From a6b23f5713cc5d211a95aa1a614b63011f8ca4cc Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Fri, 15 Jan 2021 19:34:33 +0100 Subject: upgrade garage to 0.1.1 --- app/config/configuration/garage/garage.toml | 11 ++++++++++- app/deployment/garage.hcl | 3 ++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/app/config/configuration/garage/garage.toml b/app/config/configuration/garage/garage.toml index 51ae81f..4d08cf2 100644 --- a/app/config/configuration/garage/garage.toml +++ b/app/config/configuration/garage/garage.toml @@ -8,7 +8,12 @@ rpc_bind_addr = "[::]:3901" consul_host = "consul.service.2.cluster.deuxfleurs.fr:8500" consul_service_name = "garage-rpc" -bootstrap_peers = [ ] +bootstrap_peers = [] + +max_concurrent_rpc_requests = 12 +data_replication_factor = 3 +meta_replication_factor = 3 +meta_epidemic_fanout = 3 [rpc_tls] ca_cert = "/garage/garage-ca.crt" @@ -19,3 +24,7 @@ node_key = "/garage/garage.key" s3_region = "garage" api_bind_addr = "[::]:3900" +[s3_web] +bind_addr = "[::]:3902" +root_domain = ".web.deuxfleurs.fr" +index = "index.html" diff --git a/app/deployment/garage.hcl b/app/deployment/garage.hcl index d4c7c9e..fe0b641 100644 --- a/app/deployment/garage.hcl +++ b/app/deployment/garage.hcl @@ -12,13 +12,14 @@ job "garage" { network { port "s3" { static = 3900 } port "rpc" { static = 3901 } + port "web" { static = 3902 } } task "server" { driver = "docker" config { advertise_ipv6_address = true - image = "lxpz/garage_amd64:4" + image = "lxpz/garage_amd64:v0.1.1" network_mode = "host" volumes = [ "/mnt/storage/garage/data:/garage/data", -- cgit v1.2.3 From 0c4ee40e01c95d7bf73236cbead5cc261f67eb9d Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sat, 16 Jan 2021 16:21:25 +0100 Subject: Update garage --- app/deployment/garage.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/deployment/garage.hcl b/app/deployment/garage.hcl index fe0b641..20ee3cd 100644 --- a/app/deployment/garage.hcl +++ b/app/deployment/garage.hcl @@ -19,7 +19,7 @@ job "garage" { driver = "docker" config { advertise_ipv6_address = true - image = "lxpz/garage_amd64:v0.1.1" + image = "lxpz/garage_amd64:v0.1.1b" network_mode = "host" volumes = [ "/mnt/storage/garage/data:/garage/data", -- cgit v1.2.3 From c74dc92febd1841c8ea5ff31caab0f941d57527d Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sat, 16 Jan 2021 17:07:01 +0100 Subject: Proposal: reorganize app/ folder by modules --- app/.gitignore | 11 + app/README.md | 8 + app/backup/build/backup-consul/Dockerfile | 28 ++ app/backup/build/backup-consul/do_backup.sh | 20 + app/backup/deploy/backup.hcl | 67 +++ app/build/README.md | 8 - app/build/alps/Dockerfile | 21 - app/build/alps/skipverify.patch | 55 --- app/build/backup-consul/Dockerfile | 28 -- app/build/backup-consul/do_backup.sh | 20 - app/build/blog-quentin/.dockerenv | 0 app/build/blog-quentin/Dockerfile | 16 - app/build/blog-quentin/README.md | 1 - app/build/coturn/Dockerfile | 8 - app/build/coturn/README.md | 17 - app/build/docker-compose.yml | 92 ---- app/build/dovecot/.gitignore | 1 - app/build/dovecot/Dockerfile | 17 - app/build/dovecot/README.md | 18 - app/build/dovecot/conf/all_before.sieve | 5 - app/build/dovecot/conf/dovecot-ldap.sample.conf | 8 - app/build/dovecot/conf/dovecot.conf | 79 ---- app/build/dovecot/conf/report-ham.sieve | 17 - app/build/dovecot/conf/report-spam.sieve | 9 - app/build/dovecot/entrypoint.sh | 27 -- app/build/jitsi-conference-focus/Dockerfile | 27 -- app/build/jitsi-conference-focus/jicofo | 16 - .../sip-communicator.properties | 2 - app/build/jitsi-meet/Dockerfile | 28 -- app/build/jitsi-meet/config.js | 517 --------------------- app/build/jitsi-meet/entrypoint.sh | 38 -- app/build/jitsi-videobridge/Dockerfile | 30 -- app/build/jitsi-videobridge/jvb_run | 54 --- app/build/jitsi-xmpp/Dockerfile | 13 - app/build/jitsi-xmpp/external_components.cfg.lua | 2 - app/build/jitsi-xmpp/xmpp_conf | 49 -- app/build/jitsi-xmpp/xmpp_gen | 9 - app/build/jitsi-xmpp/xmpp_run | 20 - app/build/landing/README.md | 3 - app/build/mariadb/60-disable-dialog.cnf | 3 - app/build/mariadb/60-ldap.cnf | 3 - app/build/mariadb/60-remote.cnf | 2 - app/build/mariadb/Dockerfile | 14 - app/build/mariadb/README.md | 19 - app/build/mariadb/entrypoint.sh | 50 -- app/build/mariadb/nsswitch.conf | 21 - app/build/mariadb/pam-mariadb | 2 - app/build/matrix-synapse/Dockerfile | 47 -- app/build/matrix-synapse/entrypoint.sh | 3 - app/build/nextcloud/Dockerfile | 27 -- app/build/nextcloud/container-setup.sh | 37 -- app/build/nextcloud/entrypoint.sh | 8 - app/build/opendkim/Dockerfile | 8 - app/build/opendkim/README.md | 12 - app/build/opendkim/opendkim.conf | 12 - app/build/plume/Dockerfile | 54 --- app/build/plume/README.md | 3 - app/build/plume/plm-start | 9 - app/build/postfix/Dockerfile | 13 - app/build/postfix/README.md | 18 - app/build/postfix/entrypoint.sh | 31 -- app/build/postgres/Dockerfile | 19 - app/build/postgres/README.md | 4 - app/build/postgres/postgresql.conf | 25 - app/build/postgres/start.sh | 22 - app/build/riotweb/Dockerfile | 13 - app/build/seafile/Dockerfile | 46 -- app/build/seafile/README.md | 27 -- app/build/seafile/seadocker | 4 - app/build/seafile/seaenv | 7 - app/build/sogo/Dockerfile | 17 - app/build/sogo/README.md | 20 - app/build/sogo/entrypoint | 13 - app/build/sogo/sogo.nginx.conf | 83 ---- app/build/static/Dockerfile | 9 - app/build/static/README.md | 5 - app/build/static/goStatic | 1 - app/build/webpull/.gitignore | 1 - app/build/webpull/Dockerfile.nodejs | 9 - app/build/webpull/Dockerfile.ruby | 12 - app/build/webpull/README.md | 23 - app/build/webpull/main.go | 100 ---- .../configuration/chat/coturn/turnserver.conf.tpl | 19 - .../configuration/chat/easybridge/config.json.tpl | 17 - .../chat/easybridge/registration.yaml.tpl | 14 - app/config/configuration/chat/fb2mx/config.yaml | 133 ------ .../configuration/chat/fb2mx/registration.yaml | 11 - app/config/configuration/chat/riot_web/config.json | 49 -- .../chat/synapse/conf.d/report_stats.yaml | 1 - .../chat/synapse/conf.d/server_name.yaml | 1 - .../configuration/chat/synapse/homeserver.yaml | 420 ----------------- app/config/configuration/chat/synapse/log.yaml | 41 -- .../configuration/directory/bottin/config.json | 31 -- .../directory/guichet/config.json.tpl | 30 -- app/config/configuration/email/dkim/keytable | 1 - app/config/configuration/email/dkim/signingtable | 2 - .../configuration/email/dkim/smtp.private.sample | 0 .../configuration/email/dkim/smtp.txt.sample | 0 app/config/configuration/email/dkim/trusted | 4 - app/config/configuration/email/dovecot/certs.gen | 13 - .../email/dovecot/dovecot-ldap.conf.tpl | 8 - app/config/configuration/email/postfix/certs.gen | 13 - .../configuration/email/postfix/dynamicmaps.cf | 9 - .../configuration/email/postfix/header_checks | 3 - .../email/postfix/ldap-account.cf.tpl | 12 - .../configuration/email/postfix/ldap-alias.cf.tpl | 9 - .../email/postfix/ldap-virtual-domains.cf.tpl | 12 - app/config/configuration/email/postfix/main.cf | 104 ----- app/config/configuration/email/postfix/master.cf | 114 ----- app/config/configuration/email/postfix/transport | 5 - .../configuration/email/postfix/transport.db | Bin 12288 -> 0 bytes app/config/configuration/email/sogo/sogo.conf.tpl | 69 --- app/config/configuration/garage/garage.toml | 30 -- app/config/configuration/jitsi/global_env.tpl | 10 - app/config/configuration/mariadb/main/env.tpl | 6 - app/config/configuration/nextcloud/config.php.tpl | 49 -- app/config/configuration/plume/app.env | 30 -- app/config/configuration/postgres/keeper/env.tpl | 3 - .../configuration/seafile/ccnet/mykey.peer.sample | 0 app/config/configuration/seafile/ccnet/seafile.ini | 1 - .../configuration/seafile/conf/ccnet.conf.tpl | 29 -- .../configuration/seafile/conf/gunicorn.conf | 16 - .../configuration/seafile/conf/mykey.peer.sample | 0 app/config/configuration/seafile/conf/seafdav.conf | 6 - .../configuration/seafile/conf/seafile.conf.tpl | 19 - .../seafile/conf/seahub_settings.py.tpl | 21 - app/config/configuration/traefik/traefik.toml | 50 -- app/config/secrets/.gitignore | 11 - app/config/secrets/chat/coturn/static-auth.sample | 0 app/config/secrets/chat/fb2mx/as_token.sample | 0 app/config/secrets/chat/fb2mx/db_url.sample | 1 - app/config/secrets/chat/fb2mx/hs_token.sample | 0 .../secrets/chat/synapse/homeserver.tls.crt.sample | 0 .../secrets/chat/synapse/homeserver.tls.dh.sample | 0 .../secrets/chat/synapse/homeserver.tls.key.sample | 0 app/config/secrets/chat/synapse/ldap_binddn.sample | 0 app/config/secrets/chat/synapse/ldap_bindpw.sample | 0 app/config/secrets/chat/synapse/postgres_db.sample | 0 .../secrets/chat/synapse/postgres_pwd.sample | 0 .../secrets/chat/synapse/postgres_user.sample | 0 .../chat/synapse/registration_shared_secret.sample | 0 app/config/secrets/email/dkim/smtp.private.sample | 0 .../secrets/email/dovecot/dovecot.crt.sample | 0 .../secrets/email/dovecot/dovecot.key.sample | 0 .../secrets/email/dovecot/ldap_binddn.sample | 0 .../secrets/email/dovecot/ldap_bindpwd.sample | 0 .../secrets/email/postfix/postfix.crt.sample | 0 .../secrets/email/postfix/postfix.key.sample | 0 app/config/secrets/email/sogo/ldap_binddn.sample | 0 app/config/secrets/email/sogo/ldap_bindpw.sample | 0 app/config/secrets/email/sogo/postgre_auth.sample | 0 .../jitsi/auth.jitsi.deuxfleurs.fr.crt.sample | 0 .../jitsi/auth.jitsi.deuxfleurs.fr.key.sample | 0 .../secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample | 0 .../secrets/jitsi/jitsi.deuxfleurs.fr.key.sample | 0 app/config/secrets/mariadb/main/ldap_binddn.sample | 0 .../secrets/mariadb/main/ldap_bindpwd.sample | 0 app/config/secrets/mariadb/main/mysql_pwd.sample | 0 app/config/secrets/platoo/bddpw.sample | 0 app/config/secrets/plume/pgsql_pw.sh | 2 - app/config/secrets/plume/secret_key.sh | 2 - .../secrets/postgres/keeper/pg_repl_pwd.sample | 0 .../postgres/keeper/pg_repl_username.sample | 0 .../secrets/postgres/keeper/pg_su_pwd.sample | 0 app/config/secrets/seafile/conf/mykey.peer.sample | 0 app/config/secrets/web/home_token.sample | 0 .../secrets/web/quentin.dufour.io_token.sample | 0 app/core/deploy/core.hcl | 44 ++ app/deployment/backup.hcl | 67 --- app/deployment/core.hcl | 44 -- app/deployment/directory.hcl | 114 ----- app/deployment/email.hcl | 487 ------------------- app/deployment/garage.hcl | 102 ---- app/deployment/im.hcl | 265 ----------- app/deployment/jitsi.hcl | 234 ---------- app/deployment/nextcloud.hcl | 65 --- app/deployment/platoo.hcl | 64 --- app/deployment/plume.hcl | 69 --- app/deployment/postgres.hcl | 134 ------ app/deployment/science.hcl | 58 --- app/deployment/seafile.hcl | 222 --------- app/deployment/traefik.hcl | 72 --- app/deployment/web_static.hcl | 112 ----- app/directory/config/bottin/config.json | 31 ++ app/directory/config/guichet/config.json.tpl | 30 ++ app/directory/deploy/directory.hcl | 114 +++++ app/docker-compose.yml | 92 ++++ app/email/build/alps/Dockerfile | 21 + app/email/build/alps/skipverify.patch | 55 +++ app/email/build/dovecot/.gitignore | 1 + app/email/build/dovecot/Dockerfile | 17 + app/email/build/dovecot/README.md | 18 + app/email/build/dovecot/conf/all_before.sieve | 5 + .../build/dovecot/conf/dovecot-ldap.sample.conf | 8 + app/email/build/dovecot/conf/dovecot.conf | 79 ++++ app/email/build/dovecot/conf/report-ham.sieve | 17 + app/email/build/dovecot/conf/report-spam.sieve | 9 + app/email/build/dovecot/entrypoint.sh | 27 ++ app/email/build/opendkim/Dockerfile | 8 + app/email/build/opendkim/README.md | 12 + app/email/build/opendkim/opendkim.conf | 12 + app/email/build/postfix/Dockerfile | 13 + app/email/build/postfix/README.md | 18 + app/email/build/postfix/entrypoint.sh | 31 ++ app/email/build/sogo/Dockerfile | 17 + app/email/build/sogo/README.md | 20 + app/email/build/sogo/entrypoint | 13 + app/email/build/sogo/sogo.nginx.conf | 83 ++++ app/email/config/dkim/keytable | 1 + app/email/config/dkim/signingtable | 2 + app/email/config/dkim/smtp.private.sample | 0 app/email/config/dkim/smtp.txt.sample | 0 app/email/config/dkim/trusted | 4 + app/email/config/dovecot/certs.gen | 13 + app/email/config/dovecot/dovecot-ldap.conf.tpl | 8 + app/email/config/postfix/certs.gen | 13 + app/email/config/postfix/dynamicmaps.cf | 9 + app/email/config/postfix/header_checks | 3 + app/email/config/postfix/ldap-account.cf.tpl | 12 + app/email/config/postfix/ldap-alias.cf.tpl | 9 + .../config/postfix/ldap-virtual-domains.cf.tpl | 12 + app/email/config/postfix/main.cf | 104 +++++ app/email/config/postfix/master.cf | 114 +++++ app/email/config/postfix/transport | 5 + app/email/config/postfix/transport.db | Bin 0 -> 12288 bytes app/email/config/sogo/sogo.conf.tpl | 69 +++ app/email/deploy/email.hcl | 487 +++++++++++++++++++ app/email/secrets/email/dkim/smtp.private.sample | 0 app/email/secrets/email/dovecot/dovecot.crt.sample | 0 app/email/secrets/email/dovecot/dovecot.key.sample | 0 app/email/secrets/email/dovecot/ldap_binddn.sample | 0 .../secrets/email/dovecot/ldap_bindpwd.sample | 0 app/email/secrets/email/postfix/postfix.crt.sample | 0 app/email/secrets/email/postfix/postfix.key.sample | 0 app/email/secrets/email/sogo/ldap_binddn.sample | 0 app/email/secrets/email/sogo/ldap_bindpw.sample | 0 app/email/secrets/email/sogo/postgre_auth.sample | 0 app/garage/config/garage.toml | 30 ++ app/garage/deploy/garage.hcl | 102 ++++ app/im/build/matrix-synapse/Dockerfile | 47 ++ app/im/build/matrix-synapse/entrypoint.sh | 3 + app/im/build/riotweb/Dockerfile | 13 + app/im/config/coturn/turnserver.conf.tpl | 19 + app/im/config/easybridge/config.json.tpl | 17 + app/im/config/easybridge/registration.yaml.tpl | 14 + app/im/config/fb2mx/config.yaml | 133 ++++++ app/im/config/fb2mx/registration.yaml | 11 + app/im/config/riot_web/config.json | 49 ++ app/im/config/synapse/conf.d/report_stats.yaml | 1 + app/im/config/synapse/conf.d/server_name.yaml | 1 + app/im/config/synapse/homeserver.yaml | 420 +++++++++++++++++ app/im/config/synapse/log.yaml | 41 ++ app/im/deploy/im.hcl | 265 +++++++++++ app/im/secrets/chat/coturn/static-auth.sample | 0 app/im/secrets/chat/fb2mx/as_token.sample | 0 app/im/secrets/chat/fb2mx/db_url.sample | 1 + app/im/secrets/chat/fb2mx/hs_token.sample | 0 .../secrets/chat/synapse/homeserver.tls.crt.sample | 0 .../secrets/chat/synapse/homeserver.tls.dh.sample | 0 .../secrets/chat/synapse/homeserver.tls.key.sample | 0 app/im/secrets/chat/synapse/ldap_binddn.sample | 0 app/im/secrets/chat/synapse/ldap_bindpw.sample | 0 app/im/secrets/chat/synapse/postgres_db.sample | 0 app/im/secrets/chat/synapse/postgres_pwd.sample | 0 app/im/secrets/chat/synapse/postgres_user.sample | 0 .../chat/synapse/registration_shared_secret.sample | 0 app/integration/jitsi/01_gen_certs.yml | 8 - app/integration/jitsi/02_run.yml | 27 -- app/integration/jitsi/README.md | 26 -- app/integration/jitsi/dev.env | 10 - app/integration/jitsi/jitsi-certs/.gitignore | 2 - app/integration/nextcloud/README.md | 20 - app/integration/nextcloud/bottin.json | 31 -- app/integration/nextcloud/docker-compose.yml | 27 -- app/integration/plume/bottin.json | 31 -- app/integration/plume/docker-compose.yml | 28 -- app/integration/plume/plume.env | 31 -- app/jitsi/build/jitsi-conference-focus/Dockerfile | 27 ++ app/jitsi/build/jitsi-conference-focus/jicofo | 16 + .../sip-communicator.properties | 2 + app/jitsi/build/jitsi-meet/Dockerfile | 28 ++ app/jitsi/build/jitsi-meet/config.js | 517 +++++++++++++++++++++ app/jitsi/build/jitsi-meet/entrypoint.sh | 38 ++ app/jitsi/build/jitsi-videobridge/Dockerfile | 30 ++ app/jitsi/build/jitsi-videobridge/jvb_run | 54 +++ app/jitsi/build/jitsi-xmpp/Dockerfile | 13 + .../build/jitsi-xmpp/external_components.cfg.lua | 2 + app/jitsi/build/jitsi-xmpp/xmpp_conf | 49 ++ app/jitsi/build/jitsi-xmpp/xmpp_gen | 9 + app/jitsi/build/jitsi-xmpp/xmpp_run | 20 + app/jitsi/config/global_env.tpl | 10 + app/jitsi/deploy/jitsi.hcl | 234 ++++++++++ app/jitsi/integratio/01_gen_certs.yml | 8 + app/jitsi/integratio/02_run.yml | 27 ++ app/jitsi/integratio/README.md | 26 ++ app/jitsi/integratio/dev.env | 10 + app/jitsi/integratio/jitsi-certs/.gitignore | 2 + .../jitsi/auth.jitsi.deuxfleurs.fr.crt.sample | 0 .../jitsi/auth.jitsi.deuxfleurs.fr.key.sample | 0 .../secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample | 0 .../secrets/jitsi/jitsi.deuxfleurs.fr.key.sample | 0 app/nextcloud/build/nextcloud/Dockerfile | 27 ++ app/nextcloud/build/nextcloud/container-setup.sh | 37 ++ app/nextcloud/build/nextcloud/entrypoint.sh | 8 + app/nextcloud/config/config.php.tpl | 49 ++ app/nextcloud/deploy/nextcloud.hcl | 65 +++ app/nextcloud/integration/README.md | 20 + app/nextcloud/integration/bottin.json | 31 ++ app/nextcloud/integration/docker-compose.yml | 27 ++ app/platoo/deploy/platoo.hcl | 64 +++ app/platoo/secrets/platoo/bddpw.sample | 0 app/plume/build/plume/Dockerfile | 54 +++ app/plume/build/plume/README.md | 3 + app/plume/build/plume/plm-start | 9 + app/plume/config/app.env | 30 ++ app/plume/deploy/plume.hcl | 69 +++ app/plume/integration/bottin.json | 31 ++ app/plume/integration/docker-compose.yml | 28 ++ app/plume/integration/plume.env | 31 ++ app/plume/secrets/plume/pgsql_pw.sh | 2 + app/plume/secrets/plume/secret_key.sh | 2 + app/postgres/build/postgres/Dockerfile | 19 + app/postgres/build/postgres/README.md | 4 + app/postgres/build/postgres/postgresql.conf | 25 + app/postgres/build/postgres/start.sh | 22 + app/postgres/config/keeper/env.tpl | 3 + app/postgres/deploy/postgres.hcl | 134 ++++++ .../secrets/postgres/keeper/pg_repl_pwd.sample | 0 .../postgres/keeper/pg_repl_username.sample | 0 .../secrets/postgres/keeper/pg_su_pwd.sample | 0 app/science/deploy/science.hcl | 58 +++ app/seafile/build/mariadb/60-disable-dialog.cnf | 3 + app/seafile/build/mariadb/60-ldap.cnf | 3 + app/seafile/build/mariadb/60-remote.cnf | 2 + app/seafile/build/mariadb/Dockerfile | 14 + app/seafile/build/mariadb/README.md | 19 + app/seafile/build/mariadb/entrypoint.sh | 50 ++ app/seafile/build/mariadb/nsswitch.conf | 21 + app/seafile/build/mariadb/pam-mariadb | 2 + app/seafile/build/seafile/Dockerfile | 46 ++ app/seafile/build/seafile/README.md | 27 ++ app/seafile/build/seafile/seadocker | 4 + app/seafile/build/seafile/seaenv | 7 + app/seafile/config/ccnet/seafile.ini | 1 + app/seafile/config/conf/ccnet.conf.tpl | 29 ++ app/seafile/config/conf/gunicorn.conf | 16 + app/seafile/config/conf/mykey.peer.sample | 0 app/seafile/config/conf/seafdav.conf | 6 + app/seafile/config/conf/seafile.conf.tpl | 19 + app/seafile/config/conf/seahub_settings.py.tpl | 21 + app/seafile/config/mariadb/main/env.tpl | 6 + app/seafile/deploy/seafile.hcl | 222 +++++++++ .../secrets/mariadb/main/ldap_binddn.sample | 0 .../secrets/mariadb/main/ldap_bindpwd.sample | 0 app/seafile/secrets/mariadb/main/mysql_pwd.sample | 0 app/seafile/secrets/seafile/conf/mykey.peer.sample | 0 app/traefik/config/traefik.toml | 50 ++ app/traefik/deploy/traefik.hcl | 72 +++ app/web_static/build/webpull/.gitignore | 1 + app/web_static/build/webpull/Dockerfile.nodejs | 9 + app/web_static/build/webpull/Dockerfile.ruby | 12 + app/web_static/build/webpull/README.md | 23 + app/web_static/build/webpull/main.go | 100 ++++ app/web_static/deploy/web_static.hcl | 112 +++++ app/web_static/secrets/web/home_token.sample | 0 .../secrets/web/quentin.dufour.io_token.sample | 0 366 files changed, 5832 insertions(+), 5892 deletions(-) create mode 100644 app/.gitignore create mode 100644 app/README.md create mode 100644 app/backup/build/backup-consul/Dockerfile create mode 100755 app/backup/build/backup-consul/do_backup.sh create mode 100644 app/backup/deploy/backup.hcl delete mode 100644 app/build/README.md delete mode 100644 app/build/alps/Dockerfile delete mode 100644 app/build/alps/skipverify.patch delete mode 100644 app/build/backup-consul/Dockerfile delete mode 100755 app/build/backup-consul/do_backup.sh delete mode 100755 app/build/blog-quentin/.dockerenv delete mode 100644 app/build/blog-quentin/Dockerfile delete mode 100644 app/build/blog-quentin/README.md delete mode 100644 app/build/coturn/Dockerfile delete mode 100644 app/build/coturn/README.md delete mode 100644 app/build/docker-compose.yml delete mode 100644 app/build/dovecot/.gitignore delete mode 100644 app/build/dovecot/Dockerfile delete mode 100644 app/build/dovecot/README.md delete mode 100644 app/build/dovecot/conf/all_before.sieve delete mode 100644 app/build/dovecot/conf/dovecot-ldap.sample.conf delete mode 100644 app/build/dovecot/conf/dovecot.conf delete mode 100644 app/build/dovecot/conf/report-ham.sieve delete mode 100644 app/build/dovecot/conf/report-spam.sieve delete mode 100755 app/build/dovecot/entrypoint.sh delete mode 100644 app/build/jitsi-conference-focus/Dockerfile delete mode 100755 app/build/jitsi-conference-focus/jicofo delete mode 100644 app/build/jitsi-conference-focus/sip-communicator.properties delete mode 100644 app/build/jitsi-meet/Dockerfile delete mode 100644 app/build/jitsi-meet/config.js delete mode 100755 app/build/jitsi-meet/entrypoint.sh delete mode 100644 app/build/jitsi-videobridge/Dockerfile delete mode 100755 app/build/jitsi-videobridge/jvb_run delete mode 100644 app/build/jitsi-xmpp/Dockerfile delete mode 100644 app/build/jitsi-xmpp/external_components.cfg.lua delete mode 100755 app/build/jitsi-xmpp/xmpp_conf delete mode 100755 app/build/jitsi-xmpp/xmpp_gen delete mode 100755 app/build/jitsi-xmpp/xmpp_run delete mode 100644 app/build/landing/README.md delete mode 100644 app/build/mariadb/60-disable-dialog.cnf delete mode 100644 app/build/mariadb/60-ldap.cnf delete mode 100644 app/build/mariadb/60-remote.cnf delete mode 100644 app/build/mariadb/Dockerfile delete mode 100644 app/build/mariadb/README.md delete mode 100755 app/build/mariadb/entrypoint.sh delete mode 100644 app/build/mariadb/nsswitch.conf delete mode 100644 app/build/mariadb/pam-mariadb delete mode 100644 app/build/matrix-synapse/Dockerfile delete mode 100755 app/build/matrix-synapse/entrypoint.sh delete mode 100644 app/build/nextcloud/Dockerfile delete mode 100755 app/build/nextcloud/container-setup.sh delete mode 100755 app/build/nextcloud/entrypoint.sh delete mode 100644 app/build/opendkim/Dockerfile delete mode 100644 app/build/opendkim/README.md delete mode 100644 app/build/opendkim/opendkim.conf delete mode 100644 app/build/plume/Dockerfile delete mode 100644 app/build/plume/README.md delete mode 100755 app/build/plume/plm-start delete mode 100644 app/build/postfix/Dockerfile delete mode 100644 app/build/postfix/README.md delete mode 100755 app/build/postfix/entrypoint.sh delete mode 100644 app/build/postgres/Dockerfile delete mode 100644 app/build/postgres/README.md delete mode 100644 app/build/postgres/postgresql.conf delete mode 100755 app/build/postgres/start.sh delete mode 100644 app/build/riotweb/Dockerfile delete mode 100644 app/build/seafile/Dockerfile delete mode 100644 app/build/seafile/README.md delete mode 100755 app/build/seafile/seadocker delete mode 100755 app/build/seafile/seaenv delete mode 100644 app/build/sogo/Dockerfile delete mode 100644 app/build/sogo/README.md delete mode 100755 app/build/sogo/entrypoint delete mode 100644 app/build/sogo/sogo.nginx.conf delete mode 100644 app/build/static/Dockerfile delete mode 100644 app/build/static/README.md delete mode 160000 app/build/static/goStatic delete mode 100644 app/build/webpull/.gitignore delete mode 100644 app/build/webpull/Dockerfile.nodejs delete mode 100644 app/build/webpull/Dockerfile.ruby delete mode 100644 app/build/webpull/README.md delete mode 100644 app/build/webpull/main.go delete mode 100644 app/config/configuration/chat/coturn/turnserver.conf.tpl delete mode 100644 app/config/configuration/chat/easybridge/config.json.tpl delete mode 100644 app/config/configuration/chat/easybridge/registration.yaml.tpl delete mode 100644 app/config/configuration/chat/fb2mx/config.yaml delete mode 100644 app/config/configuration/chat/fb2mx/registration.yaml delete mode 100644 app/config/configuration/chat/riot_web/config.json delete mode 100644 app/config/configuration/chat/synapse/conf.d/report_stats.yaml delete mode 100644 app/config/configuration/chat/synapse/conf.d/server_name.yaml delete mode 100644 app/config/configuration/chat/synapse/homeserver.yaml delete mode 100644 app/config/configuration/chat/synapse/log.yaml delete mode 100644 app/config/configuration/directory/bottin/config.json delete mode 100644 app/config/configuration/directory/guichet/config.json.tpl delete mode 100644 app/config/configuration/email/dkim/keytable delete mode 100644 app/config/configuration/email/dkim/signingtable delete mode 100644 app/config/configuration/email/dkim/smtp.private.sample delete mode 100644 app/config/configuration/email/dkim/smtp.txt.sample delete mode 100644 app/config/configuration/email/dkim/trusted delete mode 100755 app/config/configuration/email/dovecot/certs.gen delete mode 100644 app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl delete mode 100755 app/config/configuration/email/postfix/certs.gen delete mode 100644 app/config/configuration/email/postfix/dynamicmaps.cf delete mode 100644 app/config/configuration/email/postfix/header_checks delete mode 100644 app/config/configuration/email/postfix/ldap-account.cf.tpl delete mode 100644 app/config/configuration/email/postfix/ldap-alias.cf.tpl delete mode 100644 app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl delete mode 100644 app/config/configuration/email/postfix/main.cf delete mode 100644 app/config/configuration/email/postfix/master.cf delete mode 100644 app/config/configuration/email/postfix/transport delete mode 100644 app/config/configuration/email/postfix/transport.db delete mode 100644 app/config/configuration/email/sogo/sogo.conf.tpl delete mode 100644 app/config/configuration/garage/garage.toml delete mode 100644 app/config/configuration/jitsi/global_env.tpl delete mode 100644 app/config/configuration/mariadb/main/env.tpl delete mode 100644 app/config/configuration/nextcloud/config.php.tpl delete mode 100644 app/config/configuration/plume/app.env delete mode 100644 app/config/configuration/postgres/keeper/env.tpl delete mode 100644 app/config/configuration/seafile/ccnet/mykey.peer.sample delete mode 100644 app/config/configuration/seafile/ccnet/seafile.ini delete mode 100644 app/config/configuration/seafile/conf/ccnet.conf.tpl delete mode 100644 app/config/configuration/seafile/conf/gunicorn.conf delete mode 100644 app/config/configuration/seafile/conf/mykey.peer.sample delete mode 100644 app/config/configuration/seafile/conf/seafdav.conf delete mode 100644 app/config/configuration/seafile/conf/seafile.conf.tpl delete mode 100644 app/config/configuration/seafile/conf/seahub_settings.py.tpl delete mode 100644 app/config/configuration/traefik/traefik.toml delete mode 100644 app/config/secrets/.gitignore delete mode 100644 app/config/secrets/chat/coturn/static-auth.sample delete mode 100644 app/config/secrets/chat/fb2mx/as_token.sample delete mode 100644 app/config/secrets/chat/fb2mx/db_url.sample delete mode 100644 app/config/secrets/chat/fb2mx/hs_token.sample delete mode 100644 app/config/secrets/chat/synapse/homeserver.tls.crt.sample delete mode 100644 app/config/secrets/chat/synapse/homeserver.tls.dh.sample delete mode 100644 app/config/secrets/chat/synapse/homeserver.tls.key.sample delete mode 100644 app/config/secrets/chat/synapse/ldap_binddn.sample delete mode 100644 app/config/secrets/chat/synapse/ldap_bindpw.sample delete mode 100644 app/config/secrets/chat/synapse/postgres_db.sample delete mode 100644 app/config/secrets/chat/synapse/postgres_pwd.sample delete mode 100644 app/config/secrets/chat/synapse/postgres_user.sample delete mode 100644 app/config/secrets/chat/synapse/registration_shared_secret.sample delete mode 100644 app/config/secrets/email/dkim/smtp.private.sample delete mode 100644 app/config/secrets/email/dovecot/dovecot.crt.sample delete mode 100644 app/config/secrets/email/dovecot/dovecot.key.sample delete mode 100644 app/config/secrets/email/dovecot/ldap_binddn.sample delete mode 100644 app/config/secrets/email/dovecot/ldap_bindpwd.sample delete mode 100644 app/config/secrets/email/postfix/postfix.crt.sample delete mode 100644 app/config/secrets/email/postfix/postfix.key.sample delete mode 100644 app/config/secrets/email/sogo/ldap_binddn.sample delete mode 100644 app/config/secrets/email/sogo/ldap_bindpw.sample delete mode 100644 app/config/secrets/email/sogo/postgre_auth.sample delete mode 100644 app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample delete mode 100644 app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample delete mode 100644 app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample delete mode 100644 app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample delete mode 100644 app/config/secrets/mariadb/main/ldap_binddn.sample delete mode 100644 app/config/secrets/mariadb/main/ldap_bindpwd.sample delete mode 100644 app/config/secrets/mariadb/main/mysql_pwd.sample delete mode 100644 app/config/secrets/platoo/bddpw.sample delete mode 100755 app/config/secrets/plume/pgsql_pw.sh delete mode 100755 app/config/secrets/plume/secret_key.sh delete mode 100644 app/config/secrets/postgres/keeper/pg_repl_pwd.sample delete mode 100644 app/config/secrets/postgres/keeper/pg_repl_username.sample delete mode 100644 app/config/secrets/postgres/keeper/pg_su_pwd.sample delete mode 100644 app/config/secrets/seafile/conf/mykey.peer.sample delete mode 100644 app/config/secrets/web/home_token.sample delete mode 100644 app/config/secrets/web/quentin.dufour.io_token.sample create mode 100644 app/core/deploy/core.hcl delete mode 100644 app/deployment/backup.hcl delete mode 100644 app/deployment/core.hcl delete mode 100644 app/deployment/directory.hcl delete mode 100644 app/deployment/email.hcl delete mode 100644 app/deployment/garage.hcl delete mode 100644 app/deployment/im.hcl delete mode 100644 app/deployment/jitsi.hcl delete mode 100644 app/deployment/nextcloud.hcl delete mode 100644 app/deployment/platoo.hcl delete mode 100644 app/deployment/plume.hcl delete mode 100644 app/deployment/postgres.hcl delete mode 100644 app/deployment/science.hcl delete mode 100644 app/deployment/seafile.hcl delete mode 100644 app/deployment/traefik.hcl delete mode 100644 app/deployment/web_static.hcl create mode 100644 app/directory/config/bottin/config.json create mode 100644 app/directory/config/guichet/config.json.tpl create mode 100644 app/directory/deploy/directory.hcl create mode 100644 app/docker-compose.yml create mode 100644 app/email/build/alps/Dockerfile create mode 100644 app/email/build/alps/skipverify.patch create mode 100644 app/email/build/dovecot/.gitignore create mode 100644 app/email/build/dovecot/Dockerfile create mode 100644 app/email/build/dovecot/README.md create mode 100644 app/email/build/dovecot/conf/all_before.sieve create mode 100644 app/email/build/dovecot/conf/dovecot-ldap.sample.conf create mode 100644 app/email/build/dovecot/conf/dovecot.conf create mode 100644 app/email/build/dovecot/conf/report-ham.sieve create mode 100644 app/email/build/dovecot/conf/report-spam.sieve create mode 100755 app/email/build/dovecot/entrypoint.sh create mode 100644 app/email/build/opendkim/Dockerfile create mode 100644 app/email/build/opendkim/README.md create mode 100644 app/email/build/opendkim/opendkim.conf create mode 100644 app/email/build/postfix/Dockerfile create mode 100644 app/email/build/postfix/README.md create mode 100755 app/email/build/postfix/entrypoint.sh create mode 100644 app/email/build/sogo/Dockerfile create mode 100644 app/email/build/sogo/README.md create mode 100755 app/email/build/sogo/entrypoint create mode 100644 app/email/build/sogo/sogo.nginx.conf create mode 100644 app/email/config/dkim/keytable create mode 100644 app/email/config/dkim/signingtable create mode 100644 app/email/config/dkim/smtp.private.sample create mode 100644 app/email/config/dkim/smtp.txt.sample create mode 100644 app/email/config/dkim/trusted create mode 100755 app/email/config/dovecot/certs.gen create mode 100644 app/email/config/dovecot/dovecot-ldap.conf.tpl create mode 100755 app/email/config/postfix/certs.gen create mode 100644 app/email/config/postfix/dynamicmaps.cf create mode 100644 app/email/config/postfix/header_checks create mode 100644 app/email/config/postfix/ldap-account.cf.tpl create mode 100644 app/email/config/postfix/ldap-alias.cf.tpl create mode 100644 app/email/config/postfix/ldap-virtual-domains.cf.tpl create mode 100644 app/email/config/postfix/main.cf create mode 100644 app/email/config/postfix/master.cf create mode 100644 app/email/config/postfix/transport create mode 100644 app/email/config/postfix/transport.db create mode 100644 app/email/config/sogo/sogo.conf.tpl create mode 100644 app/email/deploy/email.hcl create mode 100644 app/email/secrets/email/dkim/smtp.private.sample create mode 100644 app/email/secrets/email/dovecot/dovecot.crt.sample create mode 100644 app/email/secrets/email/dovecot/dovecot.key.sample create mode 100644 app/email/secrets/email/dovecot/ldap_binddn.sample create mode 100644 app/email/secrets/email/dovecot/ldap_bindpwd.sample create mode 100644 app/email/secrets/email/postfix/postfix.crt.sample create mode 100644 app/email/secrets/email/postfix/postfix.key.sample create mode 100644 app/email/secrets/email/sogo/ldap_binddn.sample create mode 100644 app/email/secrets/email/sogo/ldap_bindpw.sample create mode 100644 app/email/secrets/email/sogo/postgre_auth.sample create mode 100644 app/garage/config/garage.toml create mode 100644 app/garage/deploy/garage.hcl create mode 100644 app/im/build/matrix-synapse/Dockerfile create mode 100755 app/im/build/matrix-synapse/entrypoint.sh create mode 100644 app/im/build/riotweb/Dockerfile create mode 100644 app/im/config/coturn/turnserver.conf.tpl create mode 100644 app/im/config/easybridge/config.json.tpl create mode 100644 app/im/config/easybridge/registration.yaml.tpl create mode 100644 app/im/config/fb2mx/config.yaml create mode 100644 app/im/config/fb2mx/registration.yaml create mode 100644 app/im/config/riot_web/config.json create mode 100644 app/im/config/synapse/conf.d/report_stats.yaml create mode 100644 app/im/config/synapse/conf.d/server_name.yaml create mode 100644 app/im/config/synapse/homeserver.yaml create mode 100644 app/im/config/synapse/log.yaml create mode 100644 app/im/deploy/im.hcl create mode 100644 app/im/secrets/chat/coturn/static-auth.sample create mode 100644 app/im/secrets/chat/fb2mx/as_token.sample create mode 100644 app/im/secrets/chat/fb2mx/db_url.sample create mode 100644 app/im/secrets/chat/fb2mx/hs_token.sample create mode 100644 app/im/secrets/chat/synapse/homeserver.tls.crt.sample create mode 100644 app/im/secrets/chat/synapse/homeserver.tls.dh.sample create mode 100644 app/im/secrets/chat/synapse/homeserver.tls.key.sample create mode 100644 app/im/secrets/chat/synapse/ldap_binddn.sample create mode 100644 app/im/secrets/chat/synapse/ldap_bindpw.sample create mode 100644 app/im/secrets/chat/synapse/postgres_db.sample create mode 100644 app/im/secrets/chat/synapse/postgres_pwd.sample create mode 100644 app/im/secrets/chat/synapse/postgres_user.sample create mode 100644 app/im/secrets/chat/synapse/registration_shared_secret.sample delete mode 100644 app/integration/jitsi/01_gen_certs.yml delete mode 100644 app/integration/jitsi/02_run.yml delete mode 100644 app/integration/jitsi/README.md delete mode 100644 app/integration/jitsi/dev.env delete mode 100644 app/integration/jitsi/jitsi-certs/.gitignore delete mode 100644 app/integration/nextcloud/README.md delete mode 100644 app/integration/nextcloud/bottin.json delete mode 100644 app/integration/nextcloud/docker-compose.yml delete mode 100644 app/integration/plume/bottin.json delete mode 100644 app/integration/plume/docker-compose.yml delete mode 100644 app/integration/plume/plume.env create mode 100644 app/jitsi/build/jitsi-conference-focus/Dockerfile create mode 100755 app/jitsi/build/jitsi-conference-focus/jicofo create mode 100644 app/jitsi/build/jitsi-conference-focus/sip-communicator.properties create mode 100644 app/jitsi/build/jitsi-meet/Dockerfile create mode 100644 app/jitsi/build/jitsi-meet/config.js create mode 100755 app/jitsi/build/jitsi-meet/entrypoint.sh create mode 100644 app/jitsi/build/jitsi-videobridge/Dockerfile create mode 100755 app/jitsi/build/jitsi-videobridge/jvb_run create mode 100644 app/jitsi/build/jitsi-xmpp/Dockerfile create mode 100644 app/jitsi/build/jitsi-xmpp/external_components.cfg.lua create mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_conf create mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_gen create mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_run create mode 100644 app/jitsi/config/global_env.tpl create mode 100644 app/jitsi/deploy/jitsi.hcl create mode 100644 app/jitsi/integratio/01_gen_certs.yml create mode 100644 app/jitsi/integratio/02_run.yml create mode 100644 app/jitsi/integratio/README.md create mode 100644 app/jitsi/integratio/dev.env create mode 100644 app/jitsi/integratio/jitsi-certs/.gitignore create mode 100644 app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample create mode 100644 app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample create mode 100644 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample create mode 100644 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample create mode 100644 app/nextcloud/build/nextcloud/Dockerfile create mode 100755 app/nextcloud/build/nextcloud/container-setup.sh create mode 100755 app/nextcloud/build/nextcloud/entrypoint.sh create mode 100644 app/nextcloud/config/config.php.tpl create mode 100644 app/nextcloud/deploy/nextcloud.hcl create mode 100644 app/nextcloud/integration/README.md create mode 100644 app/nextcloud/integration/bottin.json create mode 100644 app/nextcloud/integration/docker-compose.yml create mode 100644 app/platoo/deploy/platoo.hcl create mode 100644 app/platoo/secrets/platoo/bddpw.sample create mode 100644 app/plume/build/plume/Dockerfile create mode 100644 app/plume/build/plume/README.md create mode 100755 app/plume/build/plume/plm-start create mode 100644 app/plume/config/app.env create mode 100644 app/plume/deploy/plume.hcl create mode 100644 app/plume/integration/bottin.json create mode 100644 app/plume/integration/docker-compose.yml create mode 100644 app/plume/integration/plume.env create mode 100755 app/plume/secrets/plume/pgsql_pw.sh create mode 100755 app/plume/secrets/plume/secret_key.sh create mode 100644 app/postgres/build/postgres/Dockerfile create mode 100644 app/postgres/build/postgres/README.md create mode 100644 app/postgres/build/postgres/postgresql.conf create mode 100755 app/postgres/build/postgres/start.sh create mode 100644 app/postgres/config/keeper/env.tpl create mode 100644 app/postgres/deploy/postgres.hcl create mode 100644 app/postgres/secrets/postgres/keeper/pg_repl_pwd.sample create mode 100644 app/postgres/secrets/postgres/keeper/pg_repl_username.sample create mode 100644 app/postgres/secrets/postgres/keeper/pg_su_pwd.sample create mode 100644 app/science/deploy/science.hcl create mode 100644 app/seafile/build/mariadb/60-disable-dialog.cnf create mode 100644 app/seafile/build/mariadb/60-ldap.cnf create mode 100644 app/seafile/build/mariadb/60-remote.cnf create mode 100644 app/seafile/build/mariadb/Dockerfile create mode 100644 app/seafile/build/mariadb/README.md create mode 100755 app/seafile/build/mariadb/entrypoint.sh create mode 100644 app/seafile/build/mariadb/nsswitch.conf create mode 100644 app/seafile/build/mariadb/pam-mariadb create mode 100644 app/seafile/build/seafile/Dockerfile create mode 100644 app/seafile/build/seafile/README.md create mode 100755 app/seafile/build/seafile/seadocker create mode 100755 app/seafile/build/seafile/seaenv create mode 100644 app/seafile/config/ccnet/seafile.ini create mode 100644 app/seafile/config/conf/ccnet.conf.tpl create mode 100644 app/seafile/config/conf/gunicorn.conf create mode 100644 app/seafile/config/conf/mykey.peer.sample create mode 100644 app/seafile/config/conf/seafdav.conf create mode 100644 app/seafile/config/conf/seafile.conf.tpl create mode 100644 app/seafile/config/conf/seahub_settings.py.tpl create mode 100644 app/seafile/config/mariadb/main/env.tpl create mode 100644 app/seafile/deploy/seafile.hcl create mode 100644 app/seafile/secrets/mariadb/main/ldap_binddn.sample create mode 100644 app/seafile/secrets/mariadb/main/ldap_bindpwd.sample create mode 100644 app/seafile/secrets/mariadb/main/mysql_pwd.sample create mode 100644 app/seafile/secrets/seafile/conf/mykey.peer.sample create mode 100644 app/traefik/config/traefik.toml create mode 100644 app/traefik/deploy/traefik.hcl create mode 100644 app/web_static/build/webpull/.gitignore create mode 100644 app/web_static/build/webpull/Dockerfile.nodejs create mode 100644 app/web_static/build/webpull/Dockerfile.ruby create mode 100644 app/web_static/build/webpull/README.md create mode 100644 app/web_static/build/webpull/main.go create mode 100644 app/web_static/deploy/web_static.hcl create mode 100644 app/web_static/secrets/web/home_token.sample create mode 100644 app/web_static/secrets/web/quentin.dufour.io_token.sample diff --git a/app/.gitignore b/app/.gitignore new file mode 100644 index 0000000..cc6b143 --- /dev/null +++ b/app/.gitignore @@ -0,0 +1,11 @@ +# Blacklist everything cleverly +*/secrets/* +!