run/sogo \
+ -v /tmp/sogo/spool:/var/spool/sogo \
+ -v /tmp/sogo/tmp:/tmp \
+ -v `pwd`/sogo:/etc/sogo:ro \
+ superboum/amd64_sogo:v1
+```
+
+Password must be url encoded in sogo.conf for postgres
+Will need a nginx instance: http://wiki.sogo.nu/nginxSettings
+
+Might (or might not) be needed:
+traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr
diff --git a/app/build/sogo/entrypoint b/app/build/sogo/entrypoint
new file mode 100755
index 0000000..8b39def
--- /dev/null
+++ b/app/build/sogo/entrypoint
@@ -0,0 +1,13 @@
+#!/bin/bash
+mkdir -p /var/log/sogo
+mkdir -p /var/run/sogo
+mkdir -p /var/spool/sogo
+chown sogo /var/log/sogo
+chown sogo /var/run/sogo
+chown sogo /var/spool/sogo
+
+nginx -g 'daemon on; master_process on;'
+sudo -u sogo memcached -d
+sudo -u sogo sogod
+sleep 10
+tail -n200 -f /var/log/sogo/sogo.log
diff --git a/app/build/sogo/sogo.nginx.conf b/app/build/sogo/sogo.nginx.conf
new file mode 100644
index 0000000..ad920a5
--- /dev/null
+++ b/app/build/sogo/sogo.nginx.conf
@@ -0,0 +1,83 @@
+server {
+ listen 8080;
+ server_name default_server;
+ root /usr/lib/GNUstep/SOGo/WebServerResources/;
+
+ ## requirement to create new calendars in Thunderbird ##
+ proxy_http_version 1.1;
+
+ # Message size limit
+ client_max_body_size 50m;
+ client_body_buffer_size 128k;
+
+ location = / {
+ rewrite ^ '/SOGo';
+ allow all;
+ }
+
+ location = /principals/ {
+ rewrite ^ '/SOGo/dav';
+ allow all;
+ }
+
+ location ^~/SOGo {
+ proxy_pass 'http://127.0.0.1:20000';
+ proxy_redirect 'http://127.0.0.1:20000' default;
+ # forward user's IP address
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+ proxy_set_header x-webobjects-remote-host 127.0.0.1;
+ proxy_set_header x-webobjects-server-name $server_name;
+ proxy_set_header x-webobjects-server-url $scheme://$host;
+ proxy_set_header x-webobjects-server-port $server_port;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffer_size 4k;
+ proxy_buffers 4 32k;
+ proxy_busy_buffers_size 64k;
+ proxy_temp_file_write_size 64k;
+ break;
+ }
+
+ location /SOGo.woa/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ allow all;
+ expires max;
+ }
+
+ location /SOGo/WebServerResources/ {
+ alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+ allow all;
+ expires max;
+ }
+
+ location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+ }
+
+ location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
+ alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+ expires max;
+ }
+
+ location ^~ /Microsoft-Server-ActiveSync {
+ access_log /var/log/nginx/activesync.log;
+ error_log /var/log/nginx/activesync-error.log;
+
+ proxy_connect_timeout 75;
+ proxy_send_timeout 3600;
+ proxy_read_timeout 3600;
+ proxy_buffers 64 256k;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
+ proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /;
+ }
+}
diff --git a/app/build/static/Dockerfile b/app/build/static/Dockerfile
new file mode 100644
index 0000000..cdba59a
--- /dev/null
+++ b/app/build/static/Dockerfile
@@ -0,0 +1,9 @@
+FROM golang:1.11.1-stretch as builder
+
+COPY ./goStatic /goStatic
+WORKDIR /goStatic
+RUN CGO_ENABLED=0 go build -a -o web-server .
+
+FROM scratch
+COPY --from=builder /goStatic/web-server /
+ENTRYPOINT ["/web-server"]
diff --git a/app/build/static/README.md b/app/build/static/README.md
new file mode 100644
index 0000000..d50390c
--- /dev/null
+++ b/app/build/static/README.md
@@ -0,0 +1,5 @@
+
+```
+sudo docker build -t superboum/amd64_webserver:v3 .
+sudo docker push superboum/amd64_webserver:v3
+```
diff --git a/app/build/static/goStatic b/app/build/static/goStatic
new file mode 160000
+Subproject 3f97f57aaee09a142afe3ca0f1a5d51acd85643
diff --git a/app/build/webpull/.gitignore b/app/build/webpull/.gitignore
new file mode 100644
index 0000000..ba2906d
--- /dev/null
+++ b/app/build/webpull/.gitignore
@@ -0,0 +1 @@
+main
diff --git a/app/build/webpull/Dockerfile.nodejs b/app/build/webpull/Dockerfile.nodejs
new file mode 100644
index 0000000..acc7e74
--- /dev/null
+++ b/app/build/webpull/Dockerfile.nodejs
@@ -0,0 +1,9 @@
+FROM node:13.8-buster
+
+RUN apt-get update && \
+ apt-get install -y git
+
+COPY ./main /srv/httpd
+WORKDIR /srv
+CMD ["/srv/httpd"]
+
diff --git a/app/build/webpull/Dockerfile.ruby b/app/build/webpull/Dockerfile.ruby
new file mode 100644
index 0000000..7578cca
--- /dev/null
+++ b/app/build/webpull/Dockerfile.ruby
@@ -0,0 +1,12 @@
+FROM fedora:32
+
+ENV LC_ALL=C.UTF-8
+ENV LANG=C.UTF-8
+ENV LANGUAGE=en_US.UTF-8
+ENV RUBYOPT --disable-did_you_mean
+
+RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel
+
+COPY ./main /srv/httpd
+WORKDIR /srv
+CMD ["/srv/httpd"]
diff --git a/app/build/webpull/README.md b/app/build/webpull/README.md
new file mode 100644
index 0000000..5d17d17
--- /dev/null
+++ b/app/build/webpull/README.md
@@ -0,0 +1,23 @@
+# webpull
+
+Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL
+
+You need to specify a secret token at boot:
+
+```
+WEBPULL_TOKEN=s3cr3et ./webpull
+```
+
+## Node.js version
+
+```
+go build ./main.go
+sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 .
+```
+
+## Ruby version
+
+```
+go build ./main.go
+sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 .
+```
diff --git a/app/build/webpull/main.go b/app/build/webpull/main.go
new file mode 100644
index 0000000..46c90b9
--- /dev/null
+++ b/app/build/webpull/main.go
@@ -0,0 +1,100 @@
+package main
+
+import (
+ "fmt"
+ "errors"
+ "io"
+ "os/exec"
+ "os"
+ "log"
+ "net/http"
+ "strings"
+)
+
+func myexec(w io.Writer, main string, params ...string) error {
+ cmd := exec.Command(main, params...)
+ cmd.Stdout = w
+ cmd.Stderr = w
+ err := cmd.Run()
+ if err != nil {
+ fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " "))
+ }
+ return err
+}
+
+func update(w io.Writer) error {
+ fmt.Fprintf(w, "Start update...\n")
+ _, err := os.Stat("./.git")
+ if err != nil {
+ fmt.Fprintf(w, ".git folder does not exist, creating it...\n")
+ err := myexec(w, "git", "init")
+ if err != nil {
+ return err
+ }
+ }
+
+ err = myexec(w, "git", "remote", "get-url", "origin")
+ if err != nil {
+ repo, exists := os.LookupEnv("WEBPULL_REPO")
+ if !exists {
+ fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n")
+ return errors.New("Missing environment variable WEBPULL_REPO")
+ }
+ fmt.Fprintf(w, "git remote is not yet set...\n")
+ err := myexec(w, "git", "remote", "add", "origin", repo)
+ if err != nil {
+ return err
+ }
+ }
+
+ err = myexec(w, "git", "pull", "origin", "master")
+ if err != nil {
+ fmt.Fprintf(w, "Failed to pull...\n")
+ return err
+ }
+
+ _, err = os.Stat("./.webpull")
+ if err != nil {
+ fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n")
+ return err
+ }
+
+ err = myexec(w, "./.webpull")
+ if err != nil {
+ fmt.Fprintf(w, "An error occured during script execution\n")
+ return err
+ }
+
+ fmt.Fprintf(w, "Success.\n")
+ return nil
+}
+
+func main() {
+ token, exists := os.LookupEnv("WEBPULL_TOKEN")
+ if !exists {
+ log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined")
+ }
+
+ if update(os.Stdout) != nil {
+ log.Fatal("Initial 'update' failed")
+ }
+
+ fs := http.FileServer(http.Dir("./static"))
+ http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) {
+ keys, ok := r.URL.Query()["token"]
+ if !ok || len(keys[0]) < 1 {
+ http.Error(w, "Missing 'token' query parameter", 401)
+ return
+ }
+
+ if keys[0] != token {
+ http.Error(w, "Wrong token", 401)
+ return
+ }
+
+ update(w)
+ })
+ http.Handle("/", fs)
+
+ log.Fatal(http.ListenAndServe(":8080", nil))
+}
diff --git a/app/config/configuration/.gitignore b/app/config/configuration/.gitignore
new file mode 100644
index 0000000..056b4d2
--- /dev/null
+++ b/app/config/configuration/.gitignore
@@ -0,0 +1,33 @@
+# Blacklist everything cleverly
+*
+!*/
+
+# Whitelist some patterns
+!*.sample
+!*.gen
+!*.tpl
+!.gitignore
+
+# Whitelist specific files
+!seafile/conf/seafdav.conf
+!seafile/ccnet/seafile.ini
+
+!email/dkim/keytable
+!email/dkim/signingtable
+!email/dkim/trusted
+!email/postfix/dynamicmaps.cf
+!email/postfix/header_checks
+!email/postfix/main.cf
+!email/postfix/master.cf
+!email/postfix/transport
+!email/postfix/transport.db
+
+!email/sogo/sogo.conf.tpl
+
+!chat/**/*
+
+!directory/*/*
+
+!traefik/traefik.toml
+
+!garage/config.toml
diff --git a/app/config/configuration/chat/coturn/turnserver.conf.tpl b/app/config/configuration/chat/coturn/turnserver.conf.tpl
new file mode 100644
index 0000000..f867ac0
--- /dev/null
+++ b/app/config/configuration/chat/coturn/turnserver.conf.tpl
@@ -0,0 +1,19 @@
+use-auth-secret
+static-auth-secret={{ key "secrets/chat/coturn/static-auth" | trimSpace }}
+realm=turn.deuxfleurs.fr
+
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+#no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+#denied-peer-ip=10.0.0.0-10.255.255.255
+#denied-peer-ip=192.168.0.0-192.168.255.255
+#denied-peer-ip=172.16.0.0-172.31.255.255
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+
+min-port=49152
+max-port=49252
diff --git a/app/config/configuration/chat/easybridge/config.json.tpl b/app/config/configuration/chat/easybridge/config.json.tpl
new file mode 100644
index 0000000..40ecc44
--- /dev/null
+++ b/app/config/configuration/chat/easybridge/config.json.tpl
@@ -0,0 +1,17 @@
+{
+ "log_level": "info",
+ "easybridge_avatar": "/app/easybridge.jpg",
+
+ "web_bind_addr": "0.0.0.0:8281",
+ "web_url": "https://easybridge.deuxfleurs.fr",
+ "web_session_key": "{{ key "secrets/chat/easybridge/web_session_key" | trimSpace }}",
+
+ "appservice_bind_addr": "0.0.0.0:8321",
+ "registration": "/data/registration.yaml",
+ "homeserver_url": "https://im.deuxfleurs.fr",
+ "matrix_domain": "deuxfleurs.fr",
+ "name_format": "{}_ezbr_",
+
+ "db_type": "postgres",
+ "db_path": "host=psql-proxy.service.2.cluster.deuxfleurs.fr port=5432 user={{ key "secrets/chat/easybridge/db_user" | trimSpace }} dbname=easybridge password={{ key "secrets/chat/easybridge/db_pass" | trimSpace }} sslmode=disable"
+}
diff --git a/app/config/configuration/chat/easybridge/registration.yaml.tpl b/app/config/configuration/chat/easybridge/registration.yaml.tpl
new file mode 100644
index 0000000..ec098fd
--- /dev/null
+++ b/app/config/configuration/chat/easybridge/registration.yaml.tpl
@@ -0,0 +1,14 @@
+id: Easybridge
+url: http://easybridge-api.service.2.cluster.deuxfleurs.fr:8321
+as_token: {{ key "secrets/chat/easybridge/as_token" | trimSpace }}
+hs_token: {{ key "secrets/chat/easybridge/hs_token" | trimSpace }}
+sender_localpart: _ezbr_
+rate_limited: false
+namespaces:
+ users:
+ - exclusive: true
+ regex: '@.*_ezbr_'
+ aliases:
+ - exclusive: true
+ regex: '#.*_ezbr_'
+ rooms: []
diff --git a/app/config/configuration/chat/fb2mx/config.yaml b/app/config/configuration/chat/fb2mx/config.yaml
new file mode 100644
index 0000000..964c681
--- /dev/null
+++ b/app/config/configuration/chat/fb2mx/config.yaml
@@ -0,0 +1,133 @@
+# Homeserver details
+homeserver:
+ # The address that this appservice can use to connect to the homeserver.
+ address: https://im.deuxfleurs.fr
+ # The domain of the homeserver (for MXIDs, etc).
+ domain: deuxfleurs.fr
+ # Whether or not to verify the SSL certificate of the homeserver.