*/secrets/*/ + +# Whitelist some patterns +!*.sample +!*.gen +!*.sh +!.gitignore + +# Whitelist specific files diff --git a/app/README.md b/app/README.md new file mode 100644 index 0000000..a877cfa --- /dev/null +++ b/app/README.md @@ -0,0 +1,8 @@ +## How to upgrade our packaged apps to a new version? + + 1. Edit `docker-compose.yml` + 2. Change the `VERSION` variable to the desired version + 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14) + 4. Run `docker-compose build` + 5. Run `docker-compose push` + 6. Done diff --git a/app/backup/build/backup-consul/Dockerfile b/app/backup/build/backup-consul/Dockerfile new file mode 100644 index 0000000..0a5c38f --- /dev/null +++ b/app/backup/build/backup-consul/Dockerfile @@ -0,0 +1,28 @@ +FROM golang:buster as builder + +WORKDIR /root +RUN git clone https://filippo.io/age && cd age/cmd/age && go build -o age . + +FROM amd64/debian:buster + +COPY --from=builder /root/age/cmd/age/age /usr/local/bin/age + +RUN apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y rsync wget openssh-client unzip && \ + apt-get clean && \ + rm -f /var/lib/apt/lists/*_* + +RUN mkdir -p /root/.ssh +WORKDIR /root + +RUN wget https://releases.hashicorp.com/consul/1.8.5/consul_1.8.5_linux_amd64.zip && \ + unzip consul_1.8.5_linux_amd64.zip && \ + chmod +x consul && \ + mv consul /usr/local/bin && \ + rm consul_1.8.5_linux_amd64.zip + +COPY do_backup.sh /root/do_backup.sh + +CMD "/root/do_backup.sh" + diff --git a/app/backup/build/backup-consul/do_backup.sh b/app/backup/build/backup-consul/do_backup.sh new file mode 100755 index 0000000..a34e7b7 --- /dev/null +++ b/app/backup/build/backup-consul/do_backup.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +set -x -e + +cd /root + +chmod 0600 .ssh/id_ed25519 + +cat > .ssh/config < $TARGET_SSH_DIR/consul/$(date --iso-8601=minute)_consul_kv_export.gz.age" + diff --git a/app/backup/deploy/backup.hcl b/app/backup/deploy/backup.hcl new file mode 100644 index 0000000..08fd923 --- /dev/null +++ b/app/backup/deploy/backup.hcl @@ -0,0 +1,67 @@ +job "backup_periodic" { + datacenters = ["dc1"] + + type = "batch" + + periodic { + // Launch every hour + cron = "0 * * * * *" + + // Do not allow overlapping runs. + prohibit_overlap = true + } + + task "backup-consul" { + driver = "docker" + + config { + image = "lxpz/backup_consul:12" + volumes = [ + "secrets/id_ed25519:/root/.ssh/id_ed25519", + "secrets/id_ed25519.pub:/root/.ssh/id_ed25519.pub", + "secrets/known_hosts:/root/.ssh/known_hosts" + ] + network_mode = "host" + } + + env { + CONSUL_HTTP_ADDR = "http://consul.service.2.cluster.deuxfleurs.fr:8500" + } + + template { + data = < superboum/riot:v14) - 4. Run `docker-compose build` - 5. Run `docker-compose push` - 6. Done diff --git a/app/build/alps/Dockerfile b/app/build/alps/Dockerfile deleted file mode 100644 index 647d90d..0000000 --- a/app/build/alps/Dockerfile +++ /dev/null @@ -1,21 +0,0 @@ -FROM golang:1.15.6-buster as builder - -ARG VERSION - -ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64 -WORKDIR /tmp/alps - -RUN git init && \ - git remote add origin https://git.sr.ht/~migadu/alps && \ - git fetch --depth 1 origin ${VERSION} && \ - git checkout FETCH_HEAD - -COPY skipverify.patch skipverify.patch - -RUN git apply skipverify.patch && \ - go build -a -o /usr/local/bin/alps ./cmd/alps - -FROM scratch -COPY --from=builder /usr/local/bin/alps /alps -COPY --from=builder /tmp/alps/themes /themes -ENTRYPOINT ["/alps"] diff --git a/app/build/alps/skipverify.patch b/app/build/alps/skipverify.patch deleted file mode 100644 index 14e14cb..0000000 --- a/app/build/alps/skipverify.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 47765c10f1af2013556f76dc63dfa056167ae5e8 Mon Sep 17 00:00:00 2001 -From: Quentin -Date: Fri, 4 Dec 2020 13:19:24 +0100 -Subject: [PATCH] Skip CA verification - ---- - imap.go | 3 ++- - smtp.go | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/imap.go b/imap.go -index 7554331..1a4931d 100644 ---- a/imap.go -+++ b/imap.go -@@ -3,6 +3,7 @@ package alps - import ( - "fmt" - -+ "crypto/tls" - "github.com/emersion/go-imap" - imapclient "github.com/emersion/go-imap/client" - "github.com/emersion/go-message/charset" -@@ -16,7 +17,7 @@ func (s *Server) dialIMAP() (*imapclient.Client, error) { - var c *imapclient.Client - var err error - if s.imap.tls { -- c, err = imapclient.DialTLS(s.imap.host, nil) -+ c, err = imapclient.DialTLS(s.imap.host, &tls.Config{InsecureSkipVerify: true}) - if err != nil { - return nil, fmt.Errorf("failed to connect to IMAPS server: %v", err) - } -diff --git a/smtp.go b/smtp.go -index 5e178f2..8d22f1d 100644 ---- a/smtp.go -+++ b/smtp.go -@@ -3,6 +3,7 @@ package alps - import ( - "fmt" - -+ "crypto/tls" - "github.com/emersion/go-smtp" - ) - -@@ -14,7 +15,7 @@ func (s *Server) dialSMTP() (*smtp.Client, error) { - var c *smtp.Client - var err error - if s.smtp.tls { -- c, err = smtp.DialTLS(s.smtp.host, nil) -+ c, err = smtp.DialTLS(s.smtp.host, &tls.Config{InsecureSkipVerify: true}) - if err != nil { - return nil, fmt.Errorf("failed to connect to SMTPS server: %v", err) - } --- -2.28.0 - diff --git a/app/build/backup-consul/Dockerfile b/app/build/backup-consul/Dockerfile deleted file mode 100644 index 0a5c38f..0000000 --- a/app/build/backup-consul/Dockerfile +++ /dev/null @@ -1,28 +0,0 @@ -FROM golang:buster as builder - -WORKDIR /root -RUN git clone https://filippo.io/age && cd age/cmd/age && go build -o age . - -FROM amd64/debian:buster - -COPY --from=builder /root/age/cmd/age/age /usr/local/bin/age - -RUN apt-get update && \ - apt-get -qq -y full-upgrade && \ - apt-get install -y rsync wget openssh-client unzip && \ - apt-get clean && \ - rm -f /var/lib/apt/lists/*_* - -RUN mkdir -p /root/.ssh -WORKDIR /root - -RUN wget https://releases.hashicorp.com/consul/1.8.5/consul_1.8.5_linux_amd64.zip && \ - unzip consul_1.8.5_linux_amd64.zip && \ - chmod +x consul && \ - mv consul /usr/local/bin && \ - rm consul_1.8.5_linux_amd64.zip - -COPY do_backup.sh /root/do_backup.sh - -CMD "/root/do_backup.sh" - diff --git a/app/build/backup-consul/do_backup.sh b/app/build/backup-consul/do_backup.sh deleted file mode 100755 index a34e7b7..0000000 --- a/app/build/backup-consul/do_backup.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh - -set -x -e - -cd /root - -chmod 0600 .ssh/id_ed25519 - -cat > .ssh/config < $TARGET_SSH_DIR/consul/$(date --iso-8601=minute)_consul_kv_export.gz.age" - diff --git a/app/build/blog-quentin/.dockerenv b/app/build/blog-quentin/.dockerenv deleted file mode 100755 index e69de29..0000000 diff --git a/app/build/blog-quentin/Dockerfile b/app/build/blog-quentin/Dockerfile deleted file mode 100644 index 61f5c40..0000000 --- a/app/build/blog-quentin/Dockerfile +++ /dev/null @@ -1,16 +0,0 @@ -FROM amd64/debian:stretch as builder - -COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile - -WORKDIR /root/quentin.dufour.io - -RUN apt-get update && \ - apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \ - bundle install - -COPY ./quentin.dufour.io/ /root/quentin.dufour.io/ -RUN bundle exec jekyll build - -FROM superboum/amd64_webserver:v2 -COPY --from=builder /root/quentin.dufour.io/_site /srv/http - diff --git a/app/build/blog-quentin/README.md b/app/build/blog-quentin/README.md deleted file mode 100644 index 25ac463..0000000 --- a/app/build/blog-quentin/README.md +++ /dev/null @@ -1 +0,0 @@ -sudo docker build -t superboum/amd64_blog:v19 . diff --git a/app/build/coturn/Dockerfile b/app/build/coturn/Dockerfile deleted file mode 100644 index 0d23161..0000000 --- a/app/build/coturn/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM amd64/debian:buster - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - apt-get install -y \ - coturn - -CMD ["/usr/bin/turnserver"] diff --git a/app/build/coturn/README.md b/app/build/coturn/README.md deleted file mode 100644 index e882146..0000000 --- a/app/build/coturn/README.md +++ /dev/null @@ -1,17 +0,0 @@ - -## Génère l'image -``` -sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 . -``` - -## Run bash dans le container -``` -sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash -sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 -``` - -## Used ports -- udp/tcp 3478 3479 - -## Publish -sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 diff --git a/app/build/docker-compose.yml b/app/build/docker-compose.yml deleted file mode 100644 index f58bf1f..0000000 --- a/app/build/docker-compose.yml +++ /dev/null @@ -1,92 +0,0 @@ -version: '3.4' -services: - - mariadb: - build: - context: ./mariadb - args: - VERSION: 4 # fake for now - image: superboum/amd64_mariadb:v4 - - # Instant Messaging - riot: - build: - context: ./riotweb - args: - # https://github.com/vector-im/riot-web/releases - VERSION: 1.7.16 - image: superboum/amd64_riotweb:v19 - - synapse: - build: - context: ./matrix-synapse - args: - # https://github.com/matrix-org/synapse/releases - VERSION: 1.25.0 - image: superboum/amd64_synapse:v40 - - # Email - sogo: - build: - context: ./sogo - args: - # fake for now - VERSION: 5.0.0 - image: superboum/amd64_sogo:v7 - - alps: - build: - context: ./alps - args: - VERSION: 5cef0aaff2b8b6ee3e00b566123517e241d8cfb8 - image: superboum/amd64_alps:v1 - - # VoIP - jitsi-meet: - build: - context: ./jitsi-meet - args: - # https://github.com/jitsi/jitsi-meet - PREFIXV: stable/jitsi-meet_ - VERSION: 5390 - image: superboum/amd64_jitsi_meet:v3 - - jitsi-conference-focus: - build: - context: ./jitsi-conference-focus - args: - # https://github.com/jitsi/jicofo - PREFIXV: stable/jitsi-meet_ - VERSION: 5390 - image: superboum/amd64_jitsi_conference_focus:v6 - - jitsi-videobridge: - build: - context: ./jitsi-videobridge - args: - # https://github.com/jitsi/jitsi-videobridge - PREFIXV: stable/jitsi-meet_ - VERSION: 5390 - image: superboum/amd64_jitsi_videobridge:v16 - - jitsi-xmpp: - build: - context: ./jitsi-xmpp - args: - VERSION: 0.11.2-1 - image: superboum/amd64_jitsi_xmpp:v8 - - plume: - build: - context: ./plume - args: - VERSION: 0.6.0 - image: superboum/plume:v2 - - postfix: - build: - context: ./postfix - args: - # https://packages.debian.org/fr/buster/postfix - VERSION: 3.4.14-0+deb10u1 - image: superboum/amd64_postfix:v3 diff --git a/app/build/dovecot/.gitignore b/app/build/dovecot/.gitignore deleted file mode 100644 index 71a04e2..0000000 --- a/app/build/dovecot/.gitignore +++ /dev/null @@ -1 +0,0 @@ -dovecot-ldap.conf diff --git a/app/build/dovecot/Dockerfile b/app/build/dovecot/Dockerfile deleted file mode 100644 index 9b87627..0000000 --- a/app/build/dovecot/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -FROM amd64/debian:stretch - -RUN apt-get update && \ - apt-get install -y \ - dovecot-antispam \ - dovecot-core \ - dovecot-imapd \ - dovecot-ldap \ - dovecot-managesieved \ - dovecot-sieve \ - dovecot-lmtpd && \ - rm -rf /etc/dovecot/* -RUN useradd mailstore -COPY ./conf/* /etc/dovecot/ -COPY entrypoint.sh /usr/local/bin/entrypoint - -ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app/build/dovecot/README.md b/app/build/dovecot/README.md deleted file mode 100644 index 8c9f372..0000000 --- a/app/build/dovecot/README.md +++ /dev/null @@ -1,18 +0,0 @@ -``` -sudo docker build -t superboum/amd64_dovecot:v2 . -``` - - -``` -sudo docker run -t -i \ - -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \ - -p 993:993 \ - -p 143:143 \ - -p 24:24 \ - -p 1337:1337 \ - -v /mnt/glusterfs/email/ssl:/etc/ssl/ \ - -v /mnt/glusterfs/email/mail:/var/mail \ - -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \ - superboum/amd64_dovecot:v1 \ - dovecot -F -``` diff --git a/app/build/dovecot/conf/all_before.sieve b/app/build/dovecot/conf/all_before.sieve deleted file mode 100644 index 7d2e57e..0000000 --- a/app/build/dovecot/conf/all_before.sieve +++ /dev/null @@ -1,5 +0,0 @@ -require ["fileinto", "mailbox"]; -if header :contains "X-Spam-Flag" "YES" { - fileinto :create "Junk"; -} - diff --git a/app/build/dovecot/conf/dovecot-ldap.sample.conf b/app/build/dovecot/conf/dovecot-ldap.sample.conf deleted file mode 100644 index 472d5e8..0000000 --- a/app/build/dovecot/conf/dovecot-ldap.sample.conf +++ /dev/null @@ -1,8 +0,0 @@ -hosts = ldap.example.com -dn = cn=admin,dc=example,dc=com -dnpass = s3cr3t -base = dc=example,dc=com -scope = subtree -user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com))) -pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com))) -user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/app/build/dovecot/conf/dovecot.conf b/app/build/dovecot/conf/dovecot.conf deleted file mode 100644 index 0d5068c..0000000 --- a/app/build/dovecot/conf/dovecot.conf +++ /dev/null @@ -1,79 +0,0 @@ -auth_mechanisms = plain login -auth_username_format = %u -log_timestamp = "%Y-%m-%d %H:%M:%S " -mail_location = maildir:/var/mail/%u -mail_privileged_group = mail - -log_path = /dev/stderr -info_log_path = /dev/stdout -debug_log_path = /dev/stdout - -protocols = imap sieve lmtp - -ssl_cert = < /etc/ssl/certs/dovecot.crt -ssl_key = < /etc/ssl/private/dovecot.key - -service auth { - inet_listener { - port = 1337 - } -} - -passdb { - args = /etc/dovecot/dovecot-ldap.conf - driver = ldap -} - -service lmtp { - inet_listener lmtp { - address = 0.0.0.0 - port = 24 - } -} - -service imap-login { - inet_listener imap { - port = 143 - } - inet_listener imaps { - port = 993 - } -} - -userdb { - args = uid=mailstore gid=mailstore home=/var/mail/%u - driver = static -} - -protocol imap { - mail_plugins = $mail_plugins imap_sieve -} - -protocol lda { - auth_socket_path = /var/run/dovecot/auth-master - info_log_path = /var/log/dovecot-deliver.log - log_path = /var/log/dovecot-deliver-errors.log - postmaster_address = postmaster@deuxfleurs.fr - mail_plugins = $mail_plugins sieve -} - -plugin { - sieve = file:~/sieve;active=~/dovecot.sieve - sieve_before = /etc/dovecot/all_before.sieve - - # antispam learn - sieve_plugins = sieve_imapsieve sieve_extprograms - sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment +vnd.dovecot.debug - sieve_pipe_bin_dir = /usr/bin - - imapsieve_mailbox1_name = Junk - imapsieve_mailbox1_causes = COPY FLAG APPEND - imapsieve_mailbox1_before = file:/etc/dovecot/report-spam.sieve - - imapsieve_mailbox2_name = * - imapsieve_mailbox2_from = Spam - imapsieve_mailbox2_causes = COPY APPEND - imapsieve_mailbox2_before = file:/etc/dovecot/report-ham.sieve - -} - diff --git a/app/build/dovecot/conf/report-ham.sieve b/app/build/dovecot/conf/report-ham.sieve deleted file mode 100644 index c5a994a..0000000 --- a/app/build/dovecot/conf/report-ham.sieve +++ /dev/null @@ -1,17 +0,0 @@ -require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"]; - -if environment :matches "imap.mailbox" "*" { - set "mailbox" "${1}"; -} - -if string "${mailbox}" "Trash" { - stop; -} - -if environment :matches "imap.user" "*" { - set "username" "${1}"; -} - -pipe :copy "sa-learn" [ "--ham", "-u", "debian-spamd" ]; -debug_log "ham reported by ${username}"; - diff --git a/app/build/dovecot/conf/report-spam.sieve b/app/build/dovecot/conf/report-spam.sieve deleted file mode 100644 index 1be7389..0000000 --- a/app/build/dovecot/conf/report-spam.sieve +++ /dev/null @@ -1,9 +0,0 @@ -require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"]; - -if environment :matches "imap.user" "*" { - set "username" "${1}"; -} - -pipe :copy "sa-learn" [ "--spam", "-u", "debian-spamd"]; -debug_log "spam reported by ${username}"; - diff --git a/app/build/dovecot/entrypoint.sh b/app/build/dovecot/entrypoint.sh deleted file mode 100755 index 2165d8f..0000000 --- a/app/build/dovecot/entrypoint.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then - cd /root - openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout dovecot.key \ - -out dovecot.crt - - mkdir -p /etc/ssl/{certs,private}/ - - cp dovecot.crt /etc/ssl/certs/dovecot.crt - cp dovecot.key /etc/ssl/private/dovecot.key - chmod 400 /etc/ssl/certs/dovecot.crt - chmod 400 /etc/ssl/private/dovecot.key -fi - -if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then - chown -R mailstore /var/mail -fi - -exec "$@" diff --git a/app/build/jitsi-conference-focus/Dockerfile b/app/build/jitsi-conference-focus/Dockerfile deleted file mode 100644 index e2c459c..0000000 --- a/app/build/jitsi-conference-focus/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -FROM debian:buster AS builder - -ARG PREFIXV -ARG VERSION -RUN apt-get update && \ - apt-get install -y openjdk-11-jdk maven wget unzip && \ - wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip - -RUN unzip jicofo.zip && \ - mv jicofo*${VERSION} jicofo && \ - cd jicofo && \ - mvn package -DskipTests -Dassembly.skipAssembly=false && \ - unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \ - mv jicofo-1.1-SNAPSHOT /srv/build - -FROM debian:buster - -RUN apt-get update && \ - apt-get install -y openjdk-11-jre-headless ca-certificates - -ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi" - -COPY --from=builder /srv/build /srv/jicofo -COPY jicofo /usr/local/bin/jicofo -COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties - -CMD ["/usr/local/bin/jicofo"] diff --git a/app/build/jitsi-conference-focus/jicofo b/app/build/jitsi-conference-focus/jicofo deleted file mode 100755 index 2bc6e3f..0000000 --- a/app/build/jitsi-conference-focus/jicofo +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash - -cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt -update-ca-certificates -f - -cat >> /etc/hosts <. - // authdomain: 'jitsi-meet.example.com', - - // Jirecon recording component domain. - // jirecon: 'jirecon.jitsi-meet.example.com', - - // Call control component (Jigasi). - // call_control: 'callcontrol.jitsi-meet.example.com', - - // Focus component domain. Defaults to focus.. - // focus: 'focus.jitsi-meet.example.com', - - // XMPP MUC domain. FIXME: use XEP-0030 to discover it. - muc: 'conference.jitsi.deuxfleurs.fr' - }, - - // BOSH URL. FIXME: use XEP-0156 to discover it. - bosh: '//jitsi.deuxfleurs.fr/http-bind', - - // Websocket URL - // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', - - // The name of client node advertised in XEP-0115 'c' stanza - clientNode: 'http://jitsi.org/jitsimeet', - - // The real JID of focus participant - can be overridden here - // focusUserJid: 'focus@auth.jitsi-meet.example.com', - - - // Testing / experimental features. - // - - testing: { - // Enables experimental simulcast support on Firefox. - enableFirefoxSimulcast: false, - - // P2P test mode disables automatic switching to P2P when there are 2 - // participants in the conference. - p2pTestMode: false - - // Enables the test specific features consumed by jitsi-meet-torture - // testMode: false - - // Disables the auto-play behavior of *all* newly created video element. - // This is useful when the client runs on a host with limited resources. - // noAutoPlayVideo: false - }, - - // Disables ICE/UDP by filtering out local and remote UDP candidates in - // signalling. - // webrtcIceUdpDisable: false, - - // Disables ICE/TCP by filtering out local and remote TCP candidates in - // signalling. - // webrtcIceTcpDisable: false, - - - // Media - // - - // Audio - - // Disable measuring of audio levels. - // disableAudioLevels: false, - // audioLevelsInterval: 200, - - // Enabling this will run the lib-jitsi-meet no audio detection module which - // will notify the user if the current selected microphone has no audio - // input and will suggest another valid device if one is present. - enableNoAudioDetection: true, - - // Enabling this will run the lib-jitsi-meet noise detection module which will - // notify the user if there is noise, other than voice, coming from the current - // selected microphone. The purpose it to let the user know that the input could - // be potentially unpleasant for other meeting participants. - enableNoisyMicDetection: true, - - // Start the conference in audio only mode (no video is being received nor - // sent). - // startAudioOnly: false, - - // Every participant after the Nth will start audio muted. - // startAudioMuted: 10, - - // Start calls with audio muted. Unlike the option above, this one is only - // applied locally. FIXME: having these 2 options is confusing. - // startWithAudioMuted: false, - - // Enabling it (with #params) will disable local audio output of remote - // participants and to enable it back a reload is needed. - // startSilent: false - - // Video - - // Sets the preferred resolution (height) for local video. Defaults to 720. - resolution: 480, - - // w3c spec-compliant video constraints to use for video capture. Currently - // used by browsers that return true from lib-jitsi-meet's - // util#browser#usesNewGumFlow. The constraints are independency from - // this config's resolution value. Defaults to requesting an ideal aspect - // ratio of 16:9 with an ideal resolution of 720. - constraints: { - video: { - aspectRatio: 16 / 9, - height: { - ideal: 480, - max: 720, - min: 240 - } - } - }, - - // Enable / disable simulcast support. - // disableSimulcast: false, - - // Enable / disable layer suspension. If enabled, endpoints whose HD - // layers are not in use will be suspended (no longer sent) until they - // are requested again. - // enableLayerSuspension: false, - - // Every participant after the Nth will start video muted. - // startVideoMuted: 10, - - // Start calls with video muted. Unlike the option above, this one is only - // applied locally. FIXME: having these 2 options is confusing. - // startWithVideoMuted: false, - - // If set to true, prefer to use the H.264 video codec (if supported). - // Note that it's not recommended to do this because simulcast is not - // supported when using H.264. For 1-to-1 calls this setting is enabled by - // default and can be toggled in the p2p section. - // preferH264: true, - - // If set to true, disable H.264 video codec by stripping it out of the - // SDP. - // disableH264: false, - - // Desktop sharing - - // The ID of the jidesha extension for Chrome. - desktopSharingChromeExtId: null, - - // Whether desktop sharing should be disabled on Chrome. - // desktopSharingChromeDisabled: false, - - // The media sources to use when using screen sharing with the Chrome - // extension. - desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], - - // Required version of Chrome extension - desktopSharingChromeMinExtVersion: '0.1', - - // Whether desktop sharing should be disabled on Firefox. - // desktopSharingFirefoxDisabled: false, - - // Optional desktop sharing frame rate options. Default value: min:5, max:5. - // desktopSharingFrameRate: { - // min: 5, - // max: 5 - // }, - - // Try to start calls with screen-sharing instead of camera video. - // startScreenSharing: false, - - // Recording - - // Whether to enable file recording or not. - // fileRecordingsEnabled: false, - // Enable the dropbox integration. - // dropbox: { - // appKey: '' // Specify your app key here. - // // A URL to redirect the user to, after authenticating - // // by default uses: - // // 'https://jitsi-meet.example.com/static/oauth.html' - // redirectURI: - // 'https://jitsi-meet.example.com/subfolder/static/oauth.html' - // }, - // When integrations like dropbox are enabled only that will be shown, - // by enabling fileRecordingsServiceEnabled, we show both the integrations - // and the generic recording service (its configuration and storage type - // depends on jibri configuration) - // fileRecordingsServiceEnabled: false, - // Whether to show the possibility to share file recording with other people - // (e.g. meeting participants), based on the actual implementation - // on the backend. - // fileRecordingsServiceSharingEnabled: false, - - // Whether to enable live streaming or not. - // liveStreamingEnabled: false, - - // Transcription (in interface_config, - // subtitles and buttons can be configured) - // transcribingEnabled: false, - - // Enables automatic turning on captions when recording is started - // autoCaptionOnRecord: false, - - // Misc - - // Default value for the channel "last N" attribute. -1 for unlimited. - channelLastN: -1, - - // Disables or enables RTX (RFC 4588) (defaults to false). - // disableRtx: false, - - // Disables or enables TCC (the default is in Jicofo and set to true) - // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting - // affects congestion control, it practically enables send-side bandwidth - // estimations. - // enableTcc: true, - - // Disables or enables REMB (the default is in Jicofo and set to false) - // (draft-alvestrand-rmcat-remb-03). This setting affects congestion - // control, it practically enables recv-side bandwidth estimations. When - // both TCC and REMB are enabled, TCC takes precedence. When both are - // disabled, then bandwidth estimations are disabled. - // enableRemb: false, - - // Defines the minimum number of participants to start a call (the default - // is set in Jicofo and set to 2). - // minParticipants: 2, - - // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, - - // Enable IPv6 support. - // useIPv6: true, - - // Enables / disables a data communication channel with the Videobridge. - // Values can be 'datachannel', 'websocket', true (treat it as - // 'datachannel'), undefined (treat it as 'datachannel') and false (don't - // open any channel). - // openBridgeChannel: true, - - - // UI - // - - // Use display name as XMPP nickname. - // useNicks: false, - - // Require users to always specify a display name. - // requireDisplayName: true, - - // Whether to use a welcome page or not. In case it's false a random room - // will be joined when no room is specified. - enableWelcomePage: true, - - // Enabling the close page will ignore the welcome page redirection when - // a call is hangup. - // enableClosePage: false, - - // Disable hiding of remote thumbnails when in a 1-on-1 conference call. - // disable1On1Mode: false, - - // Default language for the user interface. - defaultLanguage: 'fr', - - // If true all users without a token will be considered guests and all users - // with token will be considered non-guests. Only guests will be allowed to - // edit their profile. - enableUserRolesBasedOnToken: false, - - // Whether or not some features are checked based on token. - // enableFeaturesBasedOnToken: false, - - // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. - // lockRoomGuestEnabled: false, - - // When enabled the password used for locking a room is restricted to up to the number of digits specified - // roomPasswordNumberOfDigits: 10, - // default: roomPasswordNumberOfDigits: false, - - // Message to show the users. Example: 'The service will be down for - // maintenance at 01:00 AM GMT, - // noticeMessage: '', - - // Enables calendar integration, depends on googleApiApplicationClientID - // and microsoftApiApplicationClientID - // enableCalendarIntegration: false, - - // Stats - // - - // Whether to enable stats collection or not in the TraceablePeerConnection. - // This can be useful for debugging purposes (post-processing/analysis of - // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth - // estimation tests. - // gatherStats: false, - - // The interval at which PeerConnection.getStats() is called. Defaults to 10000 - // pcStatsInterval: 10000, - - // To enable sending statistics to callstats.io you must provide the - // Application ID and Secret. - // callStatsID: '', - // callStatsSecret: '', - - // enables sending participants display name to callstats - // enableDisplayNameInStats: false - - // enables sending participants email if available to callstats and other analytics - // enableEmailInStats: false - - // Privacy - // - - // If third party requests are disabled, no other server will be contacted. - // This means avatars will be locally generated and callstats integration - // will not function. - // disableThirdPartyRequests: false, - - - // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. - // - - p2p: { - // Enables peer to peer mode. When enabled the system will try to - // establish a direct connection when there are exactly 2 participants - // in the room. If that succeeds the conference will stop sending data - // through the JVB and use the peer to peer connection instead. When a - // 3rd participant joins the conference will be moved back to the JVB - // connection. - enabled: true, - - // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, - - // The STUN servers that will be used in the peer to peer connections - stunServers: [ - - // { urls: 'stun:jitsi-meet.example.com:443' }, - { urls: 'stun:stun.l.google.com:19302' }, - { urls: 'stun:stun1.l.google.com:19302' }, - { urls: 'stun:stun2.l.google.com:19302' } - ], - - // Sets the ICE transport policy for the p2p connection. At the time - // of this writing the list of possible values are 'all' and 'relay', - // but that is subject to change in the future. The enum is defined in - // the WebRTC standard: - // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. - // If not set, the effective value is 'all'. - // iceTransportPolicy: 'all', - - // If set to true, it will prefer to use H.264 for P2P calls (if H.264 - // is supported). - preferH264: true, - - // If set to true, disable H.264 video codec by stripping it out of the - // SDP. - // disableH264: false, - - // How long we're going to wait, before going back to P2P after the 3rd - // participant has left the conference (to filter out page reload). - backToP2PDelay: 60 - }, - - analytics: { - // The Google Analytics Tracking ID: - // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' - - // The Amplitude APP Key: - // amplitudeAPPKey: '' - - // Array of script URLs to load as lib-jitsi-meet "analytics handlers". - // scriptURLs: [ - // "libs/analytics-ga.min.js", // google-analytics - // "https://example.com/my-custom-analytics.js" - // ], - }, - - // Information about the jitsi-meet instance we are connecting to, including - // the user region as seen by the server. - deploymentInfo: { - // shard: "shard1", - // region: "europe", - // userRegion: "asia" - } - - // Information for the chrome extension banner - // chromeExtensionBanner: { - // // The chrome extension to be installed address - // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb', - - // // Extensions info which allows checking if they are installed or not - // chromeExtensionsInfo: [ - // { - // id: 'kglhbbefdnlheedjiejgomgmfplipfeb', - // path: 'jitsi-logo-48x48.png' - // } - // ] - // } - - // Local Recording - // - - // localRecording: { - // Enables local recording. - // Additionally, 'localrecording' (all lowercase) needs to be added to - // TOOLBAR_BUTTONS in interface_config.js for the Local Recording - // button to show up on the toolbar. - // - // enabled: true, - // - - // The recording format, can be one of 'ogg', 'flac' or 'wav'. - // format: 'flac' - // - - // } - - // Options related to end-to-end (participant to participant) ping. - // e2eping: { - // // The interval in milliseconds at which pings will be sent. - // // Defaults to 10000, set to <= 0 to disable. - // pingInterval: 10000, - // - // // The interval in milliseconds at which analytics events - // // with the measured RTT will be sent. Defaults to 60000, set - // // to <= 0 to disable. - // analyticsInterval: 60000, - // } - - // If set, will attempt to use the provided video input device label when - // triggering a screenshare, instead of proceeding through the normal flow - // for obtaining a desktop stream. - // NOTE: This option is experimental and is currently intended for internal - // use only. - // _desktopSharingSourceDevice: 'sample-id-or-label' - - // If true, any checks to handoff to another application will be prevented - // and instead the app will continue to display in the current browser. - // disableDeepLinking: false - - // A property to disable the right click context menu for localVideo - // the menu has option to flip the locally seen video for local presentations - // disableLocalVideoFlip: false - - // Deployment specific URLs. - // deploymentUrls: { - // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for - // // user documentation. - // userDocumentationURL: 'https://docs.example.com/video-meetings.html', - // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link - // // to the specified URL for an app download page. - // downloadAppsUrl: 'https://docs.example.com/our-apps.html' - // } - - // List of undocumented settings used in jitsi-meet - /** - _immediateReloadThreshold - autoRecord - autoRecordToken - debug - debugAudioLevels - deploymentInfo - dialInConfCodeUrl - dialInNumbersUrl - dialOutAuthUrl - dialOutCodesUrl - disableRemoteControl - displayJids - etherpad_base - externalConnectUrl - firefox_fake_device - googleApiApplicationClientID - iAmRecorder - iAmSipGateway - microsoftApiApplicationClientID - peopleSearchQueryTypes - peopleSearchUrl - requireDisplayName - tokenAuthUrl - */ - - // List of undocumented settings used in lib-jitsi-meet - /** - _peerConnStatusOutOfLastNTimeout - _peerConnStatusRtcMuteTimeout - abTesting - avgRtpStatsN - callStatsConfIDNamespace - callStatsCustomScriptUrl - desktopSharingSources - disableAEC - disableAGC - disableAP - disableHPF - disableNS - enableLipSync - enableTalkWhileMuted - forceJVB121Ratio - hiddenDomain - ignoreStartMuted - nick - startBitrate - */ - -}; - -/* eslint-enable no-unused-vars, no-var */ - diff --git a/app/build/jitsi-meet/entrypoint.sh b/app/build/jitsi-meet/entrypoint.sh deleted file mode 100755 index 1cd96dc..0000000 --- a/app/build/jitsi-meet/entrypoint.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -cat > /etc/nginx/sites-available/jitsi <> /etc/hosts < /root/.sip-communicator/sip-communicator.properties <> /root/.sip-communicator/sip-communicator.properties <> /etc/hosts < /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua < /etc/nslcd.conf < /tmp/nextcloud.zip -cd /var/www -unzip /tmp/nextcloud.zip -rm /tmp/nextcloud.zip -mv html html.old -mv nextcloud html - -cd html -mkdir data - -cd apps -wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz -tar xf tasks.tar.gz -wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz -tar xf maps-0.1.6.tar.gz -wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz -tar xf calendar.tar.gz -wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz -tar xf news.tar.gz -wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz -tar xf notes.tar.gz -wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz -tar xf contacts.tar.gz -wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz -tar xf mail.tar.gz -wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz -tar xf groupfolders.tar.gz -rm *.tar.gz - -chown -R www-data:www-data /var/www/html - -cd /var/www/html -php occ diff --git a/app/build/nextcloud/entrypoint.sh b/app/build/nextcloud/entrypoint.sh deleted file mode 100755 index 72b4f94..0000000 --- a/app/build/nextcloud/entrypoint.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -set -xe - -chown www-data:www-data /var/www/html/config/config.php -touch /var/www/html/data/.ocdata - -exec apachectl -DFOREGROUND diff --git a/app/build/opendkim/Dockerfile b/app/build/opendkim/Dockerfile deleted file mode 100644 index 70a39e4..0000000 --- a/app/build/opendkim/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM amd64/debian:buster - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - apt-get install -y opendkim opendkim-tools - -COPY ./opendkim.conf /etc/opendkim.conf -CMD opendkim -f -v -x /etc/opendkim.conf diff --git a/app/build/opendkim/README.md b/app/build/opendkim/README.md deleted file mode 100644 index e146125..0000000 --- a/app/build/opendkim/README.md +++ /dev/null @@ -1,12 +0,0 @@ -``` -sudo docker build -t superboum/amd64_opendkim:v1 . -``` - -``` -sudo docker run -t -i \ - -v `pwd`/conf:/etc/dkim \ - -v /dev/log:/dev/log \ - -p 8999:8999 - superboum/amd64_opendkim:v1 - opendkim -f -v -x /etc/opendkim.conf -``` diff --git a/app/build/opendkim/opendkim.conf b/app/build/opendkim/opendkim.conf deleted file mode 100644 index 0d6465f..0000000 --- a/app/build/opendkim/opendkim.conf +++ /dev/null @@ -1,12 +0,0 @@ -Syslog yes -SyslogSuccess yes -LogWhy yes -UMask 007 -Mode sv -OversignHeaders From -TrustAnchorFile /usr/share/dns/root.key -KeyTable refile:/etc/dkim/keytable -SigningTable refile:/etc/dkim/signingtable -ExternalIgnoreList refile:/etc/dkim/trusted -InternalHosts refile:/etc/dkim/trusted -Socket inet:8999 diff --git a/app/build/plume/Dockerfile b/app/build/plume/Dockerfile deleted file mode 100644 index 4e05424..0000000 --- a/app/build/plume/Dockerfile +++ /dev/null @@ -1,54 +0,0 @@ -FROM rust:1.47.0-slim-buster as builder - -RUN apt-get update && \ - apt-get install -y \ - pkg-config \ - git \ - curl \ - postgresql \ - postgresql-contrib \ - libpq-dev \ - gettext \ - git \ - curl \ - gcc \ - make \ - openssl \ - libssl-dev \ - libclang-dev - -ARG VERSION -WORKDIR /opt -RUN git clone -n https://git.joinplu.me/Plume/Plume.git plume - -WORKDIR /opt/plume -RUN git checkout ${VERSION} - -RUN cargo install diesel_cli --no-default-features --features postgres --version '=1.3.0' - -# frontend -RUN cargo install cargo-web -RUN cargo web deploy -p plume-front --release -# backend -RUN cargo install --no-default-features --features postgres -f --path . -# cli -RUN cargo install --no-default-features --features postgres --path plume-cli -RUN cargo clean - -#----------------------------- -FROM debian:bullseye-slim - -RUN apt-get update && apt-get install -y --no-install-recommends \ - ca-certificates \ - libpq5 \ - libssl1.1 - -WORKDIR /app - -COPY --from=builder /opt/plume /app -COPY --from=builder /usr/local/cargo/bin/diesel /usr/local/bin/ -COPY --from=builder /usr/local/cargo/bin/plm /usr/local/bin/ -COPY --from=builder /usr/local/cargo/bin/plume /usr/local/bin/ -COPY plm-start /usr/local/bin/ - -CMD ["plm-start"] diff --git a/app/build/plume/README.md b/app/build/plume/README.md deleted file mode 100644 index 6d86d81..0000000 --- a/app/build/plume/README.md +++ /dev/null @@ -1,3 +0,0 @@ -Try build: - -sudo docker build -t superboum/plume:v1 --build-arg VERSION=003dcf861a9f55720b03d52f2f95f5f59e338809 . diff --git a/app/build/plume/plm-start b/app/build/plume/plm-start deleted file mode 100755 index da9d288..0000000 --- a/app/build/plume/plm-start +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -until plm migration run; - do sleep 2; -done -plm search init -plm instance new --domain "$DOMAIN_NAME" --name "$INSTANCE_NAME" --private - -plume diff --git a/app/build/postfix/Dockerfile b/app/build/postfix/Dockerfile deleted file mode 100644 index 0c74fdc..0000000 --- a/app/build/postfix/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -FROM amd64/debian:buster - -ARG VERSION - -RUN apt-get update && \ - apt-get install -y \ - postfix=$VERSION \ - postfix-ldap - -COPY entrypoint.sh /usr/local/bin/entrypoint - -ENTRYPOINT ["/usr/local/bin/entrypoint"] -CMD ["postfix", "start-fg"] diff --git a/app/build/postfix/README.md b/app/build/postfix/README.md deleted file mode 100644 index ac44fc0..0000000 --- a/app/build/postfix/README.md +++ /dev/null @@ -1,18 +0,0 @@ -``` -sudo docker build -t superboum/amd64_postfix:v1 . -``` - -``` -sudo docker run -t -i \ - -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \ - -e MAILNAME="smtp.deuxfleurs.fr" \ - -p 25:25 \ - -p 465:465 \ - -p 587:587 \ - -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \ - -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \ - -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \ - superboum/amd64_postfix:v1 \ - bash -``` - diff --git a/app/build/postfix/entrypoint.sh b/app/build/postfix/entrypoint.sh deleted file mode 100755 index fcf1a66..0000000 --- a/app/build/postfix/entrypoint.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then - cd /root - openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout postfix.key \ - -out postfix.crt - - mkdir -p /etc/ssl/{certs,private}/ - - cp postfix.crt /etc/ssl/certs/postfix.crt - cp postfix.key /etc/ssl/private/postfix.key - chmod 400 /etc/ssl/certs/postfix.crt - chmod 400 /etc/ssl/private/postfix.key -fi - -# A way to map files inside the postfix folder :s -for file in $(ls /etc/postfix-conf); do - cp /etc/postfix-conf/${file} /etc/postfix/${file} -done - -echo ${MAILNAME} > /etc/mailname -postmap /etc/postfix/transport - -exec "$@" diff --git a/app/build/postgres/Dockerfile b/app/build/postgres/Dockerfile deleted file mode 100644 index bb018b8..0000000 --- a/app/build/postgres/Dockerfile +++ /dev/null @@ -1,19 +0,0 @@ -FROM amd64/debian:stretch - -RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \ - apt-get update && \ - apt-get -qq -y full-upgrade && \ - apt-get install -y postgresql-all golang-1.11 git && \ - export GOPATH=/usr/local/go && \ - mkdir -p /usr/local/go/src/github.com/sorintlab && \ - cd /usr/local/go/src/github.com/sorintlab && \ - git clone --depth=1 https://github.com/sorintlab/stolon && \ - ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \ - ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \ - cd ./stolon && \ - ./build && \ - mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \ - rm -rf /usr/local/go - -USER postgres - diff --git a/app/build/postgres/README.md b/app/build/postgres/README.md deleted file mode 100644 index d2f7a12..0000000 --- a/app/build/postgres/README.md +++ /dev/null @@ -1,4 +0,0 @@ -``` -docker build -t superboum/arm32v7_postgres . -docker build -t superboum/amd64_postgres:v2 . -``` diff --git a/app/build/postgres/postgresql.conf b/app/build/postgres/postgresql.conf deleted file mode 100644 index 8e0af2b..0000000 --- a/app/build/postgres/postgresql.conf +++ /dev/null @@ -1,25 +0,0 @@ -data_directory = '/var/lib/postgresql/9.6/main' # use data in another directory -hba_file = '/etc/postgresql/9.6/main/pg_hba.conf' # host-based authentication file -ident_file = '/etc/postgresql/9.6/main/pg_ident.conf' # ident configuration file -external_pid_file = '/var/run/postgresql/9.6-main.pid' # write an extra PID file -listen_addresses = '*' #listen on every ip / interfaces -port = 5432 # (change requires restart) -max_connections = 100 # (change requires restart) -unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories -ssl = true # (change requires restart) -ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart) -ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart) -shared_buffers = 128MB # min 128kB -dynamic_shared_memory_type = posix # the default is the first option -log_line_prefix = '%m [%p] %q%u@%d ' # special values: -log_timezone = 'UTC' -cluster_name = '9.6/main' # added to process titles if nonempty -stats_temp_directory = '/var/run/postgresql/9.6-main.pg_stat_tmp' -datestyle = 'iso, mdy' -timezone = 'UTC' -lc_messages = 'C.UTF-8' # locale for system error message -lc_monetary = 'C.UTF-8' # locale for monetary formatting -lc_numeric = 'C.UTF-8' # locale for number formatting -lc_time = 'C.UTF-8' # locale for time formatting -default_text_search_config = 'pg_catalog.english' - diff --git a/app/build/postgres/start.sh b/app/build/postgres/start.sh deleted file mode 100755 index f1d493f..0000000 --- a/app/build/postgres/start.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -if [ -f /local/pg_hba.conf ]; then - echo "Copying Nomad configuration..." - cp /local/pg_hba.conf /etc/postgresql/9.6/main/ - echo "Done" -fi - - -if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then - echo "Copying base" - cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main - echo "Done" -fi - -chmod -R 700 /var/lib/postgresql/9.6/main -chown -R postgres /var/lib/postgresql/9.6/main - -echo "Starting postgres..." -. /usr/share/postgresql-common/init.d-functions -start 9.6 -tail -f /var/log/postgresql/postgresql-9.6-main.log diff --git a/app/build/riotweb/Dockerfile b/app/build/riotweb/Dockerfile deleted file mode 100644 index c768e87..0000000 --- a/app/build/riotweb/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -FROM amd64/debian:buster as builder - -ARG VERSION -WORKDIR /root - -RUN apt-get update && \ - apt-get install -y wget && \ - wget https://github.com/vector-im/element-web/releases/download/v${VERSION}/element-v${VERSION}.tar.gz && \ - tar xf element-v${VERSION}.tar.gz && \ - mv element-v${VERSION}/ riot/ - -FROM superboum/amd64_webserver:v3 -COPY --from=builder /root/riot /srv/http diff --git a/app/build/seafile/Dockerfile b/app/build/seafile/Dockerfile deleted file mode 100644 index 88dee4f..0000000 --- a/app/build/seafile/Dockerfile +++ /dev/null @@ -1,46 +0,0 @@ -FROM amd64/debian:buster as builder - -ENV VERSION 7.0.5 - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar && \ - wget https://download.seadrive.org/seafile-server_${VERSION}_x86-64.tar.gz -O ./seafile.tar.gz && \ - tar xf ./seafile.tar.gz && \ - mv seafile-server-${VERSION} seafile-server - -FROM amd64/debian:buster - -COPY --from=builder ./seafile-server /srv/webstore/seafile-server - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y \ - python \ - mariadb-client \ - python2.7 \ - libpython2.7 \ - python-setuptools \ - python-ldap \ - python-urllib3 \ - ffmpeg \ - python-pip \ - python-mysqldb \ - python-memcache \ - procps \ - python-requests && \ - pip install Pillow==4.3.0 && \ - pip install moviepy && \ - useradd -u 1000 -d /srv/webstore seauser && \ - chown -R seauser:1000 /srv/webstore/ - -RUN mkdir -p /usr/local/lib/mariadb/plugin/ && \ - ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/mysql_clear_password.so /usr/local/lib/mariadb/plugin/ && \ - ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/dialog.so /usr/local/lib/mariadb/plugin/ - -WORKDIR /srv/webstore/seafile-server -COPY seadocker /usr/local/bin/seadocker -COPY seaenv /usr/local/bin/seaenv - -ENTRYPOINT ["/usr/local/bin/seaenv"] -CMD ["/usr/local/bin/seadocker"] diff --git a/app/build/seafile/README.md b/app/build/seafile/README.md deleted file mode 100644 index 26d04e0..0000000 --- a/app/build/seafile/README.md +++ /dev/null @@ -1,27 +0,0 @@ - -```bash -sudo docker build -t superboum/amd64_seafile:v5 . -``` - -When upgrading, connect on a production server and run: - -```bash -nomad stop seafile -sudo docker build -t superboum/amd64_seafile:v6 . - -sudo docker run -t -i \ - -v /mnt/glusterfs/seafile:/mnt/seafile-data \ - -v /mnt/glusterfs/seaconf/conf:/srv/webstore/conf \ - -v /mnt/glusterfs/seaconf/ccnet:/srv/webstore/ccnet \ - superboum/amd64_seafile:v5 - -# See: -# * https://download.seafile.com/published/seafile-manual/deploy/upgrade.md -# * https://download.seafile.com/published/seafile-manual/changelog/server-changelog.md - - - -nomad start seafile.hcl -``` - -when upgrading, change the command on start diff --git a/app/build/seafile/seadocker b/app/build/seafile/seadocker deleted file mode 100755 index 5b5982b..0000000 --- a/app/build/seafile/seadocker +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -/srv/webstore/seafile-server/seafile.sh start -/srv/webstore/seafile-server/seahub.sh start -tail -f /srv/webstore/logs/* diff --git a/app/build/seafile/seaenv b/app/build/seafile/seaenv deleted file mode 100755 index 3b0e0bb..0000000 --- a/app/build/seafile/seaenv +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -chown seauser /srv/webstore -chown seauser -R /srv/webstore/ccnet -chown seauser -R /srv/webstore/conf - -runuser -u seauser -- "$@" diff --git a/app/build/sogo/Dockerfile b/app/build/sogo/Dockerfile deleted file mode 100644 index 46880dd..0000000 --- a/app/build/sogo/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -#FROM amd64/debian:stretch as builder - -FROM amd64/debian:buster - -RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf - -RUN apt-get update && \ - apt-get install -y apt-transport-https gnupg2 sudo nginx && \ - rm -rf /etc/nginx/sites-enabled/* && \ - apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \ - echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \ - apt-get update && \ - apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client - -COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf -COPY entrypoint /usr/sbin/entrypoint -ENTRYPOINT ["/usr/sbin/entrypoint"] diff --git a/app/build/sogo/README.md b/app/build/sogo/README.md deleted file mode 100644 index ea12245..0000000 --- a/app/build/sogo/README.md +++ /dev/null @@ -1,20 +0,0 @@ -``` -docker build -t superboum/amd64_sogo:v6 . - -# privileged is only for debug -docker run --rm -ti \ - --privileged \ - -p 8080:8080 \ - -v /tmp/sogo/log:/var/log/sogo \ - -v /tmp/sogo/run:/var/run/sogo \ - -v /tmp/sogo/spool:/var/spool/sogo \ - -v /tmp/sogo/tmp:/tmp \ - -v `pwd`/sogo:/etc/sogo:ro \ - superboum/amd64_sogo:v1 -``` - -Password must be url encoded in sogo.conf for postgres -Will need a nginx instance: http://wiki.sogo.nu/nginxSettings - -Might (or might not) be needed: -traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr diff --git a/app/build/sogo/entrypoint b/app/build/sogo/entrypoint deleted file mode 100755 index 8b39def..0000000 --- a/app/build/sogo/entrypoint +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -mkdir -p /var/log/sogo -mkdir -p /var/run/sogo -mkdir -p /var/spool/sogo -chown sogo /var/log/sogo -chown sogo /var/run/sogo -chown sogo /var/spool/sogo - -nginx -g 'daemon on; master_process on;' -sudo -u sogo memcached -d -sudo -u sogo sogod -sleep 10 -tail -n200 -f /var/log/sogo/sogo.log diff --git a/app/build/sogo/sogo.nginx.conf b/app/build/sogo/sogo.nginx.conf deleted file mode 100644 index ad920a5..0000000 --- a/app/build/sogo/sogo.nginx.conf +++ /dev/null @@ -1,83 +0,0 @@ -server { - listen 8080; - server_name default_server; - root /usr/lib/GNUstep/SOGo/WebServerResources/; - - ## requirement to create new calendars in Thunderbird ## - proxy_http_version 1.1; - - # Message size limit - client_max_body_size 50m; - client_body_buffer_size 128k; - - location = / { - rewrite ^ '/SOGo'; - allow all; - } - - location = /principals/ { - rewrite ^ '/SOGo/dav'; - allow all; - } - - location ^~/SOGo { - proxy_pass 'http://127.0.0.1:20000'; - proxy_redirect 'http://127.0.0.1:20000' default; - # forward user's IP address - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header x-webobjects-server-protocol HTTP/1.0; - proxy_set_header x-webobjects-remote-host 127.0.0.1; - proxy_set_header x-webobjects-server-name $server_name; - proxy_set_header x-webobjects-server-url $scheme://$host; - proxy_set_header x-webobjects-server-port $server_port; - proxy_connect_timeout 90; - proxy_send_timeout 90; - proxy_read_timeout 90; - proxy_buffer_size 4k; - proxy_buffers 4 32k; - proxy_busy_buffers_size 64k; - proxy_temp_file_write_size 64k; - break; - } - - location /SOGo.woa/WebServerResources/ { - alias /usr/lib/GNUstep/SOGo/WebServerResources/; - allow all; - expires max; - } - - location /SOGo/WebServerResources/ { - alias /usr/lib/GNUstep/SOGo/WebServerResources/; - allow all; - expires max; - } - - location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) { - alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; - expires max; - } - - location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { - alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; - expires max; - } - - location ^~ /Microsoft-Server-ActiveSync { - access_log /var/log/nginx/activesync.log; - error_log /var/log/nginx/activesync-error.log; - - proxy_connect_timeout 75; - proxy_send_timeout 3600; - proxy_read_timeout 3600; - proxy_buffers 64 256k; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; - proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /; - } -} diff --git a/app/build/static/Dockerfile b/app/build/static/Dockerfile deleted file mode 100644 index cdba59a..0000000 --- a/app/build/static/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM golang:1.11.1-stretch as builder - -COPY ./goStatic /goStatic -WORKDIR /goStatic -RUN CGO_ENABLED=0 go build -a -o web-server . - -FROM scratch -COPY --from=builder /goStatic/web-server / -ENTRYPOINT ["/web-server"] diff --git a/app/build/static/README.md b/app/build/static/README.md deleted file mode 100644 index d50390c..0000000 --- a/app/build/static/README.md +++ /dev/null @@ -1,5 +0,0 @@ - -``` -sudo docker build -t superboum/amd64_webserver:v3 . -sudo docker push superboum/amd64_webserver:v3 -``` diff --git a/app/build/static/goStatic b/app/build/static/goStatic deleted file mode 160000 index 3f97f57..0000000 --- a/app/build/static/goStatic +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 3f97f57aaee09a142afe3ca0f1a5d51acd856436 diff --git a/app/build/webpull/.gitignore b/app/build/webpull/.gitignore deleted file mode 100644 index ba2906d..0000000 --- a/app/build/webpull/.gitignore +++ /dev/null @@ -1 +0,0 @@ -main diff --git a/app/build/webpull/Dockerfile.nodejs b/app/build/webpull/Dockerfile.nodejs deleted file mode 100644 index acc7e74..0000000 --- a/app/build/webpull/Dockerfile.nodejs +++ /dev/null @@ -1,9 +0,0 @@ -FROM node:13.8-buster - -RUN apt-get update && \ - apt-get install -y git - -COPY ./main /srv/httpd -WORKDIR /srv -CMD ["/srv/httpd"] - diff --git a/app/build/webpull/Dockerfile.ruby b/app/build/webpull/Dockerfile.ruby deleted file mode 100644 index 7578cca..0000000 --- a/app/build/webpull/Dockerfile.ruby +++ /dev/null @@ -1,12 +0,0 @@ -FROM fedora:32 - -ENV LC_ALL=C.UTF-8 -ENV LANG=C.UTF-8 -ENV LANGUAGE=en_US.UTF-8 -ENV RUBYOPT --disable-did_you_mean - -RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel - -COPY ./main /srv/httpd -WORKDIR /srv -CMD ["/srv/httpd"] diff --git a/app/build/webpull/README.md b/app/build/webpull/README.md deleted file mode 100644 index 5d17d17..0000000 --- a/app/build/webpull/README.md +++ /dev/null @@ -1,23 +0,0 @@ -# webpull - -Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL - -You need to specify a secret token at boot: - -``` -WEBPULL_TOKEN=s3cr3et ./webpull -``` - -## Node.js version - -``` -go build ./main.go -sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 . -``` - -## Ruby version - -``` -go build ./main.go -sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 . -``` diff --git a/app/build/webpull/main.go b/app/build/webpull/main.go deleted file mode 100644 index 46c90b9..0000000 --- a/app/build/webpull/main.go +++ /dev/null @@ -1,100 +0,0 @@ -package main - -import ( - "fmt" - "errors" - "io" - "os/exec" - "os" - "log" - "net/http" - "strings" -) - -func myexec(w io.Writer, main string, params ...string) error { - cmd := exec.Command(main, params...) - cmd.Stdout = w - cmd.Stderr = w - err := cmd.Run() - if err != nil { - fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " ")) - } - return err -} - -func update(w io.Writer) error { - fmt.Fprintf(w, "Start update...\n") - _, err := os.Stat("./.git") - if err != nil { - fmt.Fprintf(w, ".git folder does not exist, creating it...\n") - err := myexec(w, "git", "init") - if err != nil { - return err - } - } - - err = myexec(w, "git", "remote", "get-url", "origin") - if err != nil { - repo, exists := os.LookupEnv("WEBPULL_REPO") - if !exists { - fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n") - return errors.New("Missing environment variable WEBPULL_REPO") - } - fmt.Fprintf(w, "git remote is not yet set...\n") - err := myexec(w, "git", "remote", "add", "origin", repo) - if err != nil { - return err - } - } - - err = myexec(w, "git", "pull", "origin", "master") - if err != nil { - fmt.Fprintf(w, "Failed to pull...\n") - return err - } - - _, err = os.Stat("./.webpull") - if err != nil { - fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n") - return err - } - - err = myexec(w, "./.webpull") - if err != nil { - fmt.Fprintf(w, "An error occured during script execution\n") - return err - } - - fmt.Fprintf(w, "Success.\n") - return nil -} - -func main() { - token, exists := os.LookupEnv("WEBPULL_TOKEN") - if !exists { - log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined") - } - - if update(os.Stdout) != nil { - log.Fatal("Initial 'update' failed") - } - - fs := http.FileServer(http.Dir("./static")) - http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) { - keys, ok := r.URL.Query()["token"] - if !ok || len(keys[0]) < 1 { - http.Error(w, "Missing 'token' query parameter", 401) - return - } - - if keys[0] != token { - http.Error(w, "Wrong token", 401) - return - } - - update(w) - }) - http.Handle("/", fs) - - log.Fatal(http.ListenAndServe(":8080", nil)) -} diff --git a/app/config/configuration/chat/coturn/turnserver.conf.tpl b/app/config/configuration/chat/coturn/turnserver.conf.tpl deleted file mode 100644 index f867ac0..0000000 --- a/app/config/configuration/chat/coturn/turnserver.conf.tpl +++ /dev/null @@ -1,19 +0,0 @@ -use-auth-secret -static-auth-secret={{ key "secrets/chat/coturn/static-auth" | trimSpace }} -realm=turn.deuxfleurs.fr - -# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. -#no-tcp-relay - -# don't let the relay ever try to connect to private IP address ranges within your network (if any) -# given the turn server is likely behind your firewall, remember to include any privileged public IPs too. -#denied-peer-ip=10.0.0.0-10.255.255.255 -#denied-peer-ip=192.168.0.0-192.168.255.255 -#denied-peer-ip=172.16.0.0-172.31.255.255 - -# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. -user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. -total-quota=1200 - -min-port=49152 -max-port=49252 diff --git a/app/config/configuration/chat/easybridge/config.json.tpl b/app/config/configuration/chat/easybridge/config.json.tpl deleted file mode 100644 index 40ecc44..0000000 --- a/app/config/configuration/chat/easybridge/config.json.tpl +++ /dev/null @@ -1,17 +0,0 @@ -{ - "log_level": "info", - "easybridge_avatar": "/app/easybridge.jpg", - - "web_bind_addr": "0.0.0.0:8281", - "web_url": "https://easybridge.deuxfleurs.fr", - "web_session_key": "{{ key "secrets/chat/easybridge/web_session_key" | trimSpace }}", - - "appservice_bind_addr": "0.0.0.0:8321", - "registration": "/data/registration.yaml", - "homeserver_url": "https://im.deuxfleurs.fr", - "matrix_domain": "deuxfleurs.fr", - "name_format": "{}_ezbr_", - - "db_type": "postgres", - "db_path": "host=psql-proxy.service.2.cluster.deuxfleurs.fr port=5432 user={{ key "secrets/chat/easybridge/db_user" | trimSpace }} dbname=easybridge password={{ key "secrets/chat/easybridge/db_pass" | trimSpace }} sslmode=disable" -} diff --git a/app/config/configuration/chat/easybridge/registration.yaml.tpl b/app/config/configuration/chat/easybridge/registration.yaml.tpl deleted file mode 100644 index ec098fd..0000000 --- a/app/config/configuration/chat/easybridge/registration.yaml.tpl +++ /dev/null @@ -1,14 +0,0 @@ -id: Easybridge -url: http://easybridge-api.service.2.cluster.deuxfleurs.fr:8321 -as_token: {{ key "secrets/chat/easybridge/as_token" | trimSpace }} -hs_token: {{ key "secrets/chat/easybridge/hs_token" | trimSpace }} -sender_localpart: _ezbr_ -rate_limited: false -namespaces: - users: - - exclusive: true - regex: '@.*_ezbr_' - aliases: - - exclusive: true - regex: '#.*_ezbr_' - rooms: [] diff --git a/app/config/configuration/chat/fb2mx/config.yaml b/app/config/configuration/chat/fb2mx/config.yaml deleted file mode 100644 index 964c681..0000000 --- a/app/config/configuration/chat/fb2mx/config.yaml +++ /dev/null @@ -1,133 +0,0 @@ -# Homeserver details -homeserver: - # The address that this appservice can use to connect to the homeserver. - address: https://im.deuxfleurs.fr - # The domain of the homeserver (for MXIDs, etc). - domain: deuxfleurs.fr - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - -# Application service host/registration related details -# Changing these values requires regeneration of the registration. -appservice: - # The address that the homeserver can use to connect to this appservice. - address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 29319 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}' - - # The unique ID of this appservice. - id: facebook - # Username of the appservice bot. - bot_username: facebookbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Facebook bridge bot - bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv - - # Community ID for bridged users (changes registration file) and rooms. - # Must be created manually. - community_id: "+fbusers:deuxfleurs.fr" - - # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. - as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' - hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' - -# Bridge config -bridge: - # Localpart template of MXIDs for Facebook users. - # {userid} is replaced with the user ID of the Facebook user. - username_template: "facebook_{userid}" - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # - # `facebook_{localpart}={server}` is a good value. - community_template: "facebook_{localpart}={server}" - # Displayname template for Facebook users. - # {displayname} is replaced with the display name of the Facebook user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: "{displayname} (FB)" - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!fb" - - # Number of chats to sync (and create portals for) on startup/login. - # Maximum 20, set 0 to disable automatic syncing. - initial_chat_sync: 10 - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Facebook account. - sync_with_custom_puppets: true - # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast - # presence, but then it won't send other users' presence to the client. - presence: true - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - "deuxfleurs.fr": "user" - -# Python logging configuration. -# -# See section 16.7.2 of the Python documentation for more info: -# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema -logging: - version: 1 - formatters: - colored: - (): mautrix_facebook.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: normal - filename: ./mautrix-facebook.log - maxBytes: 10485760 - backupCount: 10 - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: DEBUG - fbchat: - level: DEBUG - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [file, console] diff --git a/app/config/configuration/chat/fb2mx/registration.yaml b/app/config/configuration/chat/fb2mx/registration.yaml deleted file mode 100644 index c3d8c05..0000000 --- a/app/config/configuration/chat/fb2mx/registration.yaml +++ /dev/null @@ -1,11 +0,0 @@ -id: facebook -as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' -hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' -namespaces: - users: - - exclusive: true - regex: '@facebook_.+:deuxfleurs.fr' - group_id: '+fbusers:deuxfleurs.fr' -url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 -sender_localpart: facebookbot -rate_limited: false diff --git a/app/config/configuration/chat/riot_web/config.json b/app/config/configuration/chat/riot_web/config.json deleted file mode 100644 index 9c898f0..0000000 --- a/app/config/configuration/chat/riot_web/config.json +++ /dev/null @@ -1,49 +0,0 @@ -{ - "default_server_config": { - "m.homeserver": { - "base_url": "https://im.deuxfleurs.fr", - "server_name": "deuxfleurs.fr" - }, - "m.identity_server": { - "base_url": "https://vector.im" - } - }, - "disable_custom_urls": false, - "disable_guests": false, - "disable_login_language_selector": false, - "disable_3pid_login": false, - "brand": "Deuxfleurs", - "integrations_ui_url": "https://scalar.vector.im/", - "integrations_rest_url": "https://scalar.vector.im/api", - "integrations_widgets_urls": [ - "https://scalar.vector.im/_matrix/integrations/v1", - "https://scalar.vector.im/api", - "https://scalar-staging.vector.im/_matrix/integrations/v1", - "https://scalar-staging.vector.im/api", - "https://scalar-staging.riot.im/scalar/api" - ], - "bug_report_endpoint_url": "https://element.io/bugreports/submit", - "defaultCountryCode": "FR", - "showLabsSettings": true, - "features": { - "feature_new_spinner": true, - "feature_groups": "labs", - "feature_pinning": "labs" - }, - "default_federate": true, - "default_theme": "light", - "roomDirectory": { - "servers": [ - "deuxfleurs.fr", - "matrix.org", - "tedomum.net", - "zinz.dev" - ] - }, - "settingDefaults": { - "breadcrumbs": true - }, - "jitsi": { - "preferredDomain": "jitsi.deuxfleurs.fr" - } -} diff --git a/app/config/configuration/chat/synapse/conf.d/report_stats.yaml b/app/config/configuration/chat/synapse/conf.d/report_stats.yaml deleted file mode 100644 index cb95cc3..0000000 --- a/app/config/configuration/chat/synapse/conf.d/report_stats.yaml +++ /dev/null @@ -1 +0,0 @@ -report_stats: true diff --git a/app/config/configuration/chat/synapse/conf.d/server_name.yaml b/app/config/configuration/chat/synapse/conf.d/server_name.yaml deleted file mode 100644 index 540ce45..0000000 --- a/app/config/configuration/chat/synapse/conf.d/server_name.yaml +++ /dev/null @@ -1 +0,0 @@ -server_name: deuxfleurs.fr diff --git a/app/config/configuration/chat/synapse/homeserver.yaml b/app/config/configuration/chat/synapse/homeserver.yaml deleted file mode 100644 index 7f313f6..0000000 --- a/app/config/configuration/chat/synapse/homeserver.yaml +++ /dev/null @@ -1,420 +0,0 @@ -# vim:ft=yaml - -server_name: "deuxfleurs.fr" -# PEM encoded X509 certificate for TLS. -# You can replace the self-signed certificate that synapse -# autogenerates on launch with your own SSL certificate + key pair -# if you like. Any required intermediary certificates can be -# appended after the primary certificate in hierarchical order. -tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" - -# PEM encoded private key for TLS -tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" - -# PEM dh parameters for ephemeral keys -tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" - -# Don't bind to the https port -no_tls: True - - -## Server ## - -# When running as a daemon, the file to store the pid in -pid_file: "/var/run/matrix-synapse.pid" - -# Whether to serve a web client from the HTTP/HTTPS root resource. -web_client: False - -# The public-facing base URL for the client API (not including _matrix/...) -public_baseurl: https://im.deuxfleurs.fr/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -soft_file_limit: 0 - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# gc_thresholds: [700, 10, 10] - -# A list of other Home Servers to fetch the public room directory from -# and include in the public room directory of this home server -# This is a temporary stopgap solution to populate new server with a -# list of rooms until there exists a good solution of a decentralized -# room directory. -# secondary_directory_servers: -# - matrix.org -# - vector.im - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -listeners: - # Unsecure HTTP listener, - # For when matrix traffic passes through loadbalancer that unwraps TLS. - - port: 8008 - tls: false - bind_address: '' - type: http - - x_forwarded: false - - resources: - - names: [client] - compress: true - - - port: 8448 - tls: false - bind_address: '' - type: http - - x_forwarded: false - - resources: - - names: [federation] - compress: false - - # Turn on the twisted ssh manhole service on localhost on the given - # port. - # - port: 9000 - # bind_address: 127.0.0.1 - # type: manhole - - -# Database configuration -database: - name: psycopg2 - args: - user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }} - password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} - database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }} - host: psql-proxy.service.2.cluster.deuxfleurs.fr - port: 5432 - cp_min: 5 - cp_max: 10 -# Number of events to cache in memory. -event_cache_size: "10K" - - -# A yaml python logging config file -log_config: "/etc/matrix-synapse/log.yaml" - -# Stop twisted from discarding the stack traces of exceptions in -# deferreds by waiting a reactor tick before running a deferred's -# callbacks. -# full_twisted_stacktraces: true - - -## Ratelimiting ## - -# Number of messages a client can send per second -rc_messages_per_second: 0.2 - -# Number of message a client can send before being throttled -rc_message_burst_count: 10.0 - -# The federation window size in milliseconds -federation_rc_window_size: 1000 - -# The number of federation requests from a single server in a window -# before the server will delay processing the request. -federation_rc_sleep_limit: 10 - -# The duration in milliseconds to delay processing events from -# remote servers by if they go over the sleep limit. -federation_rc_sleep_delay: 500 - -# The maximum number of concurrent federation requests allowed -# from a single server -federation_rc_reject_limit: 50 - -# The number of federation requests to concurrently process from a -# single server -federation_rc_concurrent: 3 - - - -# Directory where uploaded images and attachments are stored. -media_store_path: "/var/lib/matrix-synapse/media" -uploads_path: "/var/lib/matrix-synapse/uploads" - -# The largest allowed upload size in bytes -max_upload_size: "100M" - -# Maximum number of pixels that will be thumbnailed -max_image_pixels: "32M" - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -dynamic_thumbnails: false - -# List of thumbnail to precalculate when an image is uploaded. -thumbnail_sizes: -- width: 32 - height: 32 - method: crop -- width: 96 - height: 96 - method: crop -- width: 320 - height: 240 - method: scale -- width: 640 - height: 480 - method: scale -- width: 800 - height: 600 - method: scale - -# Is the preview URL API enabled? If enabled, you *must* specify -# an explicit url_preview_ip_range_blacklist of IPs that the spider is -# denied from accessing. -url_preview_enabled: True - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' -# -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -# url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -# url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -max_spider_size: "10M" - - - - -## Captcha ## - -# This Home Server's ReCAPTCHA public key. -recaptcha_public_key: "YOUR_PUBLIC_KEY" - -# This Home Server's ReCAPTCHA private key. -recaptcha_private_key: "YOUR_PRIVATE_KEY" - -# Enables ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. -enable_registration_captcha: False - -# A secret key used to bypass the captcha test entirely. -#captcha_bypass_secret: "YOUR_SECRET_HERE" - -# The API endpoint to use for verifying m.login.recaptcha responses. -recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" - - -## Turn ## - -# The public URIs of the TURN server to give to clients -turn_uris: [ "turn:turn.deuxfleurs.fr:3478?transport=udp", "turn:turn.deuxfleurs.fr:3478?transport=tcp" ] - -# The shared secret used to compute passwords for the TURN server -turn_shared_secret: '{{ key "secrets/chat/coturn/static-auth" | trimSpace }}' - -# How long generated TURN credentials last -turn_user_lifetime: "1h" - -turn_allow_guests: True - -## Registration ## - -# Enable registration for new users. -enable_registration: False - -# If set, allows registration by anyone who also has the shared -# secret, even if registration is otherwise disabled. -registration_shared_secret: '{{ key "secrets/chat/synapse/registration_shared_secret" | trimSpace }}' - -# Sets the expiry for the short term user creation in -# milliseconds. For instance the bellow duration is two weeks -# in milliseconds. -user_creation_max_duration: 1209600000 - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number of rounds is 12. -bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -allow_guest_access: True - -# The list of identity servers trusted to verify third party -# identifiers by this server. -trusted_third_party_id_servers: - - matrix.org - - vector.im - - -## Metrics ### - -# Enable collection and rendering of performance metrics -enable_metrics: False - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.name" - - -# A list of application service config file to use -app_service_config_files: - - "/etc/matrix-synapse/easybridge_registration.yaml" - #- "/etc/matrix-synapse/fb2mx_registration.yaml" - - -# macaroon_secret_key: - -# Used to enable access token expiration. -expire_access_token: False - -## Signing Keys ## - -# Path to the signing key to sign messages with -signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. E.g. it has lost its private key -old_signing_keys: {} -# "ed25519:auto": -# # Base64 encoded public key -# key: "The public part of your old signing key." -# # Millisecond POSIX timestamp when the key expired. -# expired_ts: 123456789123 - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -key_refresh_interval: "1d" # 1 Day. - -# The trusted servers to download signing keys from. -perspectives: - servers: - "matrix.org": - verify_keys: - "ed25519:auto": - key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" - - - -# Enable SAML2 for registration and login. Uses pysaml2 -# config_path: Path to the sp_conf.py configuration file -# idp_redirect_url: Identity provider URL which will redirect -# the user back to /login/saml2 with proper info. -# See pysaml2 docs for format of config. -#saml2_config: -# enabled: true -# config_path: "/home/erikj/git/synapse/sp_conf.py" -# idp_redirect_url: "http://test/idp" - - - -# Enable CAS for registration and login. -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homesever.domain.com:8448" -# #required_attributes: -# # name: value - - -# The JWT needs to contain a globally unique "sub" (subject) claim. -# -# jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" - -password_providers: - - module: "ldap_auth_provider.LdapAuthProvider" - config: - enabled: true - uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389" - start_tls: false - bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' - bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' - base: "ou=users,dc=deuxfleurs,dc=fr" - attributes: - uid: "cn" - name: "displayName" - mail: "mail" - -# Enable password for login. -password_config: - enabled: true - -# Enable sending emails for notification events -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 -# notif_from: "Your Friendly %(app)s Home Server " -# app_name: Matrix -# template_dir: res/templates -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# notif_for_new_users: True - -# Key that had to be added after some synapse updates to please matrix developers... -report_stats: false -suppress_key_server_warning: true -enable_group_creation: true diff --git a/app/config/configuration/chat/synapse/log.yaml b/app/config/configuration/chat/synapse/log.yaml deleted file mode 100644 index eb69d8f..0000000 --- a/app/config/configuration/chat/synapse/log.yaml +++ /dev/null @@ -1,41 +0,0 @@ - -version: 1 - -formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' - -filters: - context: - (): synapse.util.logcontext.LoggingContextFilter - request: "" - -handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: precise - filename: /var/log/matrix-synapse/homeserver.log - maxBytes: 10485760 - backupCount: 3 - filters: [context] - level: WARN - console: - class: logging.StreamHandler - formatter: precise - level: WARN - -loggers: - synapse: - level: INFO - - synapse.storage.SQL: - level: INFO - - ldap3: - level: DEBUG - ldap_auth_provider: - level: DEBUG - -root: - level: INFO - handlers: [file, console] diff --git a/app/config/configuration/directory/bottin/config.json b/app/config/configuration/directory/bottin/config.json deleted file mode 100644 index 7867ff0..0000000 --- a/app/config/configuration/directory/bottin/config.