+ # Only applies if address starts with https://
+ verify_ssl: true
+
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+ # The address that the homeserver can use to connect to this appservice.
+ address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319
+
+ # The hostname and port where this appservice should listen.
+ hostname: 0.0.0.0
+ port: 29319
+ # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+ # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+ max_body_size: 1
+
+ # The full URI to the database. SQLite and Postgres are fully supported.
+ # Other DBMSes supported by SQLAlchemy may or may not work.
+ # Format examples:
+ # SQLite: sqlite:///filename.db
+ # Postgres: postgres://username:password@hostname/dbname
+ database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}'
+
+ # The unique ID of this appservice.
+ id: facebook
+ # Username of the appservice bot.
+ bot_username: facebookbot
+ # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+ # to leave display name/avatar as-is.
+ bot_displayname: Facebook bridge bot
+ bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv
+
+ # Community ID for bridged users (changes registration file) and rooms.
+ # Must be created manually.
+ community_id: "+fbusers:deuxfleurs.fr"
+
+ # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+ as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}'
+ hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}'
+
+# Bridge config
+bridge:
+ # Localpart template of MXIDs for Facebook users.
+ # {userid} is replaced with the user ID of the Facebook user.
+ username_template: "facebook_{userid}"
+ # Localpart template for per-user room grouping community IDs.
+ # The bridge will create these communities and add all of the specific user's portals to the community.
+ # {localpart} is the MXID localpart and {server} is the MXID server part of the user.
+ #
+ # `facebook_{localpart}={server}` is a good value.
+ community_template: "facebook_{localpart}={server}"
+ # Displayname template for Facebook users.
+ # {displayname} is replaced with the display name of the Facebook user
+ # as defined below in displayname_preference.
+ # Keys available for displayname_preference are also available here.
+ displayname_template: "{displayname} (FB)"
+ # Available keys:
+ # "name" (full name)
+ # "first_name"
+ # "last_name"
+ # "nickname"
+ # "own_nickname" (user-specific!)
+ displayname_preference:
+ - name
+
+ # The prefix for commands. Only required in non-management rooms.
+ command_prefix: "!fb"
+
+ # Number of chats to sync (and create portals for) on startup/login.
+ # Maximum 20, set 0 to disable automatic syncing.
+ initial_chat_sync: 10
+ # Whether or not the Facebook users of logged in Matrix users should be
+ # invited to private chats when the user sends a message from another client.
+ invite_own_puppet_to_pm: false
+ # Whether or not to use /sync to get presence, read receipts and typing notifications when using
+ # your own Matrix account as the Matrix puppet for your Facebook account.
+ sync_with_custom_puppets: true
+ # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
+ # presence, but then it won't send other users' presence to the client.
+ presence: true
+ # Whether or not to update avatars when syncing all contacts at startup.
+ update_avatar_initial_sync: true
+
+ # Permissions for using the bridge.
+ # Permitted values:
+ # user - Use the bridge with puppeting.
+ # admin - Use and administrate the bridge.
+ # Permitted keys:
+ # * - All Matrix users
+ # domain - All users on that homeserver
+ # mxid - Specific user
+ permissions:
+ "deuxfleurs.fr": "user"
+
+# Python logging configuration.
+#
+# See section 16.7.2 of the Python documentation for more info:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+logging:
+ version: 1
+ formatters:
+ colored:
+ (): mautrix_facebook.util.ColorFormatter
+ format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+ normal:
+ format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+ handlers:
+ file:
+ class: logging.handlers.RotatingFileHandler
+ formatter: normal
+ filename: ./mautrix-facebook.log
+ maxBytes: 10485760
+ backupCount: 10
+ console:
+ class: logging.StreamHandler
+ formatter: colored
+ loggers:
+ mau:
+ level: DEBUG
+ fbchat:
+ level: DEBUG
+ aiohttp:
+ level: INFO
+ root:
+ level: DEBUG
+ handlers: [file, console]
diff --git a/app/config/configuration/chat/fb2mx/registration.yaml b/app/config/configuration/chat/fb2mx/registration.yaml
new file mode 100644
index 0000000..c3d8c05
--- /dev/null
+++ b/app/config/configuration/chat/fb2mx/registration.yaml
@@ -0,0 +1,11 @@
+id: facebook
+as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}'
+hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}'
+namespaces:
+ users:
+ - exclusive: true
+ regex: '@facebook_.+:deuxfleurs.fr'
+ group_id: '+fbusers:deuxfleurs.fr'
+url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319
+sender_localpart: facebookbot
+rate_limited: false
diff --git a/app/config/configuration/chat/riot_web/config.json b/app/config/configuration/chat/riot_web/config.json
new file mode 100644
index 0000000..5844afc
--- /dev/null
+++ b/app/config/configuration/chat/riot_web/config.json
@@ -0,0 +1,25 @@
+{
+ "default_hs_url": "https://im.deuxfleurs.fr",
+ "default_is_url": "https://vector.im",
+ "disable_custom_urls": false,
+ "disable_guests": false,
+ "disable_login_language_selector": false,
+ "disable_3pid_login": false,
+ "brand": "Deuxfleurs",
+ "integrations_ui_url": "https://scalar.vector.im/",
+ "integrations_rest_url": "https://scalar.vector.im/api",
+ "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+ "features": {
+ "feature_groups": "labs",
+ "feature_pinning": "labs"
+ },
+ "default_federate": true,
+ "welcomePageUrl": "home.html",
+ "default_theme": "light",
+ "roomDirectory": {
+ "servers": [ "im.deuxfleurs.fr", "matrix.org" ]
+ },
+ "jitsi": {
+ "preferredDomain": "jitsi.deuxfleurs.fr"
+ }
+}
diff --git a/app/config/configuration/chat/synapse/conf.d/report_stats.yaml b/app/config/configuration/chat/synapse/conf.d/report_stats.yaml
new file mode 100644
index 0000000..cb95cc3
--- /dev/null
+++ b/app/config/configuration/chat/synapse/conf.d/report_stats.yaml
@@ -0,0 +1 @@
+report_stats: true
diff --git a/app/config/configuration/chat/synapse/conf.d/server_name.yaml b/app/config/configuration/chat/synapse/conf.d/server_name.yaml
new file mode 100644
index 0000000..540ce45
--- /dev/null
+++ b/app/config/configuration/chat/synapse/conf.d/server_name.yaml
@@ -0,0 +1 @@
+server_name: deuxfleurs.fr
diff --git a/app/config/configuration/chat/synapse/homeserver.yaml b/app/config/configuration/chat/synapse/homeserver.yaml
new file mode 100644
index 0000000..7f313f6
--- /dev/null
+++ b/app/config/configuration/chat/synapse/homeserver.yaml
@@ -0,0 +1,420 @@
+# vim:ft=yaml
+
+server_name: "deuxfleurs.fr"
+# PEM encoded X509 certificate for TLS.
+# You can replace the self-signed certificate that synapse
+# autogenerates on launch with your own SSL certificate + key pair
+# if you like. Any required intermediary certificates can be
+# appended after the primary certificate in hierarchical order.
+tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
+
+# PEM encoded private key for TLS
+tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
+
+# PEM dh parameters for ephemeral keys
+tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
+
+# Don't bind to the https port
+no_tls: True
+
+
+## Server ##
+
+# When running as a daemon, the file to store the pid in
+pid_file: "/var/run/matrix-synapse.pid"
+
+# Whether to serve a web client from the HTTP/HTTPS root resource.
+web_client: False
+
+# The public-facing base URL for the client API (not including _matrix/...)
+public_baseurl: https://im.deuxfleurs.fr/
+
+# Set the soft limit on the number of file descriptors synapse can use
+# Zero is used to indicate synapse should set the soft limit to the
+# hard limit.
+soft_file_limit: 0
+
+# The GC threshold parameters to pass to `gc.set_threshold`, if defined
+# gc_thresholds: [700, 10, 10]
+
+# A list of other Home Servers to fetch the public room directory from
+# and include in the public room directory of this home server
+# This is a temporary stopgap solution to populate new server with a
+# list of rooms until there exists a good solution of a decentralized
+# room directory.
+# secondary_directory_servers:
+# - matrix.org
+# - vector.im
+
+# List of ports that Synapse should listen on, their purpose and their
+# configuration.
+listeners:
+ # Unsecure HTTP listener,
+ # For when matrix traffic passes through loadbalancer that unwraps TLS.
+ - port: 8008
+ tls: false
+ bind_address: ''
+ type: http
+
+ x_forwarded: false
+
+ resources:
+ - names: [client]
+ compress: true
+
+ - port: 8448
+ tls: false
+ bind_address: ''
+ type: http
+
+ x_forwarded: false
+
+ resources:
+ - names: [federation]
+ compress: false
+
+ # Turn on the twisted ssh manhole service on localhost on the given
+ # port.
+ # - port: 9000
+ # bind_address: 127.0.0.1
+ # type: manhole
+
+
+# Database configuration
+database:
+ name: psycopg2
+ args:
+ user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }}
+ password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }}
+ database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }}
+ host: psql-proxy.service.2.cluster.deuxfleurs.fr
+ port: 5432
+ cp_min: 5
+ cp_max: 10
+# Number of events to cache in memory.
+event_cache_size: "10K"
+
+
+# A yaml python logging config file
+log_config: "/etc/matrix-synapse/log.yaml"
+
+# Stop twisted from discarding the stack traces of exceptions in
+# deferreds by waiting a reactor tick before running a deferred's
+# callbacks.
+# full_twisted_stacktraces: true
+
+
+## Ratelimiting ##
+
+# Number of messages a client can send per second
+rc_messages_per_second: 0.2
+
+# Number of message a client can send before being throttled
+rc_message_burst_count: 10.0
+
+# The federation window size in milliseconds
+federation_rc_window_size: 1000
+
+# The number of federation requests from a single server in a window
+# before the server will delay processing the request.
+federation_rc_sleep_limit: 10
+
+# The duration in milliseconds to delay processing events from
+# remote servers by if they go over the sleep limit.
+federation_rc_sleep_delay: 500
+
+# The maximum number of concurrent federation requests allowed
+# from a single server
+federation_rc_reject_limit: 50
+
+# The number of federation requests to concurrently process from a
+# single server
+federation_rc_concurrent: 3
+
+
+
+# Directory where uploaded images and attachments are stored.
+media_store_path: "/var/lib/matrix-synapse/media"
+uploads_path: "/var/lib/matrix-synapse/uploads"
+
+# The largest allowed upload size in bytes
+max_upload_size: "100M"
+
+# Maximum number of pixels that will be thumbnailed
+max_image_pixels: "32M"
+
+# Whether to generate new thumbnails on the fly to precisely match
+# the resolution requested by the client. If true then whenever
+# a new resolution is requested by the client the server will
+# generate a new thumbnail. If false the server will pick a thumbnail
+# from a precalculated list.
+dynamic_thumbnails: false
+
+# List of thumbnail to precalculate when an image is uploaded.
+thumbnail_sizes:
+- width: 32
+ height: 32
+ method: crop
+- width: 96
+ height: 96
+ method: crop
+- width: 320
+ height: 240
+ method: scale
+- width: 640
+ height: 480
+ method: scale
+- width: 800
+ height: 600
+ method: scale
+
+# Is the preview URL API enabled? If enabled, you *must* specify
+# an explicit url_preview_ip_range_blacklist of IPs that the spider is
+# denied from accessing.
+url_preview_enabled: True
+
+# List of IP address CIDR ranges that the URL preview spider is denied
+# from accessing. There are no defaults: you must explicitly
+# specify a list for URL previewing to work. You should specify any
+# internal services in your network that you do not want synapse to try
+# to connect to, otherwise anyone in any Matrix room could cause your
+# synapse to issue arbitrary GET requests to your internal services,
+# causing serious security issues.
+#
+url_preview_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+#
+# List of IP address CIDR ranges that the URL preview spider is allowed
+# to access even if they are specified in url_preview_ip_range_blacklist.
+# This is useful for specifying exceptions to wide-ranging blacklisted
+# target IP ranges - e.g. for enabling URL previews for a specific private
+# website only visible in your network.
+#
+# url_preview_ip_range_whitelist:
+# - '192.168.1.1'
+
+# Optional list of URL matches that the URL preview spider is
+# denied from accessing. You should use url_preview_ip_range_blacklist
+# in preference to this, otherwise someone could define a public DNS
+# entry that points to a private IP address and circumvent the blacklist.
+# This is more useful if you know there is an entire shape of URL that
+# you know that will never want synapse to try to spider.
+#
+# Each list entry is a dictionary of url component attributes as returned
+# by urlparse.urlsplit as applied to the absolute form of the URL. See
+# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
+# The values of the dictionary are treated as an filename match pattern
+# applied to that component of URLs, unless they start with a ^ in which
+# case they are treated as a regular expression match. If all the
+# specified component matches for a given list item succeed, the URL is
+# blacklisted.
+#
+# url_preview_url_blacklist:
+# # blacklist any URL with a username in its URI
+# - username: '*'
+#
+# # blacklist all *.google.com URLs
+# - netloc: 'google.com'
+# - netloc: '*.google.com'
+#
+# # blacklist all plain HTTP URLs
+# - scheme: 'http'
+#
+# # blacklist http(s)://www.acme.com/foo
+# - netloc: 'www.acme.com'
+# path: '/foo'
+#
+# # blacklist any URL with a literal IPv4 address
+# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+
+# The largest allowed URL preview spidering size in bytes
+max_spider_size: "10M"
+
+
+
+
+## Captcha ##
+
+# This Home Server's ReCAPTCHA public key.