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "suffix": "dc=deuxfleurs,dc=fr", - "bind": "0.0.0.0:389", - "consul_host": "http://consul.service.2.cluster.deuxfleurs.fr:8500", - "log_level": "debug", - "acl": [ - "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword", - "*::read modify:SELF:*", - "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", - "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*", - "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:", - "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*", - - "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", - "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*" - ] -} diff --git a/app/config/configuration/directory/guichet/config.json.tpl b/app/config/configuration/directory/guichet/config.json.tpl deleted file mode 100644 index 98e2297..0000000 --- a/app/config/configuration/directory/guichet/config.json.tpl +++ /dev/null @@ -1,30 +0,0 @@ -{ - "http_bind_addr": ":9991", - "ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389", - - "base_dn": "dc=deuxfleurs,dc=fr", - "user_base_dn": "ou=users,dc=deuxfleurs,dc=fr", - "user_name_attr": "cn", - "group_base_dn": "ou=groups,dc=deuxfleurs,dc=fr", - "group_name_attr": "cn", - - "invitation_base_dn": "ou=invitations,dc=deuxfleurs,dc=fr", - "invitation_name_attr": "cn", - "invited_mail_format": "{}@deuxfleurs.fr", - "invited_auto_groups": [ - "cn=email,ou=groups,dc=deuxfleurs,dc=fr", - "cn=seafile,ou=groups,dc=deuxfleurs,dc=fr", - "cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr" - ], - - "web_address": "https://guichet.deuxfleurs.fr", - "mail_from": "coucou@deuxfleurs.fr", - "smtp_server": "adnab.me:25", - "smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}", - "smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}", - - "admin_account": "cn=admin,dc=deuxfleurs,dc=fr", - "group_can_admin": "cn=admin,ou=groups,dc=deuxfleurs,dc=fr", - "group_can_invite": "cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr" -} - diff --git a/app/config/configuration/email/dkim/keytable b/app/config/configuration/email/dkim/keytable deleted file mode 100644 index f4ac7cd..0000000 --- a/app/config/configuration/email/dkim/keytable +++ /dev/null @@ -1 +0,0 @@ -smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private diff --git a/app/config/configuration/email/dkim/signingtable b/app/config/configuration/email/dkim/signingtable deleted file mode 100644 index 60d66ff..0000000 --- a/app/config/configuration/email/dkim/signingtable +++ /dev/null @@ -1,2 +0,0 @@ -*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr -*@dufour.io smtp._domainkey.deuxfleurs.fr diff --git a/app/config/configuration/email/dkim/smtp.private.sample b/app/config/configuration/email/dkim/smtp.private.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/configuration/email/dkim/smtp.txt.sample b/app/config/configuration/email/dkim/smtp.txt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/configuration/email/dkim/trusted b/app/config/configuration/email/dkim/trusted deleted file mode 100644 index a01170d..0000000 --- a/app/config/configuration/email/dkim/trusted +++ /dev/null @@ -1,4 +0,0 @@ -127.0.0.1 -localhost -192.168.1.0/24 -172.16.0.0/12 diff --git a/app/config/configuration/email/dovecot/certs.gen b/app/config/configuration/email/dovecot/certs.gen deleted file mode 100755 index f26e917..0000000 --- a/app/config/configuration/email/dovecot/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout dovecot.key \ - -out dovecot.crt - diff --git a/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl b/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl deleted file mode 100644 index 9fb1ea6..0000000 --- a/app/config/configuration/email/dovecot/dovecot-ldap.conf.tpl +++ /dev/null @@ -1,8 +0,0 @@ -hosts = bottin2.service.2.cluster.deuxfleurs.fr -dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }} -dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }} -base = dc=deuxfleurs,dc=fr -scope = subtree -user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) -pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) -user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/app/config/configuration/email/postfix/certs.gen b/app/config/configuration/email/postfix/certs.gen deleted file mode 100755 index f25439b..0000000 --- a/app/config/configuration/email/postfix/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout postfix.key \ - -out postfix.crt - diff --git a/app/config/configuration/email/postfix/dynamicmaps.cf b/app/config/configuration/email/postfix/dynamicmaps.cf deleted file mode 100644 index 32d8f62..0000000 --- a/app/config/configuration/email/postfix/dynamicmaps.cf +++ /dev/null @@ -1,9 +0,0 @@ -# Postfix dynamic maps configuration file. -# -# The first match found is the one that is used. Wildcards are not supported -# as of postfix 2.0.2 -# -#type location of .so file open function (mkmap func) -#==== ================================ ============= ============ -ldap postfix-ldap.so dict_ldap_open -sqlite postfix-sqlite.so dict_sqlite_open diff --git a/app/config/configuration/email/postfix/header_checks b/app/config/configuration/email/postfix/header_checks deleted file mode 100644 index cad52ec..0000000 --- a/app/config/configuration/email/postfix/header_checks +++ /dev/null @@ -1,3 +0,0 @@ -/^Received:/ IGNORE -/^X-Originating-IP:/ IGNORE -/^X-Mailer:/ IGNORE diff --git a/app/config/configuration/email/postfix/ldap-account.cf.tpl b/app/config/configuration/email/postfix/ldap-account.cf.tpl deleted file mode 100644 index 2575f10..0000000 --- a/app/config/configuration/email/postfix/ldap-account.cf.tpl +++ /dev/null @@ -1,12 +0,0 @@ -bind = yes -bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} -bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} -version = 3 -timeout = 20 -start_tls = no -tls_require_cert = no -server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr -scope = sub -search_base = ou=users,dc=deuxfleurs,dc=fr -query_filter = mail=%s -result_attribute = mail diff --git a/app/config/configuration/email/postfix/ldap-alias.cf.tpl b/app/config/configuration/email/postfix/ldap-alias.cf.tpl deleted file mode 100644 index 775c0ad..0000000 --- a/app/config/configuration/email/postfix/ldap-alias.cf.tpl +++ /dev/null @@ -1,9 +0,0 @@ -server_host = bottin2.service.2.cluster.deuxfleurs.fr -server_port = 389 -search_base = dc=deuxfleurs,dc=fr -query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) -result_attribute = mail -bind = yes -bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} -bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} -version = 3 diff --git a/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl b/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl deleted file mode 100644 index e013953..0000000 --- a/app/config/configuration/email/postfix/ldap-virtual-domains.cf.tpl +++ /dev/null @@ -1,12 +0,0 @@ -bind = yes -bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} -bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} -version = 3 -timeout = 20 -start_tls = no -tls_require_cert = no -server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr -scope = sub -search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr -query_filter = (&(objectclass=dNSDomain)(domain=%s)) -result_attribute = domain diff --git a/app/config/configuration/email/postfix/main.cf b/app/config/configuration/email/postfix/main.cf deleted file mode 100644 index 4204cb4..0000000 --- a/app/config/configuration/email/postfix/main.cf +++ /dev/null @@ -1,104 +0,0 @@ -#=== -# Base configuration -#=== -myhostname = smtp.deuxfleurs.fr -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = smtp.deuxfleurs.fr -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 -mailbox_size_limit = 0 -recipient_delimiter = + -inet_protocols = all -inet_interfaces = all -message_size_limit = 204800000 -smtpd_banner = $myhostname -biff = no -append_dot_mydomain = no -readme_directory = no -compatibility_level = 2 - -#=== -# TLS parameters -#=== -smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt -smtpd_tls_key_file=/etc/ssl/private/postfix.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy -smtp_tls_security_level = may - -#=== -# Remove privacy related content from emails -#=== -mime_header_checks = regexp:/etc/postfix/header_checks -header_checks = regexp:/etc/postfix/header_checks - -#=== -# Handle user authentication (handled by dovecot) -#=== -smtpd_sasl_auth_enable = yes -smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337 -smtpd_sasl_type = dovecot - -#=== -# Restrictions / Checks -#=== -# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists - -# Require a valid HELO -smtpd_helo_required = yes -# As we use the same postfix to send and receive, -# we can't enforce a valid HELO hostname... -#smtpd_helo_restrictions = -# reject_unknown_helo_hostname - -# Require that sender email has a valid domain -smtpd_sender_restrictions = - reject_unknown_sender_domain - -# Delivering email policy -# MyNetwork is required by sogo -smtpd_recipient_restrictions = - permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination - reject_rbl_client zen.spamhaus.org - reject_rhsbl_reverse_client dbl.spamhaus.org - reject_rhsbl_helo dbl.spamhaus.org - reject_rhsbl_sender dbl.spamhaus.org - -# Sending email policy -# MyNetwork is required by sogo -smtpd_relay_restrictions = - permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination - -smtpd_data_restrictions = reject_unauth_pipelining - -smtpd_client_connection_rate_limit = 2 - -#=== -# Rate limiting -#=== -slow_destination_recipient_limit = 20 -slow_destination_concurrency_limit = 2 - -#==== -# Transport configuration -#==== -transport_maps = hash:/etc/postfix/transport -virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf -virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf -virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf -virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24 - -#=== -# Mail filters -#=== -milter_default_action = accept -milter_protocol = 6 -smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 -non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 diff --git a/app/config/configuration/email/postfix/master.cf b/app/config/configuration/email/postfix/master.cf deleted file mode 100644 index 53bc601..0000000 --- a/app/config/configuration/email/postfix/master.cf +++ /dev/null @@ -1,114 +0,0 @@ -# -# Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master"). -# -# Do not forget to execute "postfix reload" after editing this file. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (100) -# ========================================================================== -smtp inet n - n - - smtpd -submission inet n - n - - smtpd - -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -smtps inet n - n - - smtpd - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -slow unix - - n - 5 smtp - -o syslog_name=postfix-slow - -o smtp_destination_concurrency_limit=3 - -o slow_destination_rate_delay=1 - - -#628 inet n - - - - qmqpd -pickup fifo n - n 60 1 pickup -cleanup unix n - n - 0 cleanup -qmgr fifo n - n 300 1 qmgr -#qmgr fifo n - - 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -# When relaying mail as backup MX, disable fallback_relay to avoid MX loops -smtp unix - - n - - smtp -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -relay unix - - n - - smtp - -o smtp_fallback_relay= -showq unix n - n - - showq -error unix - - n - - error -retry unix - - n - - error -discard unix - - n - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil -# -# ==================================================================== -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# -# Many of the following services use the Postfix pipe(8) delivery -# agent. See the pipe(8) man page for information about ${recipient} -# and other message envelope options. -# ==================================================================== -# -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 -# -scache unix - - n - 1 scache -maildrop unix - n n - - pipe - flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} -# -# ==================================================================== -# -# Recent Cyrus versions can use the existing "lmtp" master.cf entry. -# -# Specify in cyrus.conf: -# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 -# -# Specify in main.cf one or more of the following: -# mailbox_transport = lmtp:inet:localhost -# virtual_transport = lmtp:inet:localhost -# -# ==================================================================== -# -# Cyrus 2.1.5 (Amos Gouaux) -# Also specify in main.cf: cyrus_destination_recipient_limit=1 -# -#cyrus unix - n n - - pipe -# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -# -# ==================================================================== -# Old example of delivery via Cyrus. -# -#old-cyrus unix - n n - - pipe -# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} -# -# ==================================================================== -# -# See the Postfix UUCP_README file for configuration details. -# -uucp unix - n n - - pipe - flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -# -# Other external delivery methods. -# -ifmail unix - n n - - pipe - flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -bsmtp unix - n n - - pipe - flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient -scalemail-backend unix - n n - 2 pipe - flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} -mailman unix - n n - - pipe - flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py - ${nexthop} ${user} diff --git a/app/config/configuration/email/postfix/transport b/app/config/configuration/email/postfix/transport deleted file mode 100644 index 68f62c5..0000000 --- a/app/config/configuration/email/postfix/transport +++ /dev/null @@ -1,5 +0,0 @@ -#wanadoo.com slow: -#wanadoo.fr slow: -#orange.com slow: -#orange.fr slow: -#smtp.orange.fr slow: diff --git a/app/config/configuration/email/postfix/transport.db b/app/config/configuration/email/postfix/transport.db deleted file mode 100644 index 487f394..0000000 Binary files a/app/config/configuration/email/postfix/transport.db and /dev/null differ diff --git a/app/config/configuration/email/sogo/sogo.conf.tpl b/app/config/configuration/email/sogo/sogo.conf.tpl deleted file mode 100644 index ab4f8f5..0000000 --- a/app/config/configuration/email/sogo/sogo.conf.tpl +++ /dev/null @@ -1,69 +0,0 @@ -{ - WONoDetach = NO; - WOWorkersCount = 3; - SxVMemLimit = 300; - WOPort = "127.0.0.1:20000"; - SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_user_profile"; - OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_folder_info"; - OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_sessions_folder"; - OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_alarms_folder"; - OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_store"; - OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_acl"; - OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_cache_folder"; - SOGoTimeZone = "Europe/Paris"; - SOGoMailDomain = "deuxfleurs.fr"; - SOGoLanguage = French; - SOGoAppointmentSendEMailNotifications = YES; - SOGoEnablePublicAccess = YES; - SOGoMailingMechanism = smtp; - SOGoSMTPServer = postfix-smtp.service.2.cluster.deuxfleurs.fr; - SOGoSMTPAuthenticationType = PLAIN; - SOGoForceExternalLoginWithEmail = YES; - SOGoIMAPAclConformsToIMAPExt = YES; - SOGoTimeZone = UTC; - SOGoSentFolderName = Sent; - SOGoTrashFolderName = Trash; - SOGoDraftsFolderName = Drafts; - SOGoIMAPServer = "imaps://dovecot-imaps.service.2.cluster.deuxfleurs.fr:993/?tlsVerifyMode=none"; - SOGoSieveServer = "sieve://sieve.service.2.cluster.deuxfleurs.fr:4190/?tls=YES"; - SOGoIMAPAclConformsToIMAPExt = YES; - SOGoVacationEnabled = NO; - SOGoForwardEnabled = NO; - SOGoSieveScriptsEnabled = NO; - SOGoFirstDayOfWeek = 1; - SOGoRefreshViewCheck = every_5_minutes; - SOGoMailAuxiliaryUserAccountsEnabled = NO; - SOGoPasswordChangeEnabled = YES; - SOGoPageTitle = "deuxfleurs.fr"; - SOGoLoginModule = Mail; - SOGoMailAddOutgoingAddresses = YES; - SOGoSelectedAddressBook = autobook; - SOGoMailAuxiliaryUserAccountsEnabled = YES; - SOGoCalendarEventsDefaultClassification = PRIVATE; - SOGoMailReplyPlacement = above; - SOGoMailSignaturePlacement = above; - SOGoMailComposeMessageType = html; - - SOGoLDAPContactInfoAttribute = "displayname"; - - SOGoUserSources = ( - { - type = ldap; - CNFieldName = displayname; - IDFieldName = cn; - UIDFieldName = cn; - MailFieldNames = (mail, mailForwardingAddress); - SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber); - IMAPLoginFieldName = mail; - baseDN = "ou=users,dc=deuxfleurs,dc=fr"; - bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}"; - bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}"; - bindFields = (cn, mail); - canAuthenticate = YES; - displayName = "Bottin"; - hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"; - id = bottin; - isAddressBook = NO; - } - ); -} diff --git a/app/config/configuration/garage/garage.toml b/app/config/configuration/garage/garage.toml deleted file mode 100644 index 4d08cf2..0000000 --- a/app/config/configuration/garage/garage.toml +++ /dev/null @@ -1,30 +0,0 @@ -block_size = 1048576 - -metadata_dir = "/garage/meta" -data_dir = "/garage/data" - -rpc_bind_addr = "[::]:3901" - -consul_host = "consul.service.2.cluster.deuxfleurs.fr:8500" -consul_service_name = "garage-rpc" - -bootstrap_peers = [] - -max_concurrent_rpc_requests = 12 -data_replication_factor = 3 -meta_replication_factor = 3 -meta_epidemic_fanout = 3 - -[rpc_tls] -ca_cert = "/garage/garage-ca.crt" -node_cert = "/garage/garage.crt" -node_key = "/garage/garage.key" - -[s3_api] -s3_region = "garage" -api_bind_addr = "[::]:3900" - -[s3_web] -bind_addr = "[::]:3902" -root_domain = ".web.deuxfleurs.fr" -index = "index.html" diff --git a/app/config/configuration/jitsi/global_env.tpl b/app/config/configuration/jitsi/global_env.tpl deleted file mode 100644 index 836a131..0000000 --- a/app/config/configuration/jitsi/global_env.tpl +++ /dev/null @@ -1,10 +0,0 @@ -JITSI_SECRET_VIDEOBRIDGE={{ key "secrets/jitsi/jitsi_secret_videobridge" }} -JITSI_SECRET_JICOFO_COMPONENT={{ key "secrets/jitsi/jitsi_secret_jicofo_component" }} -JITSI_SECRET_JICOFO_USER={{ key "secrets/jitsi/jitsi_secret_jicofo_user" }} -JITSI_PROSODY_BOSH_PORT={{ env "NOMAD_PORT_bosh_port" }} -JITSI_PROSODY_BOSH_HOST=127.0.0.1 -JITSI_PROSODY_HOST=127.0.0.1 -JITSI_CERTS_FOLDER=/secrets/certs/ -JITSI_NAT_PUBLIC_IP=82.253.205.190 -JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }} -NGINX_PORT={{ env "NOMAD_PORT_https_port" }} diff --git a/app/config/configuration/mariadb/main/env.tpl b/app/config/configuration/mariadb/main/env.tpl deleted file mode 100644 index 0fe903b..0000000 --- a/app/config/configuration/mariadb/main/env.tpl +++ /dev/null @@ -1,6 +0,0 @@ -LDAP_URI = "ldap://bottin2.service.2.cluster.deuxfleurs.fr" -LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr" -LDAP_VERSION = 3 -LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}" -LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}" -MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}" diff --git a/app/config/configuration/nextcloud/config.php.tpl b/app/config/configuration/nextcloud/config.php.tpl deleted file mode 100644 index 7dcfc6e..0000000 --- a/app/config/configuration/nextcloud/config.php.tpl +++ /dev/null @@ -1,49 +0,0 @@ - false, - 'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}', - 'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}', - 'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}', - 'trusted_domains' => array ( - 0 => 'nextcloud.deuxfleurs.fr', - ), - 'memcache.local' => '\\OC\\Memcache\\APCu', - - 'objectstore' => array( - 'class' => '\\OC\\Files\\ObjectStore\\S3', - 'arguments' => array( - 'bucket' => 'nextcloud', - 'autocreate' => false, - 'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}', - 'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}', - 'hostname' => 'garage.deuxfleurs.fr', - 'port' => 443, - 'use_ssl' => true, - 'region' => 'garage', - // required for some non Amazon S3 implementations - 'use_path_style' => true - ), - ), - - 'dbtype' => 'pgsql', - 'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr', - 'dbname' => 'nextcloud', - 'dbtableprefix' => 'nc_', - 'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}', - 'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}', - - 'default_language' => 'fr', - 'default_locale' => 'fr_FR', - - 'mail_domain' => 'deuxfleurs.fr', - 'mail_from_address' => 'nextcloud@deuxfleurs.fr', - // TODO SMTP CONFIG - - // TODO REDIS CACHE - - 'version' => '19.0.0.12', - 'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr', - - 'installed' => true, -); - diff --git a/app/config/configuration/plume/app.env b/app/config/configuration/plume/app.env deleted file mode 100644 index 1c234e7..0000000 --- a/app/config/configuration/plume/app.env +++ /dev/null @@ -1,30 +0,0 @@ -BASE_URL=plume.deuxfleurs.fr -# generate one with openssl rand -base64 32 -ROCKET_SECRET_KEY={{ key "secrets/plume/secret_key" | trimSpace }} - -# Mail settings -#MAIL_SERVER=smtp.example.org -#MAIL_USER=example -#MAIL_PASSWORD=123456 -#MAIL_HELO_NAME=example.org - -# DATABASE SETUP -POSTGRES_PASSWORD={{ key "secrets/plume/pgsql_pw" | trimSpace }} -POSTGRES_USER=plume -POSTGRES_DB=plume -DATABASE_URL=postgres://plume:{{ key "secrets/plume/pgsql_pw" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/plume -MIGRATION_DIRECTORY=migrations/postgres - -USE_HTTPS=0 -ROCKET_ADDRESS=:: -ROCKET_PORT={{ env "NOMAD_PORT_web_port" }} - -MEDIA_UPLOAD_DIRECTORY=/app/static/media -SEARCH_INDEX=/app/search_index - -LDAP_ADDR=ldap://bottin2.service.2.cluster.deuxfleurs.fr:389 -LDAP_BASE_DN=ou=users,dc=deuxfleurs,dc=fr -LDAP_USER_NAME_ATTR=cn -LDAP_USER_MAIL_ATTR=mail -LDAP_TLS=false - diff --git a/app/config/configuration/postgres/keeper/env.tpl b/app/config/configuration/postgres/keeper/env.tpl deleted file mode 100644 index 7831aad..0000000 --- a/app/config/configuration/postgres/keeper/env.tpl +++ /dev/null @@ -1,3 +0,0 @@ -PG_SU_PWD={{ key "secrets/postgres/keeper/pg_su_pwd" | trimSpace }} -PG_REPL_USER={{ key "secrets/postgres/keeper/pg_repl_username" | trimSpace }} -PG_REPL_PWD={{ key "secrets/postgres/keeper/pg_repl_pwd" | trimSpace }} diff --git a/app/config/configuration/seafile/ccnet/mykey.peer.sample b/app/config/configuration/seafile/ccnet/mykey.peer.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/configuration/seafile/ccnet/seafile.ini b/app/config/configuration/seafile/ccnet/seafile.ini deleted file mode 100644 index 306d126..0000000 --- a/app/config/configuration/seafile/ccnet/seafile.ini +++ /dev/null @@ -1 +0,0 @@ -/mnt/seafile-data/ \ No newline at end of file diff --git a/app/config/configuration/seafile/conf/ccnet.conf.tpl b/app/config/configuration/seafile/conf/ccnet.conf.tpl deleted file mode 100644 index 2395a9b..0000000 --- a/app/config/configuration/seafile/conf/ccnet.conf.tpl +++ /dev/null @@ -1,29 +0,0 @@ -[General] -USER_NAME = deuxfleurs -ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }} -NAME = deuxfleurs -SERVICE_URL = https://cloud.deuxfleurs.fr - -[Network] -PORT = 10001 - -[Client] -PORT = 13418 - -[LDAP] -HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/ -BASE = ou=users,dc=deuxfleurs,dc=fr -USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }} -FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr -PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }} -LOGIN_ATTR = mail - -[Database] -ENGINE = mysql -HOST = mariadb.service.2.cluster.deuxfleurs.fr -PORT = 3306 -USER = seafile -PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} -DB = ccnet-db -CONNECTION_CHARSET = utf8 - diff --git a/app/config/configuration/seafile/conf/gunicorn.conf b/app/config/configuration/seafile/conf/gunicorn.conf deleted file mode 100644 index 415fd32..0000000 --- a/app/config/configuration/seafile/conf/gunicorn.conf +++ /dev/null @@ -1,16 +0,0 @@ -import os - -daemon = True -workers = 5 - -# default localhost:8000 -bind = "[::]:8000" - -# Pid -pids_dir = '/srv/webstore/pids' -pidfile = os.path.join(pids_dir, 'seahub.pid') - -# for file upload, we need a longer timeout value (default is only 30s, too short) -timeout = 1200 - -limit_request_line = 8190 diff --git a/app/config/configuration/seafile/conf/mykey.peer.sample b/app/config/configuration/seafile/conf/mykey.peer.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/configuration/seafile/conf/seafdav.conf b/app/config/configuration/seafile/conf/seafdav.conf deleted file mode 100644 index af78547..0000000 --- a/app/config/configuration/seafile/conf/seafdav.conf +++ /dev/null @@ -1,6 +0,0 @@ -[WEBDAV] -host = :: -enabled = true -port = 8084 -fastcgi = false -share_name = /seafdav diff --git a/app/config/configuration/seafile/conf/seafile.conf.tpl b/app/config/configuration/seafile/conf/seafile.conf.tpl deleted file mode 100644 index a6425e9..0000000 --- a/app/config/configuration/seafile/conf/seafile.conf.tpl +++ /dev/null @@ -1,19 +0,0 @@ -[network] -port = 12001 - -[fileserver] -port = 8083 -max_upload_size=8192 -max_download_dir_size=8192 - -[database] -type = mysql -host = mariadb.service.2.cluster.deuxfleurs.fr -port = 3306 -user = seafile -password = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} -db_name = seafile-db -connection_charset = utf8 - -[quota] -default = 50 diff --git a/app/config/configuration/seafile/conf/seahub_settings.py.tpl b/app/config/configuration/seafile/conf/seahub_settings.py.tpl deleted file mode 100644 index 6c63ee4..0000000 --- a/app/config/configuration/seafile/conf/seahub_settings.py.tpl +++ /dev/null @@ -1,21 +0,0 @@ -SECRET_KEY = "8ep+sgi&s1-f2cq2178!ekk!0h0nw2y4z1-olbaopxmodsd8vk" -FILE_SERVER_ROOT = 'https://cloud.deuxfleurs.fr/seafhttp' -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.mysql', - 'NAME': 'seahub-db', - 'USER': 'seafile', - 'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}', - 'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr', - 'PORT': '3306', - 'OPTIONS': { - 'init_command': 'SET storage_engine=INNODB', - } - } -} -FILE_PREVIEW_MAX_SIZE = 100 * 1024 * 1024 -ENABLE_THUMBNAIL = True -THUMBNAIL_ROOT = '/mnt/seafile-data/thumbnail/thumb/' -THUMBNAIL_EXTENSION = 'png' -THUMBNAIL_DEFAULT_SIZE = '24' -PREVIEW_DEFAULT_SIZE = '300' diff --git a/app/config/configuration/traefik/traefik.toml b/app/config/configuration/traefik/traefik.toml deleted file mode 100644 index 4a48fde..0000000 --- a/app/config/configuration/traefik/traefik.toml +++ /dev/null @@ -1,50 +0,0 @@ -InsecureSkipVerify = true -defaultEntryPoints = ["http", "https"] - -[entryPoints] - [entryPoints.admin] - address = ":8082" - - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - entryPoint = "https" - - [entryPoints.https] - address = ":443" - compress = true - [entryPoints.https.tls] - -[ping] -entrypoint = "admin" - -[retry] - -[acme] - email = "quentin@dufour.io" - storage = "traefik/acme/account" - entryPoint = "https" - onHostRule = true - - [acme.httpChallenge] - entryPoint = "http" - -[api] - entryPoint = "admin" - dashboard = true - -[consul] - endpoint = "172.17.0.1:8500" - watch = true - prefix = "traefik" - -[consulCatalog] - endpoint = "172.17.0.1:8500" - prefix = "traefik" - domain = "web.deuxfleurs.fr" - exposedByDefault = false - -[metrics] - [metrics.prometheus] - # -- below is for traefik 1.7 see https://doc.traefik.io/traefik/v1.7/configuration/metrics/ - entryPoint = "admin" diff --git a/app/config/secrets/.gitignore b/app/config/secrets/.gitignore deleted file mode 100644 index 2ff3cd5..0000000 --- a/app/config/secrets/.gitignore +++ /dev/null @@ -1,11 +0,0 @@ -# Blacklist everything cleverly -* -!*/ - -# Whitelist some patterns -!*.sample -!*.gen -!*.sh -!.gitignore - -# Whitelist specific files diff --git a/app/config/secrets/chat/coturn/static-auth.sample b/app/config/secrets/chat/coturn/static-auth.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/fb2mx/as_token.sample b/app/config/secrets/chat/fb2mx/as_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/fb2mx/db_url.sample b/app/config/secrets/chat/fb2mx/db_url.sample deleted file mode 100644 index aff4635..0000000 --- a/app/config/secrets/chat/fb2mx/db_url.sample +++ /dev/null @@ -1 +0,0 @@ -postgres://username:password@hostname/dbname diff --git a/app/config/secrets/chat/fb2mx/hs_token.sample b/app/config/secrets/chat/fb2mx/hs_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/homeserver.tls.crt.sample b/app/config/secrets/chat/synapse/homeserver.tls.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/homeserver.tls.dh.sample b/app/config/secrets/chat/synapse/homeserver.tls.dh.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/homeserver.tls.key.sample b/app/config/secrets/chat/synapse/homeserver.tls.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/ldap_binddn.sample b/app/config/secrets/chat/synapse/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/ldap_bindpw.sample b/app/config/secrets/chat/synapse/ldap_bindpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/postgres_db.sample b/app/config/secrets/chat/synapse/postgres_db.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/postgres_pwd.sample b/app/config/secrets/chat/synapse/postgres_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/postgres_user.sample b/app/config/secrets/chat/synapse/postgres_user.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/chat/synapse/registration_shared_secret.sample b/app/config/secrets/chat/synapse/registration_shared_secret.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/dkim/smtp.private.sample b/app/config/secrets/email/dkim/smtp.private.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/dovecot/dovecot.crt.sample b/app/config/secrets/email/dovecot/dovecot.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/dovecot/dovecot.key.sample b/app/config/secrets/email/dovecot/dovecot.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/dovecot/ldap_binddn.sample b/app/config/secrets/email/dovecot/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/dovecot/ldap_bindpwd.sample b/app/config/secrets/email/dovecot/ldap_bindpwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/postfix/postfix.crt.sample b/app/config/secrets/email/postfix/postfix.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/postfix/postfix.key.sample b/app/config/secrets/email/postfix/postfix.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/sogo/ldap_binddn.sample b/app/config/secrets/email/sogo/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/sogo/ldap_bindpw.sample b/app/config/secrets/email/sogo/ldap_bindpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/email/sogo/postgre_auth.sample b/app/config/secrets/email/sogo/postgre_auth.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample b/app/config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/mariadb/main/ldap_binddn.sample b/app/config/secrets/mariadb/main/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/mariadb/main/ldap_bindpwd.sample b/app/config/secrets/mariadb/main/ldap_bindpwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/mariadb/main/mysql_pwd.sample b/app/config/secrets/mariadb/main/mysql_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/platoo/bddpw.sample b/app/config/secrets/platoo/bddpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/plume/pgsql_pw.sh b/app/config/secrets/plume/pgsql_pw.sh deleted file mode 100755 index 519a30a..0000000 --- a/app/config/secrets/plume/pgsql_pw.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -openssl rand -base64 32 > pgsql_pw diff --git a/app/config/secrets/plume/secret_key.sh b/app/config/secrets/plume/secret_key.sh deleted file mode 100755 index f4bbee5..0000000 --- a/app/config/secrets/plume/secret_key.