+recaptcha_public_key: "YOUR_PUBLIC_KEY"
+
+# This Home Server's ReCAPTCHA private key.
+recaptcha_private_key: "YOUR_PRIVATE_KEY"
+
+# Enables ReCaptcha checks when registering, preventing signup
+# unless a captcha is answered. Requires a valid ReCaptcha
+# public/private key.
+enable_registration_captcha: False
+
+# A secret key used to bypass the captcha test entirely.
+#captcha_bypass_secret: "YOUR_SECRET_HERE"
+
+# The API endpoint to use for verifying m.login.recaptcha responses.
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+
+
+## Turn ##
+
+# The public URIs of the TURN server to give to clients
+turn_uris: [ "turn:turn.deuxfleurs.fr:3478?transport=udp", "turn:turn.deuxfleurs.fr:3478?transport=tcp" ]
+
+# The shared secret used to compute passwords for the TURN server
+turn_shared_secret: '{{ key "secrets/chat/coturn/static-auth" | trimSpace }}'
+
+# How long generated TURN credentials last
+turn_user_lifetime: "1h"
+
+turn_allow_guests: True
+
+## Registration ##
+
+# Enable registration for new users.
+enable_registration: False
+
+# If set, allows registration by anyone who also has the shared
+# secret, even if registration is otherwise disabled.
+registration_shared_secret: '{{ key "secrets/chat/synapse/registration_shared_secret" | trimSpace }}'
+
+# Sets the expiry for the short term user creation in
+# milliseconds. For instance the bellow duration is two weeks
+# in milliseconds.
+user_creation_max_duration: 1209600000
+
+# Set the number of bcrypt rounds used to generate password hash.
+# Larger numbers increase the work factor needed to generate the hash.
+# The default number of rounds is 12.
+bcrypt_rounds: 12
+
+# Allows users to register as guests without a password/email/etc, and
+# participate in rooms hosted on this server which have been made
+# accessible to anonymous users.
+allow_guest_access: True
+
+# The list of identity servers trusted to verify third party
+# identifiers by this server.
+trusted_third_party_id_servers:
+ - matrix.org
+ - vector.im
+
+
+## Metrics ###
+
+# Enable collection and rendering of performance metrics
+enable_metrics: False
+
+## API Configuration ##
+
+# A list of event types that will be included in the room_invite_state
+room_invite_state_types:
+ - "m.room.join_rules"
+ - "m.room.canonical_alias"
+ - "m.room.avatar"
+ - "m.room.name"
+
+
+# A list of application service config file to use
+app_service_config_files:
+ - "/etc/matrix-synapse/easybridge_registration.yaml"
+ #- "/etc/matrix-synapse/fb2mx_registration.yaml"
+
+
+# macaroon_secret_key: <PRIVATE STRING>
+
+# Used to enable access token expiration.
+expire_access_token: False
+
+## Signing Keys ##
+
+# Path to the signing key to sign messages with
+signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
+
+# The keys that the server used to sign messages with but won't use
+# to sign new messages. E.g. it has lost its private key
+old_signing_keys: {}
+# "ed25519:auto":
+# # Base64 encoded public key
+# key: "The public part of your old signing key."
+# # Millisecond POSIX timestamp when the key expired.
+# expired_ts: 123456789123
+
+# How long key response published by this server is valid for.
+# Used to set the valid_until_ts in /key/v2 APIs.
+# Determines how quickly servers will query to check which keys
+# are still valid.
+key_refresh_interval: "1d" # 1 Day.
+
+# The trusted servers to download signing keys from.
+perspectives:
+ servers:
+ "matrix.org":
+ verify_keys:
+ "ed25519:auto":
+ key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+
+
+
+# Enable SAML2 for registration and login. Uses pysaml2
+# config_path: Path to the sp_conf.py configuration file
+# idp_redirect_url: Identity provider URL which will redirect
+# the user back to /login/saml2 with proper info.
+# See pysaml2 docs for format of config.
+#saml2_config:
+# enabled: true
+# config_path: "/home/erikj/git/synapse/sp_conf.py"
+# idp_redirect_url: "http://test/idp"
+
+
+
+# Enable CAS for registration and login.
+#cas_config:
+# enabled: true
+# server_url: "https://cas-server.com"
+# service_url: "https://homesever.domain.com:8448"
+# #required_attributes:
+# # name: value
+
+
+# The JWT needs to contain a globally unique "sub" (subject) claim.
+#
+# jwt_config:
+# enabled: true
+# secret: "a secret"
+# algorithm: "HS256"
+
+password_providers:
+ - module: "ldap_auth_provider.LdapAuthProvider"
+ config:
+ enabled: true
+ uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"
+ start_tls: false
+ bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}'
+ bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}'
+ base: "ou=users,dc=deuxfleurs,dc=fr"
+ attributes:
+ uid: "cn"
+ name: "displayName"
+ mail: "mail"
+
+# Enable password for login.
+password_config:
+ enabled: true
+
+# Enable sending emails for notification events
+#email:
+# enable_notifs: false
+# smtp_host: "localhost"
+# smtp_port: 25
+# notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
+# app_name: Matrix
+# template_dir: res/templates
+# notif_template_html: notif_mail.html
+# notif_template_text: notif_mail.txt
+# notif_for_new_users: True
+
+# Key that had to be added after some synapse updates to please matrix developers...
+report_stats: false
+suppress_key_server_warning: true
+enable_group_creation: true
diff --git a/app/config/configuration/chat/synapse/log.yaml b/app/config/configuration/chat/synapse/log.yaml
new file mode 100644
index 0000000..eb69d8f
--- /dev/null
+++ b/app/config/configuration/chat/synapse/log.yaml
@@ -0,0 +1,41 @@
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+ context:
+ (): synapse.util.logcontext.LoggingContextFilter
+ request: ""
+
+handlers:
+ file:
+ class: logging.handlers.RotatingFileHandler
+ formatter: precise
+ filename: /var/log/matrix-synapse/homeserver.log
+ maxBytes: 10485760
+ backupCount: 3
+ filters: [context]
+ level: WARN
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+ level: WARN
+
+loggers:
+ synapse:
+ level: INFO
+
+ synapse.storage.SQL:
+ level: INFO
+
+ ldap3:
+ level: DEBUG
+ ldap_auth_provider:
+ level: DEBUG
+
+root:
+ level: INFO
+ handlers: [file, console]
diff --git a/app/config/configuration/directory/bottin/config.json b/app/config/configuration/directory/bottin/config.json
new file mode 100644
index 0000000..c30a4d5
--- /dev/null
+++ b/app/config/configuration/directory/bottin/config.json
@@ -0,0 +1,31 @@
+{
+ "suffix": "dc=deuxfleurs,dc=fr",
+ "bind": "0.0.0.0:1389",
+ "consul_host": "http://consul.service.2.cluster.deuxfleurs.fr:8500",
+ "log_level": "debug",
+ "acl": [
+ "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword",
+ "*::read modify:SELF:*",
+ "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
+ "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
+ "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*",
+ "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*",
+
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*",
+ "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*",
+
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*",
+
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*",
+ "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*",
+
+ "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
+ "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*"
+ ]
+}
diff --git a/app/config/configuration/directory/guichet/config.json.tpl b/app/config/configuration/directory/guichet/config.json.tpl
new file mode 100644
index 0000000..98e2297
--- /dev/null
+++ b/app/config/configuration/directory/guichet/config.json.tpl
@@ -0,0 +1,30 @@
+{
+ "http_bind_addr": ":9991",
+ "ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389",
+
+ "base_dn": "dc=deuxfleurs,dc=fr",
+ "user_base_dn": "ou=users,dc=deuxfleurs,dc=fr",
+ "user_name_attr": "cn",
+ "group_base_dn": "ou=groups,dc=deuxfleurs,dc=fr",
+ "group_name_attr": "cn",
+
+ "invitation_base_dn": "ou=invitations,dc=deuxfleurs,dc=fr",
+ "invitation_name_attr": "cn",
+ "invited_mail_format": "{}@deuxfleurs.fr",
+ "invited_auto_groups": [
+ "cn=email,ou=groups,dc=deuxfleurs,dc=fr",
+ "cn=seafile,ou=groups,dc=deuxfleurs,dc=fr",
+ "cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr"
+ ],
+
+ "web_address": "https://guichet.deuxfleurs.fr",
+ "mail_from": "coucou@deuxfleurs.fr",
+ "smtp_server": "adnab.me:25",
+ "smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}",
+ "smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}",
+
+ "admin_account": "cn=admin,dc=deuxfleurs,dc=fr",
+ "group_can_admin": "cn=admin,ou=groups,dc=deuxfleurs,dc=fr",
+ "group_can_invite": "cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr"
+}
+
diff --git a/app/config/configuration/email/dkim/keytable b/app/config/configuration/email/dkim/keytable
new file mode 100644
index 0000000..f4ac7cd
--- /dev/null
+++ b/app/config/configuration/email/dkim/keytable
@@ -0,0 +1 @@
+smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private
diff --git a/app/config/configuration/email/dkim/signingtable b/app/config/configuration/email/dkim/signingtable
new file mode 100644
index 0000000..60d66ff
--- /dev/null
+++ b/app/config/configuration/email/dkim/signingtable
@@ -0,0 +1,2 @@
+*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
+*@dufour.io smtp._domainkey.deuxfleurs.fr
diff --git a/app/config/configuration/email/dkim/smtp.private.sample b/app/config/configuration/email/dkim/smtp.private.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/configuration/email/dkim/smtp.private.sample
diff --git a/app/config/configuration/email/dkim/smtp.txt.sample b/app/config/configuration/email/dkim/smtp.txt.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/configuration/email/dkim/smtp.txt.sample
diff --git a/app/config/configuration/email/dkim/trusted b/app/config/configuration/email/dkim/trusted
new file mode 100644
index 0000000..a01170d
--- /dev/null
+++ b/app/config/configuration/email/dkim/trusted
@@ -0,0 +1,4 @@
+127.0.0.1
+localhost
+192.168.1.0/24
+172.16.0.0/12
diff --git a/app/config/configuration/email/dovecot/certs.gen b/app/config/configuration/email/dovecot/certs.gen
new file mode 100755
index 0000000..f26e917
--- /dev/null
+++ b/app/config/configuration/email/dovecot/certs.gen
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
+openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout dovecot.key \
+ -out dovecot.crt
+
diff --git a/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl b/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl
new file mode 100644
index 0000000..9fb1ea6
--- /dev/null
+++ b/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl
@@ -0,0 +1,8 @@
+hosts = bottin2.service.2.cluster.deuxfleurs.fr
+dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }}
+dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }}
+base = dc=deuxfleurs,dc=fr
+scope = subtree
+user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
+pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
+user_attrs = mail=/var/mail/%{ldap:mail}
diff --git a/app/config/configuration/email/postfix/certs.gen b/app/config/configuration/email/postfix/certs.gen
new file mode 100755
index 0000000..f25439b
--- /dev/null
+++ b/app/config/configuration/email/postfix/certs.gen
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
+openssl req \
+ -new \
+ -newkey rsa:4096 \
+ -days 3650 \
+ -nodes \
+ -x509 \
+ -subj ${TLSINFO} \
+ -keyout postfix.key \
+ -out postfix.crt
+
diff --git a/app/config/configuration/email/postfix/dynamicmaps.cf b/app/config/configuration/email/postfix/dynamicmaps.cf
new file mode 100644
index 0000000..32d8f62
--- /dev/null
+++ b/app/config/configuration/email/postfix/dynamicmaps.cf
@@ -0,0 +1,9 @@
+# Postfix dynamic maps configuration file.
+#
+# The first match found is the one that is used. Wildcards are not supported
+# as of postfix 2.0.2
+#
+#type location of .so file open function (mkmap func)
+#==== ================================ ============= ============
+ldap postfix-ldap.so dict_ldap_open
+sqlite postfix-sqlite.so dict_sqlite_open
diff --git a/app/config/configuration/email/postfix/header_checks b/app/config/configuration/email/postfix/header_checks
new file mode 100644
index 0000000..cad52ec
--- /dev/null
+++ b/app/config/configuration/email/postfix/header_checks
@@ -0,0 +1,3 @@
+/^Received:/ IGNORE
+/^X-Originating-IP:/ IGNORE
+/^X-Mailer:/ IGNORE
diff --git a/app/config/configuration/email/postfix/ldap-account.cf.tpl b/app/config/configuration/email/postfix/ldap-account.cf.tpl
new file mode 100644
index 0000000..2575f10
--- /dev/null
+++ b/app/config/configuration/email/postfix/ldap-account.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
+scope = sub
+search_base = ou=users,dc=deuxfleurs,dc=fr
+query_filter = mail=%s
+result_attribute = mail
diff --git a/app/config/configuration/email/postfix/ldap-alias.cf.tpl b/app/config/configuration/email/postfix/ldap-alias.cf.tpl
new file mode 100644
index 0000000..775c0ad
--- /dev/null
+++ b/app/config/configuration/email/postfix/ldap-alias.cf.tpl
@@ -0,0 +1,9 @@
+server_host = bottin2.service.2.cluster.deuxfleurs.fr
+server_port = 389
+search_base = dc=deuxfleurs,dc=fr
+query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
+result_attribute = mail
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
diff --git a/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl b/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl
new file mode 100644
index 0000000..e013953
--- /dev/null
+++ b/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
+scope = sub
+search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr
+query_filter = (&(objectclass=dNSDomain)(domain=%s))
+result_attribute = domain
diff --git a/app/config/configuration/email/postfix/main.cf b/app/config/configuration/email/postfix/main.cf
new file mode 100644
index 0000000..4204cb4
--- /dev/null
+++ b/app/config/configuration/email/postfix/main.cf
@@ -0,0 +1,104 @@
+#===
+# Base configuration
+#===
+myhostname = smtp.deuxfleurs.fr
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = smtp.deuxfleurs.fr
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_protocols = all
+inet_interfaces = all
+message_size_limit = 204800000
+smtpd_banner = $myhostname
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+compatibility_level = 2
+
+#===
+# TLS parameters
+#===
+smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt
+smtpd_tls_key_file=/etc/ssl/private/postfix.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+
+#===
+# Remove privacy related content from emails
+#===
+mime_header_checks = regexp:/etc/postfix/header_checks
+header_checks = regexp:/etc/postfix/header_checks
+
+#===
+# Handle user authentication (handled by dovecot)
+#===
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337
+smtpd_sasl_type = dovecot
+
+#===
+# Restrictions / Checks
+#===
+# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists
+
+# Require a valid HELO
+smtpd_helo_required = yes
+# As we use the same postfix to send and receive,
+# we can't enforce a valid HELO hostname...
+#smtpd_helo_restrictions =
+# reject_unknown_helo_hostname
+
+# Require that sender email has a valid domain
+smtpd_sender_restrictions =
+ reject_unknown_sender_domain
+
+# Delivering email policy
+# MyNetwork is required by sogo
+smtpd_recipient_restrictions =
+ permit_sasl_authenticated
+ permit_mynetworks
+ reject_unauth_destination
+ reject_rbl_client zen.spamhaus.org
+ reject_rhsbl_reverse_client dbl.spamhaus.org
+ reject_rhsbl_helo dbl.spamhaus.org
+ reject_rhsbl_sender dbl.spamhaus.org
+
+# Sending email policy
+# MyNetwork is required by sogo
+smtpd_relay_restrictions =
+ permit_sasl_authenticated
+ permit_mynetworks
+ reject_unauth_destination
+
+smtpd_data_restrictions = reject_unauth_pipelining
+
+smtpd_client_connection_rate_limit = 2
+
+#===
+# Rate limiting
+#===
+slow_destination_recipient_limit = 20
+slow_destination_concurrency_limit = 2
+
+#====
+# Transport configuration
+#====
+transport_maps = hash:/etc/postfix/transport
+virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
+virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf
+virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf
+virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24
+
+#===
+# Mail filters
+#===
+milter_default_action = accept
+milter_protocol = 6
+smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999
+non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999
diff --git a/app/config/configuration/email/postfix/master.cf b/app/config/configuration/email/postfix/master.cf
new file mode 100644
index 0000000..53bc601
--- /dev/null
+++ b/app/config/configuration/email/postfix/master.cf
@@ -0,0 +1,114 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+submission inet n - n - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+smtps inet n - n - - smtpd
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+slow unix - - n - 5 smtp
+ -o syslog_name=postfix-slow
+ -o smtp_destination_concurrency_limit=3
+ -o slow_destination_rate_delay=1
+
+
+#628 inet n - - - - qmqpd
+pickup fifo n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+#qmgr fifo n - - 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+smtp unix - - n - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+relay unix - - n - - smtp
+ -o smtp_fallback_relay=
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+scache unix - - n - 1 scache
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
diff --git a/app/config/configuration/email/postfix/transport b/app/config/configuration/email/postfix/transport
new file mode 100644
index 0000000..68f62c5
--- /dev/null
+++ b/app/config/configuration/email/postfix/transport
@@ -0,0 +1,5 @@
+#wanadoo.com slow:
+#wanadoo.fr slow:
+#orange.com slow:
+#orange.fr slow:
+#smtp.orange.fr slow:
diff --git a/app/config/configuration/email/postfix/transport.db b/app/config/configuration/email/postfix/transport.db
new file mode 100644
index 0000000..487f394
--- /dev/null
+++ b/app/config/configuration/email/postfix/transport.db
Binary files differ
diff --git a/app/config/configuration/email/sogo/sogo.conf.tpl b/app/config/configuration/email/sogo/sogo.conf.tpl
new file mode 100644
index 0000000..d4261e5
--- /dev/null
+++ b/app/config/configuration/email/sogo/sogo.conf.tpl
@@ -0,0 +1,68 @@
+{
+ WONoDetach = NO;
+ WOWorkersCount = 10;
+ WOPort = "127.0.0.1:20000";
+ SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_user_profile";
+ OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_folder_info";
+ OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_sessions_folder";
+ OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_alarms_folder";
+ OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_store";
+ OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_acl";
+ OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_cache_folder";
+ SOGoTimeZone = "Europe/Paris";
+ SOGoMailDomain = "deuxfleurs.fr";
+ SOGoLanguage = French;
+ SOGoAppointmentSendEMailNotifications = YES;
+ SOGoEnablePublicAccess = YES;
+ SOGoMailingMechanism = smtp;
+ SOGoSMTPServer = postfix-smtp.service.2.cluster.deuxfleurs.fr;
+ SOGoSMTPAuthenticationType = PLAIN;
+ SOGoForceExternalLoginWithEmail = YES;
+ SOGoIMAPAclConformsToIMAPExt = YES;
+ SOGoTimeZone = UTC;
+ SOGoSentFolderName = Sent;
+ SOGoTrashFolderName = Trash;
+ SOGoDraftsFolderName = Drafts;
+ SOGoIMAPServer = "imaps://dovecot-imaps.service.2.cluster.deuxfleurs.fr:993/?tlsVerifyMode=none";
+ SOGoSieveServer = "sieve://sieve.service.2.cluster.deuxfleurs.fr:4190/?tls=YES";
+ SOGoIMAPAclConformsToIMAPExt = YES;
+ SOGoVacationEnabled = NO;
+ SOGoForwardEnabled = NO;
+ SOGoSieveScriptsEnabled = NO;
+ SOGoFirstDayOfWeek = 1;
+ SOGoRefreshViewCheck = every_5_minutes;
+ SOGoMailAuxiliaryUserAccountsEnabled = NO;
+ SOGoPasswordChangeEnabled = YES;
+ SOGoPageTitle = "deuxfleurs.fr";
+ SOGoLoginModule = Mail;
+ SOGoMailAddOutgoingAddresses = YES;
+ SOGoSelectedAddressBook = autobook;
+ SOGoMailAuxiliaryUserAccountsEnabled = YES;
+ SOGoCalendarEventsDefaultClassification = PRIVATE;
+ SOGoMailReplyPlacement = above;
+ SOGoMailSignaturePlacement = above;
+ SOGoMailComposeMessageType = html;
+
+ SOGoLDAPContactInfoAttribute = "displayname";
+
+ SOGoUserSources = (
+ {
+ type = ldap;
+ CNFieldName = displayname;
+ IDFieldName = cn;
+ UIDFieldName = cn;
+ MailFieldNames = (mail, mailForwardingAddress);
+ SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber);
+ IMAPLoginFieldName = mail;
+ baseDN = "ou=users,dc=deuxfleurs,dc=fr";
+ bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}";
+ bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}";
+ bindFields = (cn, mail);
+ canAuthenticate = YES;
+ displayName = "Bottin";
+ hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389";
+ id = bottin;
+ isAddressBook = NO;
+ }
+ );
+}
diff --git a/app/config/configuration/mariadb/main/env.tpl b/app/config/configuration/mariadb/main/env.tpl
new file mode 100644
index 0000000..0fe903b
--- /dev/null
+++ b/app/config/configuration/mariadb/main/env.tpl
@@ -0,0 +1,6 @@
+LDAP_URI = "ldap://bottin2.service.2.cluster.deuxfleurs.fr"
+LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr"
+LDAP_VERSION = 3
+LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}"
+LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}"
+MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}"
diff --git a/app/config/configuration/nextcloud/config.php.tpl b/app/config/configuration/nextcloud/config.php.tpl
new file mode 100644
index 0000000..7dcfc6e
--- /dev/null
+++ b/app/config/configuration/nextcloud/config.php.tpl
@@ -0,0 +1,49 @@
+<?php
+$CONFIG = array (
+ 'appstoreenabled' => false,
+ 'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}',
+ 'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}',
+ 'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}',
+ 'trusted_domains' => array (
+ 0 => 'nextcloud.deuxfleurs.fr',
+ ),
+ 'memcache.local' => '\\OC\\Memcache\\APCu',
+
+ 'objectstore' => array(
+ 'class' => '\\OC\\Files\\ObjectStore\\S3',
+ 'arguments' => array(
+ 'bucket' => 'nextcloud',
+ 'autocreate' => false,
+ 'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}',
+ 'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}',
+ 'hostname' => 'garage.deuxfleurs.fr',
+ 'port' => 443,
+ 'use_ssl' => true,
+ 'region' => 'garage',
+ // required for some non Amazon S3 implementations
+ 'use_path_style' => true
+ ),
+ ),
+
+ 'dbtype' => 'pgsql',
+ 'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr',
+ 'dbname' => 'nextcloud',
+ 'dbtableprefix' => 'nc_',
+ 'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}',
+ 'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}',
+
+ 'default_language' => 'fr',
+ 'default_locale' => 'fr_FR',
+
+ 'mail_domain' => 'deuxfleurs.fr',
+ 'mail_from_address' => 'nextcloud@deuxfleurs.fr',
+ // TODO SMTP CONFIG
+
+ // TODO REDIS CACHE
+
+ 'version' => '19.0.0.12',
+ 'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr',
+
+ 'installed' => true,
+);
+
diff --git a/app/config/configuration/postgres/keeper/env.tpl b/app/config/configuration/postgres/keeper/env.tpl
new file mode 100644
index 0000000..7831aad
--- /dev/null
+++ b/app/config/configuration/postgres/keeper/env.tpl
@@ -0,0 +1,3 @@
+PG_SU_PWD={{ key "secrets/postgres/keeper/pg_su_pwd" | trimSpace }}
+PG_REPL_USER={{ key "secrets/postgres/keeper/pg_repl_username" | trimSpace }}
+PG_REPL_PWD={{ key "secrets/postgres/keeper/pg_repl_pwd" | trimSpace }}
diff --git a/app/config/configuration/seafile/ccnet/mykey.peer.sample b/app/config/configuration/seafile/ccnet/mykey.peer.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/configuration/seafile/ccnet/mykey.peer.sample
diff --git a/app/config/configuration/seafile/ccnet/seafile.ini b/app/config/configuration/seafile/ccnet/seafile.ini
new file mode 100644
index 0000000..306d126
--- /dev/null
+++ b/app/config/configuration/seafile/ccnet/seafile.ini
@@ -0,0 +1 @@
+/mnt/seafile-data/ \ No newline at end of file
diff --git a/app/config/configuration/seafile/conf/ccnet.conf.tpl b/app/config/configuration/seafile/conf/ccnet.conf.tpl
new file mode 100644
index 0000000..2395a9b
--- /dev/null
+++ b/app/config/configuration/seafile/conf/ccnet.conf.tpl
@@ -0,0 +1,29 @@
+[General]
+USER_NAME = deuxfleurs
+ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }}
+NAME = deuxfleurs
+SERVICE_URL = https://cloud.deuxfleurs.fr
+
+[Network]
+PORT = 10001
+
+[Client]
+PORT = 13418
+
+[LDAP]
+HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/
+BASE = ou=users,dc=deuxfleurs,dc=fr
+USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }}
+FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr
+PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }}
+LOGIN_ATTR = mail
+
+[Database]
+ENGINE = mysql
+HOST = mariadb.service.2.cluster.deuxfleurs.fr
+PORT = 3306
+USER = seafile
+PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}
+DB = ccnet-db
+CONNECTION_CHARSET = utf8
+
diff --git a/app/config/configuration/seafile/conf/mykey.peer.sample b/app/config/configuration/seafile/conf/mykey.peer.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/configuration/seafile/conf/mykey.peer.sample
diff --git a/app/config/configuration/seafile/conf/seafdav.conf b/app/config/configuration/seafile/conf/seafdav.conf
new file mode 100644
index 0000000..49a79a2
--- /dev/null
+++ b/app/config/configuration/seafile/conf/seafdav.conf
@@ -0,0 +1,5 @@
+[WEBDAV]
+enabled = true
+port = 8084
+fastcgi = false
+share_name = /seafdav
diff --git a/app/config/configuration/seafile/conf/seafile.conf.tpl b/app/config/configuration/seafile/conf/seafile.conf.tpl
new file mode 100644
index 0000000..f224234
--- /dev/null
+++ b/app/config/configuration/seafile/conf/seafile.conf.tpl
@@ -0,0 +1,19 @@
+[network]
+port = 12001
+
+[fileserver]
+port = 8082
+max_upload_size=8192
+max_download_dir_size=8192
+
+[database]
+type = mysql
+host = mariadb.service.2.cluster.deuxfleurs.fr
+port = 3306
+user = seafile
+password = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}
+db_name = seafile-db
+connection_charset = utf8
+
+[quota]
+default = 50
diff --git a/app/config/configuration/seafile/conf/seahub_settings.py.tpl b/app/config/configuration/seafile/conf/seahub_settings.py.tpl
new file mode 100644
index 0000000..6c63ee4
--- /dev/null
+++ b/app/config/configuration/seafile/conf/seahub_settings.py.tpl
@@ -0,0 +1,21 @@
+SECRET_KEY = "8ep+sgi&s1-f2cq2178!ekk!0h0nw2y4z1-olbaopxmodsd8vk"
+FILE_SERVER_ROOT = 'https://cloud.deuxfleurs.fr/seafhttp'
+DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.mysql',
+ 'NAME': 'seahub-db',
+ 'USER': 'seafile',
+ 'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}',
+ 'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr',