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -openssl rand -base64 32 > secret_key diff --git a/app/config/secrets/postgres/keeper/pg_repl_pwd.sample b/app/config/secrets/postgres/keeper/pg_repl_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/postgres/keeper/pg_repl_username.sample b/app/config/secrets/postgres/keeper/pg_repl_username.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/postgres/keeper/pg_su_pwd.sample b/app/config/secrets/postgres/keeper/pg_su_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/seafile/conf/mykey.peer.sample b/app/config/secrets/seafile/conf/mykey.peer.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/web/home_token.sample b/app/config/secrets/web/home_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/config/secrets/web/quentin.dufour.io_token.sample b/app/config/secrets/web/quentin.dufour.io_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/core/deploy/core.hcl b/app/core/deploy/core.hcl new file mode 100644 index 0000000..5b17b8e --- /dev/null +++ b/app/core/deploy/core.hcl @@ -0,0 +1,44 @@ +job "core" { + datacenters = ["dc1"] + type = "system" + priority = 90 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + update { + max_parallel = 1 + stagger = "1m" + } + + group "network" { + task "diplonat" { + driver = "docker" + + config { + image = "darkgallium/amd64_diplonat:v2" + network_mode = "host" + readonly_rootfs = true + privileged = true + } + + template { + data = < +Date: Fri, 4 Dec 2020 13:19:24 +0100 +Subject: [PATCH] Skip CA verification + +--- + imap.go | 3 ++- + smtp.go | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/imap.go b/imap.go +index 7554331..1a4931d 100644 +--- a/imap.go ++++ b/imap.go +@@ -3,6 +3,7 @@ package alps + import ( + "fmt" + ++ "crypto/tls" + "github.com/emersion/go-imap" + imapclient "github.com/emersion/go-imap/client" + "github.com/emersion/go-message/charset" +@@ -16,7 +17,7 @@ func (s *Server) dialIMAP() (*imapclient.Client, error) { + var c *imapclient.Client + var err error + if s.imap.tls { +- c, err = imapclient.DialTLS(s.imap.host, nil) ++ c, err = imapclient.DialTLS(s.imap.host, &tls.Config{InsecureSkipVerify: true}) + if err != nil { + return nil, fmt.Errorf("failed to connect to IMAPS server: %v", err) + } +diff --git a/smtp.go b/smtp.go +index 5e178f2..8d22f1d 100644 +--- a/smtp.go ++++ b/smtp.go +@@ -3,6 +3,7 @@ package alps + import ( + "fmt" + ++ "crypto/tls" + "github.com/emersion/go-smtp" + ) + +@@ -14,7 +15,7 @@ func (s *Server) dialSMTP() (*smtp.Client, error) { + var c *smtp.Client + var err error + if s.smtp.tls { +- c, err = smtp.DialTLS(s.smtp.host, nil) ++ c, err = smtp.DialTLS(s.smtp.host, &tls.Config{InsecureSkipVerify: true}) + if err != nil { + return nil, fmt.Errorf("failed to connect to SMTPS server: %v", err) + } +-- +2.28.0 + diff --git a/app/email/build/dovecot/.gitignore b/app/email/build/dovecot/.gitignore new file mode 100644 index 0000000..71a04e2 --- /dev/null +++ b/app/email/build/dovecot/.gitignore @@ -0,0 +1 @@ +dovecot-ldap.conf diff --git a/app/email/build/dovecot/Dockerfile b/app/email/build/dovecot/Dockerfile new file mode 100644 index 0000000..9b87627 --- /dev/null +++ b/app/email/build/dovecot/Dockerfile @@ -0,0 +1,17 @@ +FROM amd64/debian:stretch + +RUN apt-get update && \ + apt-get install -y \ + dovecot-antispam \ + dovecot-core \ + dovecot-imapd \ + dovecot-ldap \ + dovecot-managesieved \ + dovecot-sieve \ + dovecot-lmtpd && \ + rm -rf /etc/dovecot/* +RUN useradd mailstore +COPY ./conf/* /etc/dovecot/ +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app/email/build/dovecot/README.md b/app/email/build/dovecot/README.md new file mode 100644 index 0000000..8c9f372 --- /dev/null +++ b/app/email/build/dovecot/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_dovecot:v2 . +``` + + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \ + -p 993:993 \ + -p 143:143 \ + -p 24:24 \ + -p 1337:1337 \ + -v /mnt/glusterfs/email/ssl:/etc/ssl/ \ + -v /mnt/glusterfs/email/mail:/var/mail \ + -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \ + superboum/amd64_dovecot:v1 \ + dovecot -F +``` diff --git a/app/email/build/dovecot/conf/all_before.sieve b/app/email/build/dovecot/conf/all_before.sieve new file mode 100644 index 0000000..7d2e57e --- /dev/null +++ b/app/email/build/dovecot/conf/all_before.sieve @@ -0,0 +1,5 @@ +require ["fileinto", "mailbox"]; +if header :contains "X-Spam-Flag" "YES" { + fileinto :create "Junk"; +} + diff --git a/app/email/build/dovecot/conf/dovecot-ldap.sample.conf b/app/email/build/dovecot/conf/dovecot-ldap.sample.conf new file mode 100644 index 0000000..472d5e8 --- /dev/null +++ b/app/email/build/dovecot/conf/dovecot-ldap.sample.conf @@ -0,0 +1,8 @@ +hosts = ldap.example.com +dn = cn=admin,dc=example,dc=com +dnpass = s3cr3t +base = dc=example,dc=com +scope = subtree +user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com))) +pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=example,dc=com))) +user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/app/email/build/dovecot/conf/dovecot.conf b/app/email/build/dovecot/conf/dovecot.conf new file mode 100644 index 0000000..0d5068c --- /dev/null +++ b/app/email/build/dovecot/conf/dovecot.conf @@ -0,0 +1,79 @@ +auth_mechanisms = plain login +auth_username_format = %u +log_timestamp = "%Y-%m-%d %H:%M:%S " +mail_location = maildir:/var/mail/%u +mail_privileged_group = mail + +log_path = /dev/stderr +info_log_path = /dev/stdout +debug_log_path = /dev/stdout + +protocols = imap sieve lmtp + +ssl_cert = < /etc/ssl/certs/dovecot.crt +ssl_key = < /etc/ssl/private/dovecot.key + +service auth { + inet_listener { + port = 1337 + } +} + +passdb { + args = /etc/dovecot/dovecot-ldap.conf + driver = ldap +} + +service lmtp { + inet_listener lmtp { + address = 0.0.0.0 + port = 24 + } +} + +service imap-login { + inet_listener imap { + port = 143 + } + inet_listener imaps { + port = 993 + } +} + +userdb { + args = uid=mailstore gid=mailstore home=/var/mail/%u + driver = static +} + +protocol imap { + mail_plugins = $mail_plugins imap_sieve +} + +protocol lda { + auth_socket_path = /var/run/dovecot/auth-master + info_log_path = /var/log/dovecot-deliver.log + log_path = /var/log/dovecot-deliver-errors.log + postmaster_address = postmaster@deuxfleurs.fr + mail_plugins = $mail_plugins sieve +} + +plugin { + sieve = file:~/sieve;active=~/dovecot.sieve + sieve_before = /etc/dovecot/all_before.sieve + + # antispam learn + sieve_plugins = sieve_imapsieve sieve_extprograms + sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment +vnd.dovecot.debug + sieve_pipe_bin_dir = /usr/bin + + imapsieve_mailbox1_name = Junk + imapsieve_mailbox1_causes = COPY FLAG APPEND + imapsieve_mailbox1_before = file:/etc/dovecot/report-spam.sieve + + imapsieve_mailbox2_name = * + imapsieve_mailbox2_from = Spam + imapsieve_mailbox2_causes = COPY APPEND + imapsieve_mailbox2_before = file:/etc/dovecot/report-ham.sieve + +} + diff --git a/app/email/build/dovecot/conf/report-ham.sieve b/app/email/build/dovecot/conf/report-ham.sieve new file mode 100644 index 0000000..c5a994a --- /dev/null +++ b/app/email/build/dovecot/conf/report-ham.sieve @@ -0,0 +1,17 @@ +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"]; + +if environment :matches "imap.mailbox" "*" { + set "mailbox" "${1}"; +} + +if string "${mailbox}" "Trash" { + stop; +} + +if environment :matches "imap.user" "*" { + set "username" "${1}"; +} + +pipe :copy "sa-learn" [ "--ham", "-u", "debian-spamd" ]; +debug_log "ham reported by ${username}"; + diff --git a/app/email/build/dovecot/conf/report-spam.sieve b/app/email/build/dovecot/conf/report-spam.sieve new file mode 100644 index 0000000..1be7389 --- /dev/null +++ b/app/email/build/dovecot/conf/report-spam.sieve @@ -0,0 +1,9 @@ +require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "vnd.dovecot.debug"]; + +if environment :matches "imap.user" "*" { + set "username" "${1}"; +} + +pipe :copy "sa-learn" [ "--spam", "-u", "debian-spamd"]; +debug_log "spam reported by ${username}"; + diff --git a/app/email/build/dovecot/entrypoint.sh b/app/email/build/dovecot/entrypoint.sh new file mode 100755 index 0000000..2165d8f --- /dev/null +++ b/app/email/build/dovecot/entrypoint.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout dovecot.key \ + -out dovecot.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp dovecot.crt /etc/ssl/certs/dovecot.crt + cp dovecot.key /etc/ssl/private/dovecot.key + chmod 400 /etc/ssl/certs/dovecot.crt + chmod 400 /etc/ssl/private/dovecot.key +fi + +if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then + chown -R mailstore /var/mail +fi + +exec "$@" diff --git a/app/email/build/opendkim/Dockerfile b/app/email/build/opendkim/Dockerfile new file mode 100644 index 0000000..70a39e4 --- /dev/null +++ b/app/email/build/opendkim/Dockerfile @@ -0,0 +1,8 @@ +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + apt-get install -y opendkim opendkim-tools + +COPY ./opendkim.conf /etc/opendkim.conf +CMD opendkim -f -v -x /etc/opendkim.conf diff --git a/app/email/build/opendkim/README.md b/app/email/build/opendkim/README.md new file mode 100644 index 0000000..e146125 --- /dev/null +++ b/app/email/build/opendkim/README.md @@ -0,0 +1,12 @@ +``` +sudo docker build -t superboum/amd64_opendkim:v1 . +``` + +``` +sudo docker run -t -i \ + -v `pwd`/conf:/etc/dkim \ + -v /dev/log:/dev/log \ + -p 8999:8999 + superboum/amd64_opendkim:v1 + opendkim -f -v -x /etc/opendkim.conf +``` diff --git a/app/email/build/opendkim/opendkim.conf b/app/email/build/opendkim/opendkim.conf new file mode 100644 index 0000000..0d6465f --- /dev/null +++ b/app/email/build/opendkim/opendkim.conf @@ -0,0 +1,12 @@ +Syslog yes +SyslogSuccess yes +LogWhy yes +UMask 007 +Mode sv +OversignHeaders From +TrustAnchorFile /usr/share/dns/root.key +KeyTable refile:/etc/dkim/keytable +SigningTable refile:/etc/dkim/signingtable +ExternalIgnoreList refile:/etc/dkim/trusted +InternalHosts refile:/etc/dkim/trusted +Socket inet:8999 diff --git a/app/email/build/postfix/Dockerfile b/app/email/build/postfix/Dockerfile new file mode 100644 index 0000000..0c74fdc --- /dev/null +++ b/app/email/build/postfix/Dockerfile @@ -0,0 +1,13 @@ +FROM amd64/debian:buster + +ARG VERSION + +RUN apt-get update && \ + apt-get install -y \ + postfix=$VERSION \ + postfix-ldap + +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] +CMD ["postfix", "start-fg"] diff --git a/app/email/build/postfix/README.md b/app/email/build/postfix/README.md new file mode 100644 index 0000000..ac44fc0 --- /dev/null +++ b/app/email/build/postfix/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_postfix:v1 . +``` + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \ + -e MAILNAME="smtp.deuxfleurs.fr" \ + -p 25:25 \ + -p 465:465 \ + -p 587:587 \ + -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \ + -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \ + -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \ + superboum/amd64_postfix:v1 \ + bash +``` + diff --git a/app/email/build/postfix/entrypoint.sh b/app/email/build/postfix/entrypoint.sh new file mode 100755 index 0000000..fcf1a66 --- /dev/null +++ b/app/email/build/postfix/entrypoint.sh @@ -0,0 +1,31 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp postfix.crt /etc/ssl/certs/postfix.crt + cp postfix.key /etc/ssl/private/postfix.key + chmod 400 /etc/ssl/certs/postfix.crt + chmod 400 /etc/ssl/private/postfix.key +fi + +# A way to map files inside the postfix folder :s +for file in $(ls /etc/postfix-conf); do + cp /etc/postfix-conf/${file} /etc/postfix/${file} +done + +echo ${MAILNAME} > /etc/mailname +postmap /etc/postfix/transport + +exec "$@" diff --git a/app/email/build/sogo/Dockerfile b/app/email/build/sogo/Dockerfile new file mode 100644 index 0000000..46880dd --- /dev/null +++ b/app/email/build/sogo/Dockerfile @@ -0,0 +1,17 @@ +#FROM amd64/debian:stretch as builder + +FROM amd64/debian:buster + +RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf + +RUN apt-get update && \ + apt-get install -y apt-transport-https gnupg2 sudo nginx && \ + rm -rf /etc/nginx/sites-enabled/* && \ + apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \ + echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \ + apt-get update && \ + apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client + +COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf +COPY entrypoint /usr/sbin/entrypoint +ENTRYPOINT ["/usr/sbin/entrypoint"] diff --git a/app/email/build/sogo/README.md b/app/email/build/sogo/README.md new file mode 100644 index 0000000..ea12245 --- /dev/null +++ b/app/email/build/sogo/README.md @@ -0,0 +1,20 @@ +``` +docker build -t superboum/amd64_sogo:v6 . + +# privileged is only for debug +docker run --rm -ti \ + --privileged \ + -p 8080:8080 \ + -v /tmp/sogo/log:/var/log/sogo \ + -v /tmp/sogo/run:/var/run/sogo \ + -v /tmp/sogo/spool:/var/spool/sogo \ + -v /tmp/sogo/tmp:/tmp \ + -v `pwd`/sogo:/etc/sogo:ro \ + superboum/amd64_sogo:v1 +``` + +Password must be url encoded in sogo.conf for postgres +Will need a nginx instance: http://wiki.sogo.nu/nginxSettings + +Might (or might not) be needed: +traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr diff --git a/app/email/build/sogo/entrypoint b/app/email/build/sogo/entrypoint new file mode 100755 index 0000000..8b39def --- /dev/null +++ b/app/email/build/sogo/entrypoint @@ -0,0 +1,13 @@ +#!/bin/bash +mkdir -p /var/log/sogo +mkdir -p /var/run/sogo +mkdir -p /var/spool/sogo +chown sogo /var/log/sogo +chown sogo /var/run/sogo +chown sogo /var/spool/sogo + +nginx -g 'daemon on; master_process on;' +sudo -u sogo memcached -d +sudo -u sogo sogod +sleep 10 +tail -n200 -f /var/log/sogo/sogo.log diff --git a/app/email/build/sogo/sogo.nginx.conf b/app/email/build/sogo/sogo.nginx.conf new file mode 100644 index 0000000..ad920a5 --- /dev/null +++ b/app/email/build/sogo/sogo.nginx.conf @@ -0,0 +1,83 @@ +server { + listen 8080; + server_name default_server; + root /usr/lib/GNUstep/SOGo/WebServerResources/; + + ## requirement to create new calendars in Thunderbird ## + proxy_http_version 1.1; + + # Message size limit + client_max_body_size 50m; + client_body_buffer_size 128k; + + location = / { + rewrite ^ '/SOGo'; + allow all; + } + + location = /principals/ { + rewrite ^ '/SOGo/dav'; + allow all; + } + + location ^~/SOGo { + proxy_pass 'http://127.0.0.1:20000'; + proxy_redirect 'http://127.0.0.1:20000' default; + # forward user's IP address + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header x-webobjects-server-protocol HTTP/1.0; + proxy_set_header x-webobjects-remote-host 127.0.0.1; + proxy_set_header x-webobjects-server-name $server_name; + proxy_set_header x-webobjects-server-url $scheme://$host; + proxy_set_header x-webobjects-server-port $server_port; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffer_size 4k; + proxy_buffers 4 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + break; + } + + location /SOGo.woa/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location /SOGo/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location ^~ /Microsoft-Server-ActiveSync { + access_log /var/log/nginx/activesync.log; + error_log /var/log/nginx/activesync-error.log; + + proxy_connect_timeout 75; + proxy_send_timeout 3600; + proxy_read_timeout 3600; + proxy_buffers 64 256k; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /; + } +} diff --git a/app/email/config/dkim/keytable b/app/email/config/dkim/keytable new file mode 100644 index 0000000..f4ac7cd --- /dev/null +++ b/app/email/config/dkim/keytable @@ -0,0 +1 @@ +smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private diff --git a/app/email/config/dkim/signingtable b/app/email/config/dkim/signingtable new file mode 100644 index 0000000..60d66ff --- /dev/null +++ b/app/email/config/dkim/signingtable @@ -0,0 +1,2 @@ +*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr +*@dufour.io smtp._domainkey.deuxfleurs.fr diff --git a/app/email/config/dkim/smtp.private.sample b/app/email/config/dkim/smtp.private.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/config/dkim/smtp.txt.sample b/app/email/config/dkim/smtp.txt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/config/dkim/trusted b/app/email/config/dkim/trusted new file mode 100644 index 0000000..a01170d --- /dev/null +++ b/app/email/config/dkim/trusted @@ -0,0 +1,4 @@ +127.0.0.1 +localhost +192.168.1.0/24 +172.16.0.0/12 diff --git a/app/email/config/dovecot/certs.gen b/app/email/config/dovecot/certs.gen new file mode 100755 index 0000000..f26e917 --- /dev/null +++ b/app/email/config/dovecot/certs.gen @@ -0,0 +1,13 @@ +#!/bin/bash + +TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" +openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout dovecot.key \ + -out dovecot.crt + diff --git a/app/email/config/dovecot/dovecot-ldap.conf.tpl b/app/email/config/dovecot/dovecot-ldap.conf.tpl new file mode 100644 index 0000000..9fb1ea6 --- /dev/null +++ b/app/email/config/dovecot/dovecot-ldap.conf.tpl @@ -0,0 +1,8 @@ +hosts = bottin2.service.2.cluster.deuxfleurs.fr +dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }} +dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }} +base = dc=deuxfleurs,dc=fr +scope = subtree +user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) +pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) +user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/app/email/config/postfix/certs.gen b/app/email/config/postfix/certs.gen new file mode 100755 index 0000000..f25439b --- /dev/null +++ b/app/email/config/postfix/certs.gen @@ -0,0 +1,13 @@ +#!/bin/bash + +TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" +openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + diff --git a/app/email/config/postfix/dynamicmaps.cf b/app/email/config/postfix/dynamicmaps.cf new file mode 100644 index 0000000..32d8f62 --- /dev/null +++ b/app/email/config/postfix/dynamicmaps.cf @@ -0,0 +1,9 @@ +# Postfix dynamic maps configuration file. +# +# The first match found is the one that is used. Wildcards are not supported +# as of postfix 2.0.2 +# +#type location of .so file open function (mkmap func) +#==== ================================ ============= ============ +ldap postfix-ldap.so dict_ldap_open +sqlite postfix-sqlite.so dict_sqlite_open diff --git a/app/email/config/postfix/header_checks b/app/email/config/postfix/header_checks new file mode 100644 index 0000000..cad52ec --- /dev/null +++ b/app/email/config/postfix/header_checks @@ -0,0 +1,3 @@ +/^Received:/ IGNORE +/^X-Originating-IP:/ IGNORE +/^X-Mailer:/ IGNORE diff --git a/app/email/config/postfix/ldap-account.cf.tpl b/app/email/config/postfix/ldap-account.cf.tpl new file mode 100644 index 0000000..2575f10 --- /dev/null +++ b/app/email/config/postfix/ldap-account.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=users,dc=deuxfleurs,dc=fr +query_filter = mail=%s +result_attribute = mail diff --git a/app/email/config/postfix/ldap-alias.cf.tpl b/app/email/config/postfix/ldap-alias.cf.tpl new file mode 100644 index 0000000..775c0ad --- /dev/null +++ b/app/email/config/postfix/ldap-alias.cf.tpl @@ -0,0 +1,9 @@ +server_host = bottin2.service.2.cluster.deuxfleurs.fr +server_port = 389 +search_base = dc=deuxfleurs,dc=fr +query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) +result_attribute = mail +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 diff --git a/app/email/config/postfix/ldap-virtual-domains.cf.tpl b/app/email/config/postfix/ldap-virtual-domains.cf.tpl new file mode 100644 index 0000000..e013953 --- /dev/null +++ b/app/email/config/postfix/ldap-virtual-domains.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr +query_filter = (&(objectclass=dNSDomain)(domain=%s)) +result_attribute = domain diff --git a/app/email/config/postfix/main.cf b/app/email/config/postfix/main.cf new file mode 100644 index 0000000..4204cb4 --- /dev/null +++ b/app/email/config/postfix/main.cf @@ -0,0 +1,104 @@ +#=== +# Base configuration +#=== +myhostname = smtp.deuxfleurs.fr +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = smtp.deuxfleurs.fr +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_protocols = all +inet_interfaces = all +message_size_limit = 204800000 +smtpd_banner = $myhostname +biff = no +append_dot_mydomain = no +readme_directory = no +compatibility_level = 2 + +#=== +# TLS parameters +#=== +smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt +smtpd_tls_key_file=/etc/ssl/private/postfix.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +smtp_tls_security_level = may + +#=== +# Remove privacy related content from emails +#=== +mime_header_checks = regexp:/etc/postfix/header_checks +header_checks = regexp:/etc/postfix/header_checks + +#=== +# Handle user authentication (handled by dovecot) +#=== +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337 +smtpd_sasl_type = dovecot + +#=== +# Restrictions / Checks +#=== +# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists + +# Require a valid HELO +smtpd_helo_required = yes +# As we use the same postfix to send and receive, +# we can't enforce a valid HELO hostname... +#smtpd_helo_restrictions = +# reject_unknown_helo_hostname + +# Require that sender email has a valid domain +smtpd_sender_restrictions = + reject_unknown_sender_domain + +# Delivering email policy +# MyNetwork is required by sogo +smtpd_recipient_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + reject_rbl_client zen.spamhaus.org + reject_rhsbl_reverse_client dbl.spamhaus.org + reject_rhsbl_helo dbl.spamhaus.org + reject_rhsbl_sender dbl.spamhaus.org + +# Sending email policy +# MyNetwork is required by sogo +smtpd_relay_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + +smtpd_data_restrictions = reject_unauth_pipelining + +smtpd_client_connection_rate_limit = 2 + +#=== +# Rate limiting +#=== +slow_destination_recipient_limit = 20 +slow_destination_concurrency_limit = 2 + +#==== +# Transport configuration +#==== +transport_maps = hash:/etc/postfix/transport +virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf +virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf +virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf +virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24 + +#=== +# Mail filters +#=== +milter_default_action = accept +milter_protocol = 6 +smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 +non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 diff --git a/app/email/config/postfix/master.cf b/app/email/config/postfix/master.cf new file mode 100644 index 0000000..53bc601 --- /dev/null +++ b/app/email/config/postfix/master.cf @@ -0,0 +1,114 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - n - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +slow unix - - n - 5 smtp + -o syslog_name=postfix-slow + -o smtp_destination_concurrency_limit=3 + -o slow_destination_rate_delay=1 + + +#628 inet n - - - - qmqpd +pickup fifo n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +smtp unix - - n - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +relay unix - - n - - smtp + -o smtp_fallback_relay= +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +scache unix - - n - 1 scache +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} diff --git a/app/email/config/postfix/transport b/app/email/config/postfix/transport new file mode 100644 index 0000000..68f62c5 --- /dev/null +++ b/app/email/config/postfix/transport @@ -0,0 +1,5 @@ +#wanadoo.com slow: +#wanadoo.fr slow: +#orange.com slow: +#orange.fr slow: +#smtp.orange.fr slow: diff --git a/app/email/config/postfix/transport.db b/app/email/config/postfix/transport.db new file mode 100644 index 0000000..487f394 Binary files /dev/null and b/app/email/config/postfix/transport.db differ diff --git a/app/email/config/sogo/sogo.conf.tpl b/app/email/config/sogo/sogo.conf.tpl new file mode 100644 index 0000000..ab4f8f5 --- /dev/null +++ b/app/email/config/sogo/sogo.conf.tpl @@ -0,0 +1,69 @@ +{ + WONoDetach = NO; + WOWorkersCount = 3; + SxVMemLimit = 300; + WOPort = "127.0.0.1:20000"; + SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_user_profile"; + OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_sessions_folder"; + OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_alarms_folder"; + OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_store"; + OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_acl"; + OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_cache_folder"; + SOGoTimeZone = "Europe/Paris"; + SOGoMailDomain = "deuxfleurs.fr"; + SOGoLanguage = French; + SOGoAppointmentSendEMailNotifications = YES; + SOGoEnablePublicAccess = YES; + SOGoMailingMechanism = smtp; + SOGoSMTPServer = postfix-smtp.service.2.cluster.deuxfleurs.fr; + SOGoSMTPAuthenticationType = PLAIN; + SOGoForceExternalLoginWithEmail = YES; + SOGoIMAPAclConformsToIMAPExt = YES; + SOGoTimeZone = UTC; + SOGoSentFolderName = Sent; + SOGoTrashFolderName = Trash; + SOGoDraftsFolderName = Drafts; + SOGoIMAPServer = "imaps://dovecot-imaps.service.2.cluster.deuxfleurs.fr:993/?tlsVerifyMode=none"; + SOGoSieveServer = "sieve://sieve.service.2.cluster.deuxfleurs.fr:4190/?tls=YES"; + SOGoIMAPAclConformsToIMAPExt = YES; + SOGoVacationEnabled = NO; + SOGoForwardEnabled = NO; + SOGoSieveScriptsEnabled = NO; + SOGoFirstDayOfWeek = 1; + SOGoRefreshViewCheck = every_5_minutes; + SOGoMailAuxiliaryUserAccountsEnabled = NO; + SOGoPasswordChangeEnabled = YES; + SOGoPageTitle = "deuxfleurs.fr"; + SOGoLoginModule = Mail; + SOGoMailAddOutgoingAddresses = YES; + SOGoSelectedAddressBook = autobook; + SOGoMailAuxiliaryUserAccountsEnabled = YES; + SOGoCalendarEventsDefaultClassification = PRIVATE; + SOGoMailReplyPlacement = above; + SOGoMailSignaturePlacement = above; + SOGoMailComposeMessageType = html; + + SOGoLDAPContactInfoAttribute = "displayname"; + + SOGoUserSources = ( + { + type = ldap; + CNFieldName = displayname; + IDFieldName = cn; + UIDFieldName = cn; + MailFieldNames = (mail, mailForwardingAddress); + SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber); + IMAPLoginFieldName = mail; + baseDN = "ou=users,dc=deuxfleurs,dc=fr"; + bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}"; + bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}"; + bindFields = (cn, mail); + canAuthenticate = YES; + displayName = "Bottin"; + hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"; + id = bottin; + isAddressBook = NO; + } + ); +} diff --git a/app/email/deploy/email.hcl b/app/email/deploy/email.hcl new file mode 100644 index 0000000..bef7268 --- /dev/null +++ b/app/email/deploy/email.hcl @@ -0,0 +1,487 @@ +job "email" { + datacenters = ["dc1"] + type = "service" + priority = 65 + + group "dovecot" { + count = 1 + + network { + port "zauthentication_port" { + static = 1337 + to = 1337 + } + port "imaps_port" { + static = 993 + to = 993 + } + port "imap_port" { + static = 143 + to = 143 + } + port "lmtp_port" { + static = 24 + to = 24 + } + } + + task "server" { + driver = "docker" + + config { + image = "superboum/amd64_dovecot:v2" + readonly_rootfs = false + ports = [ "zauthentication_port", "imaps_port", "imap_port", "lmtp_port" ] + command = "dovecot" + args = [ "-F" ] + volumes = [ + "secrets/ssl/certs:/etc/ssl/certs", + "secrets/ssl/private:/etc/ssl/private", + "secrets/conf/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf", + "/mnt/glusterfs/email/mail:/var/mail/", + ] + } + + env { + TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" + } + + resources { + cpu = 100 + memory = 200 + } + + service { + name = "dovecot-imap" + port = "imap_port" + tags = [ + "dovecot" + ] + check { + type = "tcp" + port = "imap_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "dovecot-imaps" + port = "imaps_port" + tags = [ + "dovecot", + "(diplonat (tcp_port 993))" + ] + + check { + type = "tcp" + port = "imaps_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "dovecot-lmtp" + port = "lmtp_port" + tags = [ + "dovecot", + ] + + check { + type = "tcp" + port = "lmtp_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "dovecot-auth" + port = "zauthentication_port" + tags = [ + "dovecot", + ] + check { + type = "tcp" + port = "zauthentication_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + template { + data = file("../config/dovecot/dovecot-ldap.conf.tpl") + destination = "secrets/conf/dovecot-ldap.conf" + perms = "400" + } + + # ----- secrets ------ + template { + data = "{{ key \"secrets/email/dovecot/dovecot.crt\" }}" + destination = "secrets/ssl/certs/dovecot.crt" + perms = "400" + } + template { + data = "{{ key \"secrets/email/dovecot/dovecot.key\" }}" + destination = "secrets/ssl/private/dovecot.key" + perms = "400" + } + } + } + + group "opendkim" { + count = 1 + + network { + port "dkim_port" { + static = 8999 + to = 8999 + } + } + + task "server" { + driver = "docker" + config { + image = "superboum/amd64_opendkim:v1" + readonly_rootfs = false + ports = [ "dkim_port" ] + command = "opendkim" + args = [ "-f", "-v", "-x", "/etc/opendkim.conf" ] + volumes = [ + "secrets/dkim:/etc/dkim", + "/dev/log:/dev/log", + ] + } + + resources { + cpu = 100 + memory = 50 + } + + service { + name = "opendkim" + port = "dkim_port" + address_mode = "host" + tags = [ + "opendkim", + ] + check { + type = "tcp" + port = "dkim_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + template { + data = file("../config/dkim/keytable") + destination = "secrets/dkim/keytable" + } + template { + data = file("../config/dkim/signingtable") + destination = "secrets/dkim/signingtable" + } + template { + data = file("../config/dkim/trusted") + destination = "secrets/dkim/trusted" + } + + # --- secrets --- + template { + data = "{{ key \"secrets/email/dkim/smtp.private\" }}" + destination = "secrets/dkim/smtp.private" + perms = "600" + } + } + } + + group "postfix" { + count = 1 + + network { + port "smtp_port" { + static = 25 + to = 25 + } + port "smtps_port" { + static = 465 + to = 465 + } + port "submission_port" { + static = 587 + to = 587 + } + } + + task "server" { + driver = "docker" + config { + image = "superboum/amd64_postfix:v3" + readonly_rootfs = false + ports = [ "smtp_port", "smtps_port", "submission_port" ] + command = "postfix" + args = [ "start-fg" ] + volumes = [ + "secrets/ssl/certs:/etc/ssl/certs", + "secrets/ssl/private:/etc/ssl/private", + "secrets/postfix:/etc/postfix-conf", + "/dev/log:/dev/log" + ] + } + + env { + TLSINFO = "/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" + MAILNAME = "smtp.deuxfleurs.fr" + } + + resources { + cpu = 100 + memory = 200 + } + + service { + name = "postfix-smtp" + port = "smtp_port" + address_mode = "host" + tags = [ + "postfix", + "(diplonat (tcp_port 25 465 587))" + ] + check { + type = "tcp" + port = "smtp_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "postfix-smtps" + port = "smtps_port" + address_mode = "host" + tags = [ + "postfix", + ] + + check { + type = "tcp" + port = "smtps_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "postfix-submission" + port = "submission_port" + address_mode = "host" + tags = [ + "postfix", + ] + + check { + type = "tcp" + port = "submission_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + template { + data = file("../config/postfix/ldap-account.cf.tpl") + destination = "secrets/postfix/ldap-account.cf" + } + + template { + data = file("../config/postfix/ldap-alias.cf.tpl") + destination = "secrets/postfix/ldap-alias.cf" + } + + template { + data = file("../config/postfix/ldap-virtual-domains.cf.tpl") + destination = "secrets/postfix/ldap-virtual-domains.cf" + } + + template { + data = file("../config/postfix/dynamicmaps.cf") + destination = "secrets/postfix/dynamicmaps.cf" + } + + template { + data = file("../config/postfix/header_checks") + destination = "secrets/postfix/header_checks" + } + + template { + data = file("../config/postfix/main.cf") + destination = "secrets/postfix/main.cf" + } + + template { + data = file("../config/postfix/master.cf") + destination = "secrets/postfix/master.cf" + } + + template { + data = file("../config/postfix/transport") + destination = "secrets/postfix/transport" + } + + # --- secrets --- + template { + data = "{{ key \"secrets/email/postfix/postfix.crt\" }}" + destination = "secrets/ssl/certs/postfix.crt" + perms = "400" + } + + template { + data = "{{ key \"secrets/email/postfix/postfix.key\" }}" + destination = "secrets/ssl/private/postfix.key" + perms = "400" + } + } + } + + group "alps" { + count = 1 + + network { + port "alps_web_port" { to = 1323 } + } + + task "main" { + driver = "docker" + config { + image = "superboum/amd64_alps:v1" + readonly_rootfs = true + ports = [ "alps_web_port" ] + command = "-theme" + args = [ "alps", "imaps://imap.deuxfleurs.fr:993", "smtps://smtp.deuxfleurs.fr:465" ] + } + + resources { + cpu = 50 + memory = 40 + } + + service { + name = "alps" + port = "alps_web_port" + address_mode = "host" + tags = [ + "alps", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:alps.deuxfleurs.fr" + ] + check { + type = "tcp" + port = "alps_web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "5m" + ignore_warnings = false + } + } + } + } + } + + + group "sogo" { + count = 1 + + network { + port "sogo_web_port" { to = 8080 } + } + + task "bundle" { + driver = "docker" + config { + image = "superboum/amd64_sogo:v7" + readonly_rootfs = false + ports = [ "sogo_web_port" ] + volumes = [ + "secrets/sogo.conf:/etc/sogo/sogo.conf", + ] + } + + template { + data = file("../config/sogo/sogo.conf.tpl") + destination = "secrets/sogo.conf" + } + + resources { + cpu = 200 + memory = 1000 + } + + service { + name = "sogo" + port = "sogo_web_port" + address_mode = "host" + tags = [ + "sogo", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:www.sogo.deuxfleurs.fr,sogo.deuxfleurs.fr;PathPrefix:/" + ] + check { + type = "tcp" + port = "sogo_web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "5m" + ignore_warnings = false + } + } + } + + } + } +} diff --git a/app/email/secrets/email/dkim/smtp.private.sample b/app/email/secrets/email/dkim/smtp.private.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/dovecot/dovecot.crt.sample b/app/email/secrets/email/dovecot/dovecot.crt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/dovecot/dovecot.key.sample b/app/email/secrets/email/dovecot/dovecot.key.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/dovecot/ldap_binddn.sample b/app/email/secrets/email/dovecot/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/dovecot/ldap_bindpwd.sample b/app/email/secrets/email/dovecot/ldap_bindpwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/postfix/postfix.crt.sample b/app/email/secrets/email/postfix/postfix.crt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/postfix/postfix.key.sample b/app/email/secrets/email/postfix/postfix.key.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/sogo/ldap_binddn.sample b/app/email/secrets/email/sogo/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/sogo/ldap_bindpw.sample b/app/email/secrets/email/sogo/ldap_bindpw.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/email/secrets/email/sogo/postgre_auth.sample b/app/email/secrets/email/sogo/postgre_auth.