+ 'PORT': '3306',
+ 'OPTIONS': {
+ 'init_command': 'SET storage_engine=INNODB',
+ }
+ }
+}
+FILE_PREVIEW_MAX_SIZE = 100 * 1024 * 1024
+ENABLE_THUMBNAIL = True
+THUMBNAIL_ROOT = '/mnt/seafile-data/thumbnail/thumb/'
+THUMBNAIL_EXTENSION = 'png'
+THUMBNAIL_DEFAULT_SIZE = '24'
+PREVIEW_DEFAULT_SIZE = '300'
diff --git a/app/config/configuration/traefik/traefik.toml b/app/config/configuration/traefik/traefik.toml
new file mode 100644
index 0000000..03fca8a
--- /dev/null
+++ b/app/config/configuration/traefik/traefik.toml
@@ -0,0 +1,45 @@
+InsecureSkipVerify = true
+defaultEntryPoints = ["http", "https"]
+
+[entryPoints]
+ [entryPoints.admin]
+ address = ":8082"
+
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirect]
+ entryPoint = "https"
+
+ [entryPoints.https]
+ address = ":443"
+ compress = true
+ [entryPoints.https.tls]
+
+[ping]
+entrypoint = "admin"
+
+[retry]
+
+[acme]
+ email = "quentin@dufour.io"
+ storage = "traefik/acme/account"
+ entryPoint = "https"
+ onHostRule = true
+
+ [acme.httpChallenge]
+ entryPoint = "http"
+
+[api]
+ entryPoint = "admin"
+ dashboard = true
+
+[consul]
+ endpoint = "172.17.0.1:8500"
+ watch = true
+ prefix = "traefik"
+
+[consulCatalog]
+ endpoint = "172.17.0.1:8500"
+ prefix = "traefik"
+ domain = "web.deuxfleurs.fr"
+ exposedByDefault = false
diff --git a/app/config/restore_configuration.sh b/app/config/restore_configuration.sh
new file mode 100755
index 0000000..33742e5
--- /dev/null
+++ b/app/config/restore_configuration.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+find {configuration,secrets}/$1 -type f \
+ | grep --perl-regexp --invert-match "\.sample$|\.gen$|/.gitignore$" \
+ | while read filename; do
+ consul kv put "${filename}" "@${filename}"
+ done
diff --git a/app/config/secrets/.gitignore b/app/config/secrets/.gitignore
new file mode 100644
index 0000000..1d7b40b
--- /dev/null
+++ b/app/config/secrets/.gitignore
@@ -0,0 +1,10 @@
+# Blacklist everything cleverly
+*
+!*/
+
+# Whitelist some patterns
+!*.sample
+!*.gen
+!.gitignore
+
+# Whitelist specific files
diff --git a/app/config/secrets/chat/coturn/static-auth.sample b/app/config/secrets/chat/coturn/static-auth.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/coturn/static-auth.sample
diff --git a/app/config/secrets/chat/fb2mx/as_token.sample b/app/config/secrets/chat/fb2mx/as_token.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/fb2mx/as_token.sample
diff --git a/app/config/secrets/chat/fb2mx/db_url.sample b/app/config/secrets/chat/fb2mx/db_url.sample
new file mode 100644
index 0000000..aff4635
--- /dev/null
+++ b/app/config/secrets/chat/fb2mx/db_url.sample
@@ -0,0 +1 @@
+postgres://username:password@hostname/dbname
diff --git a/app/config/secrets/chat/fb2mx/hs_token.sample b/app/config/secrets/chat/fb2mx/hs_token.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/fb2mx/hs_token.sample
diff --git a/app/config/secrets/chat/synapse/homeserver.tls.crt.sample b/app/config/secrets/chat/synapse/homeserver.tls.crt.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/homeserver.tls.crt.sample
diff --git a/app/config/secrets/chat/synapse/homeserver.tls.dh.sample b/app/config/secrets/chat/synapse/homeserver.tls.dh.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/homeserver.tls.dh.sample
diff --git a/app/config/secrets/chat/synapse/homeserver.tls.key.sample b/app/config/secrets/chat/synapse/homeserver.tls.key.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/homeserver.tls.key.sample
diff --git a/app/config/secrets/chat/synapse/ldap_binddn.sample b/app/config/secrets/chat/synapse/ldap_binddn.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/ldap_binddn.sample
diff --git a/app/config/secrets/chat/synapse/ldap_bindpw.sample b/app/config/secrets/chat/synapse/ldap_bindpw.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/ldap_bindpw.sample
diff --git a/app/config/secrets/chat/synapse/postgres_db.sample b/app/config/secrets/chat/synapse/postgres_db.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/postgres_db.sample
diff --git a/app/config/secrets/chat/synapse/postgres_pwd.sample b/app/config/secrets/chat/synapse/postgres_pwd.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/postgres_pwd.sample
diff --git a/app/config/secrets/chat/synapse/postgres_user.sample b/app/config/secrets/chat/synapse/postgres_user.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/postgres_user.sample
diff --git a/app/config/secrets/chat/synapse/registration_shared_secret.sample b/app/config/secrets/chat/synapse/registration_shared_secret.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/chat/synapse/registration_shared_secret.sample
diff --git a/app/config/secrets/email/sogo/ldap_binddn.sample b/app/config/secrets/email/sogo/ldap_binddn.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/email/sogo/ldap_binddn.sample
diff --git a/app/config/secrets/email/sogo/ldap_bindpw.sample b/app/config/secrets/email/sogo/ldap_bindpw.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/email/sogo/ldap_bindpw.sample
diff --git a/app/config/secrets/email/sogo/postgre_auth.sample b/app/config/secrets/email/sogo/postgre_auth.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/email/sogo/postgre_auth.sample
diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample
diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample
diff --git a/app/config/secrets/jitsi/global_env.sample b/app/config/secrets/jitsi/global_env.sample
new file mode 100644
index 0000000..658c9c9
--- /dev/null
+++ b/app/config/secrets/jitsi/global_env.sample
@@ -0,0 +1,9 @@
+JITSI_SECRET_VIDEOBRIDGE=redacted
+JITSI_SECRET_JICOFO_COMPONENT=redacted
+JITSI_SECRET_JICOFO_USER=redacted
+JITSI_PROSODY_BOSH_PORT=5280
+JITSI_PROSODY_BOSH_HOST=127.0.0.1
+JITSI_PROSODY_HOST=127.0.0.1
+JITSI_CERTS_FOLDER=/secrets/certs/
+JITSI_NAT_PUBLIC_IP=redacted
+JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }}
diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample
diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample
diff --git a/app/config/secrets/mariadb/main/ldap_binddn.sample b/app/config/secrets/mariadb/main/ldap_binddn.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/mariadb/main/ldap_binddn.sample
diff --git a/app/config/secrets/mariadb/main/ldap_bindpwd.sample b/app/config/secrets/mariadb/main/ldap_bindpwd.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/mariadb/main/ldap_bindpwd.sample
diff --git a/app/config/secrets/mariadb/main/mysql_pwd.sample b/app/config/secrets/mariadb/main/mysql_pwd.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/mariadb/main/mysql_pwd.sample
diff --git a/app/config/secrets/platoo/bddpw.sample b/app/config/secrets/platoo/bddpw.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/platoo/bddpw.sample
diff --git a/app/config/secrets/postgres/keeper/pg_repl_pwd.sample b/app/config/secrets/postgres/keeper/pg_repl_pwd.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/postgres/keeper/pg_repl_pwd.sample
diff --git a/app/config/secrets/postgres/keeper/pg_repl_username.sample b/app/config/secrets/postgres/keeper/pg_repl_username.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/postgres/keeper/pg_repl_username.sample
diff --git a/app/config/secrets/postgres/keeper/pg_su_pwd.sample b/app/config/secrets/postgres/keeper/pg_su_pwd.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/postgres/keeper/pg_su_pwd.sample
diff --git a/app/config/secrets/web/home_token.sample b/app/config/secrets/web/home_token.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/web/home_token.sample
diff --git a/app/config/secrets/web/quentin.dufour.io_token.sample b/app/config/secrets/web/quentin.dufour.io_token.sample
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/app/config/secrets/web/quentin.dufour.io_token.sample
diff --git a/app/deployment/bottin2.hcl b/app/deployment/bottin2.hcl
new file mode 100644
index 0000000..85bda59
--- /dev/null
+++ b/app/deployment/bottin2.hcl
@@ -0,0 +1,116 @@
+job "directory2" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "bottin" {
+ count = 1
+ task "bottin" {
+ driver = "docker"
+ config {
+ image = "lxpz/bottin_amd64:14"
+ readonly_rootfs = true
+ port_map {
+ ldap_port = 1389
+ }
+ volumes = [
+ "secrets/config.json:/config.json"
+ ]
+ }
+
+ resources {
+ memory = 100
+ network {
+ port "ldap_port" {
+ static = "389"
+ }
+ }
+ }
+
+ template {
+ data = "{{ key \"configuration/directory/bottin/config.json\" }}"
+ destination = "secrets/config.json"
+ }
+
+ service {
+ tags = ["bottin"]
+ port = "ldap_port"
+ address_mode = "host"
+ name = "bottin2"
+ check {
+ type = "tcp"
+ port = "ldap_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+
+ group "guichet" {
+ count = 1
+ task "guichet" {
+ driver = "docker"
+ config {
+ image = "lxpz/guichet_amd64:10"
+ readonly_rootfs = true
+ port_map {
+ web_port = 9991
+ }
+ volumes = [
+ "secrets/config.json:/config.json"
+ ]
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/directory/guichet/config.json.tpl?raw"
+ destination = "secrets/config.json.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/config.json.tpl"
+ destination = "secrets/config.json"
+ }
+
+ resources {
+ memory = 200
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ name = "guichet"
+ tags = [
+ "guichet",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:guichet.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/core.hcl b/app/deployment/core.hcl
new file mode 100644
index 0000000..43774a6
--- /dev/null
+++ b/app/deployment/core.hcl
@@ -0,0 +1,43 @@
+job "core" {
+ datacenters = ["dc1"]
+ type = "system"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ update {
+ max_parallel = 1
+ stagger = "1m"
+ }
+
+ group "network" {
+ task "diplonat" {
+ driver = "docker"
+
+ config {
+ image = "darkgallium/amd64_diplonat:v2"
+ network_mode = "host"
+ readonly_rootfs = true
+ privileged = true
+ }
+
+ template {
+ data = <<EOH
+DIPLONAT_PRIVATE_IP={{ env "attr.unique.network.ip-address" }}
+DIPLONAT_REFRESH_TIME=60
+DIPLONAT_EXPIRATION_TIME=300
+DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
+RUST_LOG=debug
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 40
+ }
+ }
+ }
+}
diff --git a/app/deployment/email.hcl b/app/deployment/email.hcl
new file mode 100644
index 0000000..86c4d87
--- /dev/null
+++ b/app/deployment/email.hcl
@@ -0,0 +1,475 @@
+job "email" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ group "dovecot" {
+ count = 1
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "superboum/amd64_dovecot:v2"
+ readonly_rootfs = false
+ port_map {
+ auth_port = 1337
+ imaps_port = 993
+ imap_port = 143
+ lmtp_port = 24
+ }
+ command = "dovecot"
+ args = [ "-F" ]
+ volumes = [
+ "secrets/ssl/certs:/etc/ssl/certs",
+ "secrets/ssl/private:/etc/ssl/private",
+ "secrets/conf/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf",
+ "/mnt/glusterfs/email/mail:/var/mail/",
+ ]
+ }
+
+ env {
+ TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr"
+ }
+
+ resources {
+ cpu = 100
+ memory = 200
+ network {
+ mbits = 1
+ port "auth_port" {
+ static = "1337"
+ }
+ port "imap_port" {
+ static = "143"
+ }
+ port "imaps_port" {
+ static = "993"
+ }
+ port "lmtp_port" {
+ static = "24"
+ }
+ }
+ }
+
+ service {
+ name = "dovecot-auth"
+ port = "auth_port"
+ address_mode = "host"
+ tags = [
+ "dovecot",
+ ]
+ check {
+ type = "tcp"
+ port = "auth_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "dovecot-imap"
+ port = "imap_port"
+ address_mode = "host"
+ tags = [
+ "dovecot"
+ ]
+ check {
+ type = "tcp"
+ port = "imap_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "dovecot-imaps"
+ port = "imaps_port"
+ address_mode = "host"
+ tags = [
+ "dovecot",
+ "(diplonat (tcp_port 993))"
+ ]