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/garage/config/garage.toml b/app/garage/config/garage.toml new file mode 100644 index 0000000..4d08cf2 --- /dev/null +++ b/app/garage/config/garage.toml @@ -0,0 +1,30 @@ +block_size = 1048576 + +metadata_dir = "/garage/meta" +data_dir = "/garage/data" + +rpc_bind_addr = "[::]:3901" + +consul_host = "consul.service.2.cluster.deuxfleurs.fr:8500" +consul_service_name = "garage-rpc" + +bootstrap_peers = [] + +max_concurrent_rpc_requests = 12 +data_replication_factor = 3 +meta_replication_factor = 3 +meta_epidemic_fanout = 3 + +[rpc_tls] +ca_cert = "/garage/garage-ca.crt" +node_cert = "/garage/garage.crt" +node_key = "/garage/garage.key" + +[s3_api] +s3_region = "garage" +api_bind_addr = "[::]:3900" + +[s3_web] +bind_addr = "[::]:3902" +root_domain = ".web.deuxfleurs.fr" +index = "index.html" diff --git a/app/garage/deploy/garage.hcl b/app/garage/deploy/garage.hcl new file mode 100644 index 0000000..1be68aa --- /dev/null +++ b/app/garage/deploy/garage.hcl @@ -0,0 +1,102 @@ +job "garage" { + datacenters = ["dc1", "belair", "saturne"] + type = "system" + priority = 40 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "garage" { + network { + port "s3" { static = 3900 } + port "rpc" { static = 3901 } + port "web" { static = 3902 } + } + + task "server" { + driver = "docker" + config { + advertise_ipv6_address = true + image = "lxpz/garage_amd64:v0.1.1b" + network_mode = "host" + volumes = [ + "/mnt/storage/garage/data:/garage/data", + "/mnt/ssd/garage/meta:/garage/meta", + "secrets/garage.toml:/garage/config.toml", + "secrets/garage-ca.crt:/garage/garage-ca.crt", + "secrets/garage.crt:/garage/garage.crt", + "secrets/garage.key:/garage/garage.key", + ] + } + + template { + data = file("../config/garage.toml") + destination = "secrets/garage.toml" + } + + # --- secrets --- + template { + data = "{{ key \"secrets/garage/garage-ca.crt\" }}" + destination = "secrets/garage-ca.crt" + } + template { + data = "{{ key \"secrets/garage/garage.crt\" }}" + destination = "secrets/garage.crt" + } + template { + data = "{{ key \"secrets/garage/garage.key\" }}" + destination = "secrets/garage.key" + } + + resources { + memory = 500 + cpu = 1000 + } + + service { + tags = [ + "garage_api", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:garage.deuxfleurs.fr" + ] + port = 3900 + address_mode = "driver" + name = "garage-api" + check { + type = "tcp" + port = 3900 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + tags = ["garage-rpc"] + port = 3901 + address_mode = "driver" + name = "garage-rpc" + check { + type = "tcp" + port = 3901 + address_mode = "driver" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} diff --git a/app/im/build/matrix-synapse/Dockerfile b/app/im/build/matrix-synapse/Dockerfile new file mode 100644 index 0000000..b8480d5 --- /dev/null +++ b/app/im/build/matrix-synapse/Dockerfile @@ -0,0 +1,47 @@ +FROM amd64/debian:buster as builder + +ARG VERSION +RUN apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y \ + python3 \ + python3-pip \ + python3-dev \ + python3-setuptools \ + libffi-dev \ + build-essential \ + libssl-dev \ + libjpeg-dev \ + libjpeg62-turbo-dev \ + libxml2-dev \ + zlib1g-dev \ + # postgresql-dev \ + libpq-dev \ + virtualenv \ + libxslt1-dev && \ + virtualenv /root/matrix-env -p /usr/bin/python3 && \ + . /root/matrix-env/bin/activate && \ + pip3 install \ + https://github.com/matrix-org/synapse/archive/v${VERSION}.tar.gz#egg=matrix-synapse[matrix-synapse-ldap3,postgres,resources.consent,saml2,url_preview] + +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y \ + python3 \ + python3-distutils \ + libffi6 \ + libjpeg62-turbo \ + libssl1.1 \ + libxslt1.1 \ + libpq5 \ + zlib1g \ + libjemalloc2 \ + ca-certificates + +ENV LD_PRELOAD /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 +COPY --from=builder /root/matrix-env /root/matrix-env +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app/im/build/matrix-synapse/entrypoint.sh b/app/im/build/matrix-synapse/entrypoint.sh new file mode 100755 index 0000000..b93a702 --- /dev/null +++ b/app/im/build/matrix-synapse/entrypoint.sh @@ -0,0 +1,3 @@ +#!/bin/sh +. /root/matrix-env/bin/activate +exec "$@" diff --git a/app/im/build/riotweb/Dockerfile b/app/im/build/riotweb/Dockerfile new file mode 100644 index 0000000..c768e87 --- /dev/null +++ b/app/im/build/riotweb/Dockerfile @@ -0,0 +1,13 @@ +FROM amd64/debian:buster as builder + +ARG VERSION +WORKDIR /root + +RUN apt-get update && \ + apt-get install -y wget && \ + wget https://github.com/vector-im/element-web/releases/download/v${VERSION}/element-v${VERSION}.tar.gz && \ + tar xf element-v${VERSION}.tar.gz && \ + mv element-v${VERSION}/ riot/ + +FROM superboum/amd64_webserver:v3 +COPY --from=builder /root/riot /srv/http diff --git a/app/im/config/coturn/turnserver.conf.tpl b/app/im/config/coturn/turnserver.conf.tpl new file mode 100644 index 0000000..f867ac0 --- /dev/null +++ b/app/im/config/coturn/turnserver.conf.tpl @@ -0,0 +1,19 @@ +use-auth-secret +static-auth-secret={{ key "secrets/chat/coturn/static-auth" | trimSpace }} +realm=turn.deuxfleurs.fr + +# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. +#no-tcp-relay + +# don't let the relay ever try to connect to private IP address ranges within your network (if any) +# given the turn server is likely behind your firewall, remember to include any privileged public IPs too. +#denied-peer-ip=10.0.0.0-10.255.255.255 +#denied-peer-ip=192.168.0.0-192.168.255.255 +#denied-peer-ip=172.16.0.0-172.31.255.255 + +# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. +user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. +total-quota=1200 + +min-port=49152 +max-port=49252 diff --git a/app/im/config/easybridge/config.json.tpl b/app/im/config/easybridge/config.json.tpl new file mode 100644 index 0000000..40ecc44 --- /dev/null +++ b/app/im/config/easybridge/config.json.tpl @@ -0,0 +1,17 @@ +{ + "log_level": "info", + "easybridge_avatar": "/app/easybridge.jpg", + + "web_bind_addr": "0.0.0.0:8281", + "web_url": "https://easybridge.deuxfleurs.fr", + "web_session_key": "{{ key "secrets/chat/easybridge/web_session_key" | trimSpace }}", + + "appservice_bind_addr": "0.0.0.0:8321", + "registration": "/data/registration.yaml", + "homeserver_url": "https://im.deuxfleurs.fr", + "matrix_domain": "deuxfleurs.fr", + "name_format": "{}_ezbr_", + + "db_type": "postgres", + "db_path": "host=psql-proxy.service.2.cluster.deuxfleurs.fr port=5432 user={{ key "secrets/chat/easybridge/db_user" | trimSpace }} dbname=easybridge password={{ key "secrets/chat/easybridge/db_pass" | trimSpace }} sslmode=disable" +} diff --git a/app/im/config/easybridge/registration.yaml.tpl b/app/im/config/easybridge/registration.yaml.tpl new file mode 100644 index 0000000..ec098fd --- /dev/null +++ b/app/im/config/easybridge/registration.yaml.tpl @@ -0,0 +1,14 @@ +id: Easybridge +url: http://easybridge-api.service.2.cluster.deuxfleurs.fr:8321 +as_token: {{ key "secrets/chat/easybridge/as_token" | trimSpace }} +hs_token: {{ key "secrets/chat/easybridge/hs_token" | trimSpace }} +sender_localpart: _ezbr_ +rate_limited: false +namespaces: + users: + - exclusive: true + regex: '@.*_ezbr_' + aliases: + - exclusive: true + regex: '#.*_ezbr_' + rooms: [] diff --git a/app/im/config/fb2mx/config.yaml b/app/im/config/fb2mx/config.yaml new file mode 100644 index 0000000..964c681 --- /dev/null +++ b/app/im/config/fb2mx/config.yaml @@ -0,0 +1,133 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: https://im.deuxfleurs.fr + # The domain of the homeserver (for MXIDs, etc). + domain: deuxfleurs.fr + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29319 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}' + + # The unique ID of this appservice. + id: facebook + # Username of the appservice bot. + bot_username: facebookbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Facebook bridge bot + bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv + + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + community_id: "+fbusers:deuxfleurs.fr" + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' + hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' + +# Bridge config +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: "facebook_{userid}" + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + # {localpart} is the MXID localpart and {server} is the MXID server part of the user. + # + # `facebook_{localpart}={server}` is a good value. + community_template: "facebook_{localpart}={server}" + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: "{displayname} (FB)" + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!fb" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Facebook account. + sync_with_custom_puppets: true + # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast + # presence, but then it won't send other users' presence to the client. + presence: true + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "deuxfleurs.fr": "user" + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: normal + filename: ./mautrix-facebook.log + maxBytes: 10485760 + backupCount: 10 + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + fbchat: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [file, console] diff --git a/app/im/config/fb2mx/registration.yaml b/app/im/config/fb2mx/registration.yaml new file mode 100644 index 0000000..c3d8c05 --- /dev/null +++ b/app/im/config/fb2mx/registration.yaml @@ -0,0 +1,11 @@ +id: facebook +as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' +hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' +namespaces: + users: + - exclusive: true + regex: '@facebook_.+:deuxfleurs.fr' + group_id: '+fbusers:deuxfleurs.fr' +url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 +sender_localpart: facebookbot +rate_limited: false diff --git a/app/im/config/riot_web/config.json b/app/im/config/riot_web/config.json new file mode 100644 index 0000000..9c898f0 --- /dev/null +++ b/app/im/config/riot_web/config.json @@ -0,0 +1,49 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://im.deuxfleurs.fr", + "server_name": "deuxfleurs.fr" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Deuxfleurs", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "bug_report_endpoint_url": "https://element.io/bugreports/submit", + "defaultCountryCode": "FR", + "showLabsSettings": true, + "features": { + "feature_new_spinner": true, + "feature_groups": "labs", + "feature_pinning": "labs" + }, + "default_federate": true, + "default_theme": "light", + "roomDirectory": { + "servers": [ + "deuxfleurs.fr", + "matrix.org", + "tedomum.net", + "zinz.dev" + ] + }, + "settingDefaults": { + "breadcrumbs": true + }, + "jitsi": { + "preferredDomain": "jitsi.deuxfleurs.fr" + } +} diff --git a/app/im/config/synapse/conf.d/report_stats.yaml b/app/im/config/synapse/conf.d/report_stats.yaml new file mode 100644 index 0000000..cb95cc3 --- /dev/null +++ b/app/im/config/synapse/conf.d/report_stats.yaml @@ -0,0 +1 @@ +report_stats: true diff --git a/app/im/config/synapse/conf.d/server_name.yaml b/app/im/config/synapse/conf.d/server_name.yaml new file mode 100644 index 0000000..540ce45 --- /dev/null +++ b/app/im/config/synapse/conf.d/server_name.yaml @@ -0,0 +1 @@ +server_name: deuxfleurs.fr diff --git a/app/im/config/synapse/homeserver.yaml b/app/im/config/synapse/homeserver.yaml new file mode 100644 index 0000000..7f313f6 --- /dev/null +++ b/app/im/config/synapse/homeserver.yaml @@ -0,0 +1,420 @@ +# vim:ft=yaml + +server_name: "deuxfleurs.fr" +# PEM encoded X509 certificate for TLS. +# You can replace the self-signed certificate that synapse +# autogenerates on launch with your own SSL certificate + key pair +# if you like. Any required intermediary certificates can be +# appended after the primary certificate in hierarchical order. +tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" + +# PEM encoded private key for TLS +tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" + +# PEM dh parameters for ephemeral keys +tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" + +# Don't bind to the https port +no_tls: True + + +## Server ## + +# When running as a daemon, the file to store the pid in +pid_file: "/var/run/matrix-synapse.pid" + +# Whether to serve a web client from the HTTP/HTTPS root resource. +web_client: False + +# The public-facing base URL for the client API (not including _matrix/...) +public_baseurl: https://im.deuxfleurs.fr/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +soft_file_limit: 0 + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# gc_thresholds: [700, 10, 10] + +# A list of other Home Servers to fetch the public room directory from +# and include in the public room directory of this home server +# This is a temporary stopgap solution to populate new server with a +# list of rooms until there exists a good solution of a decentralized +# room directory. +# secondary_directory_servers: +# - matrix.org +# - vector.im + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +listeners: + # Unsecure HTTP listener, + # For when matrix traffic passes through loadbalancer that unwraps TLS. + - port: 8008 + tls: false + bind_address: '' + type: http + + x_forwarded: false + + resources: + - names: [client] + compress: true + + - port: 8448 + tls: false + bind_address: '' + type: http + + x_forwarded: false + + resources: + - names: [federation] + compress: false + + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # - port: 9000 + # bind_address: 127.0.0.1 + # type: manhole + + +# Database configuration +database: + name: psycopg2 + args: + user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }} + password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} + database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }} + host: psql-proxy.service.2.cluster.deuxfleurs.fr + port: 5432 + cp_min: 5 + cp_max: 10 +# Number of events to cache in memory. +event_cache_size: "10K" + + +# A yaml python logging config file +log_config: "/etc/matrix-synapse/log.yaml" + +# Stop twisted from discarding the stack traces of exceptions in +# deferreds by waiting a reactor tick before running a deferred's +# callbacks. +# full_twisted_stacktraces: true + + +## Ratelimiting ## + +# Number of messages a client can send per second +rc_messages_per_second: 0.2 + +# Number of message a client can send before being throttled +rc_message_burst_count: 10.0 + +# The federation window size in milliseconds +federation_rc_window_size: 1000 + +# The number of federation requests from a single server in a window +# before the server will delay processing the request. +federation_rc_sleep_limit: 10 + +# The duration in milliseconds to delay processing events from +# remote servers by if they go over the sleep limit. +federation_rc_sleep_delay: 500 + +# The maximum number of concurrent federation requests allowed +# from a single server +federation_rc_reject_limit: 50 + +# The number of federation requests to concurrently process from a +# single server +federation_rc_concurrent: 3 + + + +# Directory where uploaded images and attachments are stored. +media_store_path: "/var/lib/matrix-synapse/media" +uploads_path: "/var/lib/matrix-synapse/uploads" + +# The largest allowed upload size in bytes +max_upload_size: "100M" + +# Maximum number of pixels that will be thumbnailed +max_image_pixels: "32M" + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +dynamic_thumbnails: false + +# List of thumbnail to precalculate when an image is uploaded. +thumbnail_sizes: +- width: 32 + height: 32 + method: crop +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 640 + height: 480 + method: scale +- width: 800 + height: 600 + method: scale + +# Is the preview URL API enabled? If enabled, you *must* specify +# an explicit url_preview_ip_range_blacklist of IPs that the spider is +# denied from accessing. +url_preview_enabled: True + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' +# +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +# url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +# url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +max_spider_size: "10M" + + + + +## Captcha ## + +# This Home Server's ReCAPTCHA public key. +recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This Home Server's ReCAPTCHA private key. +recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Enables ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. +enable_registration_captcha: False + +# A secret key used to bypass the captcha test entirely. +#captcha_bypass_secret: "YOUR_SECRET_HERE" + +# The API endpoint to use for verifying m.login.recaptcha responses. +recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + + +## Turn ## + +# The public URIs of the TURN server to give to clients +turn_uris: [ "turn:turn.deuxfleurs.fr:3478?transport=udp", "turn:turn.deuxfleurs.fr:3478?transport=tcp" ] + +# The shared secret used to compute passwords for the TURN server +turn_shared_secret: '{{ key "secrets/chat/coturn/static-auth" | trimSpace }}' + +# How long generated TURN credentials last +turn_user_lifetime: "1h" + +turn_allow_guests: True + +## Registration ## + +# Enable registration for new users. +enable_registration: False + +# If set, allows registration by anyone who also has the shared +# secret, even if registration is otherwise disabled. +registration_shared_secret: '{{ key "secrets/chat/synapse/registration_shared_secret" | trimSpace }}' + +# Sets the expiry for the short term user creation in +# milliseconds. For instance the bellow duration is two weeks +# in milliseconds. +user_creation_max_duration: 1209600000 + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number of rounds is 12. +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +allow_guest_access: True + +# The list of identity servers trusted to verify third party +# identifiers by this server. +trusted_third_party_id_servers: + - matrix.org + - vector.im + + +## Metrics ### + +# Enable collection and rendering of performance metrics +enable_metrics: False + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + + +# A list of application service config file to use +app_service_config_files: + - "/etc/matrix-synapse/easybridge_registration.yaml" + #- "/etc/matrix-synapse/fb2mx_registration.yaml" + + +# macaroon_secret_key: + +# Used to enable access token expiration. +expire_access_token: False + +## Signing Keys ## + +# Path to the signing key to sign messages with +signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. E.g. it has lost its private key +old_signing_keys: {} +# "ed25519:auto": +# # Base64 encoded public key +# key: "The public part of your old signing key." +# # Millisecond POSIX timestamp when the key expired. +# expired_ts: 123456789123 + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. +perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + + +# Enable SAML2 for registration and login. Uses pysaml2 +# config_path: Path to the sp_conf.py configuration file +# idp_redirect_url: Identity provider URL which will redirect +# the user back to /login/saml2 with proper info. +# See pysaml2 docs for format of config. +#saml2_config: +# enabled: true +# config_path: "/home/erikj/git/synapse/sp_conf.py" +# idp_redirect_url: "http://test/idp" + + + +# Enable CAS for registration and login. +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homesever.domain.com:8448" +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +# jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + +password_providers: + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389" + start_tls: false + bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' + bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' + base: "ou=users,dc=deuxfleurs,dc=fr" + attributes: + uid: "cn" + name: "displayName" + mail: "mail" + +# Enable password for login. +password_config: + enabled: true + +# Enable sending emails for notification events +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 +# notif_from: "Your Friendly %(app)s Home Server " +# app_name: Matrix +# template_dir: res/templates +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# notif_for_new_users: True + +# Key that had to be added after some synapse updates to please matrix developers... +report_stats: false +suppress_key_server_warning: true +enable_group_creation: true diff --git a/app/im/config/synapse/log.yaml b/app/im/config/synapse/log.yaml new file mode 100644 index 0000000..eb69d8f --- /dev/null +++ b/app/im/config/synapse/log.yaml @@ -0,0 +1,41 @@ + +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/homeserver.log + maxBytes: 10485760 + backupCount: 3 + filters: [context] + level: WARN + console: + class: logging.StreamHandler + formatter: precise + level: WARN + +loggers: + synapse: + level: INFO + + synapse.storage.SQL: + level: INFO + + ldap3: + level: DEBUG + ldap_auth_provider: + level: DEBUG + +root: + level: INFO + handlers: [file, console] diff --git a/app/im/deploy/im.hcl b/app/im/deploy/im.hcl new file mode 100644 index 0000000..c9591e6 --- /dev/null +++ b/app/im/deploy/im.hcl @@ -0,0 +1,265 @@ +job "im" { + datacenters = ["dc1"] + type = "service" + priority = 60 + + group "matrix" { + count = 1 + + network { + port "client_port" { static = 8008 } + port "federation_port" { static = 8448 } + } + + task "synapse" { + driver = "docker" + + config { + image = "superboum/amd64_synapse:v40" + network_mode = "host" + readonly_rootfs = true + ports = [ "client_port", "federation_port" ] + command = "python" + args = [ + "-m", "synapse.app.homeserver", + "-n", + "-c", "/etc/matrix-synapse/homeserver.yaml" + ] + volumes = [ + "secrets/conf:/etc/matrix-synapse", + "/mnt/glusterfs/chat/matrix/synapse/media:/var/lib/matrix-synapse/media", + "/mnt/glusterfs/chat/matrix/synapse/uploads:/var/lib/matrix-synapse/uploads", + "/tmp/synapse-logs:/var/log/matrix-synapse", + "/tmp/synapse:/tmp" + ] + } + + template { + data = file("../config/synapse/homeserver.yaml") + destination = "secrets/conf/homeserver.yaml" + } + + template { + data = file("../config/easybridge/registration.yaml.tpl") + destination = "secrets/conf/easybridge_registration.yaml" + } + + template { + data = file("../config/synapse/log.yaml") + destination = "secrets/conf/log.yaml" + } + + template { + data = file("../config/synapse/conf.d/server_name.yaml") + destination = "secrets/conf/server_name.yaml" + } + + template { + data = file("../config/synapse/conf.d/report_stats.yaml") + destination = "secrets/conf/report_stats.yaml" + } + + # --- secrets --- + template { + data = "{{ key \"secrets/chat/synapse/homeserver.tls.crt\" }}" + destination = "secrets/conf/homeserver.tls.crt" + } + + template { + data = "{{ key \"secrets/chat/synapse/homeserver.tls.dh\" }}" + destination = "secrets/conf/homeserver.tls.dh" + } + + template { + data = "{{ key \"secrets/chat/synapse/homeserver.tls.key\" }}" + destination = "secrets/conf/homeserver.tls.key" + } + + template { + data = "{{ key \"secrets/chat/synapse/homeserver.signing.key\" }}" + destination = "secrets/conf/homeserver.signing.key" + } + + env { + SYNAPSE_CACHE_FACTOR = 1 + } + + resources { + cpu = 1000 + memory = 4000 + } + + service { + name = "synapse-client" + port = "client_port" + address_mode = "host" + tags = [ + "matrix", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:im.deuxfleurs.fr;PathPrefix:/_matrix", + "traefik.frontend.headers.customResponseHeaders=Access-Control-Allow-Origin: *", + "traefik.frontend.priority=100" + ] + check { + type = "tcp" + port = "client_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "synapse-federation" + port = "federation_port" + address_mode = "host" + tags = [ + "matrix", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:deuxfleurs.fr;PathPrefix:/_matrix", + "traefik.frontend.priority=100" + ] + } + } + } + + group "easybridge" { + count = 1 + + network { + port "api_port" { + static = 8321 + to = 8321 + } + port "web_port" { to = 8281 } + } + + task "easybridge" { + driver = "docker" + config { + image = "lxpz/easybridge_amd64:33" + ports = [ "api_port", "web_port" ] + volumes = [ + "secrets/conf:/data" + ] + args = [ "./easybridge", "-config", "/data/config.json" ] + } + + template { + data = file("../config/easybridge/registration.yaml.tpl") + destination = "secrets/conf/registration.yaml" + } + + template { + data = file("../config/easybridge/config.json.tpl") + destination = "secrets/conf/config.json" + } + + resources { + memory = 500 + cpu = 1000 + } + + service { + name = "easybridge-api" + tags = ["easybridge-api"] + port = "api_port" + address_mode = "host" + check { + type = "tcp" + port = "api_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + + service { + name = "easybridge-web" + tags = [ + "easybridge-web", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:easybridge.deuxfleurs.fr", + ] + port = "web_port" + address_mode = "host" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } + + + group "riotweb" { + count = 1 + + network { + port "web_port" { to = 8043 } + } + + task "server" { + driver = "docker" + config { + image = "superboum/amd64_riotweb:v19" + ports = [ "web_port" ] + volumes = [ + "secrets/config.json:/srv/http/config.json" + ] + } + + template { + data = file("../config/riot_web/config.json") + destination = "secrets/config.json" + } + + resources { + memory = 21 + } + + service { + tags = [ + "webstatic", + "traefik.enable=true", + "traefik.frontend.entryPoints=https", + "traefik.frontend.rule=Host:im.deuxfleurs.fr,riot.deuxfleurs.fr;PathPrefix:/", + "traefik.frontend.priority=10" + ] + port = "web_port" + address_mode = "host" + name = "webstatic" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/im/secrets/chat/coturn/static-auth.sample b/app/im/secrets/chat/coturn/static-auth.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/fb2mx/as_token.sample b/app/im/secrets/chat/fb2mx/as_token.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/fb2mx/db_url.sample b/app/im/secrets/chat/fb2mx/db_url.sample new file mode 100644 index 0000000..aff4635 --- /dev/null +++ b/app/im/secrets/chat/fb2mx/db_url.sample @@ -0,0 +1 @@ +postgres://username:password@hostname/dbname diff --git a/app/im/secrets/chat/fb2mx/hs_token.sample b/app/im/secrets/chat/fb2mx/hs_token.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/homeserver.tls.crt.sample b/app/im/secrets/chat/synapse/homeserver.tls.crt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/homeserver.tls.dh.sample b/app/im/secrets/chat/synapse/homeserver.tls.dh.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/homeserver.tls.key.sample b/app/im/secrets/chat/synapse/homeserver.tls.key.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/ldap_binddn.sample b/app/im/secrets/chat/synapse/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/ldap_bindpw.sample b/app/im/secrets/chat/synapse/ldap_bindpw.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/postgres_db.sample b/app/im/secrets/chat/synapse/postgres_db.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/postgres_pwd.sample b/app/im/secrets/chat/synapse/postgres_pwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/postgres_user.sample b/app/im/secrets/chat/synapse/postgres_user.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/im/secrets/chat/synapse/registration_shared_secret.sample b/app/im/secrets/chat/synapse/registration_shared_secret.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/integration/jitsi/01_gen_certs.yml b/app/integration/jitsi/01_gen_certs.yml deleted file mode 100644 index bf73291..0000000 --- a/app/integration/jitsi/01_gen_certs.yml +++ /dev/null @@ -1,8 +0,0 @@ -version: '3' -services: - jitsi-xmpp: - image: superboum/amd64_jitsi_xmpp:v2 - command: ["/usr/local/bin/xmpp_gen"] - volumes: [ './jitsi-certs/:/certs:rw' ] - env_file: [ 'dev.env' ] - diff --git a/app/integration/jitsi/02_run.yml b/app/integration/jitsi/02_run.yml deleted file mode 100644 index 73eefad..0000000 --- a/app/integration/jitsi/02_run.yml +++ /dev/null @@ -1,27 +0,0 @@ -version: '3.4' -services: - jitsi-xmpp: - image: superboum/amd64_jitsi_xmpp:v3 - ports: - - "5222:5222" - - "5347:5347" - - "5280:5280" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-meet: - image: superboum/amd64_jitsi_meet:v1 - ports: - - "443:443" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-conference-focus: - image: superboum/amd64_jitsi_conference_focus:v4 - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-videobridge: - image: superboum/amd64_jitsi_videobridge:v14 - ports: - - "8080:8080/tcp" - - "10000:10000/udp" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] diff --git a/app/integration/jitsi/README.md b/app/integration/jitsi/README.md deleted file mode 100644 index 70b59fc..0000000 --- a/app/integration/jitsi/README.md +++ /dev/null @@ -1,26 +0,0 @@ -This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md - -To build images: - -``` -docker-compose -f 02_run.yml build -``` - -To gen the certs: - -``` -docker-compose -f 01_gen_certs.yml up --force-recreate -``` - -To run the stack: - - -``` -docker-compose -f 02_run.yml up --force-recreate -``` - -To push the stack on the docker registry: - -``` -docker-compose -f 02_run.yml push -``` diff --git a/app/integration/jitsi/dev.env b/app/integration/jitsi/dev.env deleted file mode 100644 index 1dd2122..0000000 --- a/app/integration/jitsi/dev.env +++ /dev/null @@ -1,10 +0,0 @@ -JITSI_SECRET_VIDEOBRIDGE=S3CR3T01 -JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02 -JITSI_SECRET_JICOFO_USER=S3CR3T03 -JITSI_PROSODY_BOSH_PORT=5280 -JITSI_PROSODY_BOSH_HOST=172.17.0.1 -JITSI_PROSODY_HOST=172.17.0.1 -JITSI_CERTS_FOLDER=/certs/ -JITSI_NAT_PUBLIC_IP=37.164.35.154 -JITSI_NAT_LOCAL_IP=192.168.0.231 -JITSI_VIDEO_TCP=8080 diff --git a/app/integration/jitsi/jitsi-certs/.gitignore b/app/integration/jitsi/jitsi-certs/.gitignore deleted file mode 100644 index d6b7ef3..0000000 --- a/app/integration/jitsi/jitsi-certs/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -* -!.gitignore diff --git a/app/integration/nextcloud/README.md b/app/integration/nextcloud/README.md deleted file mode 100644 index 3d49768..0000000 --- a/app/integration/nextcloud/README.md +++ /dev/null @@ -1,20 +0,0 @@ -Install Owncloud CLI: - -php ./occ \ - --no-interaction \ - --verbose \ - maintenance:install \ - --database pgsql \ - --database-name nextcloud \ - --database-host postgres \ - --database-user nextcloud \ - --database-pass nextcloud \ - --admin-user nextcloud \ - --admin-pass nextcloud \ - --admin-email coucou@deuxfleurs.fr - -Official image entrypoint: - -https://github.com/nextcloud/docker/blob/master/20.0/fpm/entrypoint.sh - - diff --git a/app/integration/nextcloud/bottin.json b/app/integration/nextcloud/bottin.json deleted file mode 100644 index a970762..0000000 --- a/app/integration/nextcloud/bottin.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "suffix": "dc=deuxfleurs,dc=fr", - "bind": "0.0.0.0:389", - "consul_host": "http://consul:8500", - "log_level": "debug", - "acl": [ - "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword", - "*::read modify:SELF:*", - "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", - "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*", - "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:", - "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*", - - "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", - "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*" - ] -} diff --git a/app/integration/nextcloud/docker-compose.yml b/app/integration/nextcloud/docker-compose.yml deleted file mode 100644 index 7ba090b..0000000 --- a/app/integration/nextcloud/docker-compose.yml +++ /dev/null @@ -1,27 +0,0 @@ -version: '3.4' -services: - php: - image: lxpz/deuxfleurs_nextcloud_amd64:8 - depends_on: - - bottin - - postgres - ports: - - "80:80" - - postgres: - image: postgres:9.6.19 - environment: - - POSTGRES_DB=nextcloud - - POSTGRES_USER=nextcloud - - POSTGRES_PASSWORD=nextcloud - - bottin: - image: lxpz/bottin_amd64:14 - depends_on: - - consul - volumes: - - ./bottin.json:/config.json - - consul: - image: consul:1.8.4 - diff --git a/app/integration/plume/bottin.json b/app/integration/plume/bottin.json deleted file mode 100644 index a970762..0000000 --- a/app/integration/plume/bottin.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "suffix": "dc=deuxfleurs,dc=fr", - "bind": "0.0.0.0:389", - "consul_host": "http://consul:8500", - "log_level": "debug", - "acl": [ - "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword", - "*::read modify:SELF:*", - "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", - "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*", - "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:", - "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*", - - "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", - "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*" - ] -} diff --git a/app/integration/plume/docker-compose.yml b/app/integration/plume/docker-compose.yml deleted file mode 100644 index b88de8a..0000000 --- a/app/integration/plume/docker-compose.yml +++ /dev/null @@ -1,28 +0,0 @@ -version: '3.4' -services: - plume: - image: superboum/plume:v1 - env_file: - - plume.env - depends_on: - - consul - - postgres - ports: - - "7878:7878" - - postgres: - image: postgres:9.6.19 - environment: - - POSTGRES_DB=plume - - POSTGRES_USER=plume - - POSTGRES_PASSWORD=plume - - bottin: - image: lxpz/bottin_amd64:14 - depends_on: - - consul - volumes: - - ./bottin.json:/config.json - - consul: - image: consul:1.8.4 diff --git a/app/integration/plume/plume.env b/app/integration/plume/plume.env deleted file mode 100644 index 88c62dc..0000000 --- a/app/integration/plume/plume.env +++ /dev/null @@ -1,31 +0,0 @@ -BASE_URL=integration.env -# generate one with openssl rand -base64 32 -ROCKET_SECRET_KEY=cXZbKoxWIBo0wdaD8tbA1B3BlH2LBSUmgzdyZZr8QxI= - -# Mail settings -#MAIL_SERVER=smtp.example.org -#MAIL_USER=example -#MAIL_PASSWORD=123456 -#MAIL_HELO_NAME=example.org - -# DATABASE SETUP -POSTGRES_PASSWORD=plume -POSTGRES_USER=plume -POSTGRES_DB=plume -DATABASE_URL=postgres://plume:plume@postgres:5432/plume -MIGRATION_DIRECTORY=migrations/postgres - -USE_HTTPS=0 -ROCKET_ADDRESS=0.0.0.0 -ROCKET_PORT=7878 - -MEDIA_UPLOAD_DIRECTORY=/app/static/media -SEARCH_INDEX=/app/search_index -DOMAIN_NAME="integration.env" -INSTANCE_NAME="Integration Instance" - -LDAP_ADDR=ldap://bottin:389 -LDAP_BASE_DN=ou=users,dc=deuxfleurs,dc=fr -LDAP_USER_NAME_ATTR=cn -LDAP_USER_MAIL_ATTR=mail -LDAP_TLS=false diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile new file mode 100644 index 0000000..e2c459c --- /dev/null +++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile @@ -0,0 +1,27 @@ +FROM debian:buster AS builder + +ARG PREFIXV +ARG VERSION +RUN apt-get update && \ + apt-get install -y openjdk-11-jdk maven wget unzip && \ + wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip + +RUN unzip jicofo.zip && \ + mv jicofo*${VERSION} jicofo && \ + cd jicofo && \ + mvn package -DskipTests -Dassembly.skipAssembly=false && \ + unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \ + mv jicofo-1.1-SNAPSHOT /srv/build + +FROM debian:buster + +RUN apt-get update && \ + apt-get install -y openjdk-11-jre-headless ca-certificates + +ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi" + +COPY --from=builder /srv/build /srv/jicofo +COPY jicofo /usr/local/bin/jicofo +COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties + +CMD ["/usr/local/bin/jicofo"] diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo new file mode 100755 index 0000000..2bc6e3f --- /dev/null +++ b/app/jitsi/build/jitsi-conference-focus/jicofo @@ -0,0 +1,16 @@ +#!/bin/bash + +cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt +update-ca-certificates -f + +cat >> /etc/hosts <. + // authdomain: 'jitsi-meet.example.com', + + // Jirecon recording component domain. + // jirecon: 'jirecon.jitsi-meet.example.com', + + // Call control component (Jigasi). + // call_control: 'callcontrol.jitsi-meet.example.com', + + // Focus component domain. Defaults to focus.. + // focus: 'focus.jitsi-meet.example.com', + + // XMPP MUC domain. FIXME: use XEP-0030 to discover it. + muc: 'conference.jitsi.deuxfleurs.fr' + }, + + // BOSH URL. FIXME: use XEP-0156 to discover it. + bosh: '//jitsi.deuxfleurs.fr/http-bind', + + // Websocket URL + // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', + + // The name of client node advertised in XEP-0115 'c' stanza + clientNode: 'http://jitsi.org/jitsimeet', + + // The real JID of focus participant - can be overridden here + // focusUserJid: 'focus@auth.jitsi-meet.example.com', + + + // Testing / experimental features. + // + + testing: { + // Enables experimental simulcast support on Firefox. + enableFirefoxSimulcast: false, + + // P2P test mode disables automatic switching to P2P when there are 2 + // participants in the conference. + p2pTestMode: false + + // Enables the test specific features consumed by jitsi-meet-torture + // testMode: false + + // Disables the auto-play behavior of *all* newly created video element. + // This is useful when the client runs on a host with limited resources. + // noAutoPlayVideo: false + }, + + // Disables ICE/UDP by filtering out local and remote UDP candidates in + // signalling. + // webrtcIceUdpDisable: false, + + // Disables ICE/TCP by filtering out local and remote TCP candidates in + // signalling. + // webrtcIceTcpDisable: false, + + + // Media + // + + // Audio + + // Disable measuring of audio levels. + // disableAudioLevels: false, + // audioLevelsInterval: 200, + + // Enabling this will run the lib-jitsi-meet no audio detection module which + // will notify the user if the current selected microphone has no audio + // input and will suggest another valid device if one is present. + enableNoAudioDetection: true, + + // Enabling this will run the lib-jitsi-meet noise detection module which will + // notify the user if there is noise, other than voice, coming from the current + // selected microphone. The purpose it to let the user know that the input could + // be potentially unpleasant for other meeting participants. + enableNoisyMicDetection: true, + + // Start the conference in audio only mode (no video is being received nor + // sent). + // startAudioOnly: false, + + // Every participant after the Nth will start audio muted. + // startAudioMuted: 10, + + // Start calls with audio muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithAudioMuted: false, + + // Enabling it (with #params) will disable local audio output of remote + // participants and to enable it back a reload is needed. + // startSilent: false + + // Video + + // Sets the preferred resolution (height) for local video. Defaults to 720. + resolution: 480, + + // w3c spec-compliant video constraints to use for video capture. Currently + // used by browsers that return true from lib-jitsi-meet's + // util#browser#usesNewGumFlow. The constraints are independency from + // this config's resolution value. Defaults to requesting an ideal aspect + // ratio of 16:9 with an ideal resolution of 720. + constraints: { + video: { + aspectRatio: 16 / 9, + height: { + ideal: 480, + max: 720, + min: 240 + } + } + }, + + // Enable / disable simulcast support. + // disableSimulcast: false, + + // Enable / disable layer suspension. If enabled, endpoints whose HD + // layers are not in use will be suspended (no longer sent) until they + // are requested again. + // enableLayerSuspension: false, + + // Every participant after the Nth will start video muted. + // startVideoMuted: 10, + + // Start calls with video muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithVideoMuted: false, + + // If set to true, prefer to use the H.264 video codec (if supported). + // Note that it's not recommended to do this because simulcast is not + // supported when using H.264. For 1-to-1 calls this setting is enabled by + // default and can be toggled in the p2p section. + // preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // Desktop sharing + + // The ID of the jidesha extension for Chrome. + desktopSharingChromeExtId: null, + + // Whether desktop sharing should be disabled on Chrome. + // desktopSharingChromeDisabled: false, + + // The media sources to use when using screen sharing with the Chrome + // extension. + desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], + + // Required version of Chrome extension + desktopSharingChromeMinExtVersion: '0.1', + + // Whether desktop sharing should be disabled on Firefox. + // desktopSharingFirefoxDisabled: false, + + // Optional desktop sharing frame rate options. Default value: min:5, max:5. + // desktopSharingFrameRate: { + // min: 5, + // max: 5 + // }, + + // Try to start calls with screen-sharing instead of camera video. + // startScreenSharing: false, + + // Recording + + // Whether to enable file recording or not. + // fileRecordingsEnabled: false, + // Enable the dropbox integration. + // dropbox: { + // appKey: '' // Specify your app key here. + // // A URL to redirect the user to, after authenticating + // // by default uses: + // // 'https://jitsi-meet.example.com/static/oauth.html' + // redirectURI: + // 'https://jitsi-meet.example.com/subfolder/static/oauth.html' + // }, + // When integrations like dropbox are enabled only that will be shown, + // by enabling fileRecordingsServiceEnabled, we show both the integrations + // and the generic recording service (its configuration and storage type + // depends on jibri configuration) + // fileRecordingsServiceEnabled: false, + // Whether to show the possibility to share file recording with other people + // (e.g. meeting participants), based on the actual implementation + // on the backend. + // fileRecordingsServiceSharingEnabled: false, + + // Whether to enable live streaming or not. + // liveStreamingEnabled: false, + + // Transcription (in interface_config, + // subtitles and buttons can be configured) + // transcribingEnabled: false, + + // Enables automatic turning on captions when recording is started + // autoCaptionOnRecord: false, + + // Misc + + // Default value for the channel "last N" attribute. -1 for unlimited. + channelLastN: -1, + + // Disables or enables RTX (RFC 4588) (defaults to false). + // disableRtx: false, + + // Disables or enables TCC (the default is in Jicofo and set to true) + // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting + // affects congestion control, it practically enables send-side bandwidth + // estimations. + // enableTcc: true, + + // Disables or enables REMB (the default is in Jicofo and set to false) + // (draft-alvestrand-rmcat-remb-03). This setting affects congestion + // control, it practically enables recv-side bandwidth estimations. When + // both TCC and REMB are enabled, TCC takes precedence. When both are + // disabled, then bandwidth estimations are disabled. + // enableRemb: false, + + // Defines the minimum number of participants to start a call (the default + // is set in Jicofo and set to 2). + // minParticipants: 2, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // Enable IPv6 support. + // useIPv6: true, + + // Enables / disables a data communication channel with the Videobridge. + // Values can be 'datachannel', 'websocket', true (treat it as + // 'datachannel'), undefined (treat it as 'datachannel') and false (don't + // open any channel). + // openBridgeChannel: true, + + + // UI + // + + // Use display name as XMPP nickname. + // useNicks: false, + + // Require users to always specify a display name. + // requireDisplayName: true, + + // Whether to use a welcome page or not. In case it's false a random room + // will be joined when no room is specified. + enableWelcomePage: true, + + // Enabling the close page will ignore the welcome page redirection when + // a call is hangup. + // enableClosePage: false, + + // Disable hiding of remote thumbnails when in a 1-on-1 conference call. + // disable1On1Mode: false, + + // Default language for the user interface. + defaultLanguage: 'fr', + + // If true all users without a token will be considered guests and all users + // with token will be considered non-guests. Only guests will be allowed to + // edit their profile. + enableUserRolesBasedOnToken: false, + + // Whether or not some features are checked based on token. + // enableFeaturesBasedOnToken: false, + + // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. + // lockRoomGuestEnabled: false, + + // When enabled the password used for locking a room is restricted to up to the number of digits specified + // roomPasswordNumberOfDigits: 10, + // default: roomPasswordNumberOfDigits: false, + + // Message to show the users. Example: 'The service will be down for + // maintenance at 01:00 AM GMT, + // noticeMessage: '', + + // Enables calendar integration, depends on googleApiApplicationClientID + // and microsoftApiApplicationClientID + // enableCalendarIntegration: false, + + // Stats + // + + // Whether to enable stats collection or not in the TraceablePeerConnection. + // This can be useful for debugging purposes (post-processing/analysis of + // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth + // estimation tests. + // gatherStats: false, + + // The interval at which PeerConnection.getStats() is called. Defaults to 10000 + // pcStatsInterval: 10000, + + // To enable sending statistics to callstats.io you must provide the + // Application ID and Secret. + // callStatsID: '', + // callStatsSecret: '', + + // enables sending participants display name to callstats + // enableDisplayNameInStats: false + + // enables sending participants email if available to callstats and other analytics + // enableEmailInStats: false + + // Privacy + // + + // If third party requests are disabled, no other server will be contacted. + // This means avatars will be locally generated and callstats integration + // will not function. + // disableThirdPartyRequests: false, + + + // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. + // + + p2p: { + // Enables peer to peer mode. When enabled the system will try to + // establish a direct connection when there are exactly 2 participants + // in the room. If that succeeds the conference will stop sending data + // through the JVB and use the peer to peer connection instead. When a + // 3rd participant joins the conference will be moved back to the JVB + // connection. + enabled: true, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:443' }, + { urls: 'stun:stun.l.google.com:19302' }, + { urls: 'stun:stun1.l.google.com:19302' }, + { urls: 'stun:stun2.l.google.com:19302' } + ], + + // Sets the ICE transport policy for the p2p connection. At the time + // of this writing the list of possible values are 'all' and 'relay', + // but that is subject to change in the future. The enum is defined in + // the WebRTC standard: + // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. + // If not set, the effective value is 'all'. + // iceTransportPolicy: 'all', + + // If set to true, it will prefer to use H.264 for P2P calls (if H.264 + // is supported). + preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // How long we're going to wait, before going back to P2P after the 3rd + // participant has left the conference (to filter out page reload). + backToP2PDelay: 60 + }, + + analytics: { + // The Google Analytics Tracking ID: + // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' + + // The Amplitude APP Key: + // amplitudeAPPKey: '' + + // Array of script URLs to load as lib-jitsi-meet "analytics handlers". + // scriptURLs: [ + // "libs/analytics-ga.min.js", // google-analytics + // "https://example.com/my-custom-analytics.js" + // ], + }, + + // Information about the jitsi-meet instance we are connecting to, including + // the user region as seen by the server. + deploymentInfo: { + // shard: "shard1", + // region: "europe", + // userRegion: "asia" + } + + // Information for the chrome extension banner + // chromeExtensionBanner: { + // // The chrome extension to be installed address + // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb', + + // // Extensions info which allows checking if they are installed or not + // chromeExtensionsInfo: [ + // { + // id: 'kglhbbefdnlheedjiejgomgmfplipfeb', + // path: 'jitsi-logo-48x48.png' + // } + // ] + // } + + // Local Recording + // + + // localRecording: { + // Enables local recording. + // Additionally, 'localrecording' (all lowercase) needs to be added to + // TOOLBAR_BUTTONS in interface_config.js for the Local Recording + // button to show up on the toolbar. + // + // enabled: true, + // + + // The recording format, can be one of 'ogg', 'flac' or 'wav'. + // format: 'flac' + // + + // } + + // Options related to end-to-end (participant to participant) ping. + // e2eping: { + // // The interval in milliseconds at which pings will be sent. + // // Defaults to 10000, set to <= 0 to disable. + // pingInterval: 10000, + // + // // The interval in milliseconds at which analytics events + // // with the measured RTT will be sent. Defaults to 60000, set + // // to <= 0 to disable. + // analyticsInterval: 60000, + // } + + // If set, will attempt to use the provided video input device label when + // triggering a screenshare, instead of proceeding through the normal flow + // for obtaining a desktop stream. + // NOTE: This option is experimental and is currently intended for internal + // use only. + // _desktopSharingSourceDevice: 'sample-id-or-label' + + // If true, any checks to handoff to another application will be prevented + // and instead the app will continue to display in the current browser. + // disableDeepLinking: false + + // A property to disable the right click context menu for localVideo + // the menu has option to flip the locally seen video for local presentations + // disableLocalVideoFlip: false + + // Deployment specific URLs. + // deploymentUrls: { + // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for + // // user documentation. + // userDocumentationURL: 'https://docs.example.com/video-meetings.html', + // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link + // // to the specified URL for an app download page. + // downloadAppsUrl: 'https://docs.example.com/our-apps.html' + // } + + // List of undocumented settings used in jitsi-meet + /** + _immediateReloadThreshold + autoRecord + autoRecordToken + debug + debugAudioLevels + deploymentInfo + dialInConfCodeUrl + dialInNumbersUrl + dialOutAuthUrl + dialOutCodesUrl + disableRemoteControl + displayJids + etherpad_base + externalConnectUrl + firefox_fake_device + googleApiApplicationClientID + iAmRecorder + iAmSipGateway + microsoftApiApplicationClientID + peopleSearchQueryTypes + peopleSearchUrl + requireDisplayName + tokenAuthUrl + */ + + // List of undocumented settings used in lib-jitsi-meet + /** + _peerConnStatusOutOfLastNTimeout + _peerConnStatusRtcMuteTimeout + abTesting + avgRtpStatsN + callStatsConfIDNamespace + callStatsCustomScriptUrl + desktopSharingSources + disableAEC + disableAGC + disableAP + disableHPF + disableNS + enableLipSync + enableTalkWhileMuted + forceJVB121Ratio + hiddenDomain + ignoreStartMuted + nick + startBitrate + */ + +}; + +/* eslint-enable no-unused-vars, no-var */ + diff --git a/app/jitsi/build/jitsi-meet/entrypoint.sh b/app/jitsi/build/jitsi-meet/entrypoint.sh new file mode 100755 index 0000000..1cd96dc --- /dev/null +++ b/app/jitsi/build/jitsi-meet/entrypoint.sh @@ -0,0 +1,38 @@ +#!/bin/bash + +cat > /etc/nginx/sites-available/jitsi <> /etc/hosts < /root/.sip-communicator/sip-communicator.properties <> /root/.sip-communicator/sip-communicator.properties <> /etc/hosts < /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua < /tmp/nextcloud.zip +cd /var/www +unzip /tmp/nextcloud.zip +rm /tmp/nextcloud.zip +mv html html.old +mv nextcloud html + +cd html +mkdir data + +cd apps +wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz +tar xf tasks.tar.gz +wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz +tar xf maps-0.1.6.tar.gz +wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz +tar xf calendar.tar.gz +wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz +tar xf news.tar.gz +wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz +tar xf notes.tar.gz +wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz +tar xf contacts.tar.gz +wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz +tar xf mail.tar.gz +wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz +tar xf groupfolders.tar.gz +rm *.tar.gz + +chown -R www-data:www-data /var/www/html + +cd /var/www/html +php occ diff --git a/app/nextcloud/build/nextcloud/entrypoint.sh b/app/nextcloud/build/nextcloud/entrypoint.sh new file mode 100755 index 0000000..72b4f94 --- /dev/null +++ b/app/nextcloud/build/nextcloud/entrypoint.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +set -xe + +chown www-data:www-data /var/www/html/config/config.php +touch /var/www/html/data/.ocdata + +exec apachectl -DFOREGROUND diff --git a/app/nextcloud/config/config.php.tpl b/app/nextcloud/config/config.php.tpl new file mode 100644 index 0000000..7dcfc6e --- /dev/null +++ b/app/nextcloud/config/config.php.tpl @@ -0,0 +1,49 @@ + false, + 'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}', + 'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}', + 'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}', + 'trusted_domains' => array ( + 0 => 'nextcloud.deuxfleurs.fr', + ), + 'memcache.local' => '\\OC\\Memcache\\APCu', + + 'objectstore' => array( + 'class' => '\\OC\\Files\\ObjectStore\\S3', + 'arguments' => array( + 'bucket' => 'nextcloud', + 'autocreate' => false, + 'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}', + 'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}', + 'hostname' => 'garage.deuxfleurs.fr', + 'port' => 443, + 'use_ssl' => true, + 'region' => 'garage', + // required for some non Amazon S3 implementations + 'use_path_style' => true + ), + ), + + 'dbtype' => 'pgsql', + 'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr', + 'dbname' => 'nextcloud', + 'dbtableprefix' => 'nc_', + 'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}', + 'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}', + + 'default_language' => 'fr', + 'default_locale' => 'fr_FR', + + 'mail_domain' => 'deuxfleurs.fr', + 'mail_from_address' => 'nextcloud@deuxfleurs.fr', + // TODO SMTP CONFIG + + // TODO REDIS CACHE + + 'version' => '19.0.0.12', + 'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr', + + 'installed' => true, +); + diff --git a/app/nextcloud/deploy/nextcloud.hcl b/app/nextcloud/deploy/nextcloud.hcl new file mode 100644 index 0000000..8852787 --- /dev/null +++ b/app/nextcloud/deploy/nextcloud.hcl @@ -0,0 +1,65 @@ +job "nextcloud" { + datacenters = ["dc1", "belair"] + type = "service" + priority = 40 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "nextcloud" { + count = 1 + + network { + port "web_port" { + to = 80 + } + } + + task "nextcloud" { + driver = "docker" + config { + image = "lxpz/deuxfleurs_nextcloud_amd64:8" + ports = [ "web_port" ] + volumes = [ + "secrets/config.php:/var/www/html/config/config.php" + ] + } + + template { + data = file("../config/config.php.tpl") + destination = "secrets/config.php" + } + + resources { + memory = 1000 + cpu = 2000 + } + + service { + name = "nextcloud" + tags = [ + "nextcloud", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:nextcloud.deuxfleurs.fr", + ] + port = "web_port" + address_mode = "host" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/nextcloud/integration/README.md b/app/nextcloud/integration/README.md new file mode 100644 index 0000000..3d49768 --- /dev/null +++ b/app/nextcloud/integration/README.md @@ -0,0 +1,20 @@ +Install Owncloud CLI: + +php ./occ \ + --no-interaction \ + --verbose \ + maintenance:install \ + --database pgsql \ + --database-name nextcloud \ + --database-host postgres \ + --database-user nextcloud \ + --database-pass nextcloud \ + --admin-user nextcloud \ + --admin-pass nextcloud \ + --admin-email coucou@deuxfleurs.fr + +Official image entrypoint: + +https://github.com/nextcloud/docker/blob/master/20.0/fpm/entrypoint.sh + + diff --git a/app/nextcloud/integration/bottin.json b/app/nextcloud/integration/bottin.json new file mode 100644 index 0000000..a970762 --- /dev/null +++ b/app/nextcloud/integration/bottin.json @@ -0,0 +1,31 @@ +{ + "suffix": "dc=deuxfleurs,dc=fr", + "bind": "0.0.0.0:389", + "consul_host": "http://consul:8500", + "log_level": "debug", + "acl": [ + "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword", + "*::read modify:SELF:*", + "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", + "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*", + "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:", + "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*", + + "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", + "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*" + ] +} diff --git a/app/nextcloud/integration/docker-compose.yml b/app/nextcloud/integration/docker-compose.yml new file mode 100644 index 0000000..7ba090b --- /dev/null +++ b/app/nextcloud/integration/docker-compose.yml @@ -0,0 +1,27 @@ +version: '3.4' +services: + php: + image: lxpz/deuxfleurs_nextcloud_amd64:8 + depends_on: + - bottin + - postgres + ports: + - "80:80" + + postgres: + image: postgres:9.6.19 + environment: + - POSTGRES_DB=nextcloud + - POSTGRES_USER=nextcloud + - POSTGRES_PASSWORD=nextcloud + + bottin: + image: lxpz/bottin_amd64:14 + depends_on: + - consul + volumes: + - ./bottin.json:/config.json + + consul: + image: consul:1.8.4 + diff --git a/app/platoo/deploy/platoo.hcl b/app/platoo/deploy/platoo.hcl new file mode 100644 index 0000000..ffdda9e --- /dev/null +++ b/app/platoo/deploy/platoo.hcl @@ -0,0 +1,64 @@ +job "platoo" { + datacenters = ["dc1"] + type = "service" + priority = 10 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "core" { + network { + port "web_port" { to = 8080 } + } + + task "nodejs" { + driver = "docker" + config { + image = "victormoi/platoo:v1" + force_pull = true + ports = [ "web_port" ] + } + + template { + data = < pgsql_pw diff --git a/app/plume/secrets/plume/secret_key.sh b/app/plume/secrets/plume/secret_key.sh new file mode 100755 index 0000000..f4bbee5 --- /dev/null +++ b/app/plume/secrets/plume/secret_key.sh @@ -0,0 +1,2 @@ +#!/bin/bash +openssl rand -base64 32 > secret_key diff --git a/app/postgres/build/postgres/Dockerfile b/app/postgres/build/postgres/Dockerfile new file mode 100644 index 0000000..bb018b8 --- /dev/null +++ b/app/postgres/build/postgres/Dockerfile @@ -0,0 +1,19 @@ +FROM amd64/debian:stretch + +RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \ + apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y postgresql-all golang-1.11 git && \ + export GOPATH=/usr/local/go && \ + mkdir -p /usr/local/go/src/github.com/sorintlab && \ + cd /usr/local/go/src/github.com/sorintlab && \ + git clone --depth=1 https://github.com/sorintlab/stolon && \ + ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \ + ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \ + cd ./stolon && \ + ./build && \ + mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \ + rm -rf /usr/local/go + +USER postgres + diff --git a/app/postgres/build/postgres/README.md b/app/postgres/build/postgres/README.md new file mode 100644 index 0000000..d2f7a12 --- /dev/null +++ b/app/postgres/build/postgres/README.md @@ -0,0 +1,4 @@ +``` +docker build -t superboum/arm32v7_postgres . +docker build -t superboum/amd64_postgres:v2 . +``` diff --git a/app/postgres/build/postgres/postgresql.conf b/app/postgres/build/postgres/postgresql.conf new file mode 100644 index 0000000..8e0af2b --- /dev/null +++ b/app/postgres/build/postgres/postgresql.conf @@ -0,0 +1,25 @@ +data_directory = '/var/lib/postgresql/9.6/main' # use data in another directory +hba_file = '/etc/postgresql/9.6/main/pg_hba.conf' # host-based authentication file +ident_file = '/etc/postgresql/9.6/main/pg_ident.conf' # ident configuration file +external_pid_file = '/var/run/postgresql/9.6-main.pid' # write an extra PID file +listen_addresses = '*' #listen on every ip / interfaces +port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories +ssl = true # (change requires restart) +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart) +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart) +shared_buffers = 128MB # min 128kB +dynamic_shared_memory_type = posix # the default is the first option +log_line_prefix = '%m [%p] %q%u@%d ' # special values: +log_timezone = 'UTC' +cluster_name = '9.6/main' # added to process titles if nonempty +stats_temp_directory = '/var/run/postgresql/9.6-main.pg_stat_tmp' +datestyle = 'iso, mdy' +timezone = 'UTC' +lc_messages = 'C.UTF-8' # locale for system error message +lc_monetary = 'C.UTF-8' # locale for monetary formatting +lc_numeric = 'C.UTF-8' # locale for number formatting +lc_time = 'C.UTF-8' # locale for time formatting +default_text_search_config = 'pg_catalog.english' + diff --git a/app/postgres/build/postgres/start.sh b/app/postgres/build/postgres/start.sh new file mode 100755 index 0000000..f1d493f --- /dev/null +++ b/app/postgres/build/postgres/start.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +if [ -f /local/pg_hba.conf ]; then + echo "Copying Nomad configuration..." + cp /local/pg_hba.conf /etc/postgresql/9.6/main/ + echo "Done" +fi + + +if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then + echo "Copying base" + cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main + echo "Done" +fi + +chmod -R 700 /var/lib/postgresql/9.6/main +chown -R postgres /var/lib/postgresql/9.6/main + +echo "Starting postgres..." +. /usr/share/postgresql-common/init.d-functions +start 9.6 +tail -f /var/log/postgresql/postgresql-9.6-main.log diff --git a/app/postgres/config/keeper/env.tpl b/app/postgres/config/keeper/env.tpl new file mode 100644 index 0000000..7831aad --- /dev/null +++ b/app/postgres/config/keeper/env.tpl @@ -0,0 +1,3 @@ +PG_SU_PWD={{ key "secrets/postgres/keeper/pg_su_pwd" | trimSpace }} +PG_REPL_USER={{ key "secrets/postgres/keeper/pg_repl_username" | trimSpace }} +PG_REPL_PWD={{ key "secrets/postgres/keeper/pg_repl_pwd" | trimSpace }} diff --git a/app/postgres/deploy/postgres.hcl b/app/postgres/deploy/postgres.hcl new file mode 100644 index 0000000..f5eec51 --- /dev/null +++ b/app/postgres/deploy/postgres.hcl @@ -0,0 +1,134 @@ +job "postgres" { + datacenters = ["dc1"] + type = "system" + priority = 90 + + update { + max_parallel = 1 + stagger = "2m" + } + + group "postgres" { + network { + port "psql_proxy_port" { static = 5432 } + port "psql_port" { static = 5433 } + } + + task "sentinel" { + driver = "docker" + + config { + image = "superboum/amd64_postgres:v3" + network_mode = "host" + readonly_rootfs = false + command = "/usr/local/bin/stolon-sentinel" + args = [ + "--cluster-name", "pissenlit", + "--store-backend", "consul", + "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500", + ] + } + resources { + memory = 100 + } + } + + task "proxy" { + driver = "docker" + + config { + image = "superboum/amd64_postgres:v3" + network_mode = "host" + readonly_rootfs = false + command = "/usr/local/bin/stolon-proxy" + args = [ + "--cluster-name", "pissenlit", + "--store-backend", "consul", + "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500", + "--port", "${NOMAD_PORT_psql_proxy_port}", + "--listen-address", "0.0.0.0" + ] + ports = [ "psql_proxy_port" ] + } + + resources { + memory = 100 + } + + service { + tags = ["sql"] + port = "psql_proxy_port" + address_mode = "host" + name = "psql-proxy" + check { + type = "tcp" + port = "psql_proxy_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "10m" + ignore_warnings = false + } + } + } + } + + task "keeper" { + driver = "docker" + + config { + image = "superboum/amd64_postgres:v3" + network_mode = "host" + readonly_rootfs = false + command = "/usr/local/bin/stolon-keeper" + args = [ + "--cluster-name", "pissenlit", + "--store-backend", "consul", + "--store-endpoints", "http://consul.service.2.cluster.deuxfleurs.fr:8500", + "--data-dir", "/mnt/persist", + "--pg-su-password", "${PG_SU_PWD}", + "--pg-repl-username", "${PG_REPL_USER}", + "--pg-repl-password", "${PG_REPL_PWD}", + "--pg-listen-address", "${attr.unique.network.ip-address}", + "--pg-port", "${NOMAD_PORT_psql_port}", + "--pg-bin-path", "/usr/lib/postgresql/9.6/bin/" + ] + ports = [ "psql_port" ] + volumes = [ + "/mnt/ssd/postgres:/mnt/persist" + ] + } + + template { + data = file("../config/keeper/env.tpl") + destination = "secrets/env" + env = true + } + + resources { + memory = 500 + } + + service { + tags = ["sql"] + port = "psql_port" + address_mode = "host" + name = "keeper" + check { + type = "tcp" + port = "psql_port" + interval = "60s" + timeout = "5s" + + check_restart { + limit = 3 + grace = "60m" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_pwd.sample b/app/postgres/secrets/postgres/keeper/pg_repl_pwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_username.sample b/app/postgres/secrets/postgres/keeper/pg_repl_username.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/postgres/secrets/postgres/keeper/pg_su_pwd.sample b/app/postgres/secrets/postgres/keeper/pg_su_pwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app/science/deploy/science.hcl b/app/science/deploy/science.hcl new file mode 100644 index 0000000..1aee7a8 --- /dev/null +++ b/app/science/deploy/science.hcl @@ -0,0 +1,58 @@ +job "science" { + datacenters = ["dc1"] + type = "service" + priority = 10 + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "diagnet" { + network { + port "web_port" { to = 8000 } + } + + task "main" { + driver = "docker" + config { + image = "lesterpig/diagnet-landmark:latest" + args = [ + "-name", "landmark-deuxfleurs", + "-chrome", "-chrome-interval", "60m", + "-http", ":8000" + ] + ports = [ "web_port" ] + } + + resources { + cpu = 1000 + memory = 1200 + } + + service { + tags = [ + "diagnet", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:diagnet.science.deuxfleurs.fr;PathPrefix:/" + ] + port = "web_port" + address_mode = "host" + name = "diagnet" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app/seafile/build/mariadb/60-disable-dialog.cnf b/app/seafile/build/mariadb/60-disable-dialog.cnf new file mode 100644 index 0000000..d41731a --- /dev/null +++ b/app/seafile/build/mariadb/60-disable-dialog.cnf @@ -0,0 +1,3 @@ +[mariadb] +pam_use_cleartext_plugin +bind-address = 0.0.0.0 diff --git a/app/seafile/build/mariadb/60-ldap.cnf b/app/seafile/build/mariadb/60-ldap.cnf new file mode 100644 index 0000000..72ffb9f --- /dev/null +++ b/app/seafile/build/mariadb/60-ldap.cnf @@ -0,0 +1,3 @@ +[mariadb] +plugin-load=auth_pam.so + diff --git a/app/seafile/build/mariadb/60-remote.cnf b/app/seafile/build/mariadb/60-remote.cnf new file mode 100644 index 0000000..acf8f9b --- /dev/null +++ b/app/seafile/build/mariadb/60-remote.cnf @@ -0,0 +1,2 @@ +[mysqld] +bind-address = * diff --git a/app/seafile/build/mariadb/Dockerfile b/app/seafile/build/mariadb/Dockerfile new file mode 100644 index 0000000..15ef954 --- /dev/null +++ b/app/seafile/build/mariadb/Dockerfile @@ -0,0 +1,14 @@ +FROM debian:stretch + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y mariadb-server mariadb-client libnss-ldapd + +COPY 60-ldap.cnf /etc/mysql/mariadb.conf.d/60-ldap.cnf +COPY 60-remote.cnf /etc/mysql/mariadb.conf.d/60-remote.cnf +COPY 60-disable-dialog.cnf /etc/mysql/mariadb.conf.d/60-disable-dialog.cnf +COPY pam-mariadb /etc/pam.d/mariadb +COPY nsswitch.conf /etc/nsswitch.conf +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app/seafile/build/mariadb/README.md b/app/seafile/build/mariadb/README.md new file mode 100644 index 0000000..1a3b8aa --- /dev/null +++ b/app/seafile/build/mariadb/README.md @@ -0,0 +1,19 @@ +``` +sudo docker build -t superboum/amd64_mariadb:v3 . + +sudo docker run \ + -t -i \ + -p 3306:3306 \ + -v /tmp/mysql:/var/lib/mysql \ + -e LDAP_URI='ldap://bottin.service.2.cluster.deuxfleurs.fr' \ + -e LDAP_BASE='ou=users,dc=deuxfleurs,dc=fr' \ + -e LDAP_VERSION=3 \ + -e LDAP_BIND_DN='cn=admin,dc=deuxfleurs,dc=fr' \ + -e LDAP_BIND_PW='xxxx' \ + -e MYSQL_PASSWORD='xxxx' \ + superboum/amd64_mariadb:v1 \ + tail -f /var/log/mysql/error.log + +CREATE USER quentin@localhost IDENTIFIED VIA pam USING 'mariadb'; + +``` diff --git a/app/seafile/build/mariadb/entrypoint.sh b/app/seafile/build/mariadb/entrypoint.sh new file mode 100755 index 0000000..7ebf049 --- /dev/null +++ b/app/seafile/build/mariadb/entrypoint.sh @@ -0,0 +1,50 @@ +#!/bin/bash + +set -e + +cat > /etc/nslcd.conf < Date: Sat, 16 Jan 2021 17:37:34 +0100 Subject: Document secrets and add stub utility to manage them --- app/.gitignore | 11 ------ app/email/config/dkim/smtp.private.sample | 0 app/email/config/dkim/smtp.txt.sample | 0 app/email/secrets/email/dkim/smtp.private | 1 + app/email/secrets/email/dkim/smtp.private.sample | 0 app/email/secrets/email/dovecot/dovecot.crt | 1 + app/email/secrets/email/dovecot/dovecot.crt.sample | 0 app/email/secrets/email/dovecot/dovecot.key | 1 + app/email/secrets/email/dovecot/dovecot.key.sample | 0 app/email/secrets/email/dovecot/ldap_binddn | 1 + app/email/secrets/email/dovecot/ldap_binddn.sample | 0 app/email/secrets/email/dovecot/ldap_bindpwd | 1 + .../secrets/email/dovecot/ldap_bindpwd.sample | 0 app/email/secrets/email/postfix/postfix.crt | 1 + app/email/secrets/email/postfix/postfix.crt.sample | 0 app/email/secrets/email/postfix/postfix.key | 1 + app/email/secrets/email/postfix/postfix.key.sample | 0 app/email/secrets/email/sogo/ldap_binddn | 1 + app/email/secrets/email/sogo/ldap_binddn.sample | 0 app/email/secrets/email/sogo/ldap_bindpw | 1 + app/email/secrets/email/sogo/ldap_bindpw.sample | 0 app/email/secrets/email/sogo/postgre_auth | 1 + app/email/secrets/email/sogo/postgre_auth.sample | 0 app/im/secrets/chat/coturn/static-auth | 1 + app/im/secrets/chat/coturn/static-auth.sample | 0 app/im/secrets/chat/fb2mx/as_token | 1 + app/im/secrets/chat/fb2mx/as_token.sample | 0 app/im/secrets/chat/fb2mx/db_url | 1 + app/im/secrets/chat/fb2mx/db_url.sample | 1 - app/im/secrets/chat/fb2mx/hs_token | 1 + app/im/secrets/chat/fb2mx/hs_token.sample | 0 app/im/secrets/chat/synapse/homeserver.tls.crt | 1 + .../secrets/chat/synapse/homeserver.tls.crt.sample | 0 app/im/secrets/chat/synapse/homeserver.tls.dh | 1 + .../secrets/chat/synapse/homeserver.tls.dh.sample | 0 app/im/secrets/chat/synapse/homeserver.tls.key | 1 + .../secrets/chat/synapse/homeserver.tls.key.sample | 0 app/im/secrets/chat/synapse/ldap_binddn | 1 + app/im/secrets/chat/synapse/ldap_binddn.sample | 0 app/im/secrets/chat/synapse/ldap_bindpw | 1 + app/im/secrets/chat/synapse/ldap_bindpw.sample | 0 app/im/secrets/chat/synapse/postgres_db | 1 + app/im/secrets/chat/synapse/postgres_db.sample | 0 app/im/secrets/chat/synapse/postgres_pwd | 1 + app/im/secrets/chat/synapse/postgres_pwd.sample | 0 app/im/secrets/chat/synapse/postgres_user | 1 + app/im/secrets/chat/synapse/postgres_user.sample | 0 .../chat/synapse/registration_shared_secret | 1 + .../chat/synapse/registration_shared_secret.sample | 0 .../secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt | 1 + .../jitsi/auth.jitsi.deuxfleurs.fr.crt.sample | 0 .../secrets/jitsi/auth.jitsi.deuxfleurs.fr.key | 1 + .../jitsi/auth.jitsi.deuxfleurs.fr.key.sample | 0 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt | 1 + .../secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample | 0 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key | 1 + .../secrets/jitsi/jitsi.deuxfleurs.fr.key.sample | 0 app/platoo/secrets/platoo/bddpw | 1 + app/platoo/secrets/platoo/bddpw.sample | 0 app/postgres/secrets/postgres/keeper/pg_repl_pwd | 1 + .../secrets/postgres/keeper/pg_repl_pwd.sample | 0 .../secrets/postgres/keeper/pg_repl_username | 1 + .../postgres/keeper/pg_repl_username.sample | 0 app/postgres/secrets/postgres/keeper/pg_su_pwd | 1 + .../secrets/postgres/keeper/pg_su_pwd.sample | 0 app/seafile/config/conf/mykey.peer.sample | 0 app/seafile/secrets/mariadb/main/ldap_binddn | 1 + .../secrets/mariadb/main/ldap_binddn.sample | 0 app/seafile/secrets/mariadb/main/ldap_bindpwd | 1 + .../secrets/mariadb/main/ldap_bindpwd.sample | 0 app/seafile/secrets/mariadb/main/mysql_pwd | 1 + app/seafile/secrets/mariadb/main/mysql_pwd.sample | 0 app/seafile/secrets/seafile/conf/mykey.peer | 1 + app/seafile/secrets/seafile/conf/mykey.peer.sample | 0 app/secrets.py | 44 ++++++++++++++++++++++ app/web_static/secrets/web/home_token | 1 + app/web_static/secrets/web/home_token.sample | 0 app/web_static/secrets/web/quentin.dufour.io_token | 1 + .../secrets/web/quentin.dufour.io_token.sample | 0 79 files changed, 81 insertions(+), 12 deletions(-) delete mode 100644 app/.gitignore delete mode 100644 app/email/config/dkim/smtp.private.sample delete mode 100644 app/email/config/dkim/smtp.txt.sample create mode 100644 app/email/secrets/email/dkim/smtp.private delete mode 100644 app/email/secrets/email/dkim/smtp.private.sample create mode 100644 app/email/secrets/email/dovecot/dovecot.crt delete mode 100644 app/email/secrets/email/dovecot/dovecot.crt.sample create mode 100644 app/email/secrets/email/dovecot/dovecot.key delete mode 100644 app/email/secrets/email/dovecot/dovecot.key.sample create mode 100644 app/email/secrets/email/dovecot/ldap_binddn delete mode 100644 app/email/secrets/email/dovecot/ldap_binddn.sample create mode 100644 app/email/secrets/email/dovecot/ldap_bindpwd delete mode 100644 app/email/secrets/email/dovecot/ldap_bindpwd.sample create mode 100644 app/email/secrets/email/postfix/postfix.crt delete mode 100644 app/email/secrets/email/postfix/postfix.crt.sample create mode 100644 app/email/secrets/email/postfix/postfix.key delete mode 100644 app/email/secrets/email/postfix/postfix.key.sample create mode 100644 app/email/secrets/email/sogo/ldap_binddn delete mode 100644 app/email/secrets/email/sogo/ldap_binddn.sample create mode 100644 app/email/secrets/email/sogo/ldap_bindpw delete mode 100644 app/email/secrets/email/sogo/ldap_bindpw.sample create mode 100644 app/email/secrets/email/sogo/postgre_auth delete mode 100644 app/email/secrets/email/sogo/postgre_auth.sample create mode 100644 app/im/secrets/chat/coturn/static-auth delete mode 100644 app/im/secrets/chat/coturn/static-auth.sample create mode 100644 app/im/secrets/chat/fb2mx/as_token delete mode 100644 app/im/secrets/chat/fb2mx/as_token.sample create mode 100644 app/im/secrets/chat/fb2mx/db_url delete mode 100644 app/im/secrets/chat/fb2mx/db_url.sample create mode 100644 app/im/secrets/chat/fb2mx/hs_token delete mode 100644 app/im/secrets/chat/fb2mx/hs_token.sample create mode 100644 app/im/secrets/chat/synapse/homeserver.tls.crt delete mode 100644 app/im/secrets/chat/synapse/homeserver.tls.crt.sample create mode 100644 app/im/secrets/chat/synapse/homeserver.tls.dh delete mode 100644 app/im/secrets/chat/synapse/homeserver.tls.dh.sample create mode 100644 app/im/secrets/chat/synapse/homeserver.tls.key delete mode 100644 app/im/secrets/chat/synapse/homeserver.tls.key.sample create mode 100644 app/im/secrets/chat/synapse/ldap_binddn delete mode 100644 app/im/secrets/chat/synapse/ldap_binddn.sample create mode 100644 app/im/secrets/chat/synapse/ldap_bindpw delete mode 100644 app/im/secrets/chat/synapse/ldap_bindpw.sample create mode 100644 app/im/secrets/chat/synapse/postgres_db delete mode 100644 app/im/secrets/chat/synapse/postgres_db.sample create mode 100644 app/im/secrets/chat/synapse/postgres_pwd delete mode 100644 app/im/secrets/chat/synapse/postgres_pwd.sample create mode 100644 app/im/secrets/chat/synapse/postgres_user delete mode 100644 app/im/secrets/chat/synapse/postgres_user.sample create mode 100644 app/im/secrets/chat/synapse/registration_shared_secret delete mode 100644 app/im/secrets/chat/synapse/registration_shared_secret.sample create mode 100644 app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt delete mode 100644 app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample create mode 100644 app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key delete mode 100644 app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample create mode 100644 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt delete mode 100644 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample create mode 100644 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key delete mode 100644 app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample create mode 100644 app/platoo/secrets/platoo/bddpw delete mode 100644 app/platoo/secrets/platoo/bddpw.sample create mode 100644 app/postgres/secrets/postgres/keeper/pg_repl_pwd delete mode 100644 app/postgres/secrets/postgres/keeper/pg_repl_pwd.sample create mode 100644 app/postgres/secrets/postgres/keeper/pg_repl_username delete mode 100644 app/postgres/secrets/postgres/keeper/pg_repl_username.sample create mode 100644 app/postgres/secrets/postgres/keeper/pg_su_pwd delete mode 100644 app/postgres/secrets/postgres/keeper/pg_su_pwd.sample delete mode 100644 app/seafile/config/conf/mykey.peer.sample create mode 100644 app/seafile/secrets/mariadb/main/ldap_binddn delete mode 100644 app/seafile/secrets/mariadb/main/ldap_binddn.sample create mode 100644 app/seafile/secrets/mariadb/main/ldap_bindpwd delete mode 100644 app/seafile/secrets/mariadb/main/ldap_bindpwd.sample create mode 100644 app/seafile/secrets/mariadb/main/mysql_pwd delete mode 100644 app/seafile/secrets/mariadb/main/mysql_pwd.sample create mode 100644 app/seafile/secrets/seafile/conf/mykey.peer delete mode 100644 app/seafile/secrets/seafile/conf/mykey.peer.sample create mode 100644 app/secrets.py create mode 100644 app/web_static/secrets/web/home_token delete mode 100644 app/web_static/secrets/web/home_token.sample create mode 100644 app/web_static/secrets/web/quentin.dufour.io_token delete mode 100644 app/web_static/secrets/web/quentin.dufour.io_token.sample diff --git a/app/.gitignore b/app/.gitignore deleted file mode 100644 index cc6b143..0000000 --- a/app/.gitignore +++ /dev/null @@ -1,11 +0,0 @@ -# Blacklist everything cleverly -*/secrets/* -!*/secrets/*/ - -# Whitelist some patterns -!*.sample -!*.gen -!*.sh -!.gitignore - -# Whitelist specific files diff --git a/app/email/config/dkim/smtp.private.sample b/app/email/config/dkim/smtp.private.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/config/dkim/smtp.txt.sample b/app/email/config/dkim/smtp.txt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/dkim/smtp.private b/app/email/secrets/email/dkim/smtp.private new file mode 100644 index 0000000..3aa3621 --- /dev/null +++ b/app/email/secrets/email/dkim/smtp.private @@ -0,0 +1 @@ +RSA_PRIVATE_KEY dkim diff --git a/app/email/secrets/email/dkim/smtp.private.sample b/app/email/secrets/email/dkim/smtp.private.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/dovecot/dovecot.crt b/app/email/secrets/email/dovecot/dovecot.crt new file mode 100644 index 0000000..7229cfc --- /dev/null +++ b/app/email/secrets/email/dovecot/dovecot.crt @@ -0,0 +1 @@ +SSL_CERT dovecot deuxfleurs.fr diff --git a/app/email/secrets/email/dovecot/dovecot.crt.sample b/app/email/secrets/email/dovecot/dovecot.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/dovecot/dovecot.key b/app/email/secrets/email/dovecot/dovecot.key new file mode 100644 index 0000000..0d42c79 --- /dev/null +++ b/app/email/secrets/email/dovecot/dovecot.key @@ -0,0 +1 @@ +SSL_KEY dovecot diff --git a/app/email/secrets/email/dovecot/dovecot.key.sample b/app/email/secrets/email/dovecot/dovecot.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/dovecot/ldap_binddn b/app/email/secrets/email/dovecot/ldap_binddn new file mode 100644 index 0000000..da380f2 --- /dev/null +++ b/app/email/secrets/email/dovecot/ldap_binddn @@ -0,0 +1 @@ +SERVICE_DN dovecot Dovecot IMAP server diff --git a/app/email/secrets/email/dovecot/ldap_binddn.sample b/app/email/secrets/email/dovecot/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/dovecot/ldap_bindpwd b/app/email/secrets/email/dovecot/ldap_bindpwd new file mode 100644 index 0000000..068f663 --- /dev/null +++ b/app/email/secrets/email/dovecot/ldap_bindpwd @@ -0,0 +1 @@ +SERVICE_PASSWORD dovecot diff --git a/app/email/secrets/email/dovecot/ldap_bindpwd.sample b/app/email/secrets/email/dovecot/ldap_bindpwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/postfix/postfix.crt b/app/email/secrets/email/postfix/postfix.crt new file mode 100644 index 0000000..f004d67 --- /dev/null +++ b/app/email/secrets/email/postfix/postfix.crt @@ -0,0 +1 @@ +SSL_CERT postfix deuxfleurs.fr diff --git a/app/email/secrets/email/postfix/postfix.crt.sample b/app/email/secrets/email/postfix/postfix.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/postfix/postfix.key b/app/email/secrets/email/postfix/postfix.key new file mode 100644 index 0000000..2cf1706 --- /dev/null +++ b/app/email/secrets/email/postfix/postfix.key @@ -0,0 +1 @@ +SSL_KEY postfix diff --git a/app/email/secrets/email/postfix/postfix.key.sample b/app/email/secrets/email/postfix/postfix.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/sogo/ldap_binddn b/app/email/secrets/email/sogo/ldap_binddn new file mode 100644 index 0000000..df627d3 --- /dev/null +++ b/app/email/secrets/email/sogo/ldap_binddn @@ -0,0 +1 @@ +SERVICE_DN sogo SoGo email frontend diff --git a/app/email/secrets/email/sogo/ldap_binddn.sample b/app/email/secrets/email/sogo/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/sogo/ldap_bindpw b/app/email/secrets/email/sogo/ldap_bindpw new file mode 100644 index 0000000..8d2f35b --- /dev/null +++ b/app/email/secrets/email/sogo/ldap_bindpw @@ -0,0 +1 @@ +SERVICE_PASSWORD sogo diff --git a/app/email/secrets/email/sogo/ldap_bindpw.sample b/app/email/secrets/email/sogo/ldap_bindpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/email/secrets/email/sogo/postgre_auth b/app/email/secrets/email/sogo/postgre_auth new file mode 100644 index 0000000..4f66253 --- /dev/null +++ b/app/email/secrets/email/sogo/postgre_auth @@ -0,0 +1 @@ +USER SoGo postgres auth (format: sogo:) (TODO: replace this with two separate files and change template) diff --git a/app/email/secrets/email/sogo/postgre_auth.sample b/app/email/secrets/email/sogo/postgre_auth.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/coturn/static-auth b/app/im/secrets/chat/coturn/static-auth new file mode 100644 index 0000000..d23be29 --- /dev/null +++ b/app/im/secrets/chat/coturn/static-auth @@ -0,0 +1 @@ +USER cotorn static-auth (what is this?) diff --git a/app/im/secrets/chat/coturn/static-auth.sample b/app/im/secrets/chat/coturn/static-auth.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/fb2mx/as_token b/app/im/secrets/chat/fb2mx/as_token new file mode 100644 index 0000000..20b76d4 --- /dev/null +++ b/app/im/secrets/chat/fb2mx/as_token @@ -0,0 +1 @@ +USER fb2mx API server token diff --git a/app/im/secrets/chat/fb2mx/as_token.sample b/app/im/secrets/chat/fb2mx/as_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/fb2mx/db_url b/app/im/secrets/chat/fb2mx/db_url new file mode 100644 index 0000000..f06e265 --- /dev/null +++ b/app/im/secrets/chat/fb2mx/db_url @@ -0,0 +1 @@ +USER fb2mx database URL, format: postgres://username:password@hostname/dbname diff --git a/app/im/secrets/chat/fb2mx/db_url.sample b/app/im/secrets/chat/fb2mx/db_url.sample deleted file mode 100644 index aff4635..0000000 --- a/app/im/secrets/chat/fb2mx/db_url.sample +++ /dev/null @@ -1 +0,0 @@ -postgres://username:password@hostname/dbname diff --git a/app/im/secrets/chat/fb2mx/hs_token b/app/im/secrets/chat/fb2mx/hs_token new file mode 100644 index 0000000..8808f8f --- /dev/null +++ b/app/im/secrets/chat/fb2mx/hs_token @@ -0,0 +1 @@ +USER fb2mx homeserver token diff --git a/app/im/secrets/chat/fb2mx/hs_token.sample b/app/im/secrets/chat/fb2mx/hs_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/homeserver.tls.crt b/app/im/secrets/chat/synapse/homeserver.tls.crt new file mode 100644 index 0000000..b696093 --- /dev/null +++ b/app/im/secrets/chat/synapse/homeserver.tls.crt @@ -0,0 +1 @@ +SSL_CERT synapse im.deuxfleurs.fr diff --git a/app/im/secrets/chat/synapse/homeserver.tls.crt.sample b/app/im/secrets/chat/synapse/homeserver.tls.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/homeserver.tls.dh b/app/im/secrets/chat/synapse/homeserver.tls.dh new file mode 100644 index 0000000..0231fed --- /dev/null +++ b/app/im/secrets/chat/synapse/homeserver.tls.dh @@ -0,0 +1 @@ +USER_LONG DH parameters for matrix ssl key? how does this work? diff --git a/app/im/secrets/chat/synapse/homeserver.tls.dh.sample b/app/im/secrets/chat/synapse/homeserver.tls.dh.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/homeserver.tls.key b/app/im/secrets/chat/synapse/homeserver.tls.key new file mode 100644 index 0000000..feee544 --- /dev/null +++ b/app/im/secrets/chat/synapse/homeserver.tls.key @@ -0,0 +1 @@ +SSL_KEY synapse im.deuxfleurs.fr diff --git a/app/im/secrets/chat/synapse/homeserver.tls.key.sample b/app/im/secrets/chat/synapse/homeserver.tls.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/ldap_binddn b/app/im/secrets/chat/synapse/ldap_binddn new file mode 100644 index 0000000..2631bef --- /dev/null +++ b/app/im/secrets/chat/synapse/ldap_binddn @@ -0,0 +1 @@ +SERVICE_DN matrix Matrix chat server diff --git a/app/im/secrets/chat/synapse/ldap_binddn.sample b/app/im/secrets/chat/synapse/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/ldap_bindpw b/app/im/secrets/chat/synapse/ldap_bindpw new file mode 100644 index 0000000..ba07446 --- /dev/null +++ b/app/im/secrets/chat/synapse/ldap_bindpw @@ -0,0 +1 @@ +SERVICE_PASSWORD matrix diff --git a/app/im/secrets/chat/synapse/ldap_bindpw.sample b/app/im/secrets/chat/synapse/ldap_bindpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/postgres_db b/app/im/secrets/chat/synapse/postgres_db new file mode 100644 index 0000000..74eefa7 --- /dev/null +++ b/app/im/secrets/chat/synapse/postgres_db @@ -0,0 +1 @@ +CONST synapse diff --git a/app/im/secrets/chat/synapse/postgres_db.sample b/app/im/secrets/chat/synapse/postgres_db.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/postgres_pwd b/app/im/secrets/chat/synapse/postgres_pwd new file mode 100644 index 0000000..ba07446 --- /dev/null +++ b/app/im/secrets/chat/synapse/postgres_pwd @@ -0,0 +1 @@ +SERVICE_PASSWORD matrix diff --git a/app/im/secrets/chat/synapse/postgres_pwd.sample b/app/im/secrets/chat/synapse/postgres_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/postgres_user b/app/im/secrets/chat/synapse/postgres_user new file mode 100644 index 0000000..b08e86a --- /dev/null +++ b/app/im/secrets/chat/synapse/postgres_user @@ -0,0 +1 @@ +CONST matrix diff --git a/app/im/secrets/chat/synapse/postgres_user.sample b/app/im/secrets/chat/synapse/postgres_user.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/im/secrets/chat/synapse/registration_shared_secret b/app/im/secrets/chat/synapse/registration_shared_secret new file mode 100644 index 0000000..395cccc --- /dev/null +++ b/app/im/secrets/chat/synapse/registration_shared_secret @@ -0,0 +1 @@ +USER Shared secret for homeserver registrations (?) diff --git a/app/im/secrets/chat/synapse/registration_shared_secret.sample b/app/im/secrets/chat/synapse/registration_shared_secret.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt new file mode 100644 index 0000000..f2c4d4b --- /dev/null +++ b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt @@ -0,0 +1 @@ +SSL_CERT jitsi_auth autj.jitsi.deuxfleurs.fr diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key new file mode 100644 index 0000000..4a332f8 --- /dev/null +++ b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key @@ -0,0 +1 @@ +SSL_KEY jitsi_auth autj.jitsi.deuxfleurs.fr diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample b/app/jitsi/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt new file mode 100644 index 0000000..32750d3 --- /dev/null +++ b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt @@ -0,0 +1 @@ +SSL_CERT jitsi jitsi.deuxfleurs.fr diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key new file mode 100644 index 0000000..7676132 --- /dev/null +++ b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key @@ -0,0 +1 @@ +SSL_KEY jitsi diff --git a/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample b/app/jitsi/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/platoo/secrets/platoo/bddpw b/app/platoo/secrets/platoo/bddpw new file mode 100644 index 0000000..1c9d86e --- /dev/null +++ b/app/platoo/secrets/platoo/bddpw @@ -0,0 +1 @@ +SERVICE_PASSWORD platoo diff --git a/app/platoo/secrets/platoo/bddpw.sample b/app/platoo/secrets/platoo/bddpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_pwd b/app/postgres/secrets/postgres/keeper/pg_repl_pwd new file mode 100644 index 0000000..ae0c229 --- /dev/null +++ b/app/postgres/secrets/postgres/keeper/pg_repl_pwd @@ -0,0 +1 @@ +SERVICE_PASSWORD replicator diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_pwd.sample b/app/postgres/secrets/postgres/keeper/pg_repl_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_username b/app/postgres/secrets/postgres/keeper/pg_repl_username new file mode 100644 index 0000000..58e6e46 --- /dev/null +++ b/app/postgres/secrets/postgres/keeper/pg_repl_username @@ -0,0 +1 @@ +CONST replicator diff --git a/app/postgres/secrets/postgres/keeper/pg_repl_username.sample b/app/postgres/secrets/postgres/keeper/pg_repl_username.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/postgres/secrets/postgres/keeper/pg_su_pwd b/app/postgres/secrets/postgres/keeper/pg_su_pwd new file mode 100644 index 0000000..a193b9e --- /dev/null +++ b/app/postgres/secrets/postgres/keeper/pg_su_pwd @@ -0,0 +1 @@ +SERVICE_PASSWORD postgres diff --git a/app/postgres/secrets/postgres/keeper/pg_su_pwd.sample b/app/postgres/secrets/postgres/keeper/pg_su_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/seafile/config/conf/mykey.peer.sample b/app/seafile/config/conf/mykey.peer.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/seafile/secrets/mariadb/main/ldap_binddn b/app/seafile/secrets/mariadb/main/ldap_binddn new file mode 100644 index 0000000..e77ff39 --- /dev/null +++ b/app/seafile/secrets/mariadb/main/ldap_binddn @@ -0,0 +1 @@ +SERVICE_DN mysql MySQL/MariaDB database diff --git a/app/seafile/secrets/mariadb/main/ldap_binddn.sample b/app/seafile/secrets/mariadb/main/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/seafile/secrets/mariadb/main/ldap_bindpwd b/app/seafile/secrets/mariadb/main/ldap_bindpwd new file mode 100644 index 0000000..c29f983 --- /dev/null +++ b/app/seafile/secrets/mariadb/main/ldap_bindpwd @@ -0,0 +1 @@ +SERVICE_PASSWORD mysql diff --git a/app/seafile/secrets/mariadb/main/ldap_bindpwd.sample b/app/seafile/secrets/mariadb/main/ldap_bindpwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/seafile/secrets/mariadb/main/mysql_pwd b/app/seafile/secrets/mariadb/main/mysql_pwd new file mode 100644 index 0000000..ae7fd75 --- /dev/null +++ b/app/seafile/secrets/mariadb/main/mysql_pwd @@ -0,0 +1 @@ +USER mysql_pwd (what is this?) diff --git a/app/seafile/secrets/mariadb/main/mysql_pwd.sample b/app/seafile/secrets/mariadb/main/mysql_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/seafile/secrets/seafile/conf/mykey.peer b/app/seafile/secrets/seafile/conf/mykey.peer new file mode 100644 index 0000000..12f0e5f --- /dev/null +++ b/app/seafile/secrets/seafile/conf/mykey.peer @@ -0,0 +1 @@ +USER Seafile peer key diff --git a/app/seafile/secrets/seafile/conf/mykey.peer.sample b/app/seafile/secrets/seafile/conf/mykey.peer.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/secrets.py b/app/secrets.py new file mode 100644 index 0000000..00f6016 --- /dev/null +++ b/app/secrets.py @@ -0,0 +1,44 @@ +#!/usr/bin/env python3 + +""" +TODO: this will be a utility to handle secrets in the Consul database +for the various components of the Deuxfleurs infrastructure + +Functionnalities: +- check that secrets are correctly configured +- help user fill in secrets +- create LDAP service users and fill in corresponding secrets +- maybe one day: manage SSL certificates and keys + +It uses files placed in /secrets/* to know what secrets +it should handle. These secret files contain directives for what to do +about these secrets. + +Example directives: + +USER +(a secret that must be filled in by the user) + +USER_LONG +(the same, indicates that the secret fits on several lines) + +CONST +(the secret has a constant value set here) + +CONST_LONG + +(same) + +SERVICE_DN +(the LDAP DN of a service user) + +SERVICE_PASSWORD +(the LDAP password for the corresponding service user) + +SSL_CERT +(a SSL domain for the given domains) + +SSL_KEY +(the SSL key going with corresponding certificate) +""" + diff --git a/app/web_static/secrets/web/home_token b/app/web_static/secrets/web/home_token new file mode 100644 index 0000000..d0cf281 --- /dev/null +++ b/app/web_static/secrets/web/home_token @@ -0,0 +1 @@ +USER web home_token (what is this?) diff --git a/app/web_static/secrets/web/home_token.sample b/app/web_static/secrets/web/home_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/app/web_static/secrets/web/quentin.dufour.io_token b/app/web_static/secrets/web/quentin.dufour.io_token new file mode 100644 index 0000000..c47c82c --- /dev/null +++ b/app/web_static/secrets/web/quentin.dufour.io_token @@ -0,0 +1 @@ +USER web quentin.dufour.io token (what is this?) diff --git a/app/web_static/secrets/web/quentin.dufour.io_token.sample b/app/web_static/secrets/web/quentin.dufour.io_token.sample deleted file mode 100644 index e69de29..0000000 -- cgit v1.2.3 From 850ccbf1c7c4ebba28b1971bafae0a6ba922b7c7 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sat, 16 Jan 2021 20:03:00 +0100 Subject: secretmgr.py does quite a few things! --- app/.gitignore | 1 + app/dummy/secrets/dummy/test_cmd | 1 + app/dummy/secrets/dummy/test_const | 1 + app/dummy/secrets/dummy/test_const_long | 5 + app/dummy/secrets/dummy/test_service_dn | 1 + app/dummy/secrets/dummy/test_service_password | 1 + app/dummy/secrets/dummy/test_user | 1 + app/plume/secrets/plume/pgsql_pw | 1 + app/plume/secrets/plume/pgsql_pw.sh | 2 - app/plume/secrets/plume/secret_key | 1 + app/plume/secrets/plume/secret_key.sh | 2 - app/postgres/secrets/postgres/keeper/pg_su_pwd | 2 +- app/secretmgr.py | 369 +++++++++++++++++++++++++ app/secrets.py | 44 --- 14 files changed, 383 insertions(+), 49 deletions(-) create mode 100644 app/.gitignore create mode 100644 app/dummy/secrets/dummy/test_cmd create mode 100644 app/dummy/secrets/dummy/test_const create mode 100644 app/dummy/secrets/dummy/test_const_long create mode 100644 app/dummy/secrets/dummy/test_service_dn create mode 100644 app/dummy/secrets/dummy/test_service_password create mode 100644 app/dummy/secrets/dummy/test_user create mode 100644 app/plume/secrets/plume/pgsql_pw delete mode 100755 app/plume/secrets/plume/pgsql_pw.sh create mode 100644 app/plume/secrets/plume/secret_key delete mode 100755 app/plume/secrets/plume/secret_key.sh create mode 100755 app/secretmgr.py delete mode 100644 app/secrets.py diff --git a/app/.gitignore b/app/.gitignore new file mode 100644 index 0000000..bee8a64 --- /dev/null +++ b/app/.gitignore @@ -0,0 +1 @@ +__pycache__ diff --git a/app/dummy/secrets/dummy/test_cmd b/app/dummy/secrets/dummy/test_cmd new file mode 100644 index 0000000..0c1593f --- /dev/null +++ b/app/dummy/secrets/dummy/test_cmd @@ -0,0 +1 @@ +CMD head -c 10 /dev/urandom | base64 diff --git a/app/dummy/secrets/dummy/test_const b/app/dummy/secrets/dummy/test_const new file mode 100644 index 0000000..ac68954 --- /dev/null +++ b/app/dummy/secrets/dummy/test_const @@ -0,0 +1 @@ +CONST this is a constant diff --git a/app/dummy/secrets/dummy/test_const_long b/app/dummy/secrets/dummy/test_const_long new file mode 100644 index 0000000..f5c2b0a --- /dev/null +++ b/app/dummy/secrets/dummy/test_const_long @@ -0,0 +1,5 @@ +CONST_LONG +this is a +constant +on several +lines diff --git a/app/dummy/secrets/dummy/test_service_dn b/app/dummy/secrets/dummy/test_service_dn new file mode 100644 index 0000000..dbc90f0 --- /dev/null +++ b/app/dummy/secrets/dummy/test_service_dn @@ -0,0 +1 @@ +SERVICE_DN dummy Dummy service for testing secretmgr.py diff --git a/app/dummy/secrets/dummy/test_service_password b/app/dummy/secrets/dummy/test_service_password new file mode 100644 index 0000000..f788a50 --- /dev/null +++ b/app/dummy/secrets/dummy/test_service_password @@ -0,0 +1 @@ +SERVICE_PASSWORD dummy diff --git a/app/dummy/secrets/dummy/test_user b/app/dummy/secrets/dummy/test_user new file mode 100644 index 0000000..b1ab993 --- /dev/null +++ b/app/dummy/secrets/dummy/test_user @@ -0,0 +1 @@ +USER Test user value diff --git a/app/plume/secrets/plume/pgsql_pw b/app/plume/secrets/plume/pgsql_pw new file mode 100644 index 0000000..978be54 --- /dev/null +++ b/app/plume/secrets/plume/pgsql_pw @@ -0,0 +1 @@ +CMD openssl rand -base64 32 diff --git a/app/plume/secrets/plume/pgsql_pw.sh b/app/plume/secrets/plume/pgsql_pw.sh deleted file mode 100755 index 519a30a..0000000 --- a/app/plume/secrets/plume/pgsql_pw.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -openssl rand -base64 32 > pgsql_pw diff --git a/app/plume/secrets/plume/secret_key b/app/plume/secrets/plume/secret_key new file mode 100644 index 0000000..978be54 --- /dev/null +++ b/app/plume/secrets/plume/secret_key @@ -0,0 +1 @@ +CMD openssl rand -base64 32 diff --git a/app/plume/secrets/plume/secret_key.sh b/app/plume/secrets/plume/secret_key.sh deleted file mode 100755 index f4bbee5..0000000 --- a/app/plume/secrets/plume/secret_key.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -openssl rand -base64 32 > secret_key diff --git a/app/postgres/secrets/postgres/keeper/pg_su_pwd b/app/postgres/secrets/postgres/keeper/pg_su_pwd index a193b9e..907e2b8 100644 --- a/app/postgres/secrets/postgres/keeper/pg_su_pwd +++ b/app/postgres/secrets/postgres/keeper/pg_su_pwd @@ -1 +1 @@ -SERVICE_PASSWORD postgres +USER postgres superuser password diff --git a/app/secretmgr.py b/app/secretmgr.py new file mode 100755 index 0000000..6af6d13 --- /dev/null +++ b/app/secretmgr.py @@ -0,0 +1,369 @@ +#!/usr/bin/env python3 + +# DEPENDENCY: python-consul +import consul + +# DEPENDENCY: python-ldap +import ldap + +# DEPENDENCY: passlib +from passlib.hash import ldap_salted_sha1 + +import os +import sys +import glob +import subprocess +import getpass +import base64 +from secrets import token_bytes + + +""" +TODO: this will be a utility to handle secrets in the Consul database +for the various components of the Deuxfleurs infrastructure + +Functionnalities: +- check that secrets are correctly configured +- help user fill in secrets +- create LDAP service users and fill in corresponding secrets +- maybe one day: manage SSL certificates and keys + +It uses files placed in /secrets/* to know what secrets +it should handle. These secret files contain directives for what to do +about these secrets. + +Example directives: + +USER +(a secret that must be filled in by the user) + +USER_LONG +(the same, indicates that the secret fits on several lines) + +CMD +(a secret that is generated by running this command) + +CONST +(the secret has a constant value set here) + +CONST_LONG + +(same) + +SERVICE_DN +(the LDAP DN of a service user) + +SERVICE_PASSWORD +(the LDAP password for the corresponding service user) + +SSL_CERT +(a SSL domain for the given domains) + +SSL_KEY +(the SSL key going with corresponding certificate) + +RSA_PUBLIC_KEY +(a public RSA key) + +RSA_PRIVATE_KEY +(the corresponding private RSA key) +""" + + +# Parameters +LDAP_URL = "ldap://localhost:1389" +SERVICE_DN_SUFFIX = "ou=services,ou=users,dc=deuxfleurs,dc=fr" +consul_server = consul.Consul() + + +# ---- + +USER = "USER" +USER_LONG = "USER_LONG" +CMD = "CMD" +CONST = "CONST" +CONST_LONG = "CONST_LONG" +SERVICE_DN = "SERVICE_DN" +SERVICE_PASSWORD = "SERVICE_PASSWORD" +SSL_CERT = "SSL_CERT" +SSL_KEY = "SSL_KEY" +RSA_PUBLIC_KEY = "RSA_PUBLIC_KEY" +RSA_PRIVATE_KEY = "RSA_PRIVATE_KEY" + +class bcolors: + HEADER = '\033[95m' + OKBLUE = '\033[94m' + OKCYAN = '\033[96m' + OKGREEN = '\033[92m' + WARNING = '\033[93m' + FAIL = '\033[91m' + ENDC = '\033[0m' + BOLD = '\033[1m' + UNDERLINE = '\033[4m' + +def read_secret(key, file_path): + lines = [l.strip() for l in open(file_path, "r")] + l0 = lines[0].split(" ") + stype = l0[0] + secret = {"type": stype, "key": key} + if stype in [USER, USER_LONG]: + secret["desc"] = " ".join(l0[1:]) + elif stype == CMD: + secret["cmd"] = " ".join(l0[1:]) + elif stype == CONST: + secret["value"] = " ".join(l0[1:]) + elif stype == CONST_LONG: + secret["value"] = "\n".join(lines[1:]) + elif stype in [SERVICE_DN, SERVICE_PASSWORD]: + secret["service"] = l0[1] + if stype == SERVICE_DN: + secret["service_desc"] = " ".join(l0[2:]) + elif stype in [SSL_CERT, SSL_KEY]: + secret["cert_name"] = l0[1] + if stype == SSL_CERT: + secret["cert_domains"] = l0[2:] + elif stype in [RSA_PUBLIC_KEY, RSA_PRIVATE_KEY]: + secret["key_name"] = l0[1] + if stype == RSA_PUBLIC_KEY: + secret["key_desc"] = " ".join(l0[2:]) + else: + print(bcolors.FAIL, "ERROR:", bcolors.ENDC, "Invalid secret type", stype, "in", file_path) + sys.exit(-1) + + return secret + +def read_secrets(module_list): + secrets = {} + for mod in module_list: + for file_path in glob.glob(mod.strip('/') + "/secrets/**", recursive=True): + if os.path.isfile(file_path): + key = '/'.join(file_path.split("/")[1:]) + secrets[key] = read_secret(key, file_path) + return secrets + +def get_secrets_services(secrets): + services = {} + for key, secret in secrets.items(): + if secret["type"] not in [SERVICE_DN, SERVICE_PASSWORD]: + continue + svc = secret["service"] + print(svc, "@", key, bcolors.OKCYAN, "...", bcolors.ENDC) + if svc not in services: + services[svc] = { + "dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX), + "pass": None, + "dn_at": [], + "pass_at": [], + } + if secret["type"] == SERVICE_DN: + services[svc]["dn_at"].append(key) + services[svc]["desc"] = secret["service_desc"] + + if secret["type"] == SERVICE_PASSWORD: + services[svc]["pass_at"].append(key) + _, data = consul_server.kv.get(key) + if data is not None: + if services[svc]["pass"] is None: + services[svc]["pass"] = data["Value"].decode('ascii').strip() + + return services + +ldap_admin_conn = None +def get_ldap_admin_conn(): + global ldap_admin_conn + if ldap_admin_conn is None: + ldap_admin_conn = ldap.initialize(LDAP_URL) + ldap_user = input("LDAP admin user (full DN, please!): ") + ldap_pass = getpass.getpass("LDAP admin password: ") + ldap_admin_conn.simple_bind_s(ldap_user, ldap_pass) + return ldap_admin_conn + +# ---- CHECK COMMAND ---- + +def check_secrets(module_list): + secrets = read_secrets(module_list) + print("Found", len(secrets), "secrets to check") + print() + + check_secrets_presence(secrets) + check_secrets_services(secrets) + +def check_secrets_presence(secrets): + print("Checking secrets presence...") + for key in secrets.keys(): + _, data = consul_server.kv.get(key) + if data is None: + print(key, bcolors.FAIL, "x", bcolors.ENDC) + else: + print(key, bcolors.OKGREEN, "✓", bcolors.ENDC) + print() + +def check_secrets_services(secrets): + print("Checking secrets for LDAP service users...") + services = get_secrets_services(secrets) + + for svc_name, svc in services.items(): + for dn_key in svc["dn_at"]: + _, data = consul_server.kv.get(dn_key) + if data is not None: + got_val = data["Value"].decode('ascii').strip() + if got_val != svc["dn"]: + print(svc_name, "wrong DN at", dn_key, bcolors.FAIL, "x", bcolors.ENDC) + print("got:", got_val, "instead of:", svc["dn"]) + + if svc["pass"] is None: + print(svc_name, bcolors.FAIL, "no password stored", bcolors.ENDC) + else: + for pass_key in svc["pass_at"]: + _, data = consul_server.kv.get(pass_key) + if data is not None: + got_val = data["Value"].decode('ascii').strip() + if got_val != svc["pass"]: + print(svc_name, "wrong pass at", dn_key, bcolors.FAIL, "x", bcolors.ENDC) + + l = ldap.initialize(LDAP_URL) + try: + l.simple_bind_s(svc["dn"], svc["pass"]) + print(svc_name, bcolors.OKGREEN, "✓", bcolors.ENDC) + except Exception as e: + print(svc_name, bcolors.FAIL, e, bcolors.ENDC) + print() + + +# ---- GEN COMMAND ---- + +def gen_secrets(module_list, regen): + secrets = read_secrets(module_list) + print("Found", len(secrets), "secrets to check and maybe generate") + print() + + gen_secrets_base(secrets, regen) + gen_secrets_services(secrets, regen) + + check_secrets_presence(secrets) + check_secrets_services(secrets) + +def gen_secrets_base(secrets, regen): + print("Filling in user secrets and cmd secrets...") + + for key, secret in secrets.items(): + _, data = consul_server.kv.get(key) + if data is not None and not regen: + continue + + if secret["type"] == USER: + print("----") + print(key) + print("Description:", secret["desc"]) + print("Enter value for secret, or ^C to skip:") + try: + val = input().strip() + consul_server.kv.put(key, val) + print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) + except KeyboardInterrupt: + print(bcolors.WARNING, "Skipped.", bcolors.ENDC) + + if secret["type"] == USER_LONG: + print("----") + print(key) + print("Description:", secret["desc"]) + print("Enter value for secret, or ^C to skip:") + print("THIS IS A LONG VALUE, ENTER SEVERAL LINES AND FINISH WITH A LINE CONTAINING A SINGLE .") + try: + lines = [] + while True: + line = input().strip() + if line == ".": + break + vals.append(line) + val = "\n".join(lines) + consul_server.kv.put(key, val) + print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) + except KeyboardInterrupt: + print(bcolors.WARNING, "Skipped.", bcolors.ENDC) + + if secret["type"] in [CONST, CONST_LONG]: + print("----") + print(key) + print("Resetting to constant value.") + consul_server.kv.put(key, secret["value"]) + print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) + + if secret["type"] == CMD: + print("----") + print(key) + print("Executing command:", secret["cmd"]) + val = subprocess.check_output(["sh", "-c", secret["cmd"]]) + consul_server.kv.put(key, val) + print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) + + print() + +def gen_secrets_services(secrets, regen): + print("Generating LDAP service accounts...") + services = get_secrets_services(secrets) + + for svc_name, svc in services.items(): + print("----") + print("Service:", svc_name) + print("Description:", svc["desc"]) + + for dn_key in svc["dn_at"]: + _, data = consul_server.kv.get(dn_key) + if data is None or data["Value"].decode('ascii').strip() != svc["dn"]: + print(bcolors.OKCYAN, "Setting DN", bcolors.ENDC, "at", dn_key) + consul_server.kv.put(dn_key, svc["dn"]) + + if svc["pass"] is None or regen: + print(bcolors.OKCYAN, "Generating new password", bcolors.ENDC) + svc["pass"] = base64.urlsafe_b64encode(token_bytes(12)).decode('ascii') + + l = ldap.initialize(LDAP_URL) + try: + l.simple_bind_s(svc["dn"], svc["pass"]) + except: + fix_service_user(svc) + + for pass_key in svc["pass_at"]: + _, data = consul_server.kv.get(pass_key) + if data is None or data["Value"].decode('ascii').strip() != svc["pass"]: + print(bcolors.OKCYAN, "Setting password", bcolors.ENDC, "at", pass_key) + consul_server.kv.put(pass_key, svc["pass"]) + + print() + +def fix_service_user(svc): + print("Fixing service user", svc["dn"], "...") + l = get_ldap_admin_conn() + res = l.search_s(svc["dn"], ldap.SCOPE_BASE, "objectclass=*") + pass_crypt = ldap_salted_sha1.hash(svc["pass"]) + if res is None or len(res) == 0: + print(bcolors.OKCYAN, "Creating entity...", bcolors.ENDC) + l.add_s(svc["dn"], + [ + ("objectclass", [b"person", b"top"]), + ("displayname", [svc["desc"].encode('ascii')]), + ("userpassword", [pass_crypt.encode('ascii')]), + ]) + else: + print(bcolors.OKCYAN, "Resetting entity password", bcolors.ENDC) + l.modify_s(svc["dn"], + [ + (ldap.MOD_REPLACE, "userpassword", [pass_crypt.encode('ascii')]) + ]) + +# ---- MAIN ---- + +if __name__ == "__main__": + for i, val in enumerate(sys.argv): + if val == "check": + check_secrets(sys.argv[i+1:]) + break + elif val == "gen": + gen_secrets(sys.argv[i+1:], False) + break + elif val == "regen": + gen_secrets(sys.argv[i+1:], True) + break + + diff --git a/app/secrets.py b/app/secrets.py deleted file mode 100644 index 00f6016..0000000 --- a/app/secrets.py +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/env python3 - -""" -TODO: this will be a utility to handle secrets in the Consul database -for the various components of the Deuxfleurs infrastructure - -Functionnalities: -- check that secrets are correctly configured -- help user fill in secrets -- create LDAP service users and fill in corresponding secrets -- maybe one day: manage SSL certificates and keys - -It uses files placed in /secrets/* to know what secrets -it should handle. These secret files contain directives for what to do -about these secrets. - -Example directives: - -USER -(a secret that must be filled in by the user) - -USER_LONG -(the same, indicates that the secret fits on several lines) - -CONST -(the secret has a constant value set here) - -CONST_LONG - -(same) - -SERVICE_DN -(the LDAP DN of a service user) - -SERVICE_PASSWORD -(the LDAP password for the corresponding service user) - -SSL_CERT -(a SSL domain for the given domains) - -SSL_KEY -(the SSL key going with corresponding certificate) -""" - -- cgit v1.2.3 From 79b7273ff2a487d6721d393682c8ad3927467a75 Mon Sep 17 00:00:00 2001 From: Quentin Date: Mon, 18 Jan 2021 06:51:19 +0100 Subject: Remove my blog --- app/deployment/web_static.hcl | 50 ------------------------------------------- 1 file changed, 50 deletions(-) diff --git a/app/deployment/web_static.hcl b/app/deployment/web_static.hcl index a02d48b..16c8b35 100644 --- a/app/deployment/web_static.hcl +++ b/app/deployment/web_static.hcl @@ -58,55 +58,5 @@ EOH } } } - - group "quentin" { - network { - port "quentin_port" { to = 8080 } - } - - task "server" { - driver = "docker" - config { - image = "superboum/amd64_webpull_ruby:v1" - ports = [ "quentin_port" ] - } - - template { - data = < Date: Mon, 18 Jan 2021 08:06:19 +0100 Subject: Add some documentation + add a requirements file --- README.md | 1 + app/README.md | 34 ++++++++++++++++++++++++++++++++++ app/requirements.txt | 3 +++ 3 files changed, 38 insertions(+) create mode 100644 app/requirements.txt diff --git a/README.md b/README.md index 26a7856..5dc02d1 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,7 @@ alias bind_df="ssh \ -L 8500:127.0.0.1:8500 \ -L 8082:traefik-admin.service.2.cluster.deuxfleurs.fr:8082 \ -L 5432:psql-proxy.service.2.cluster.deuxfleurs.fr:5432 \ + -L 1389:bottin2.service.2.cluster.deuxfleurs.fr:389 \ " ``` diff --git a/app/README.md b/app/README.md index a877cfa..21eb936 100644 --- a/app/README.md +++ b/app/README.md @@ -1,3 +1,37 @@ +## How to install `secretmgr` + +How to install its dependencies: + +```bash +# on fedora: +dnf install -y openldap-devel +# on ubuntu: +apt-get install -y libldap2-dev + +# for eveyrone: +pip3 install --user --requirement requirements.txt +``` + +## How to use `secretmgr` + +Check that all secrets are correctly deployed for app `dummy`: + +```bash +./secretmgr.py check dummy +``` + +Generate secrets for app `dummy` if they don't already exist: + +```bash +./secretmgr.py gen dummy +``` + +Rotate secrets for app `dummy`, overwriting existing ones (be careful, this is dangerous!): + +```bash +./secretmgr.py regen dummy +``` + ## How to upgrade our packaged apps to a new version? 1. Edit `docker-compose.yml` diff --git a/app/requirements.txt b/app/requirements.txt new file mode 100644 index 0000000..7874d93 --- /dev/null +++ b/app/requirements.txt @@ -0,0 +1,3 @@ +python-consul==1.1.0 +python-ldap==3.3.1 +passlib==1.7.4 -- cgit v1.2.3 From c642370def01f09d966b3b9c643cfe416ea115cf Mon Sep 17 00:00:00 2001 From: Quentin Date: Mon, 18 Jan 2021 08:08:48 +0100 Subject: Add hierarchy to the README --- app/README.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/app/README.md b/app/README.md index 21eb936..3049cac 100644 --- a/app/README.md +++ b/app/README.md @@ -1,4 +1,14 @@ -## How to install `secretmgr` +## Understand this folder hierarchy + +This folder contains the following hierarchy: + +- `/build//`: folders with dockerfiles and other necessary resources for building container images +- `/config/`: folder containing configuration files, referenced by deployment file +- `/secrets/`: folder containing secrets, which can be synchronized with Consul using `secretmgr.py` +- `/deploy/`: folder containing the HCL file(s) necessary for deploying the module +- `/integration/`: folder containing files for integration testing using docker-compose + +## How to install `secretmgr.py` dependencies How to install its dependencies: @@ -12,7 +22,7 @@ apt-get install -y libldap2-dev pip3 install --user --requirement requirements.txt ``` -## How to use `secretmgr` +## How to use `secretmgr.py` Check that all secrets are correctly deployed for app `dummy`: -- cgit v1.2.3