+
+ check {
+ type = "tcp"
+ port = "imaps_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "dovecot-lmtp"
+ port = "lmtp_port"
+ address_mode = "host"
+ tags = [
+ "dovecot",
+ ]
+
+ check {
+ type = "tcp"
+ port = "lmtp_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw"
+ destination = "secrets/conf/dovecot-ldap.conf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/conf/dovecot-ldap.conf.tpl"
+ destination = "secrets/conf/dovecot-ldap.conf"
+ perms = "400"
+ }
+
+ template {
+ data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}"
+ destination = "secrets/ssl/certs/dovecot.crt"
+ perms = "400"
+ }
+ template {
+ data = "{{ key \"configuration/email/dovecot/dovecot.key\" }}"
+ destination = "secrets/ssl/private/dovecot.key"
+ perms = "400"
+ }
+ }
+ }
+
+ group "opendkim" {
+ count = 1
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "superboum/amd64_opendkim:v1"
+ readonly_rootfs = false
+ port_map {
+ dkim_port = 8999
+ }
+ command = "opendkim"
+ args = [ "-f", "-v", "-x", "/etc/opendkim.conf" ]
+ volumes = [
+ "secrets/dkim:/etc/dkim",
+ "/dev/log:/dev/log",
+ ]
+ }
+
+ resources {
+ cpu = 100
+ memory = 50
+ network {
+ mbits = 1
+ port "dkim_port" {
+ static = "8999"
+ }
+ }
+ }
+
+ service {
+ name = "opendkim"
+ port = "dkim_port"
+ address_mode = "host"
+ tags = [
+ "opendkim",
+ ]
+ check {
+ type = "tcp"
+ port = "dkim_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ template {
+ data = "{{ key \"configuration/email/dkim/keytable\" }}"
+ destination = "secrets/dkim/keytable"
+ }
+ template {
+ data = "{{ key \"configuration/email/dkim/signingtable\" }}"
+ destination = "secrets/dkim/signingtable"
+ }
+ template {
+ data = "{{ key \"configuration/email/dkim/smtp.private\" }}"
+ destination = "secrets/dkim/smtp.private"
+ perms = "600"
+ }
+ template {
+ data = "{{ key \"configuration/email/dkim/smtp.txt\" }}"
+ destination = "secrets/dkim/smtp.txt"
+ }
+ template {
+ data = "{{ key \"configuration/email/dkim/trusted\" }}"
+ destination = "secrets/dkim/trusted"
+ }
+ }
+ }
+
+ group "postfix" {
+ count = 1
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "superboum/amd64_postfix:v1"
+ readonly_rootfs = false
+ port_map {
+ smtp_port = 25
+ smtps_port = 465
+ submission_port = 587
+ }
+ command = "postfix"
+ args = [ "start-fg" ]
+ volumes = [
+ "secrets/ssl/certs:/etc/ssl/certs",
+ "secrets/ssl/private:/etc/ssl/private",
+ "secrets/postfix:/etc/postfix-conf",
+ "/dev/log:/dev/log"
+ ]
+ }
+
+ env {
+ TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr"
+ MAILNAME = "smtp.deuxfleurs.fr",
+ }
+
+ resources {
+ cpu = 100
+ memory = 200
+ network {
+ mbits = 1
+ port "smtp_port" {
+ static = "25"
+ }
+ port "smtps_port" {
+ static = "465"
+ }
+ port "submission_port" {
+ static = "587"
+ }
+ }
+ }
+
+ service {
+ name = "postfix-smtp"
+ port = "smtp_port"
+ address_mode = "host"
+ tags = [
+ "postfix",
+ "(diplonat (tcp_port 25 465 587))"
+ ]
+ check {
+ type = "tcp"
+ port = "smtp_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "postfix-smtps"
+ port = "smtps_port"
+ address_mode = "host"
+ tags = [
+ "postfix",
+ ]
+
+ check {
+ type = "tcp"
+ port = "smtps_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "postfix-submission"
+ port = "submission_port"
+ address_mode = "host"
+ tags = [
+ "postfix",
+ ]
+
+ check {
+ type = "tcp"
+ port = "submission_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw"
+ destination = "secrets/postfix/ldap-account.cf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/postfix/ldap-account.cf.tpl"
+ destination = "secrets/postfix/ldap-account.cf"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw"
+ destination = "secrets/postfix/ldap-alias.cf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/postfix/ldap-alias.cf.tpl"
+ destination = "secrets/postfix/ldap-alias.cf"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-virtual-domains.cf.tpl?raw"
+ destination = "secrets/postfix/ldap-virtual-domains.cf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/postfix/ldap-virtual-domains.cf.tpl"
+ destination = "secrets/postfix/ldap-virtual-domains.cf"
+ }
+
+
+ template {
+ data = "{{ key \"configuration/email/postfix/postfix.crt\" }}"
+ destination = "secrets/ssl/certs/postfix.crt"
+ perms = "400"
+ }
+ template {
+ data = "{{ key \"configuration/email/postfix/postfix.key\" }}"
+ destination = "secrets/ssl/private/postfix.key"
+ perms = "400"
+ }
+ template {
+ data = "{{ key \"configuration/email/postfix/dynamicmaps.cf\" }}"
+ destination = "secrets/postfix/dynamicmaps.cf"
+ }
+ template {
+ data = "{{ key \"configuration/email/postfix/header_checks\" }}"
+ destination = "secrets/postfix/header_checks"
+ }
+ template {
+ data = "{{ key \"configuration/email/postfix/main.cf\" }}"
+ destination = "secrets/postfix/main.cf"
+ }
+ template {
+ data = "{{ key \"configuration/email/postfix/master.cf\" }}"
+ destination = "secrets/postfix/master.cf"
+ }
+ template {
+ data = "{{ key \"configuration/email/postfix/transport\" }}"
+ destination = "secrets/postfix/transport"
+ }
+ template {
+ data = "{{ key \"configuration/email/postfix/transport.db\" }}"
+ destination = "secrets/postfix/transport.db"
+ }
+ }
+ }
+
+ group "sogo" {
+ count = 1
+ task "bundle" {
+
+ driver = "docker"
+
+ config {
+ image = "superboum/amd64_sogo:v7"
+ readonly_rootfs = false
+ port_map {
+ sogo_web_port = 8080
+ }
+ volumes = [
+ "secrets/sogo.conf:/etc/sogo/sogo.conf",
+ ]
+ }
+ env {
+ FAKE = 2
+ }
+
+ /* Workaround as there is no consul source and no way to template recursively... */
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/sogo/sogo.conf.tpl?raw"
+ destination = "secrets/tpl/sogo.conf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/tpl/sogo.conf.tpl"
+ destination = "secrets/sogo.conf"
+ }
+
+ resources {
+ cpu = 200
+ memory = 1000
+ network {
+ mbits = 1
+ port "sogo_web_port" {}
+ }
+ }
+
+ service {
+ name = "sogo"
+ port = "sogo_web_port"
+ address_mode = "host"
+ tags = [
+ "sogo",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:www.sogo.deuxfleurs.fr,sogo.deuxfleurs.fr;PathPrefix:/"
+ ]
+ check {
+ type = "tcp"
+ port = "sogo_web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "5m"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ }
+ }
+}
diff --git a/app/deployment/garage.hcl b/app/deployment/garage.hcl
new file mode 100644
index 0000000..3478706
--- /dev/null
+++ b/app/deployment/garage.hcl
@@ -0,0 +1,99 @@
+job "garage" {
+ datacenters = ["dc1", "belair", "saturne"]
+ type = "system"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "garage" {
+ task "server" {
+ driver = "docker"
+ config {
+ image = "lxpz/garage_amd64:4"
+ port_map {
+ rpc_port = 3901
+ api_port = 3900
+ }
+ volumes = [
+ "/mnt/storage/garage/data:/garage/data",
+ "/mnt/ssd/garage/meta:/garage/meta",
+ "secrets/garage.toml:/garage/config.toml",
+ "secrets/garage-ca.crt:/garage/garage-ca.crt",
+ "secrets/garage.crt:/garage/garage.crt",
+ "secrets/garage.key:/garage/garage.key",
+ ]
+ }
+
+ template {
+ data = "{{ key \"configuration/garage/garage.toml\" }}"
+ destination = "secrets/garage.toml"
+ }
+ template {
+ data = "{{ key \"secrets/garage/garage-ca.crt\" }}"
+ destination = "secrets/garage-ca.crt"
+ }
+ template {
+ data = "{{ key \"secrets/garage/garage.crt\" }}"
+ destination = "secrets/garage.crt"
+ }
+ template {
+ data = "{{ key \"secrets/garage/garage.key\" }}"
+ destination = "secrets/garage.key"
+ }
+
+ resources {
+ memory = 500
+ cpu = 1000
+ network {
+ port "rpc_port" {
+ static = "3901"
+ }
+ port "api_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "garage_api",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:garage.deuxfleurs.fr"
+ ]
+ port = "api_port"
+ address_mode = "host"
+ name = "garage-api"
+ check {
+ type = "tcp"
+ port = "api_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = ["garage-rpc"]
+ port = "rpc_port"
+ address_mode = "host"
+ name = "garage-rpc"
+ check {
+ type = "tcp"
+ port = "rpc_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/app/deployment/im.hcl b/app/deployment/im.hcl
new file mode 100644
index 0000000..53b81d1
--- /dev/null
+++ b/app/deployment/im.hcl
@@ -0,0 +1,361 @@
+job "im" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ group "matrix" {
+ count = 1
+ task "synapse" {
+ driver = "docker"
+
+ config {
+ image = "superboum/amd64_synapse:v33"
+ readonly_rootfs = true
+ port_map {
+ client_port = 8008
+ federation_port = 8448
+ }
+ command = "python"
+ args = [
+ "-m", "synapse.app.homeserver",
+ "-n",
+ "-c", "/etc/matrix-synapse/homeserver.yaml"
+ ]
+ volumes = [
+ "secrets/conf:/etc/matrix-synapse",
+ "/mnt/glusterfs/chat/matrix/synapse/media:/var/lib/matrix-synapse/media",
+ "/mnt/glusterfs/chat/matrix/synapse/uploads:/var/lib/matrix-synapse/uploads",
+ "/tmp/synapse-logs:/var/log/matrix-synapse",
+ "/tmp/synapse:/tmp"
+ ]
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/chat/synapse/homeserver.yaml?raw"
+ destination = "secrets/tpl/homeserver.yaml.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/tpl/homeserver.yaml.tpl"
+ destination = "secrets/conf/homeserver.yaml"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/chat/easybridge/registration.yaml.tpl?raw"
+ destination = "secrets/tpl/easybridge_registration.yaml.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/tpl/easybridge_registration.yaml.tpl"
+ destination = "secrets/conf/easybridge_registration.yaml"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/chat/fb2mx/registration.yaml?raw"
+ destination = "secrets/tpl/fb2mx_registration.yaml.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/tpl/fb2mx_registration.yaml.tpl"
+ destination = "secrets/conf/fb2mx_registration.yaml"
+ }
+
+ template {
+ data = "{{ key \"configuration/chat/synapse/log.yaml\" }}"
+ destination = "secrets/conf/log.yaml"
+ }
+ template {
+ data = "{{ key \"configuration/chat/synapse/conf.d/server_name.yaml\" }}"
+ destination = "secrets/conf/server_name.yaml"
+ }
+ template {
+ data = "{{ key \"configuration/chat/synapse/conf.d/report_stats.yaml\" }}"
+ destination = "secrets/conf/report_stats.yaml"
+ }
+ template {
+ data = "{{ key \"secrets/chat/synapse/homeserver.tls.crt\" }}"
+ destination = "secrets/conf/homeserver.tls.crt"
+ }
+ template {
+ data = "{{ key \"secrets/chat/synapse/homeserver.tls.dh\" }}"
+ destination = "secrets/conf/homeserver.tls.dh"
+ }
+ template {
+ data = "{{ key \"secrets/chat/synapse/homeserver.tls.key\" }}"
+ destination = "secrets/conf/homeserver.tls.key"
+ }
+ template {
+ data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}"
+ destination = "secrets/conf/homeserver.signing.key"
+ }
+
+ env {
+ SYNAPSE_CACHE_FACTOR = 1
+ }
+
+ resources {
+ cpu = 1000
+ memory = 4000
+ network {
+ port "client_port" { }
+ port "federation_port" { }
+ }
+ }
+
+ service {
+ name = "synapse-client"
+ port = "client_port"
+ address_mode = "host"
+ tags = [
+ "matrix",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https",
+ "traefik.frontend.rule=Host:im.deuxfleurs.fr;PathPrefix:/_matrix",
+ "traefik.frontend.headers.customResponseHeaders=Access-Control-Allow-Origin: *",
+ "traefik.frontend.priority=100"
+ ]
+ check {
+ type = "tcp"
+ port = "client_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "synapse-federation"
+ port = "federation_port"
+ address_mode = "host"
+ tags = [
+ "matrix",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https",
+ "traefik.frontend.rule=Host:deuxfleurs.fr;PathPrefix:/_matrix",
+ "traefik.frontend.priority=100"
+ ]
+ }
+
+ }
+ }
+
+ group "easybridge" {
+ count = 1
+ task "easybridge" {
+ driver = "docker"
+ config {
+ image = "lxpz/easybridge_amd64:27"
+ port_map {
+ api_port = 8321
+ web_port = 8281
+ }
+ volumes = [
+ "secrets/conf:/data"
+ ]
+ args = [ "./easybridge", "-config", "/data/config.json" ]
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/chat/easybridge/registration.yaml.tpl?raw"
+ destination = "secrets/tpl/registration.yaml.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/tpl/registration.yaml.tpl"
+ destination = "secrets/conf/registration.yaml"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/chat/easybridge/config.json.tpl?raw"
+ destination = "secrets/tpl/config.json.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/tpl/config.json.tpl"
+ destination = "secrets/conf/config.json"
+ }
+
+ resources {
+ memory = 500
+ cpu = 1000
+ network {
+ port "api_port" {
+ static = "8321"
+ }
+ port "web_port" {}
+ }
+ }
+
+ service {
+ name = "easybridge-api"
+ tags = ["easybridge-api"]
+ port = "api_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "api_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ name = "easybridge-web"
+ tags = [
+ "easybridge-web",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:easybridge.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+
+
+ group "riotweb" {
+ count = 1
+
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_riotweb:v15"
+ port_map {
+ web_port = 8043
+ }
+ volumes = [
+ "secrets/config.json:/srv/http/config.json"
+ ]
+ }
+
+ template {
+ data = "{{ key \"configuration/chat/riot_web/config.json\" }}"
+ destination = "secrets/config.json"
+ }
+
+ resources {
+ memory = 21
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "webstatic",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https",
+ "traefik.frontend.rule=Host:im.deuxfleurs.fr,riot.deuxfleurs.fr;PathPrefix:/",
+ "traefik.frontend.priority=10"
+ ]
+ port = "web_port"
+ address_mode = "host"
+ name = "webstatic"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+
+/*
+ group "turn_stun" {
+ count=1
+ task "coturn" {
+ driver = "docker"
+ config {
+ image = "registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1"
+ port_map {
+ main_port = 3478
+ alt_port = 3479
+ }
+ command = "/usr/bin/turnserver"
+ args = [
+ "-X", "82.253.205.190",
+ "-v",
+ "-f",
+ "-a"
+ ]
+ volumes = [
+ "secrets/turnserver.conf:/etc/turnserver.conf"
+ ]
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/chat/coturn/turnserver.conf.tpl?raw"
+ destination = "secrets/turnserver.conf.tpl"
+ mode = "file"
+ }
+
+ template {
+ source = "secrets/turnserver.conf.tpl"
+ destination = "secrets/turnserver.conf"
+ }
+
+ resources {
+ memory = 50
+ network {
+ port "main_port" {
+ static = "3478"
+ }
+ port "alt_port" {
+ static = "3479"
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "coturn",
+ "matrix"
+ ]
+ port = "main_port"
+ address_mode = "host"
+ name = "coturn"
+ check {
+ type = "tcp"
+ port = "main_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ }
+ }
+*/
+
+}
+
diff --git a/app/deployment/jitsi.hcl b/app/deployment/jitsi.hcl
new file mode 100644
index 0000000..c1bee73
--- /dev/null
+++ b/app/deployment/jitsi.hcl
@@ -0,0 +1,252 @@
+job "jitsi" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "core" {
+ task "xmpp" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_jitsi_xmpp:v4"
+ network_mode = "host"
+ port_map {
+ xmpp_port = 5222
+ ext_port = 5347
+ bosh_port = 5280
+ }
+ }
+
+ template {
+ data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt"
+ }
+ template {
+ data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.key\" }}"
+ destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.key"
+ }
+ template {
+ data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
+ destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ }
+ template {
+ data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}"
+ destination = "secrets/certs/jitsi.deuxfleurs.fr.key"
+ }
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw"
+ destination = "secrets/global_env.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/global_env.tpl"
+ destination = "secrets/global_env"
+ env = true
+ }
+
+ resources {
+ cpu = 300
+ memory = 200
+ network {
+ port "xmpp_port" {
+ static = "5222"
+ }
+ port "ext_port" {
+ static = "5347"
+ }
+ port "bosh_port" {
+ static = "5280"
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "jitsi"
+ ]
+ port = "bosh_port"
+ address_mode = "host"
+ name = "jitsi-xmpp-bosh"
+ check {
+ type = "tcp"
+ port = "bosh_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+
+ task "front" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_jitsi_meet:v1"
+ network_mode = "host"
+ port_map {
+ https_port = 443
+ }
+ }
+
+ template {
+ data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
+ destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ }
+ template {
+ data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.key\" }}"
+ destination = "secrets/certs/jitsi.deuxfleurs.fr.key"
+ }
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw"
+ destination = "secrets/global_env.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/global_env.tpl"
+ destination = "secrets/global_env"
+ env = true
+ }
+
+ resources {
+ cpu = 300
+ memory = 200
+ network {
+ port "https_port" {
+ static = "443"
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "jitsi",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:jitsi.deuxfleurs.fr;PathPrefix:/",
+ "traefik.protocol=https"
+ ]
+ port = "https_port"
+ address_mode = "host"
+ name = "jitsi-front-https"
+ check {
+ type = "tcp"
+ port = "https_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+
+ task "jicofo" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_jitsi_conference_focus:v5"
+ network_mode = "host"
+ }
+
+ template {
+ data = "{{ key \"secrets/jitsi/jitsi.deuxfleurs.fr.crt\" }}"
+ destination = "secrets/certs/jitsi.deuxfleurs.fr.crt"
+ }
+ template {
+ data = "{{ key \"secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt\" }}"
+ destination = "secrets/certs/auth.jitsi.deuxfleurs.fr.crt"
+ }
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw"
+ destination = "secrets/global_env.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/global_env.tpl"
+ destination = "secrets/global_env"
+ env = true
+ }
+
+ resources {
+ cpu = 300
+ memory = 400
+ }
+ }
+
+ task "videobridge" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_jitsi_videobridge:v15"
+ network_mode = "host"
+ port_map {
+ video1_port = 8080
+ video2_port = 10000
+ }
+ ulimit {
+ nofile = "1048576:1048576"
+ nproc = "65536:65536"
+ }
+ }
+
+ env {
+ #JITSI_DEBUG = 1
+ JITSI_VIDEO_TCP = 8080
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/secrets/jitsi/global_env?raw"
+ destination = "secrets/global_env.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/global_env.tpl"
+ destination = "secrets/global_env"
+ env = true
+ }
+
+ resources {
+ cpu = 900
+ memory = 1500
+ network {
+ port "video1_port" {
+ static = "8080"
+ }
+ port "video2_port" {
+ static = "10000"
+ }
+ }
+
+ }
+
+ service {
+ tags = [
+ "jitsi",
+ "(diplonat (tcp_port 8080) (udp_port 10000))"
+ ]
+ port = "video1_port"
+ address_mode = "host"
+ name = "jitsi-videobridge-video1"
+ check {
+ type = "tcp"
+ port = "video1_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+
+ }
+}
+
diff --git a/app/deployment/mariadb.hcl b/app/deployment/mariadb.hcl
new file mode 100644
index 0000000..2b9be7e
--- /dev/null
+++ b/app/deployment/mariadb.hcl
@@ -0,0 +1,69 @@
+job "mariadb" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "main" {
+ count = 1
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_mariadb:v3"
+ port_map {
+ mariadb_port = 3306
+ }
+ command = "tail"
+ args = [
+ "-f", "/var/log/mysql/error.log",
+ ]
+ volumes = [
+ "/mnt/glusterfs/mariadb/main/server:/var/lib/mysql",
+ ]
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/mariadb/main/env.tpl?raw"
+ destination = "secrets/env.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/env.tpl"
+ destination = "secrets/env"
+ env = true
+ }
+
+
+ resources {
+ memory = 800
+ network {
+ port "mariadb_port" {
+ static = "3306"
+ }
+ }
+ }
+
+ service {
+ tags = ["mariadb"]
+ port = "mariadb_port"
+ address_mode = "host"
+ name = "mariadb"
+ check {
+ type = "tcp"
+ port = "mariadb_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/nextcloud.hcl b/app/deployment/nextcloud.hcl
new file mode 100644
index 0000000..2cc4f5f
--- /dev/null
+++ b/app/deployment/nextcloud.hcl
@@ -0,0 +1,67 @@
+job "nextcloud" {
+ datacenters = ["dc1", "belair"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "nextcloud" {
+ count = 1
+ task "nextcloud" {
+ driver = "docker"
+ config {
+ image = "lxpz/deuxfleurs_nextcloud_amd64:8"
+ port_map {
+ web_port = 80
+ }
+ volumes = [
+ "secrets/config.php:/var/www/html/config/config.php"
+ ]
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/nextcloud/config.php.tpl?raw"
+ destination = "secrets/config.php.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/config.php.tpl"
+ destination = "secrets/config.php"
+ }
+
+ resources {
+ memory = 1000
+ cpu = 2000
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ name = "nextcloud"
+ tags = [
+ "nextcloud",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:nextcloud.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/object_storage.hcl b/app/deployment/object_storage.hcl
new file mode 100644
index 0000000..fa40c4b
--- /dev/null
+++ b/app/deployment/object_storage.hcl
@@ -0,0 +1,159 @@
+job "not_safe_object_storage" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "not_safe_pithos" {
+ count = 2
+ task "not_safe_server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_pithos:v1"
+ readonly_rootfs = true
+ port_map {
+ s3_port = 8080
+ }
+ volumes = [
+ "secrets/pithos.yaml:/etc/pithos/pithos.yaml"
+ ]
+ }
+
+ resources {
+ memory = 500
+ network {
+ port "s3_port" {
+ static = "8080"
+ }
+ }
+ }
+
+ template {
+ data = <<EOH
+service:
+ host: '0.0.0.0'
+ port: 8080
+
+
+## logging configuration
+## ---------------------
+logging:
+ level: info
+ console: true
+ files: []
+
+# overrides:
+# io.exo.pithos: debug
+
+
+## global options
+## --------------
+options:
+ service-uri: 's3.esir.deuxfleurs.fr'
+ reporting: true
+ server-side-encryption: true
+ multipart-upload: true
+ masterkey-provisioning: true
+ masterkey-access: true
+ default-region: 'FR-RN1'
+
+
+## keystore configuration
+## ----------------------
+#
+# Keystores associate an access key with
+# an organization and secret key.
+#
+# They may offer provisioning capacities with the
+# masterkey. The default provider relies on keys
+# being defined inline.
+# generate access key: openssl rand -base64 24
+# generate secret key: openssl rand -base64 39
+# (size is arbitrary)
+keystore:
+ keys:
+ NHu3glGc0lj5FL5AZPTvgjB20tb9w4Eo:
+ master: true
+ tenant: 'pyr@spootnik.org'
+ secret: 'fpyehmZsimMHeYScjwTUREzvIOICeRZiO01Dck0JIKEifKdwOT3T'
+ rXNoqKXY45RcxpBOKy8i4H8fqGzlHIZu:
+ tenant: 'exoscale'
+ secret: 'qtQlWujN70Ukh9IvIbqIM3Zqos/5aU72hOhLCXblQ0PmfYsGO8lU'
+
+
+## bucketstore configuration
+## -------------------------
+#
+# The bucketstore is ring global and contains information
+# on bucket location and global parameters.
+#
+# Its primary aim is to hold bucket location and ownership
+# information.
+#
+# The default provider relies on cassandra.
+bucketstore:
+ default-region: 'FR-RN1'
+ cluster:
+ - 148.60.11.181
+ - 148.60.11.183
+ - 148.60.11.237
+ keyspace: 'storage'
+
+
+## regions
+## -------
+#
+# Regions are composed of a metastore and an arbitrary number
+# of named storage classes which depend on a blobstore.
+#
+# The metastore holds metadata for the full region, as well as
+# object storage-class placement information.
+#
+# The default implementation of both metastore and blobstore
+# rely on cassandra.
+#
+regions:
+ FR-RN1:
+ metastore:
+ cluster:
+ - 148.60.11.181
+ - 148.60.11.183
+ - 148.60.11.237
+ keyspace: 'storage'
+ storage-classes:
+ standard:
+ cluster:
+ - 148.60.11.181
+ - 148.60.11.183
+ - 148.60.11.237
+ keyspace: 'storage'
+ max-chunk: '128k'
+ max-block-chunks: 1024
+EOH
+ destination = "secrets/pithos.yaml"
+ }
+
+ service {
+ tags = ["pithos"]
+ port = "s3_port"
+ address_mode = "host"
+ name = "pithos"
+ check {
+ type = "tcp"
+ port = "s3_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "300s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/platoo.hcl b/app/deployment/platoo.hcl
new file mode 100644
index 0000000..0502934
--- /dev/null
+++ b/app/deployment/platoo.hcl
@@ -0,0 +1,64 @@
+job "platoo" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "core" {
+ task "nodejs" {
+ driver = "docker"
+ config {
+ image = "victormoi/platoo:v1"
+ force_pull = true
+ port_map {
+ web_port = 8080
+ }
+ }
+
+ template {
+ data = <<EOH
+user=platoo
+host=psql-proxy.service.2.cluster.deuxfleurs.fr
+database=platoodb
+password={{ key "secrets/platoo/bddpw" | trimSpace }}
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 400
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "platoo",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https",
+ "traefik.frontend.rule=Host:platoo.deuxfleurs.fr;PathPrefix:/"
+ ]
+ port = "web_port"
+ address_mode = "host"
+ name = "platoo"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/postgres.hcl b/app/deployment/postgres.hcl
new file mode 100644
index 0000000..456156e
--- /dev/null
+++ b/app/deployment/postgres.hcl
@@ -0,0 +1,145 @@
+job "postgres" {
+ datacenters = ["dc1"]
+ type = "system"
+ priority = 90
+
+ update {
+ max_parallel = 1
+ stagger = "5m"
+ }
+
+ group "postgres" {
+ task "sentinel" {
+ driver = "docker"
+
+ config {
+ image = "superboum/amd64_postgres:v3"
+ readonly_rootfs = false
+ command = "/usr/local/bin/stolon-sentinel"
+ args = [
+ "--cluster-name", "pissenlit",
+ "--store-backend", "consul",
+ "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500",
+ ]
+ }
+ resources {
+ memory = 100
+ }
+ }
+
+ task "proxy" {
+ driver = "docker"
+
+ config {
+ image = "superboum/amd64_postgres:v3"
+ readonly_rootfs = false
+ command = "/usr/local/bin/stolon-proxy"
+ args = [
+ "--cluster-name", "pissenlit",
+ "--store-backend", "consul",
+ "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500",
+ "--port", "5432",
+ "--listen-address", "0.0.0.0"
+ ]
+ port_map {
+ psql_proxy_port = 5432
+ }
+ }
+
+ resources {
+ memory = 100
+ network {
+ port "psql_proxy_port" {
+ static = 5432
+ }
+ }
+ }
+
+ service {
+ tags = ["sql"]
+ port = "psql_proxy_port"
+ address_mode = "host"
+ name = "psql-proxy"
+ check {
+ type = "tcp"
+ port = "psql_proxy_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "10m"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+
+ task "keeper" {
+ driver = "docker"
+
+ config {
+ network_mode = "host"
+ image = "superboum/amd64_postgres:v3"
+ readonly_rootfs = false
+ command = "/usr/local/bin/stolon-keeper"
+ args = [
+ "--cluster-name", "pissenlit",
+ "--store-backend", "consul",
+ "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500",
+ "--data-dir", "/mnt/persist",
+ "--pg-su-password", "${PG_SU_PWD}",
+ "--pg-repl-username", "${PG_REPL_USER}",
+ "--pg-repl-password", "${PG_REPL_PWD}",
+ "--pg-listen-address", "${attr.unique.network.ip-address}",
+ "--pg-port", "5433",
+ "--pg-bin-path", "/usr/lib/postgresql/9.6/bin/"
+ ]
+ port_map {
+ psql_port = 5433
+ }
+ volumes = [
+ "/mnt/ssd/postgres:/mnt/persist"
+ ]
+ }
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/postgres/keeper/env.tpl?raw"
+ destination = "secrets/env.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/env.tpl"
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 500
+ network {
+ port "psql_port" {
+ static = "5433"
+ }
+ }
+ }
+
+ service {
+ tags = ["sql"]
+ port = "psql_port"
+ address_mode = "host"
+ name = "keeper"
+ check {
+ type = "tcp"
+ port = "psql_port"
+ interval = "60s"
+ timeout = "5s"
+
+ check_restart {
+ limit = 3
+ grace = "60m"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/science.hcl b/app/deployment/science.hcl
new file mode 100644
index 0000000..81e398a
--- /dev/null
+++ b/app/deployment/science.hcl
@@ -0,0 +1,58 @@
+job "science" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "diagnet" {
+ task "main" {
+ driver = "docker"
+ config {
+ image = "lesterpig/diagnet-landmark:latest"
+ args = [
+ "-name", "landmark-deuxfleurs",
+ "-chrome", "-chrome-interval", "60m",
+ "-http", ":8000"
+ ]
+ port_map {
+ web_port = 8000
+ }
+ }
+
+ resources {
+ cpu = 1000
+ memory = 1200
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "diagnet",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:diagnet.science.deuxfleurs.fr;PathPrefix:/"
+ ]
+ port = "web_port"
+ address_mode = "host"
+ name = "diagnet"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/seafile.hcl b/app/deployment/seafile.hcl
new file mode 100644
index 0000000..e22699c
--- /dev/null
+++ b/app/deployment/seafile.hcl
@@ -0,0 +1,174 @@
+job "seafile" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "main" {
+ count = 1
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_seafile:v6"
+
+ ## cmd + args are used for running an instance attachable for update
+ # command = "/bin/sleep"
+ # args = ["999999"]
+
+ port_map {
+ seahub_port = 8000
+ seafdav_port = 8084
+ seafhttp_port = 8082
+ }
+
+ mounts = [
+ {
+ type = "bind"
+ source = "/mnt/glusterfs/seafile"
+ target = "/mnt/seafile-data"
+ }
+ ]
+
+ volumes = [
+ "secrets/conf:/srv/webstore/conf",
+ "secrets/ccnet:/srv/webstore/ccnet"
+ ]
+ }
+
+ resources {
+ memory = 512
+ network {
+ port "seahub_port" {}
+ port "seafhttp_port" {}
+ port "seafdav_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "seafile",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:cloud.deuxfleurs.fr;PathPrefix:/"
+ ]
+ port = "seahub_port"
+ address_mode = "host"
+ name = "seahub"
+ check {
+ type = "tcp"
+ port = "seahub_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "seafile",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:cloud.deuxfleurs.fr;PathPrefixStrip:/seafhttp"
+
+ ]
+ port = "seafhttp_port"
+ address_mode = "host"
+ name = "seafhttp"
+ check {
+ type = "tcp"
+ port = "seafhttp_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "seafile",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:cloud.deuxfleurs.fr;PathPrefix:/seafdav"
+
+ ]
+ port = "seafdav_port"
+ address_mode = "host"
+ name = "seafdav"
+ check {
+ type = "tcp"
+ port = "seafdav_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/ccnet.conf.tpl?raw"
+ destination = "secrets/conf/ccnet.conf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/conf/ccnet.conf.tpl"
+ destination = "secrets/conf/ccnet.conf"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/seafile.conf.tpl?raw"
+ destination = "secrets/conf/seafile.conf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/conf/seafile.conf.tpl"
+ destination = "secrets/conf/seafile.conf"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/seafile/conf/seahub_settings.py.tpl?raw"
+ destination = "secrets/conf/seahub_settings.py.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/conf/seahub_settings.py.tpl"
+ destination = "secrets/conf/seahub_settings.py"
+ }
+
+ template {
+ data = "{{ key \"configuration/seafile/ccnet/mykey.peer\" }}"
+ destination = "secrets/ccnet/mykey.peer"
+ }
+ template {
+ data = "{{ key \"configuration/seafile/ccnet/seafile.ini\" }}"
+ destination = "secrets/ccnet/seafile.ini"
+ }
+ template {
+ data = "{{ key \"configuration/seafile/conf/mykey.peer\" }}"
+ destination = "secrets/conf/mykey.peer"
+ }
+ template {
+ data = "{{ key \"configuration/seafile/conf/seafdav.conf\" }}"
+ destination = "secrets/conf/seafdav.conf"
+ }
+ template {
+ data = "{{ key \"configuration/seafile/conf/gunicorn.conf\" }}"
+ destination = "secrets/conf/gunicorn.conf"
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/traefik.hcl b/app/deployment/traefik.hcl
new file mode 100644
index 0000000..a0803e4
--- /dev/null
+++ b/app/deployment/traefik.hcl
@@ -0,0 +1,68 @@
+job "frontend" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ group "traefik" {
+ task "server" {
+ driver = "docker"
+
+ config {
+ image = "amd64/traefik:1.7.20"
+ readonly_rootfs = true
+ port_map {
+ https_port = 443
+ http_port = 80
+ adm_port = 8082
+ }
+ volumes = [
+ "secrets/traefik.toml:/etc/traefik/traefik.toml",
+ ]
+ }
+
+ resources {
+ memory = 265
+ network {
+ port "https_port" {
+ static = "443"
+ }
+ port "http_port" {
+ static = "80"
+ }
+ port "adm_port" {
+ static = "8082"
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "https",
+ "frontend",
+ "(diplonat (tcp_port 80 443))"
+ ]
+ port = "https_port"
+ address_mode = "host"
+ name = "traefik"
+ check {
+ type = "http"
+ protocol = "http"
+ port = "adm_port"
+ path = "/ping"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ template {
+ data = "{{ key \"configuration/traefik/traefik.toml\" }}"
+ destination = "secrets/traefik.toml"
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/web_static.hcl b/app/deployment/web_static.hcl
new file mode 100644
index 0000000..c935b2a
--- /dev/null
+++ b/app/deployment/web_static.hcl
@@ -0,0 +1,113 @@
+job "web_static" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "landing" {
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_webpull_pug:v4"
+ port_map {
+ web_port = 8080
+ }
+ }
+
+ template {
+ data = <<EOH
+WEBPULL_REPO="https://git.deuxfleurs.fr/Deuxfleurs/site.git"
+WEBPULL_TOKEN="{{ key "secrets/web/home_token" | trimSpace }}"
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 200
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "webstatic",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:deuxfleurs.fr,www.deuxfleurs.fr,deuxfleurs.org,www.deuxfleurs.org;PathPrefix:/",
+ "traefik.frontend.priority=10"
+ ]
+ port = "web_port"
+ address_mode = "host"
+ name = "landing"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+
+ group "quentin" {
+ task "server" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_webpull_ruby:v1"
+ port_map {
+ web_port = 8080
+ }
+ }
+
+ template {
+ data = <<EOH
+WEBPULL_REPO="https://git.deuxfleurs.fr/quentin/quentin.dufour.io.git"
+WEBPULL_TOKEN="{{ key "secrets/web/quentin.dufour.io_token" | trimSpace }}"
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 500
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "webstatic",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https",
+ "traefik.frontend.rule=Host:quentin.dufour.io,www.quentin.dufour.io;PathPrefix:/"
+ ]
+ port = "web_port"
+ address_mode = "host"
+ name = "blog-quentin"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/deployment/webcap.hcl b/app/deployment/webcap.hcl
new file mode 100644
index 0000000..1246b76
--- /dev/null
+++ b/app/deployment/webcap.hcl
@@ -0,0 +1,56 @@
+job "webcap" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "main" {
+ task "flask" {
+ driver = "docker"
+ config {
+ image = "superboum/amd64_webcap:v7"
+ port_map {
+ web_port = 3000
+ }
+ }
+ env {
+ FLASK_APP = "/usr/local/bin/webcap"
+ }
+
+ resources {
+ cpu = 1000
+ memory = 2000
+ network {
+ port "web_port" {}
+ }
+ }
+
+ service {
+ tags = [
+ "webcap",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:webcap.deuxfleurs.fr;PathPrefix:/"
+ ]
+ port = "web_port"
+ address_mode = "host"
+ name = "webcap"
+ check {
+ type = "tcp"
+ port = "web_port"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/app/integration/jitsi/01_gen_certs.yml b/app/integration/jitsi/01_gen_certs.yml
new file mode 100644
index 0000000..bf73291
--- /dev/null
+++ b/app/integration/jitsi/01_gen_certs.yml
@@ -0,0 +1,8 @@
+version: '3'
+services:
+ jitsi-xmpp:
+ image: superboum/amd64_jitsi_xmpp:v2
+ command: ["/usr/local/bin/xmpp_gen"]
+ volumes: [ './jitsi-certs/:/certs:rw' ]
+ env_file: [ 'dev.env' ]
+
diff --git a/app/integration/jitsi/02_run.yml b/app/integration/jitsi/02_run.yml
new file mode 100644
index 0000000..73eefad
--- /dev/null
+++ b/app/integration/jitsi/02_run.yml
@@ -0,0 +1,27 @@
+version: '3.4'
+services:
+ jitsi-xmpp:
+ image: superboum/amd64_jitsi_xmpp:v3
+ ports:
+ - "5222:5222"
+ - "5347:5347"
+ - "5280:5280"
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
+ jitsi-meet:
+ image: superboum/amd64_jitsi_meet:v1
+ ports:
+ - "443:443"
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
+ jitsi-conference-focus:
+ image: superboum/amd64_jitsi_conference_focus:v4
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
+ jitsi-videobridge:
+ image: superboum/amd64_jitsi_videobridge:v14
+ ports:
+ - "8080:8080/tcp"
+ - "10000:10000/udp"
+ env_file: [ 'dev.env' ]
+ volumes: [ './jitsi-certs/:/certs:ro' ]
diff --git a/app/integration/jitsi/README.md b/app/integration/jitsi/README.md
new file mode 100644
index 0000000..70b59fc
--- /dev/null
+++ b/app/integration/jitsi/README.md
@@ -0,0 +1,26 @@
+This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md
+
+To build images:
+
+```
+docker-compose -f 02_run.yml build
+```
+
+To gen the certs:
+
+```
+docker-compose -f 01_gen_certs.yml up --force-recreate
+```
+
+To run the stack:
+
+
+```
+docker-compose -f 02_run.yml up --force-recreate
+```
+
+To push the stack on the docker registry:
+
+```
+docker-compose -f 02_run.yml push
+```
diff --git a/app/integration/jitsi/dev.env b/app/integration/jitsi/dev.env
new file mode 100644
index 0000000..1dd2122
--- /dev/null
+++ b/app/integration/jitsi/dev.env
@@ -0,0 +1,10 @@
+JITSI_SECRET_VIDEOBRIDGE=S3CR3T01
+JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02
+JITSI_SECRET_JICOFO_USER=S3CR3T03
+JITSI_PROSODY_BOSH_PORT=5280
+JITSI_PROSODY_BOSH_HOST=172.17.0.1
+JITSI_PROSODY_HOST=172.17.0.1
+JITSI_CERTS_FOLDER=/certs/
+JITSI_NAT_PUBLIC_IP=37.164.35.154
+JITSI_NAT_LOCAL_IP=192.168.0.231
+JITSI_VIDEO_TCP=8080
diff --git a/app/integration/jitsi/jitsi-certs/.gitignore b/app/integration/jitsi/jitsi-certs/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/app/integration/jitsi/jitsi-certs/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore