From c4a6cf1534b864d3941c839d4a4dca7e505bd828 Mon Sep 17 00:00:00 2001 From: Quentin Date: Sat, 12 Sep 2020 10:03:48 +0200 Subject: Rebase first step --- .gitmodules | 2 +- README.md | 15 +- ansible/README.md | 15 - ansible/README.more.md | 52 --- ansible/cluster_nodes.yml | 19 - ansible/group_vars/all/.gitignore | 1 - ansible/group_vars/all/vars_file.yml.sample | 1 - ansible/production | 4 - ansible/roles/common/tasks/main.yml | 51 -- ansible/roles/consul/files/consul.service | 10 - ansible/roles/consul/tasks/main.yml | 26 -- ansible/roles/consul/templates/consul.json.j2 | 30 -- ansible/roles/consul/templates/resolv.conf.j2 | 2 - ansible/roles/consul/vars/.gitignore | 1 - ansible/roles/consul/vars/main.yml.sample | 2 - ansible/roles/network/files/rules.v6 | 12 - ansible/roles/network/tasks/main.yml | 11 - ansible/roles/network/templates/rules.v4.j2 | 36 -- ansible/roles/nomad/files/nomad.service | 15 - ansible/roles/nomad/tasks/main.yml | 23 - ansible/roles/nomad/templates/nomad.hcl.j2 | 34 -- ansible/roles/storage/handlers/main.yml | 3 - ansible/roles/storage/tasks/main.yml | 72 --- ansible/roles/users/files/alex-key1.pub | 1 - ansible/roles/users/files/alex-key2.pub | 1 - ansible/roles/users/files/florian-key1.pub | 1 - ansible/roles/users/files/florian-key2.pub | 1 - ansible/roles/users/files/maximilien-key1.pub | 1 - ansible/roles/users/files/quentin-key1.pub | 1 - ansible/roles/users/files/quentin-key2.pub | 1 - ansible/roles/users/tasks/main.yml | 39 -- ansible/roles/users/vars/main.yml | 30 -- ansible/site.yml | 2 - app_build/README.md | 8 + app_build/blog-quentin/.dockerenv | 0 app_build/blog-quentin/Dockerfile | 16 + app_build/blog-quentin/README.md | 1 + app_build/coturn/Dockerfile | 8 + app_build/coturn/README.md | 17 + app_build/docker-compose.yml | 60 +++ app_build/dovecot/.gitignore | 1 + app_build/dovecot/Dockerfile | 17 + app_build/dovecot/README.md | 18 + app_build/dovecot/entrypoint.sh | 27 ++ app_build/jitsi-conference-focus/Dockerfile | 22 + app_build/jitsi-conference-focus/jicofo | 16 + app_build/jitsi-meet/Dockerfile | 29 ++ app_build/jitsi-meet/config.js | 517 +++++++++++++++++++++ app_build/jitsi-meet/entrypoint.sh | 38 ++ app_build/jitsi-videobridge/Dockerfile | 27 ++ app_build/jitsi-videobridge/jvb_run | 38 ++ app_build/jitsi-xmpp/Dockerfile | 11 + app_build/jitsi-xmpp/external_components.cfg.lua | 2 + app_build/jitsi-xmpp/xmpp_conf | 42 ++ app_build/jitsi-xmpp/xmpp_gen | 9 + app_build/jitsi-xmpp/xmpp_run | 19 + app_build/landing/README.md | 3 + app_build/mariadb/60-disable-dialog.cnf | 3 + app_build/mariadb/60-ldap.cnf | 3 + app_build/mariadb/60-remote.cnf | 2 + app_build/mariadb/Dockerfile | 14 + app_build/mariadb/README.md | 19 + app_build/mariadb/entrypoint.sh | 50 ++ app_build/mariadb/nsswitch.conf | 21 + app_build/mariadb/pam-mariadb | 2 + app_build/matrix-synapse/Dockerfile | 47 ++ app_build/matrix-synapse/entrypoint.sh | 3 + app_build/nextcloud/Dockerfile | 27 ++ app_build/nextcloud/container-setup.sh | 37 ++ app_build/nextcloud/entrypoint.sh | 8 + app_build/opendkim/Dockerfile | 8 + app_build/opendkim/README.md | 12 + app_build/opendkim/opendkim.conf | 12 + app_build/pithos/0.7.5.tar.gz | Bin 0 -> 93151 bytes app_build/pithos/Dockerfile | 4 + app_build/pithos/README.md | 9 + app_build/pithos/pithos-0.7.5-standalone.jar | Bin 0 -> 21821895 bytes app_build/postfix/Dockerfile | 11 + app_build/postfix/README.md | 18 + app_build/postfix/entrypoint.sh | 30 ++ app_build/postgres/Dockerfile | 19 + app_build/postgres/README.md | 4 + app_build/postgres/postgresql.conf | 25 + app_build/postgres/start.sh | 22 + app_build/riotweb/Dockerfile | 13 + app_build/riotweb/config.json | 24 + app_build/seafile/Dockerfile | 46 ++ app_build/seafile/README.md | 27 ++ app_build/seafile/seadocker | 4 + app_build/seafile/seaenv | 7 + app_build/sogo/Dockerfile | 17 + app_build/sogo/README.md | 20 + app_build/sogo/entrypoint | 13 + app_build/sogo/sogo.nginx.conf | 83 ++++ app_build/static/Dockerfile | 9 + app_build/static/README.md | 5 + app_build/static/goStatic | 1 + app_build/webpull/.gitignore | 1 + app_build/webpull/Dockerfile.nodejs | 9 + app_build/webpull/Dockerfile.ruby | 12 + app_build/webpull/README.md | 23 + app_build/webpull/main.go | 100 ++++ app_config/configuration/.gitignore | 33 ++ .../configuration/chat/coturn/turnserver.conf.tpl | 19 + .../configuration/chat/easybridge/config.json.tpl | 17 + .../chat/easybridge/registration.yaml.tpl | 14 + app_config/configuration/chat/fb2mx/config.yaml | 133 ++++++ .../configuration/chat/fb2mx/registration.yaml | 11 + app_config/configuration/chat/riot_web/config.json | 25 + .../chat/synapse/conf.d/report_stats.yaml | 1 + .../chat/synapse/conf.d/server_name.yaml | 1 + .../configuration/chat/synapse/homeserver.yaml | 420 +++++++++++++++++ app_config/configuration/chat/synapse/log.yaml | 41 ++ .../configuration/directory/bottin/config.json | 31 ++ .../directory/guichet/config.json.tpl | 30 ++ app_config/configuration/email/dkim/keytable | 1 + app_config/configuration/email/dkim/signingtable | 2 + .../configuration/email/dkim/smtp.private.sample | 0 .../configuration/email/dkim/smtp.txt.sample | 0 app_config/configuration/email/dkim/trusted | 4 + app_config/configuration/email/dovecot/certs.gen | 13 + .../email/dovecot/dovecot-ldap.conf.tpl | 8 + app_config/configuration/email/postfix/certs.gen | 13 + .../configuration/email/postfix/dynamicmaps.cf | 9 + .../configuration/email/postfix/header_checks | 3 + .../email/postfix/ldap-account.cf.tpl | 12 + .../configuration/email/postfix/ldap-alias.cf.tpl | 9 + .../email/postfix/ldap-virtual-domains.cf.tpl | 12 + app_config/configuration/email/postfix/main.cf | 104 +++++ app_config/configuration/email/postfix/master.cf | 114 +++++ app_config/configuration/email/postfix/transport | 5 + .../configuration/email/postfix/transport.db | Bin 0 -> 12288 bytes app_config/configuration/email/sogo/sogo.conf.tpl | 68 +++ app_config/configuration/mariadb/main/env.tpl | 6 + app_config/configuration/nextcloud/config.php.tpl | 49 ++ app_config/configuration/postgres/keeper/env.tpl | 3 + .../configuration/seafile/ccnet/mykey.peer.sample | 0 app_config/configuration/seafile/ccnet/seafile.ini | 1 + .../configuration/seafile/conf/ccnet.conf.tpl | 29 ++ .../configuration/seafile/conf/mykey.peer.sample | 0 app_config/configuration/seafile/conf/seafdav.conf | 5 + .../configuration/seafile/conf/seafile.conf.tpl | 19 + .../seafile/conf/seahub_settings.py.tpl | 21 + app_config/configuration/traefik/traefik.toml | 45 ++ app_config/restore_configuration.sh | 7 + app_config/secrets/.gitignore | 10 + app_config/secrets/chat/coturn/static-auth.sample | 0 app_config/secrets/chat/fb2mx/as_token.sample | 0 app_config/secrets/chat/fb2mx/db_url.sample | 1 + app_config/secrets/chat/fb2mx/hs_token.sample | 0 .../secrets/chat/synapse/homeserver.tls.crt.sample | 0 .../secrets/chat/synapse/homeserver.tls.dh.sample | 0 .../secrets/chat/synapse/homeserver.tls.key.sample | 0 app_config/secrets/chat/synapse/ldap_binddn.sample | 0 app_config/secrets/chat/synapse/ldap_bindpw.sample | 0 app_config/secrets/chat/synapse/postgres_db.sample | 0 .../secrets/chat/synapse/postgres_pwd.sample | 0 .../secrets/chat/synapse/postgres_user.sample | 0 .../chat/synapse/registration_shared_secret.sample | 0 app_config/secrets/email/sogo/ldap_binddn.sample | 0 app_config/secrets/email/sogo/ldap_bindpw.sample | 0 app_config/secrets/email/sogo/postgre_auth.sample | 0 .../jitsi/auth.jitsi.deuxfleurs.fr.crt.sample | 0 .../jitsi/auth.jitsi.deuxfleurs.fr.key.sample | 0 app_config/secrets/jitsi/global_env.sample | 9 + .../secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample | 0 .../secrets/jitsi/jitsi.deuxfleurs.fr.key.sample | 0 app_config/secrets/mariadb/main/ldap_binddn.sample | 0 .../secrets/mariadb/main/ldap_bindpwd.sample | 0 app_config/secrets/mariadb/main/mysql_pwd.sample | 0 app_config/secrets/platoo/bddpw.sample | 0 .../secrets/postgres/keeper/pg_repl_pwd.sample | 0 .../postgres/keeper/pg_repl_username.sample | 0 .../secrets/postgres/keeper/pg_su_pwd.sample | 0 app_config/secrets/web/home_token.sample | 0 .../secrets/web/quentin.dufour.io_token.sample | 0 app_deployment/bottin2.hcl | 116 +++++ app_deployment/core.hcl | 43 ++ app_deployment/email.hcl | 475 +++++++++++++++++++ app_deployment/garage.hcl | 99 ++++ app_deployment/im.hcl | 361 ++++++++++++++ app_deployment/jitsi.hcl | 258 ++++++++++ app_deployment/mariadb.hcl | 69 +++ app_deployment/nextcloud.hcl | 67 +++ app_deployment/object_storage.hcl | 159 +++++++ app_deployment/platoo.hcl | 64 +++ app_deployment/postgres.hcl | 145 ++++++ app_deployment/science.hcl | 58 +++ app_deployment/seafile.hcl | 174 +++++++ app_deployment/traefik.hcl | 68 +++ app_deployment/web_static.hcl | 113 +++++ app_deployment/webcap.hcl | 56 +++ app_integration/jitsi/01_gen_certs.yml | 8 + app_integration/jitsi/02_run.yml | 41 ++ app_integration/jitsi/README.md | 26 ++ app_integration/jitsi/dev.env | 10 + app_integration/jitsi/jitsi-certs/.gitignore | 2 + bootstrap/README.md | 1 - bootstrap/build-installer.sh | 139 ------ consul/configuration/.gitignore | 33 -- .../configuration/chat/coturn/turnserver.conf.tpl | 19 - .../configuration/chat/easybridge/config.json.tpl | 17 - .../chat/easybridge/registration.yaml.tpl | 14 - consul/configuration/chat/fb2mx/config.yaml | 133 ------ consul/configuration/chat/fb2mx/registration.yaml | 11 - consul/configuration/chat/riot_web/config.json | 25 - .../chat/synapse/conf.d/report_stats.yaml | 1 - .../chat/synapse/conf.d/server_name.yaml | 1 - consul/configuration/chat/synapse/homeserver.yaml | 420 ----------------- consul/configuration/chat/synapse/log.yaml | 41 -- consul/configuration/directory/bottin/config.json | 31 -- .../directory/guichet/config.json.tpl | 30 -- consul/configuration/email/dkim/keytable | 1 - consul/configuration/email/dkim/signingtable | 2 - .../configuration/email/dkim/smtp.private.sample | 0 consul/configuration/email/dkim/smtp.txt.sample | 0 consul/configuration/email/dkim/trusted | 4 - consul/configuration/email/dovecot/certs.gen | 13 - .../email/dovecot/dovecot-ldap.conf.tpl | 8 - consul/configuration/email/postfix/certs.gen | 13 - consul/configuration/email/postfix/dynamicmaps.cf | 9 - consul/configuration/email/postfix/header_checks | 3 - .../email/postfix/ldap-account.cf.tpl | 12 - .../configuration/email/postfix/ldap-alias.cf.tpl | 9 - .../email/postfix/ldap-virtual-domains.cf.tpl | 12 - consul/configuration/email/postfix/main.cf | 104 ----- consul/configuration/email/postfix/master.cf | 114 ----- consul/configuration/email/postfix/transport | 5 - consul/configuration/email/postfix/transport.db | Bin 12288 -> 0 bytes consul/configuration/email/sogo/sogo.conf.tpl | 68 --- consul/configuration/mariadb/main/env.tpl | 6 - consul/configuration/nextcloud/config.php.tpl | 49 -- consul/configuration/postgres/keeper/env.tpl | 3 - .../configuration/seafile/ccnet/mykey.peer.sample | 0 consul/configuration/seafile/ccnet/seafile.ini | 1 - consul/configuration/seafile/conf/ccnet.conf.tpl | 29 -- .../configuration/seafile/conf/mykey.peer.sample | 0 consul/configuration/seafile/conf/seafdav.conf | 5 - consul/configuration/seafile/conf/seafile.conf.tpl | 19 - .../seafile/conf/seahub_settings.py.tpl | 21 - consul/configuration/traefik/traefik.toml | 45 -- consul/restore_configuration.sh | 7 - consul/secrets/.gitignore | 10 - consul/secrets/chat/coturn/static-auth.sample | 0 consul/secrets/chat/fb2mx/as_token.sample | 0 consul/secrets/chat/fb2mx/db_url.sample | 1 - consul/secrets/chat/fb2mx/hs_token.sample | 0 .../secrets/chat/synapse/homeserver.tls.crt.sample | 0 .../secrets/chat/synapse/homeserver.tls.dh.sample | 0 .../secrets/chat/synapse/homeserver.tls.key.sample | 0 consul/secrets/chat/synapse/ldap_binddn.sample | 0 consul/secrets/chat/synapse/ldap_bindpw.sample | 0 consul/secrets/chat/synapse/postgres_db.sample | 0 consul/secrets/chat/synapse/postgres_pwd.sample | 0 consul/secrets/chat/synapse/postgres_user.sample | 0 .../chat/synapse/registration_shared_secret.sample | 0 consul/secrets/email/sogo/ldap_binddn.sample | 0 consul/secrets/email/sogo/ldap_bindpw.sample | 0 consul/secrets/email/sogo/postgre_auth.sample | 0 .../jitsi/auth.jitsi.deuxfleurs.fr.crt.sample | 0 .../jitsi/auth.jitsi.deuxfleurs.fr.key.sample | 0 consul/secrets/jitsi/global_env.sample | 9 - .../secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample | 0 .../secrets/jitsi/jitsi.deuxfleurs.fr.key.sample | 0 consul/secrets/mariadb/main/ldap_binddn.sample | 0 consul/secrets/mariadb/main/ldap_bindpwd.sample | 0 consul/secrets/mariadb/main/mysql_pwd.sample | 0 consul/secrets/platoo/bddpw.sample | 0 consul/secrets/postgres/keeper/pg_repl_pwd.sample | 0 .../postgres/keeper/pg_repl_username.sample | 0 consul/secrets/postgres/keeper/pg_su_pwd.sample | 0 consul/secrets/web/home_token.sample | 0 consul/secrets/web/quentin.dufour.io_token.sample | 0 docker/README.md | 8 - docker/blog-quentin/.dockerenv | 0 docker/blog-quentin/Dockerfile | 16 - docker/blog-quentin/README.md | 1 - docker/coturn/Dockerfile | 8 - docker/coturn/README.md | 17 - docker/docker-compose.yml | 24 - docker/dovecot/.gitignore | 1 - docker/dovecot/Dockerfile | 17 - docker/dovecot/README.md | 18 - docker/dovecot/entrypoint.sh | 27 -- docker/jitsi/01_gen_certs.yml | 8 - docker/jitsi/02_run.yml | 41 -- docker/jitsi/README.md | 26 -- docker/jitsi/dev.env | 10 - docker/jitsi/jitsi-certs/.gitignore | 2 - docker/jitsi/jitsi-conference-focus/Dockerfile | 22 - docker/jitsi/jitsi-conference-focus/jicofo | 16 - docker/jitsi/jitsi-front/Dockerfile | 29 -- docker/jitsi/jitsi-front/config.js | 517 --------------------- docker/jitsi/jitsi-front/entrypoint.sh | 38 -- docker/jitsi/jitsi-videobridge/Dockerfile | 27 -- docker/jitsi/jitsi-videobridge/jvb_run | 38 -- docker/jitsi/jitsi-xmpp/Dockerfile | 11 - .../jitsi/jitsi-xmpp/external_components.cfg.lua | 2 - docker/jitsi/jitsi-xmpp/xmpp_conf | 42 -- docker/jitsi/jitsi-xmpp/xmpp_gen | 9 - docker/jitsi/jitsi-xmpp/xmpp_run | 19 - docker/landing/README.md | 3 - docker/mariadb/60-disable-dialog.cnf | 3 - docker/mariadb/60-ldap.cnf | 3 - docker/mariadb/60-remote.cnf | 2 - docker/mariadb/Dockerfile | 14 - docker/mariadb/README.md | 19 - docker/mariadb/entrypoint.sh | 50 -- docker/mariadb/nsswitch.conf | 21 - docker/mariadb/pam-mariadb | 2 - docker/matrix-synapse/Dockerfile | 47 -- docker/matrix-synapse/entrypoint.sh | 3 - docker/nextcloud/Dockerfile | 27 -- docker/nextcloud/container-setup.sh | 37 -- docker/nextcloud/entrypoint.sh | 8 - docker/opendkim/Dockerfile | 8 - docker/opendkim/README.md | 12 - docker/opendkim/opendkim.conf | 12 - docker/pithos/0.7.5.tar.gz | Bin 93151 -> 0 bytes docker/pithos/Dockerfile | 4 - docker/pithos/README.md | 9 - docker/pithos/pithos-0.7.5-standalone.jar | Bin 21821895 -> 0 bytes docker/postfix/Dockerfile | 11 - docker/postfix/README.md | 18 - docker/postfix/entrypoint.sh | 30 -- docker/postgres/Dockerfile | 19 - docker/postgres/README.md | 4 - docker/postgres/postgresql.conf | 25 - docker/postgres/start.sh | 22 - docker/riotweb/Dockerfile | 13 - docker/riotweb/config.json | 24 - docker/seafile/Dockerfile | 46 -- docker/seafile/README.md | 27 -- docker/seafile/seadocker | 4 - docker/seafile/seaenv | 7 - docker/sogo/Dockerfile | 17 - docker/sogo/README.md | 20 - docker/sogo/entrypoint | 13 - docker/sogo/sogo.nginx.conf | 83 ---- docker/static/Dockerfile | 9 - docker/static/README.md | 5 - docker/static/goStatic | 1 - docker/webpull/.gitignore | 1 - docker/webpull/Dockerfile.nodejs | 9 - docker/webpull/Dockerfile.ruby | 12 - docker/webpull/README.md | 23 - docker/webpull/main.go | 100 ---- man/create_database/README.md | 15 - man/init_stolon/README.md | 58 --- man/nextcloud/README.md | 60 --- nomad/bottin2.hcl | 116 ----- nomad/core.hcl | 43 -- nomad/email.hcl | 475 ------------------- nomad/garage.hcl | 99 ---- nomad/im.hcl | 361 -------------- nomad/jitsi.hcl | 258 ---------- nomad/mariadb.hcl | 69 --- nomad/nextcloud.hcl | 67 --- nomad/object_storage.hcl | 159 ------- nomad/platoo.hcl | 64 --- nomad/postgres.hcl | 145 ------ nomad/science.hcl | 58 --- nomad/seafile.hcl | 174 ------- nomad/traefik.hcl | 68 --- nomad/web_static.hcl | 113 ----- nomad/webcap.hcl | 56 --- op_guide/create_database/README.md | 15 + op_guide/init_stolon/README.md | 58 +++ op_guide/nextcloud/README.md | 60 +++ os_build/README.md | 1 + os_build/build-installer.sh | 139 ++++++ os_config/README.md | 15 + os_config/README.more.md | 52 +++ os_config/cluster_nodes.yml | 19 + os_config/group_vars/all/.gitignore | 1 + os_config/group_vars/all/vars_file.yml.sample | 1 + os_config/production | 4 + os_config/roles/common/tasks/main.yml | 51 ++ os_config/roles/consul/files/consul.service | 10 + os_config/roles/consul/tasks/main.yml | 26 ++ os_config/roles/consul/templates/consul.json.j2 | 30 ++ os_config/roles/consul/templates/resolv.conf.j2 | 2 + os_config/roles/consul/vars/.gitignore | 1 + os_config/roles/consul/vars/main.yml.sample | 2 + os_config/roles/network/files/rules.v6 | 12 + os_config/roles/network/tasks/main.yml | 11 + os_config/roles/network/templates/rules.v4.j2 | 36 ++ os_config/roles/nomad/files/nomad.service | 15 + os_config/roles/nomad/tasks/main.yml | 23 + os_config/roles/nomad/templates/nomad.hcl.j2 | 34 ++ os_config/roles/storage/handlers/main.yml | 3 + os_config/roles/storage/tasks/main.yml | 72 +++ os_config/roles/users/files/alex-key1.pub | 1 + os_config/roles/users/files/alex-key2.pub | 1 + os_config/roles/users/files/florian-key1.pub | 1 + os_config/roles/users/files/florian-key2.pub | 1 + os_config/roles/users/files/maximilien-key1.pub | 1 + os_config/roles/users/files/quentin-key1.pub | 1 + os_config/roles/users/files/quentin-key2.pub | 1 + os_config/roles/users/tasks/main.yml | 39 ++ os_config/roles/users/vars/main.yml | 30 ++ os_config/site.yml | 2 + 402 files changed, 6326 insertions(+), 6277 deletions(-) delete mode 100644 ansible/README.md delete mode 100644 ansible/README.more.md delete mode 100644 ansible/cluster_nodes.yml delete mode 100644 ansible/group_vars/all/.gitignore delete mode 100644 ansible/group_vars/all/vars_file.yml.sample delete mode 100644 ansible/production delete mode 100644 ansible/roles/common/tasks/main.yml delete mode 100644 ansible/roles/consul/files/consul.service delete mode 100644 ansible/roles/consul/tasks/main.yml delete mode 100644 ansible/roles/consul/templates/consul.json.j2 delete mode 100644 ansible/roles/consul/templates/resolv.conf.j2 delete mode 100644 ansible/roles/consul/vars/.gitignore delete mode 100644 ansible/roles/consul/vars/main.yml.sample delete mode 100644 ansible/roles/network/files/rules.v6 delete mode 100644 ansible/roles/network/tasks/main.yml delete mode 100644 ansible/roles/network/templates/rules.v4.j2 delete mode 100644 ansible/roles/nomad/files/nomad.service delete mode 100644 ansible/roles/nomad/tasks/main.yml delete mode 100644 ansible/roles/nomad/templates/nomad.hcl.j2 delete mode 100644 ansible/roles/storage/handlers/main.yml delete mode 100644 ansible/roles/storage/tasks/main.yml delete mode 100644 ansible/roles/users/files/alex-key1.pub delete mode 100644 ansible/roles/users/files/alex-key2.pub delete mode 100644 ansible/roles/users/files/florian-key1.pub delete mode 100644 ansible/roles/users/files/florian-key2.pub delete mode 100644 ansible/roles/users/files/maximilien-key1.pub delete mode 100644 ansible/roles/users/files/quentin-key1.pub delete mode 100644 ansible/roles/users/files/quentin-key2.pub delete mode 100644 ansible/roles/users/tasks/main.yml delete mode 100644 ansible/roles/users/vars/main.yml delete mode 100644 ansible/site.yml create mode 100644 app_build/README.md create mode 100755 app_build/blog-quentin/.dockerenv create mode 100644 app_build/blog-quentin/Dockerfile create mode 100644 app_build/blog-quentin/README.md create mode 100644 app_build/coturn/Dockerfile create mode 100644 app_build/coturn/README.md create mode 100644 app_build/docker-compose.yml create mode 100644 app_build/dovecot/.gitignore create mode 100644 app_build/dovecot/Dockerfile create mode 100644 app_build/dovecot/README.md create mode 100755 app_build/dovecot/entrypoint.sh create mode 100644 app_build/jitsi-conference-focus/Dockerfile create mode 100755 app_build/jitsi-conference-focus/jicofo create mode 100644 app_build/jitsi-meet/Dockerfile create mode 100644 app_build/jitsi-meet/config.js create mode 100755 app_build/jitsi-meet/entrypoint.sh create mode 100644 app_build/jitsi-videobridge/Dockerfile create mode 100755 app_build/jitsi-videobridge/jvb_run create mode 100644 app_build/jitsi-xmpp/Dockerfile create mode 100644 app_build/jitsi-xmpp/external_components.cfg.lua create mode 100755 app_build/jitsi-xmpp/xmpp_conf create mode 100755 app_build/jitsi-xmpp/xmpp_gen create mode 100755 app_build/jitsi-xmpp/xmpp_run create mode 100644 app_build/landing/README.md create mode 100644 app_build/mariadb/60-disable-dialog.cnf create mode 100644 app_build/mariadb/60-ldap.cnf create mode 100644 app_build/mariadb/60-remote.cnf create mode 100644 app_build/mariadb/Dockerfile create mode 100644 app_build/mariadb/README.md create mode 100755 app_build/mariadb/entrypoint.sh create mode 100644 app_build/mariadb/nsswitch.conf create mode 100644 app_build/mariadb/pam-mariadb create mode 100644 app_build/matrix-synapse/Dockerfile create mode 100755 app_build/matrix-synapse/entrypoint.sh create mode 100644 app_build/nextcloud/Dockerfile create mode 100755 app_build/nextcloud/container-setup.sh create mode 100755 app_build/nextcloud/entrypoint.sh create mode 100644 app_build/opendkim/Dockerfile create mode 100644 app_build/opendkim/README.md create mode 100644 app_build/opendkim/opendkim.conf create mode 100644 app_build/pithos/0.7.5.tar.gz create mode 100644 app_build/pithos/Dockerfile create mode 100644 app_build/pithos/README.md create mode 100644 app_build/pithos/pithos-0.7.5-standalone.jar create mode 100644 app_build/postfix/Dockerfile create mode 100644 app_build/postfix/README.md create mode 100755 app_build/postfix/entrypoint.sh create mode 100644 app_build/postgres/Dockerfile create mode 100644 app_build/postgres/README.md create mode 100644 app_build/postgres/postgresql.conf create mode 100755 app_build/postgres/start.sh create mode 100644 app_build/riotweb/Dockerfile create mode 100644 app_build/riotweb/config.json create mode 100644 app_build/seafile/Dockerfile create mode 100644 app_build/seafile/README.md create mode 100755 app_build/seafile/seadocker create mode 100755 app_build/seafile/seaenv create mode 100644 app_build/sogo/Dockerfile create mode 100644 app_build/sogo/README.md create mode 100755 app_build/sogo/entrypoint create mode 100644 app_build/sogo/sogo.nginx.conf create mode 100644 app_build/static/Dockerfile create mode 100644 app_build/static/README.md create mode 160000 app_build/static/goStatic create mode 100644 app_build/webpull/.gitignore create mode 100644 app_build/webpull/Dockerfile.nodejs create mode 100644 app_build/webpull/Dockerfile.ruby create mode 100644 app_build/webpull/README.md create mode 100644 app_build/webpull/main.go create mode 100644 app_config/configuration/.gitignore create mode 100644 app_config/configuration/chat/coturn/turnserver.conf.tpl create mode 100644 app_config/configuration/chat/easybridge/config.json.tpl create mode 100644 app_config/configuration/chat/easybridge/registration.yaml.tpl create mode 100644 app_config/configuration/chat/fb2mx/config.yaml create mode 100644 app_config/configuration/chat/fb2mx/registration.yaml create mode 100644 app_config/configuration/chat/riot_web/config.json create mode 100644 app_config/configuration/chat/synapse/conf.d/report_stats.yaml create mode 100644 app_config/configuration/chat/synapse/conf.d/server_name.yaml create mode 100644 app_config/configuration/chat/synapse/homeserver.yaml create mode 100644 app_config/configuration/chat/synapse/log.yaml create mode 100644 app_config/configuration/directory/bottin/config.json create mode 100644 app_config/configuration/directory/guichet/config.json.tpl create mode 100644 app_config/configuration/email/dkim/keytable create mode 100644 app_config/configuration/email/dkim/signingtable create mode 100644 app_config/configuration/email/dkim/smtp.private.sample create mode 100644 app_config/configuration/email/dkim/smtp.txt.sample create mode 100644 app_config/configuration/email/dkim/trusted create mode 100755 app_config/configuration/email/dovecot/certs.gen create mode 100644 app_config/configuration/email/dovecot/dovecot-ldap.conf.tpl create mode 100755 app_config/configuration/email/postfix/certs.gen create mode 100644 app_config/configuration/email/postfix/dynamicmaps.cf create mode 100644 app_config/configuration/email/postfix/header_checks create mode 100644 app_config/configuration/email/postfix/ldap-account.cf.tpl create mode 100644 app_config/configuration/email/postfix/ldap-alias.cf.tpl create mode 100644 app_config/configuration/email/postfix/ldap-virtual-domains.cf.tpl create mode 100644 app_config/configuration/email/postfix/main.cf create mode 100644 app_config/configuration/email/postfix/master.cf create mode 100644 app_config/configuration/email/postfix/transport create mode 100644 app_config/configuration/email/postfix/transport.db create mode 100644 app_config/configuration/email/sogo/sogo.conf.tpl create mode 100644 app_config/configuration/mariadb/main/env.tpl create mode 100644 app_config/configuration/nextcloud/config.php.tpl create mode 100644 app_config/configuration/postgres/keeper/env.tpl create mode 100644 app_config/configuration/seafile/ccnet/mykey.peer.sample create mode 100644 app_config/configuration/seafile/ccnet/seafile.ini create mode 100644 app_config/configuration/seafile/conf/ccnet.conf.tpl create mode 100644 app_config/configuration/seafile/conf/mykey.peer.sample create mode 100644 app_config/configuration/seafile/conf/seafdav.conf create mode 100644 app_config/configuration/seafile/conf/seafile.conf.tpl create mode 100644 app_config/configuration/seafile/conf/seahub_settings.py.tpl create mode 100644 app_config/configuration/traefik/traefik.toml create mode 100755 app_config/restore_configuration.sh create mode 100644 app_config/secrets/.gitignore create mode 100644 app_config/secrets/chat/coturn/static-auth.sample create mode 100644 app_config/secrets/chat/fb2mx/as_token.sample create mode 100644 app_config/secrets/chat/fb2mx/db_url.sample create mode 100644 app_config/secrets/chat/fb2mx/hs_token.sample create mode 100644 app_config/secrets/chat/synapse/homeserver.tls.crt.sample create mode 100644 app_config/secrets/chat/synapse/homeserver.tls.dh.sample create mode 100644 app_config/secrets/chat/synapse/homeserver.tls.key.sample create mode 100644 app_config/secrets/chat/synapse/ldap_binddn.sample create mode 100644 app_config/secrets/chat/synapse/ldap_bindpw.sample create mode 100644 app_config/secrets/chat/synapse/postgres_db.sample create mode 100644 app_config/secrets/chat/synapse/postgres_pwd.sample create mode 100644 app_config/secrets/chat/synapse/postgres_user.sample create mode 100644 app_config/secrets/chat/synapse/registration_shared_secret.sample create mode 100644 app_config/secrets/email/sogo/ldap_binddn.sample create mode 100644 app_config/secrets/email/sogo/ldap_bindpw.sample create mode 100644 app_config/secrets/email/sogo/postgre_auth.sample create mode 100644 app_config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample create mode 100644 app_config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample create mode 100644 app_config/secrets/jitsi/global_env.sample create mode 100644 app_config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample create mode 100644 app_config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample create mode 100644 app_config/secrets/mariadb/main/ldap_binddn.sample create mode 100644 app_config/secrets/mariadb/main/ldap_bindpwd.sample create mode 100644 app_config/secrets/mariadb/main/mysql_pwd.sample create mode 100644 app_config/secrets/platoo/bddpw.sample create mode 100644 app_config/secrets/postgres/keeper/pg_repl_pwd.sample create mode 100644 app_config/secrets/postgres/keeper/pg_repl_username.sample create mode 100644 app_config/secrets/postgres/keeper/pg_su_pwd.sample create mode 100644 app_config/secrets/web/home_token.sample create mode 100644 app_config/secrets/web/quentin.dufour.io_token.sample create mode 100644 app_deployment/bottin2.hcl create mode 100644 app_deployment/core.hcl create mode 100644 app_deployment/email.hcl create mode 100644 app_deployment/garage.hcl create mode 100644 app_deployment/im.hcl create mode 100644 app_deployment/jitsi.hcl create mode 100644 app_deployment/mariadb.hcl create mode 100644 app_deployment/nextcloud.hcl create mode 100644 app_deployment/object_storage.hcl create mode 100644 app_deployment/platoo.hcl create mode 100644 app_deployment/postgres.hcl create mode 100644 app_deployment/science.hcl create mode 100644 app_deployment/seafile.hcl create mode 100644 app_deployment/traefik.hcl create mode 100644 app_deployment/web_static.hcl create mode 100644 app_deployment/webcap.hcl create mode 100644 app_integration/jitsi/01_gen_certs.yml create mode 100644 app_integration/jitsi/02_run.yml create mode 100644 app_integration/jitsi/README.md create mode 100644 app_integration/jitsi/dev.env create mode 100644 app_integration/jitsi/jitsi-certs/.gitignore delete mode 100644 bootstrap/README.md delete mode 100644 bootstrap/build-installer.sh delete mode 100644 consul/configuration/.gitignore delete mode 100644 consul/configuration/chat/coturn/turnserver.conf.tpl delete mode 100644 consul/configuration/chat/easybridge/config.json.tpl delete mode 100644 consul/configuration/chat/easybridge/registration.yaml.tpl delete mode 100644 consul/configuration/chat/fb2mx/config.yaml delete mode 100644 consul/configuration/chat/fb2mx/registration.yaml delete mode 100644 consul/configuration/chat/riot_web/config.json delete mode 100644 consul/configuration/chat/synapse/conf.d/report_stats.yaml delete mode 100644 consul/configuration/chat/synapse/conf.d/server_name.yaml delete mode 100644 consul/configuration/chat/synapse/homeserver.yaml delete mode 100644 consul/configuration/chat/synapse/log.yaml delete mode 100644 consul/configuration/directory/bottin/config.json delete mode 100644 consul/configuration/directory/guichet/config.json.tpl delete mode 100644 consul/configuration/email/dkim/keytable delete mode 100644 consul/configuration/email/dkim/signingtable delete mode 100644 consul/configuration/email/dkim/smtp.private.sample delete mode 100644 consul/configuration/email/dkim/smtp.txt.sample delete mode 100644 consul/configuration/email/dkim/trusted delete mode 100755 consul/configuration/email/dovecot/certs.gen delete mode 100644 consul/configuration/email/dovecot/dovecot-ldap.conf.tpl delete mode 100755 consul/configuration/email/postfix/certs.gen delete mode 100644 consul/configuration/email/postfix/dynamicmaps.cf delete mode 100644 consul/configuration/email/postfix/header_checks delete mode 100644 consul/configuration/email/postfix/ldap-account.cf.tpl delete mode 100644 consul/configuration/email/postfix/ldap-alias.cf.tpl delete mode 100644 consul/configuration/email/postfix/ldap-virtual-domains.cf.tpl delete mode 100644 consul/configuration/email/postfix/main.cf delete mode 100644 consul/configuration/email/postfix/master.cf delete mode 100644 consul/configuration/email/postfix/transport delete mode 100644 consul/configuration/email/postfix/transport.db delete mode 100644 consul/configuration/email/sogo/sogo.conf.tpl delete mode 100644 consul/configuration/mariadb/main/env.tpl delete mode 100644 consul/configuration/nextcloud/config.php.tpl delete mode 100644 consul/configuration/postgres/keeper/env.tpl delete mode 100644 consul/configuration/seafile/ccnet/mykey.peer.sample delete mode 100644 consul/configuration/seafile/ccnet/seafile.ini delete mode 100644 consul/configuration/seafile/conf/ccnet.conf.tpl delete mode 100644 consul/configuration/seafile/conf/mykey.peer.sample delete mode 100644 consul/configuration/seafile/conf/seafdav.conf delete mode 100644 consul/configuration/seafile/conf/seafile.conf.tpl delete mode 100644 consul/configuration/seafile/conf/seahub_settings.py.tpl delete mode 100644 consul/configuration/traefik/traefik.toml delete mode 100755 consul/restore_configuration.sh delete mode 100644 consul/secrets/.gitignore delete mode 100644 consul/secrets/chat/coturn/static-auth.sample delete mode 100644 consul/secrets/chat/fb2mx/as_token.sample delete mode 100644 consul/secrets/chat/fb2mx/db_url.sample delete mode 100644 consul/secrets/chat/fb2mx/hs_token.sample delete mode 100644 consul/secrets/chat/synapse/homeserver.tls.crt.sample delete mode 100644 consul/secrets/chat/synapse/homeserver.tls.dh.sample delete mode 100644 consul/secrets/chat/synapse/homeserver.tls.key.sample delete mode 100644 consul/secrets/chat/synapse/ldap_binddn.sample delete mode 100644 consul/secrets/chat/synapse/ldap_bindpw.sample delete mode 100644 consul/secrets/chat/synapse/postgres_db.sample delete mode 100644 consul/secrets/chat/synapse/postgres_pwd.sample delete mode 100644 consul/secrets/chat/synapse/postgres_user.sample delete mode 100644 consul/secrets/chat/synapse/registration_shared_secret.sample delete mode 100644 consul/secrets/email/sogo/ldap_binddn.sample delete mode 100644 consul/secrets/email/sogo/ldap_bindpw.sample delete mode 100644 consul/secrets/email/sogo/postgre_auth.sample delete mode 100644 consul/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample delete mode 100644 consul/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample delete mode 100644 consul/secrets/jitsi/global_env.sample delete mode 100644 consul/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample delete mode 100644 consul/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample delete mode 100644 consul/secrets/mariadb/main/ldap_binddn.sample delete mode 100644 consul/secrets/mariadb/main/ldap_bindpwd.sample delete mode 100644 consul/secrets/mariadb/main/mysql_pwd.sample delete mode 100644 consul/secrets/platoo/bddpw.sample delete mode 100644 consul/secrets/postgres/keeper/pg_repl_pwd.sample delete mode 100644 consul/secrets/postgres/keeper/pg_repl_username.sample delete mode 100644 consul/secrets/postgres/keeper/pg_su_pwd.sample delete mode 100644 consul/secrets/web/home_token.sample delete mode 100644 consul/secrets/web/quentin.dufour.io_token.sample delete mode 100644 docker/README.md delete mode 100755 docker/blog-quentin/.dockerenv delete mode 100644 docker/blog-quentin/Dockerfile delete mode 100644 docker/blog-quentin/README.md delete mode 100644 docker/coturn/Dockerfile delete mode 100644 docker/coturn/README.md delete mode 100644 docker/docker-compose.yml delete mode 100644 docker/dovecot/.gitignore delete mode 100644 docker/dovecot/Dockerfile delete mode 100644 docker/dovecot/README.md delete mode 100755 docker/dovecot/entrypoint.sh delete mode 100644 docker/jitsi/01_gen_certs.yml delete mode 100644 docker/jitsi/02_run.yml delete mode 100644 docker/jitsi/README.md delete mode 100644 docker/jitsi/dev.env delete mode 100644 docker/jitsi/jitsi-certs/.gitignore delete mode 100644 docker/jitsi/jitsi-conference-focus/Dockerfile delete mode 100755 docker/jitsi/jitsi-conference-focus/jicofo delete mode 100644 docker/jitsi/jitsi-front/Dockerfile delete mode 100644 docker/jitsi/jitsi-front/config.js delete mode 100755 docker/jitsi/jitsi-front/entrypoint.sh delete mode 100644 docker/jitsi/jitsi-videobridge/Dockerfile delete mode 100755 docker/jitsi/jitsi-videobridge/jvb_run delete mode 100644 docker/jitsi/jitsi-xmpp/Dockerfile delete mode 100644 docker/jitsi/jitsi-xmpp/external_components.cfg.lua delete mode 100755 docker/jitsi/jitsi-xmpp/xmpp_conf delete mode 100755 docker/jitsi/jitsi-xmpp/xmpp_gen delete mode 100755 docker/jitsi/jitsi-xmpp/xmpp_run delete mode 100644 docker/landing/README.md delete mode 100644 docker/mariadb/60-disable-dialog.cnf delete mode 100644 docker/mariadb/60-ldap.cnf delete mode 100644 docker/mariadb/60-remote.cnf delete mode 100644 docker/mariadb/Dockerfile delete mode 100644 docker/mariadb/README.md delete mode 100755 docker/mariadb/entrypoint.sh delete mode 100644 docker/mariadb/nsswitch.conf delete mode 100644 docker/mariadb/pam-mariadb delete mode 100644 docker/matrix-synapse/Dockerfile delete mode 100755 docker/matrix-synapse/entrypoint.sh delete mode 100644 docker/nextcloud/Dockerfile delete mode 100755 docker/nextcloud/container-setup.sh delete mode 100755 docker/nextcloud/entrypoint.sh delete mode 100644 docker/opendkim/Dockerfile delete mode 100644 docker/opendkim/README.md delete mode 100644 docker/opendkim/opendkim.conf delete mode 100644 docker/pithos/0.7.5.tar.gz delete mode 100644 docker/pithos/Dockerfile delete mode 100644 docker/pithos/README.md delete mode 100644 docker/pithos/pithos-0.7.5-standalone.jar delete mode 100644 docker/postfix/Dockerfile delete mode 100644 docker/postfix/README.md delete mode 100755 docker/postfix/entrypoint.sh delete mode 100644 docker/postgres/Dockerfile delete mode 100644 docker/postgres/README.md delete mode 100644 docker/postgres/postgresql.conf delete mode 100755 docker/postgres/start.sh delete mode 100644 docker/riotweb/Dockerfile delete mode 100644 docker/riotweb/config.json delete mode 100644 docker/seafile/Dockerfile delete mode 100644 docker/seafile/README.md delete mode 100755 docker/seafile/seadocker delete mode 100755 docker/seafile/seaenv delete mode 100644 docker/sogo/Dockerfile delete mode 100644 docker/sogo/README.md delete mode 100755 docker/sogo/entrypoint delete mode 100644 docker/sogo/sogo.nginx.conf delete mode 100644 docker/static/Dockerfile delete mode 100644 docker/static/README.md delete mode 160000 docker/static/goStatic delete mode 100644 docker/webpull/.gitignore delete mode 100644 docker/webpull/Dockerfile.nodejs delete mode 100644 docker/webpull/Dockerfile.ruby delete mode 100644 docker/webpull/README.md delete mode 100644 docker/webpull/main.go delete mode 100644 man/create_database/README.md delete mode 100644 man/init_stolon/README.md delete mode 100644 man/nextcloud/README.md delete mode 100644 nomad/bottin2.hcl delete mode 100644 nomad/core.hcl delete mode 100644 nomad/email.hcl delete mode 100644 nomad/garage.hcl delete mode 100644 nomad/im.hcl delete mode 100644 nomad/jitsi.hcl delete mode 100644 nomad/mariadb.hcl delete mode 100644 nomad/nextcloud.hcl delete mode 100644 nomad/object_storage.hcl delete mode 100644 nomad/platoo.hcl delete mode 100644 nomad/postgres.hcl delete mode 100644 nomad/science.hcl delete mode 100644 nomad/seafile.hcl delete mode 100644 nomad/traefik.hcl delete mode 100644 nomad/web_static.hcl delete mode 100644 nomad/webcap.hcl create mode 100644 op_guide/create_database/README.md create mode 100644 op_guide/init_stolon/README.md create mode 100644 op_guide/nextcloud/README.md create mode 100644 os_build/README.md create mode 100644 os_build/build-installer.sh create mode 100644 os_config/README.md create mode 100644 os_config/README.more.md create mode 100644 os_config/cluster_nodes.yml create mode 100644 os_config/group_vars/all/.gitignore create mode 100644 os_config/group_vars/all/vars_file.yml.sample create mode 100644 os_config/production create mode 100644 os_config/roles/common/tasks/main.yml create mode 100644 os_config/roles/consul/files/consul.service create mode 100644 os_config/roles/consul/tasks/main.yml create mode 100644 os_config/roles/consul/templates/consul.json.j2 create mode 100644 os_config/roles/consul/templates/resolv.conf.j2 create mode 100644 os_config/roles/consul/vars/.gitignore create mode 100644 os_config/roles/consul/vars/main.yml.sample create mode 100644 os_config/roles/network/files/rules.v6 create mode 100644 os_config/roles/network/tasks/main.yml create mode 100644 os_config/roles/network/templates/rules.v4.j2 create mode 100644 os_config/roles/nomad/files/nomad.service create mode 100644 os_config/roles/nomad/tasks/main.yml create mode 100644 os_config/roles/nomad/templates/nomad.hcl.j2 create mode 100644 os_config/roles/storage/handlers/main.yml create mode 100644 os_config/roles/storage/tasks/main.yml create mode 100644 os_config/roles/users/files/alex-key1.pub create mode 100644 os_config/roles/users/files/alex-key2.pub create mode 100644 os_config/roles/users/files/florian-key1.pub create mode 100644 os_config/roles/users/files/florian-key2.pub create mode 100644 os_config/roles/users/files/maximilien-key1.pub create mode 100644 os_config/roles/users/files/quentin-key1.pub create mode 100644 os_config/roles/users/files/quentin-key2.pub create mode 100644 os_config/roles/users/tasks/main.yml create mode 100644 os_config/roles/users/vars/main.yml create mode 100644 os_config/site.yml diff --git a/.gitmodules b/.gitmodules index aec303d..74f1c95 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,5 +1,5 @@ [submodule "docker/static/goStatic"] - path = docker/static/goStatic + path = app_build/static/goStatic url = https://github.com/PierreZ/goStatic [submodule "docker/blog/quentin.dufour.io"] path = docker/blog-quentin/quentin.dufour.io diff --git a/README.md b/README.md index 1c0375b..d080367 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ We try to build a generic abstraction stack between our different resources (CPU * ansible (physical node conf) * nomad (schedule containers) * consul (distributed key value store / lock / service discovery) - * glusterfs (file storage) + * garage/glusterfs (file storage) * stolon + postgresql (distributed relational database) * docker (container tool) * bottin (LDAP server, auth) @@ -23,6 +23,19 @@ Some services we provide: As a generic abstraction is provided, deploying new services should be easy. +## I am lost, how this repo works? + +To ease the development, we make the choice of a fully integrated environment + + 1. `os_build`: where you will build our OS image based on Debian that you will install on your server + 2. `os_config`: our Ansible recipes to configure and update your freshly installed server + 3. `app_build`: our Docker files to build immutable images of our applications + 4. `app_integration`: Our Docker compose files to test locally how our built images interact together + 5. `app_config`: Files containing application configurations to be deployed on Consul Key Value Store + 6. `app_deployment`: Files containing application definitions to be deployed on Nomad Scheduler + 7. `op_guide`: Guides to explain you operations you can do cluster wide (like configuring postgres) + + ## Start hacking ### Clone the repository diff --git a/ansible/README.md b/ansible/README.md deleted file mode 100644 index db8d960..0000000 --- a/ansible/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# ANSIBLE - -## How to proceed - -For each machine, **one by one** do: - - Check that cluster is healthy - - `sudo gluster peer status` - - `sudo gluster volume status all` (check Online Col, only `Y` must appear) - - Check that Nomad is healthy - - Check that Consul is healthy - - Check that Postgres is healthy - - Run `ansible-playbook -i production --limit site.yml` - - Reboot - - Check that cluster is healthy - diff --git a/ansible/README.more.md b/ansible/README.more.md deleted file mode 100644 index 0d0c607..0000000 --- a/ansible/README.more.md +++ /dev/null @@ -1,52 +0,0 @@ - -## Provisionning - - 1. Need a public IP address - 2. Deploy Debian sid/buster - 3. Add a DNS entry like xxxx.machine.deuxfleurs.fr A 0.0.0.0 in Cloudflare + Havelock - 4. Setup the fqdn in /etc/hosts (127.0.1.1 xxxx.machine.deuxfleurs.fr) - 5. Switch the SSH port to the port 110 - 6. Add the server to the ./production file - 7. Reboot machine - 8. Deploy Ansible - 9. Check that everything works as intended - 10. Update NS 1.cluster.deuxfleurs.fr - -## Useful commands - -Show every variables collected by Ansible for a given host: - -``` -ansible -i production villequin.machine.deuxfleurs.fr -m setup -``` - -Run playbook for only one host: - -``` -ansible-playbook -i production --limit villequin.machine.deuxfleurs.fr site.yml -``` - -Dump hostvars: - -``` -ansible -m debug villequin.machine.deuxfleurs.fr -i ./production -a "var=hostvars" -``` - -Deploy only one tag: - -``` -ansible-playbook -i production site.yml --tags "container" -``` - -Redeploy everything: - -``` -ansible-playbook -i production site.yml -``` - -Upgrade packages and force overwirte to fix bad packing done by GlusterFS: - -``` -apt-get -o Dpkg::Options::="--force-overwrite" dist-upgrade -y -``` - diff --git a/ansible/cluster_nodes.yml b/ansible/cluster_nodes.yml deleted file mode 100644 index ea58630..0000000 --- a/ansible/cluster_nodes.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - -- hosts: cluster_nodes - serial: 1 - roles: - - role: common - tags: base - - role: users - tags: account - - role: consul - tags: kv - - role: nomad - tags: orchestrator - - role: network - tags: net - -# UNSAFE!! This section configures glusterfs. Once done, don't run it ever again as it may break stuff. -# - role: storage -# tags: sto diff --git a/ansible/group_vars/all/.gitignore b/ansible/group_vars/all/.gitignore deleted file mode 100644 index 9271182..0000000 --- a/ansible/group_vars/all/.gitignore +++ /dev/null @@ -1 +0,0 @@ -vars_file.yml diff --git a/ansible/group_vars/all/vars_file.yml.sample b/ansible/group_vars/all/vars_file.yml.sample deleted file mode 100644 index 191f35c..0000000 --- a/ansible/group_vars/all/vars_file.yml.sample +++ /dev/null @@ -1 +0,0 @@ -consul_gossip_encrypt: 'xxx' diff --git a/ansible/production b/ansible/production deleted file mode 100644 index c8f08f2..0000000 --- a/ansible/production +++ /dev/null @@ -1,4 +0,0 @@ -[cluster_nodes] -veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1 dns_server=80.67.169.40 -silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1 dns_server=80.67.169.40 -wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1 dns_server=80.67.169.40 diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml deleted file mode 100644 index b4d00bb..0000000 --- a/ansible/roles/common/tasks/main.yml +++ /dev/null @@ -1,51 +0,0 @@ -- name: "Check that host runs Debian buster/sid on armv7l or x86_64" - assert: - that: - - "ansible_architecture == 'aarch64' or ansible_architecture == 'armv7l' or ansible_architecture == 'x86_64'" - - "ansible_os_family == 'Debian'" - -- name: "Upgrade system" - apt: - upgrade: dist # Should we do a full uprade instead of a dist one? - update_cache: yes - cache_valid_time: 3600 - autoclean: yes - autoremove: yes - -- name: "Install base tools" - apt: - name: - - vim - - htop - - screen - - iptables - - iptables-persistent - - nftables - - iproute2 - - curl - - iputils-ping - - dnsutils - - bmon - - iftop - - iotop - - docker.io - - unzip - - tar - - tcpdump - - less - - parted - - btrfs-tools - - libnss-resolve - - net-tools - - strace - - sudo - state: present - -- name: "Passwordless sudo" - lineinfile: - path: /etc/sudoers - state: present - regexp: '^%sudo' - line: '%sudo ALL=(ALL) NOPASSWD: ALL' - validate: 'visudo -cf %s' - diff --git a/ansible/roles/consul/files/consul.service b/ansible/roles/consul/files/consul.service deleted file mode 100644 index ffaa2a3..0000000 --- a/ansible/roles/consul/files/consul.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Consul -After=network-online.target -Wants=network-online.target - -[Service] -ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul - -[Install] -WantedBy=multi-user.target diff --git a/ansible/roles/consul/tasks/main.yml b/ansible/roles/consul/tasks/main.yml deleted file mode 100644 index 2b77080..0000000 --- a/ansible/roles/consul/tasks/main.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: "Set consul version" - set_fact: - consul_version: 1.8.0 - -- name: "Download and install Consul for x86_64" - unarchive: - src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" - dest: /usr/local/bin - remote_src: yes - when: - - "ansible_architecture == 'x86_64'" - -- name: "Create consul configuration directory" - file: path=/etc/consul/ state=directory - -- name: "Deploy consul configuration" - template: src=consul.json.j2 dest=/etc/consul/consul.json - -- name: "Deploy consul systemd service" - copy: src=consul.service dest=/etc/systemd/system/consul.service - -- name: "Enable consul systemd service at boot" - service: name=consul state=started enabled=yes daemon_reload=yes - -- name: "Deploy resolv.conf to use Consul" - template: src=resolv.conf.j2 dest=/etc/resolv.conf diff --git a/ansible/roles/consul/templates/consul.json.j2 b/ansible/roles/consul/templates/consul.json.j2 deleted file mode 100644 index b6c86aa..0000000 --- a/ansible/roles/consul/templates/consul.json.j2 +++ /dev/null @@ -1,30 +0,0 @@ -{ - "data_dir": "/var/lib/consul", - "bind_addr": "0.0.0.0", - "advertise_addr": "{{ public_ip }}", - "addresses": { - "dns": "0.0.0.0", - "http": "0.0.0.0" - }, - "retry_join": [ - {% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #} - "{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }} - {% endfor %} - ], - "bootstrap_expect": 3, - "server": true, - "ui": true, - "ports": { - "dns": 53 - }, - "recursors": [ - "{{ dns_server }}" - ], - "encrypt": "{{ consul_gossip_encrypt }}", - "domain": "2.cluster.deuxfleurs.fr", - "performance": { - "raft_multiplier": 10, - "rpc_hold_timeout": "30s", - "leave_drain_time": "30s" - } -} diff --git a/ansible/roles/consul/templates/resolv.conf.j2 b/ansible/roles/consul/templates/resolv.conf.j2 deleted file mode 100644 index 2404034..0000000 --- a/ansible/roles/consul/templates/resolv.conf.j2 +++ /dev/null @@ -1,2 +0,0 @@ -nameserver {{ private_ip }} -nameserver {{ dns_server }} diff --git a/ansible/roles/consul/vars/.gitignore b/ansible/roles/consul/vars/.gitignore deleted file mode 100644 index ff5c0bd..0000000 --- a/ansible/roles/consul/vars/.gitignore +++ /dev/null @@ -1 +0,0 @@ -main.yml diff --git a/ansible/roles/consul/vars/main.yml.sample b/ansible/roles/consul/vars/main.yml.sample deleted file mode 100644 index 9c44126..0000000 --- a/ansible/roles/consul/vars/main.yml.sample +++ /dev/null @@ -1,2 +0,0 @@ ---- -consul_gossip_encrypt: "" diff --git a/ansible/roles/network/files/rules.v6 b/ansible/roles/network/files/rules.v6 deleted file mode 100644 index 17ff71c..0000000 --- a/ansible/roles/network/files/rules.v6 +++ /dev/null @@ -1,12 +0,0 @@ -# WARNING!! When rules.{v4,v6} are changed, the whole iptables configuration is reloaded. -# This creates issues with Docker, which injects its own configuration in iptables when it starts. -# In practice, most (all?) containers will break if rules.{v4,v6} are changed, -# and docker will have to be restared. - - -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT - diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml deleted file mode 100644 index 1443e0c..0000000 --- a/ansible/roles/network/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: "Deploy iptablesv4 configuration" - template: src=rules.v4.j2 dest=/etc/iptables/rules.v4 - -- name: "Deploy iptablesv6 configuration" - copy: src=rules.v6 dest=/etc/iptables/rules.v6 - -- name: "Activate IP forwarding" - sysctl: - name: net.ipv4.ip_forward - value: "1" - sysctl_set: yes diff --git a/ansible/roles/network/templates/rules.v4.j2 b/ansible/roles/network/templates/rules.v4.j2 deleted file mode 100644 index a446139..0000000 --- a/ansible/roles/network/templates/rules.v4.j2 +++ /dev/null @@ -1,36 +0,0 @@ -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] - -# Administration --A INPUT -p tcp --dport 22 -j ACCEPT - -# Cluster --A INPUT -s 192.168.1.254 -j ACCEPT --A INPUT -s 82.253.205.190 -j ACCEPT -{% for selected_host in groups['cluster_nodes'] %} --A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT --A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT -{% endfor %} - -# Local --A INPUT -i docker0 -j ACCEPT --A INPUT -s 127.0.0.1/8 -j ACCEPT --A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -COMMIT - -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT - -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT diff --git a/ansible/roles/nomad/files/nomad.service b/ansible/roles/nomad/files/nomad.service deleted file mode 100644 index 50116be..0000000 --- a/ansible/roles/nomad/files/nomad.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=Nomad -After=network-online.target -After=glusterd.service -After=consul.service -Wants=network-online.target -Wants=glusterd.service -Wants=consul.service - -[Service] -ExecStart=/usr/local/bin/nomad agent -config /etc/nomad - -[Install] -WantedBy=multi-user.target - diff --git a/ansible/roles/nomad/tasks/main.yml b/ansible/roles/nomad/tasks/main.yml deleted file mode 100644 index 7c73362..0000000 --- a/ansible/roles/nomad/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: "Set nomad version" - set_fact: - nomad_version: 0.12.0-beta2 - -- name: "Download and install Nomad for x86_64" - unarchive: - src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" - dest: /usr/local/bin - remote_src: yes - when: - - "ansible_architecture == 'x86_64'" - -- name: "Create Nomad configuration directory" - file: path=/etc/nomad/ state=directory - -- name: "Deploy Nomad configuration" - template: src=nomad.hcl.j2 dest=/etc/nomad/nomad.hcl - -- name: "Deploy Nomad systemd service" - copy: src=nomad.service dest=/etc/systemd/system/nomad.service - -- name: "Enable Nomad systemd service at boot" - service: name=nomad state=started enabled=yes daemon_reload=yes diff --git a/ansible/roles/nomad/templates/nomad.hcl.j2 b/ansible/roles/nomad/templates/nomad.hcl.j2 deleted file mode 100644 index b0be6a8..0000000 --- a/ansible/roles/nomad/templates/nomad.hcl.j2 +++ /dev/null @@ -1,34 +0,0 @@ -addresses { - http = "0.0.0.0" - rpc = "0.0.0.0" - serf = "0.0.0.0" -} - -advertise { - http = "{{ public_ip }}" - rpc = "{{ public_ip }}" - serf = "{{ public_ip }}" -} - -data_dir = "/var/lib/nomad" - -server { - enabled = true - bootstrap_expect = 3 -} - -consul { - address="127.0.0.1:8500" -} - -client { - enabled = true - #cpu_total_compute = 4000 - servers = ["127.0.0.1:4648"] - network_interface = "{{ interface }}" - options { - docker.privileged.enabled = "true" - docker.volumes.enabled = "true" - } -} - diff --git a/ansible/roles/storage/handlers/main.yml b/ansible/roles/storage/handlers/main.yml deleted file mode 100644 index a395c93..0000000 --- a/ansible/roles/storage/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: umount gluster - shell: umount --force --lazy /mnt/glusterfs ; true diff --git a/ansible/roles/storage/tasks/main.yml b/ansible/roles/storage/tasks/main.yml deleted file mode 100644 index a1f2d8f..0000000 --- a/ansible/roles/storage/tasks/main.yml +++ /dev/null @@ -1,72 +0,0 @@ -- name: "Add GlusterFS Repo Key" - apt_key: - url: https://download.gluster.org/pub/gluster/glusterfs/5/rsa.pub - state: present - -- name: "Add GlusterFS official repository" - apt_repository: - repo: "deb [arch=amd64] https://download.gluster.org/pub/gluster/glusterfs/5/LATEST/Debian/buster/amd64/apt buster main" - state: present - filename: gluster - -- name: "Install GlusterFS" - apt: - name: - - glusterfs-server - - glusterfs-client - state: present - -- name: "Ensure Gluster Daemon started and enabled" - service: - name: glusterd - enabled: yes - state: started - -- name: "Create directory for GlusterFS bricks" - file: path=/mnt/storage/glusterfs/brick1 recurse=yes state=directory - -- name: "Create GlusterFS volumes" - gluster_volume: - state: present - name: donnees - bricks: /mnt/storage/glusterfs/brick1/g1 - #rebalance: yes - redundancies: 1 - disperses: 3 - #replicas: 3 - force: yes - options: - client.event-threads: "8" - server.event-threads: "8" - performance.stat-prefetch: "on" - nfs.disable: "on" - features.cache-invalidation: "on" - performance.client-io-threads: "on" - config.transport: tcp - performance.quick-read: "on" - performance.io-cache: "on" - nfs.export-volumes: "off" - cluster.lookup-optimize: "on" - - cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}" - run_once: true - -- name: "Create mountpoint" - file: path=/mnt/glusterfs recurse=yes state=directory - -- name: "Flush handlers (umount glusterfs and restart ganesha)" - meta: flush_handlers - -- name: "Add fstab entry" - tags: gluster-fstab - mount: - path: /mnt/glusterfs - src: "{{ private_ip }}:/donnees" - fstype: glusterfs - opts: "defaults,_netdev,noauto,x-systemd.automount" - state: present - -- name: Mount everything - command: mount -a - args: - warn: no diff --git a/ansible/roles/users/files/alex-key1.pub b/ansible/roles/users/files/alex-key1.pub deleted file mode 100644 index 93514ab..0000000 --- a/ansible/roles/users/files/alex-key1.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata diff --git a/ansible/roles/users/files/alex-key2.pub b/ansible/roles/users/files/alex-key2.pub deleted file mode 100644 index 1eddcc8..0000000 --- a/ansible/roles/users/files/alex-key2.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk4tAEhDkLeik9eEHIHMliyckM/gWr/k6fX/CSmayCM katchup@charlotte diff --git a/ansible/roles/users/files/florian-key1.pub b/ansible/roles/users/files/florian-key1.pub deleted file mode 100644 index 47b5593..0000000 --- a/ansible/roles/users/files/florian-key1.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/qOM2BYy3UFycDylioACWrnDwg69AoTNE6Ym9W4WI2R+FXd6A1DDG+NLW2orUfkARcJGYEXkzsd3wjDg0s+FS23QWTP+JTkZbdGzuMAcoNeJBtgsCq6m5Q2kvrQc5RscYBr/OZtx2PUfrGyRE3yiVCj38zOgRLRWY0Iqs97tlH74YP4BG3jQ/MI5zXEptWcXBO86FtISB3QyHPRg5OH0192094X/QcG18GKd2ORxC/ZcwK9GdEbJJHgkxJ0TbsQO3KfNTEFBCiynYpYViBsQZsrdBkw4sHHy5OKEahIexdpUg8EJhpyzLn6pvGSqua/mVxirJazgNgtvLlrUsAuNd4/HoWRSqzh51/4hQJ3BV4Yed/tX0rwlT/ZzIIzpGw+qJF3IVuxdvXIineNAEyjVfLVT6hADyQu52ziHSE0cVmUkWT0R7ZgPku0PRBuSeewJIm8uLM69GU/GeRt+mSNl6xOvtBrY/j6sRHcMROlgSHhJ6YnvmkiYXl0MyrH9YGc8= diff --git a/ansible/roles/users/files/florian-key2.pub b/ansible/roles/users/files/florian-key2.pub deleted file mode 100644 index f9935b3..0000000 --- a/ansible/roles/users/files/florian-key2.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0OcDsEZdiizsz8UIgOIqOQilnHWq0sOxuu6idOqqLVYLPZEv8owdeC5oIgQj94BcKnRzpe8UHxN13GQdEWsqCim6Zn8G5x1HdZDBC83466x3i6KBkMP0dk+h47tENxKFXBPUbh/2sR8r/lZXEhzCCo7tpVuRZpCc/r8WPbAQpLgDO2D0dR7etwf3ndgObxQU0w7WbN+7NzmaHE+VQLu/pqH0op8jZyebfb26XhZ1JnNrDhp86KYbusagn6wUwp3vaJmK9UyEMi21E5HI0ri51+FP8kaTCUpgIRmgIkKFFWiup5I56K8cpgZHcJ4NY7G3jHJeI3KBlazVMyhDVJ5glI1mV0zgdr7BRGqhn70hjf5vbkzcHbRVaMaGzGENLpTFWnaONB/EbqRghWsiVpV75BYzvxSSM8Yrx8pwKUBtLWU+FjljwuumXNLigLIc/FTxdcLvZudn51+XdJXtCBrBI1H22Q7kYXz7Pi800CDLQ8rUWkW8upQ+zu5fSRH+Ptwc= diff --git a/ansible/roles/users/files/maximilien-key1.pub b/ansible/roles/users/files/maximilien-key1.pub deleted file mode 100644 index 963b1f9..0000000 --- a/ansible/roles/users/files/maximilien-key1.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5 diff --git a/ansible/roles/users/files/quentin-key1.pub b/ansible/roles/users/files/quentin-key1.pub deleted file mode 100644 index f3667e0..0000000 --- a/ansible/roles/users/files/quentin-key1.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io diff --git a/ansible/roles/users/files/quentin-key2.pub b/ansible/roles/users/files/quentin-key2.pub deleted file mode 100644 index c1b19fd..0000000 --- a/ansible/roles/users/files/quentin-key2.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr diff --git a/ansible/roles/users/tasks/main.yml b/ansible/roles/users/tasks/main.yml deleted file mode 100644 index 990a041..0000000 --- a/ansible/roles/users/tasks/main.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: Add users in the system - user: - name: "{{ item.username }}" - #groups: docker - shell: "{{ item.shell | default('/bin/bash') }}" - append: no - loop: "{{ active_users - | selectattr('is_admin', 'defined') - | rejectattr('is_admin') - | list - | union( active_users - | selectattr('is_admin', 'undefined') - | list )}}" - -- name: Set admin rights - user: - name: "{{ item.username }}" - groups: docker, sudo - shell: "{{ item.shell | default('/bin/bash') }}" - append: no - loop: "{{ active_users - | selectattr('is_admin', 'defined') - | selectattr('is_admin') - | list }}" - -# [V How SSH Key works] magic is done by subelements, understand the trick at: -# https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter -- name: Add SSH keys - authorized_key: - user: "{{ item.0.username }}" - state: present - key: "{{ lookup('file', item.1) }}" - loop: "{{ active_users | subelements('ssh_keys', skip_missing=True) }}" - -- name: Disable old users - user: - name: "{{ item }}" - state: absent - loop: "{{ disabled_users }}" diff --git a/ansible/roles/users/vars/main.yml b/ansible/roles/users/vars/main.yml deleted file mode 100644 index 5f4df4d..0000000 --- a/ansible/roles/users/vars/main.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -active_users: - - username: 'quentin' - is_admin: true - ssh_keys: - - 'quentin-key1.pub' - - 'quentin-key2.pub' - - - username: 'alex' - is_admin: true - ssh_keys: - - 'alex-key1.pub' - - 'alex-key2.pub' - - - username: 'maximilien' - is_admin: true - ssh_keys: - - 'maximilien-key1.pub' - - - username: 'florian' - is_admin: false - ssh_keys: - - 'quentin-key1.pub' - #- 'florian-key1.pub' - #- 'florian-key2.pub' - -disabled_users: - - 'john.doe' - - 'erwan' - - 'valentin' diff --git a/ansible/site.yml b/ansible/site.yml deleted file mode 100644 index f66e019..0000000 --- a/ansible/site.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- import_playbook: cluster_nodes.yml diff --git a/app_build/README.md b/app_build/README.md new file mode 100644 index 0000000..a877cfa --- /dev/null +++ b/app_build/README.md @@ -0,0 +1,8 @@ +## How to upgrade our packaged apps to a new version? + + 1. Edit `docker-compose.yml` + 2. Change the `VERSION` variable to the desired version + 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14) + 4. Run `docker-compose build` + 5. Run `docker-compose push` + 6. Done diff --git a/app_build/blog-quentin/.dockerenv b/app_build/blog-quentin/.dockerenv new file mode 100755 index 0000000..e69de29 diff --git a/app_build/blog-quentin/Dockerfile b/app_build/blog-quentin/Dockerfile new file mode 100644 index 0000000..61f5c40 --- /dev/null +++ b/app_build/blog-quentin/Dockerfile @@ -0,0 +1,16 @@ +FROM amd64/debian:stretch as builder + +COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile + +WORKDIR /root/quentin.dufour.io + +RUN apt-get update && \ + apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \ + bundle install + +COPY ./quentin.dufour.io/ /root/quentin.dufour.io/ +RUN bundle exec jekyll build + +FROM superboum/amd64_webserver:v2 +COPY --from=builder /root/quentin.dufour.io/_site /srv/http + diff --git a/app_build/blog-quentin/README.md b/app_build/blog-quentin/README.md new file mode 100644 index 0000000..25ac463 --- /dev/null +++ b/app_build/blog-quentin/README.md @@ -0,0 +1 @@ +sudo docker build -t superboum/amd64_blog:v19 . diff --git a/app_build/coturn/Dockerfile b/app_build/coturn/Dockerfile new file mode 100644 index 0000000..0d23161 --- /dev/null +++ b/app_build/coturn/Dockerfile @@ -0,0 +1,8 @@ +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + apt-get install -y \ + coturn + +CMD ["/usr/bin/turnserver"] diff --git a/app_build/coturn/README.md b/app_build/coturn/README.md new file mode 100644 index 0000000..e882146 --- /dev/null +++ b/app_build/coturn/README.md @@ -0,0 +1,17 @@ + +## Génère l'image +``` +sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 . +``` + +## Run bash dans le container +``` +sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash +sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 +``` + +## Used ports +- udp/tcp 3478 3479 + +## Publish +sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 diff --git a/app_build/docker-compose.yml b/app_build/docker-compose.yml new file mode 100644 index 0000000..afe363d --- /dev/null +++ b/app_build/docker-compose.yml @@ -0,0 +1,60 @@ +version: '3.4' +services: + + # Instant Messaging + riot: + build: + context: ./riotweb + args: + # https://github.com/vector-im/riot-web/releases + VERSION: 1.7.5 + image: superboum/amd64_riotweb:v15 + + synapse: + build: + context: ./matrix-synapse + args: + # https://github.com/matrix-org/synapse/releases + VERSION: 1.19.1 + image: superboum/amd64_synapse:v33 + + # Email + sogo: + build: + context: ./sogo + args: + # fake for now + VERSION: 5.0.0 + image: superboum/amd64_sogo:v7 + + # VoIP + jitsi-meet: + build: + context: ./jitsi-meet + args: + # https://github.com/jitsi/jitsi-meet + VERSION: 4966 + image: superboum/amd64_jitsi_meet:v1 + + jitsi-confererence-focus: + build: + context: ./jitsi-conference-focus + args: + # https://github.com/jitsi/jicofo + VERSION: 4966 + image: superboum/amd64_jitsi_conference_focus:v3 + + jitsi-videobridge: + build: + context: ./jitsi-videobridge + args: + # https://github.com/jitsi/jitsi-videobridge + VERSION: 4966 + image: superboum/amd64_jitsi_videobridge:v10 + + jitsi-xmpp: + build: + context: ./jitsi-xmpp + args: + VERSION: fake-1 + image: superboum/amd64_jitsi_xmpp:v2 diff --git a/app_build/dovecot/.gitignore b/app_build/dovecot/.gitignore new file mode 100644 index 0000000..71a04e2 --- /dev/null +++ b/app_build/dovecot/.gitignore @@ -0,0 +1 @@ +dovecot-ldap.conf diff --git a/app_build/dovecot/Dockerfile b/app_build/dovecot/Dockerfile new file mode 100644 index 0000000..9b87627 --- /dev/null +++ b/app_build/dovecot/Dockerfile @@ -0,0 +1,17 @@ +FROM amd64/debian:stretch + +RUN apt-get update && \ + apt-get install -y \ + dovecot-antispam \ + dovecot-core \ + dovecot-imapd \ + dovecot-ldap \ + dovecot-managesieved \ + dovecot-sieve \ + dovecot-lmtpd && \ + rm -rf /etc/dovecot/* +RUN useradd mailstore +COPY ./conf/* /etc/dovecot/ +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/app_build/dovecot/README.md b/app_build/dovecot/README.md new file mode 100644 index 0000000..8c9f372 --- /dev/null +++ b/app_build/dovecot/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_dovecot:v2 . +``` + + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \ + -p 993:993 \ + -p 143:143 \ + -p 24:24 \ + -p 1337:1337 \ + -v /mnt/glusterfs/email/ssl:/etc/ssl/ \ + -v /mnt/glusterfs/email/mail:/var/mail \ + -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \ + superboum/amd64_dovecot:v1 \ + dovecot -F +``` diff --git a/app_build/dovecot/entrypoint.sh b/app_build/dovecot/entrypoint.sh new file mode 100755 index 0000000..2165d8f --- /dev/null +++ b/app_build/dovecot/entrypoint.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout dovecot.key \ + -out dovecot.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp dovecot.crt /etc/ssl/certs/dovecot.crt + cp dovecot.key /etc/ssl/private/dovecot.key + chmod 400 /etc/ssl/certs/dovecot.crt + chmod 400 /etc/ssl/private/dovecot.key +fi + +if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then + chown -R mailstore /var/mail +fi + +exec "$@" diff --git a/app_build/jitsi-conference-focus/Dockerfile b/app_build/jitsi-conference-focus/Dockerfile new file mode 100644 index 0000000..8999966 --- /dev/null +++ b/app_build/jitsi-conference-focus/Dockerfile @@ -0,0 +1,22 @@ +FROM debian:buster AS builder + +#ENV VERSION=4510 +RUN apt-get update && \ + apt-get install -y openjdk-11-jdk maven wget unzip && \ + wget https://github.com/jitsi/jicofo/archive/jitsi-meet_${VERSION}.zip -O jicofo.zip && \ + unzip jicofo.zip && \ + mv jicofo-jitsi-meet_${VERSION} jicofo && \ + cd jicofo && \ + mvn package -DskipTests -Dassembly.skipAssembly=false && \ + unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \ + mv jicofo-1.1-SNAPSHOT /srv/build + +FROM debian:buster + +RUN apt-get update && \ + apt-get install -y openjdk-11-jdk ca-certificates + +COPY --from=builder /srv/build /srv/jicofo +COPY jicofo /usr/local/bin/jicofo + +CMD ["/usr/local/bin/jicofo"] diff --git a/app_build/jitsi-conference-focus/jicofo b/app_build/jitsi-conference-focus/jicofo new file mode 100755 index 0000000..2bc6e3f --- /dev/null +++ b/app_build/jitsi-conference-focus/jicofo @@ -0,0 +1,16 @@ +#!/bin/bash + +cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt +update-ca-certificates -f + +cat >> /etc/hosts <. + // authdomain: 'jitsi-meet.example.com', + + // Jirecon recording component domain. + // jirecon: 'jirecon.jitsi-meet.example.com', + + // Call control component (Jigasi). + // call_control: 'callcontrol.jitsi-meet.example.com', + + // Focus component domain. Defaults to focus.. + // focus: 'focus.jitsi-meet.example.com', + + // XMPP MUC domain. FIXME: use XEP-0030 to discover it. + muc: 'conference.jitsi.deuxfleurs.fr' + }, + + // BOSH URL. FIXME: use XEP-0156 to discover it. + bosh: '//jitsi.deuxfleurs.fr/http-bind', + + // Websocket URL + // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', + + // The name of client node advertised in XEP-0115 'c' stanza + clientNode: 'http://jitsi.org/jitsimeet', + + // The real JID of focus participant - can be overridden here + // focusUserJid: 'focus@auth.jitsi-meet.example.com', + + + // Testing / experimental features. + // + + testing: { + // Enables experimental simulcast support on Firefox. + enableFirefoxSimulcast: false, + + // P2P test mode disables automatic switching to P2P when there are 2 + // participants in the conference. + p2pTestMode: false + + // Enables the test specific features consumed by jitsi-meet-torture + // testMode: false + + // Disables the auto-play behavior of *all* newly created video element. + // This is useful when the client runs on a host with limited resources. + // noAutoPlayVideo: false + }, + + // Disables ICE/UDP by filtering out local and remote UDP candidates in + // signalling. + // webrtcIceUdpDisable: false, + + // Disables ICE/TCP by filtering out local and remote TCP candidates in + // signalling. + // webrtcIceTcpDisable: false, + + + // Media + // + + // Audio + + // Disable measuring of audio levels. + // disableAudioLevels: false, + // audioLevelsInterval: 200, + + // Enabling this will run the lib-jitsi-meet no audio detection module which + // will notify the user if the current selected microphone has no audio + // input and will suggest another valid device if one is present. + enableNoAudioDetection: true, + + // Enabling this will run the lib-jitsi-meet noise detection module which will + // notify the user if there is noise, other than voice, coming from the current + // selected microphone. The purpose it to let the user know that the input could + // be potentially unpleasant for other meeting participants. + enableNoisyMicDetection: true, + + // Start the conference in audio only mode (no video is being received nor + // sent). + // startAudioOnly: false, + + // Every participant after the Nth will start audio muted. + // startAudioMuted: 10, + + // Start calls with audio muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithAudioMuted: false, + + // Enabling it (with #params) will disable local audio output of remote + // participants and to enable it back a reload is needed. + // startSilent: false + + // Video + + // Sets the preferred resolution (height) for local video. Defaults to 720. + resolution: 480, + + // w3c spec-compliant video constraints to use for video capture. Currently + // used by browsers that return true from lib-jitsi-meet's + // util#browser#usesNewGumFlow. The constraints are independency from + // this config's resolution value. Defaults to requesting an ideal aspect + // ratio of 16:9 with an ideal resolution of 720. + constraints: { + video: { + aspectRatio: 16 / 9, + height: { + ideal: 480, + max: 720, + min: 240 + } + } + }, + + // Enable / disable simulcast support. + // disableSimulcast: false, + + // Enable / disable layer suspension. If enabled, endpoints whose HD + // layers are not in use will be suspended (no longer sent) until they + // are requested again. + // enableLayerSuspension: false, + + // Every participant after the Nth will start video muted. + // startVideoMuted: 10, + + // Start calls with video muted. Unlike the option above, this one is only + // applied locally. FIXME: having these 2 options is confusing. + // startWithVideoMuted: false, + + // If set to true, prefer to use the H.264 video codec (if supported). + // Note that it's not recommended to do this because simulcast is not + // supported when using H.264. For 1-to-1 calls this setting is enabled by + // default and can be toggled in the p2p section. + // preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // Desktop sharing + + // The ID of the jidesha extension for Chrome. + desktopSharingChromeExtId: null, + + // Whether desktop sharing should be disabled on Chrome. + // desktopSharingChromeDisabled: false, + + // The media sources to use when using screen sharing with the Chrome + // extension. + desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], + + // Required version of Chrome extension + desktopSharingChromeMinExtVersion: '0.1', + + // Whether desktop sharing should be disabled on Firefox. + // desktopSharingFirefoxDisabled: false, + + // Optional desktop sharing frame rate options. Default value: min:5, max:5. + // desktopSharingFrameRate: { + // min: 5, + // max: 5 + // }, + + // Try to start calls with screen-sharing instead of camera video. + // startScreenSharing: false, + + // Recording + + // Whether to enable file recording or not. + // fileRecordingsEnabled: false, + // Enable the dropbox integration. + // dropbox: { + // appKey: '' // Specify your app key here. + // // A URL to redirect the user to, after authenticating + // // by default uses: + // // 'https://jitsi-meet.example.com/static/oauth.html' + // redirectURI: + // 'https://jitsi-meet.example.com/subfolder/static/oauth.html' + // }, + // When integrations like dropbox are enabled only that will be shown, + // by enabling fileRecordingsServiceEnabled, we show both the integrations + // and the generic recording service (its configuration and storage type + // depends on jibri configuration) + // fileRecordingsServiceEnabled: false, + // Whether to show the possibility to share file recording with other people + // (e.g. meeting participants), based on the actual implementation + // on the backend. + // fileRecordingsServiceSharingEnabled: false, + + // Whether to enable live streaming or not. + // liveStreamingEnabled: false, + + // Transcription (in interface_config, + // subtitles and buttons can be configured) + // transcribingEnabled: false, + + // Enables automatic turning on captions when recording is started + // autoCaptionOnRecord: false, + + // Misc + + // Default value for the channel "last N" attribute. -1 for unlimited. + channelLastN: -1, + + // Disables or enables RTX (RFC 4588) (defaults to false). + // disableRtx: false, + + // Disables or enables TCC (the default is in Jicofo and set to true) + // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting + // affects congestion control, it practically enables send-side bandwidth + // estimations. + // enableTcc: true, + + // Disables or enables REMB (the default is in Jicofo and set to false) + // (draft-alvestrand-rmcat-remb-03). This setting affects congestion + // control, it practically enables recv-side bandwidth estimations. When + // both TCC and REMB are enabled, TCC takes precedence. When both are + // disabled, then bandwidth estimations are disabled. + // enableRemb: false, + + // Defines the minimum number of participants to start a call (the default + // is set in Jicofo and set to 2). + // minParticipants: 2, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // Enable IPv6 support. + // useIPv6: true, + + // Enables / disables a data communication channel with the Videobridge. + // Values can be 'datachannel', 'websocket', true (treat it as + // 'datachannel'), undefined (treat it as 'datachannel') and false (don't + // open any channel). + // openBridgeChannel: true, + + + // UI + // + + // Use display name as XMPP nickname. + // useNicks: false, + + // Require users to always specify a display name. + // requireDisplayName: true, + + // Whether to use a welcome page or not. In case it's false a random room + // will be joined when no room is specified. + enableWelcomePage: true, + + // Enabling the close page will ignore the welcome page redirection when + // a call is hangup. + // enableClosePage: false, + + // Disable hiding of remote thumbnails when in a 1-on-1 conference call. + // disable1On1Mode: false, + + // Default language for the user interface. + defaultLanguage: 'fr', + + // If true all users without a token will be considered guests and all users + // with token will be considered non-guests. Only guests will be allowed to + // edit their profile. + enableUserRolesBasedOnToken: false, + + // Whether or not some features are checked based on token. + // enableFeaturesBasedOnToken: false, + + // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. + // lockRoomGuestEnabled: false, + + // When enabled the password used for locking a room is restricted to up to the number of digits specified + // roomPasswordNumberOfDigits: 10, + // default: roomPasswordNumberOfDigits: false, + + // Message to show the users. Example: 'The service will be down for + // maintenance at 01:00 AM GMT, + // noticeMessage: '', + + // Enables calendar integration, depends on googleApiApplicationClientID + // and microsoftApiApplicationClientID + // enableCalendarIntegration: false, + + // Stats + // + + // Whether to enable stats collection or not in the TraceablePeerConnection. + // This can be useful for debugging purposes (post-processing/analysis of + // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth + // estimation tests. + // gatherStats: false, + + // The interval at which PeerConnection.getStats() is called. Defaults to 10000 + // pcStatsInterval: 10000, + + // To enable sending statistics to callstats.io you must provide the + // Application ID and Secret. + // callStatsID: '', + // callStatsSecret: '', + + // enables sending participants display name to callstats + // enableDisplayNameInStats: false + + // enables sending participants email if available to callstats and other analytics + // enableEmailInStats: false + + // Privacy + // + + // If third party requests are disabled, no other server will be contacted. + // This means avatars will be locally generated and callstats integration + // will not function. + // disableThirdPartyRequests: false, + + + // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. + // + + p2p: { + // Enables peer to peer mode. When enabled the system will try to + // establish a direct connection when there are exactly 2 participants + // in the room. If that succeeds the conference will stop sending data + // through the JVB and use the peer to peer connection instead. When a + // 3rd participant joins the conference will be moved back to the JVB + // connection. + enabled: true, + + // Use XEP-0215 to fetch STUN and TURN servers. + // useStunTurn: true, + + // The STUN servers that will be used in the peer to peer connections + stunServers: [ + + // { urls: 'stun:jitsi-meet.example.com:443' }, + { urls: 'stun:stun.l.google.com:19302' }, + { urls: 'stun:stun1.l.google.com:19302' }, + { urls: 'stun:stun2.l.google.com:19302' } + ], + + // Sets the ICE transport policy for the p2p connection. At the time + // of this writing the list of possible values are 'all' and 'relay', + // but that is subject to change in the future. The enum is defined in + // the WebRTC standard: + // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. + // If not set, the effective value is 'all'. + // iceTransportPolicy: 'all', + + // If set to true, it will prefer to use H.264 for P2P calls (if H.264 + // is supported). + preferH264: true, + + // If set to true, disable H.264 video codec by stripping it out of the + // SDP. + // disableH264: false, + + // How long we're going to wait, before going back to P2P after the 3rd + // participant has left the conference (to filter out page reload). + backToP2PDelay: 60 + }, + + analytics: { + // The Google Analytics Tracking ID: + // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' + + // The Amplitude APP Key: + // amplitudeAPPKey: '' + + // Array of script URLs to load as lib-jitsi-meet "analytics handlers". + // scriptURLs: [ + // "libs/analytics-ga.min.js", // google-analytics + // "https://example.com/my-custom-analytics.js" + // ], + }, + + // Information about the jitsi-meet instance we are connecting to, including + // the user region as seen by the server. + deploymentInfo: { + // shard: "shard1", + // region: "europe", + // userRegion: "asia" + } + + // Information for the chrome extension banner + // chromeExtensionBanner: { + // // The chrome extension to be installed address + // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb', + + // // Extensions info which allows checking if they are installed or not + // chromeExtensionsInfo: [ + // { + // id: 'kglhbbefdnlheedjiejgomgmfplipfeb', + // path: 'jitsi-logo-48x48.png' + // } + // ] + // } + + // Local Recording + // + + // localRecording: { + // Enables local recording. + // Additionally, 'localrecording' (all lowercase) needs to be added to + // TOOLBAR_BUTTONS in interface_config.js for the Local Recording + // button to show up on the toolbar. + // + // enabled: true, + // + + // The recording format, can be one of 'ogg', 'flac' or 'wav'. + // format: 'flac' + // + + // } + + // Options related to end-to-end (participant to participant) ping. + // e2eping: { + // // The interval in milliseconds at which pings will be sent. + // // Defaults to 10000, set to <= 0 to disable. + // pingInterval: 10000, + // + // // The interval in milliseconds at which analytics events + // // with the measured RTT will be sent. Defaults to 60000, set + // // to <= 0 to disable. + // analyticsInterval: 60000, + // } + + // If set, will attempt to use the provided video input device label when + // triggering a screenshare, instead of proceeding through the normal flow + // for obtaining a desktop stream. + // NOTE: This option is experimental and is currently intended for internal + // use only. + // _desktopSharingSourceDevice: 'sample-id-or-label' + + // If true, any checks to handoff to another application will be prevented + // and instead the app will continue to display in the current browser. + // disableDeepLinking: false + + // A property to disable the right click context menu for localVideo + // the menu has option to flip the locally seen video for local presentations + // disableLocalVideoFlip: false + + // Deployment specific URLs. + // deploymentUrls: { + // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for + // // user documentation. + // userDocumentationURL: 'https://docs.example.com/video-meetings.html', + // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link + // // to the specified URL for an app download page. + // downloadAppsUrl: 'https://docs.example.com/our-apps.html' + // } + + // List of undocumented settings used in jitsi-meet + /** + _immediateReloadThreshold + autoRecord + autoRecordToken + debug + debugAudioLevels + deploymentInfo + dialInConfCodeUrl + dialInNumbersUrl + dialOutAuthUrl + dialOutCodesUrl + disableRemoteControl + displayJids + etherpad_base + externalConnectUrl + firefox_fake_device + googleApiApplicationClientID + iAmRecorder + iAmSipGateway + microsoftApiApplicationClientID + peopleSearchQueryTypes + peopleSearchUrl + requireDisplayName + tokenAuthUrl + */ + + // List of undocumented settings used in lib-jitsi-meet + /** + _peerConnStatusOutOfLastNTimeout + _peerConnStatusRtcMuteTimeout + abTesting + avgRtpStatsN + callStatsConfIDNamespace + callStatsCustomScriptUrl + desktopSharingSources + disableAEC + disableAGC + disableAP + disableHPF + disableNS + enableLipSync + enableTalkWhileMuted + forceJVB121Ratio + hiddenDomain + ignoreStartMuted + nick + startBitrate + */ + +}; + +/* eslint-enable no-unused-vars, no-var */ + diff --git a/app_build/jitsi-meet/entrypoint.sh b/app_build/jitsi-meet/entrypoint.sh new file mode 100755 index 0000000..1e18bd1 --- /dev/null +++ b/app_build/jitsi-meet/entrypoint.sh @@ -0,0 +1,38 @@ +#!/bin/bash + +cat > /etc/nginx/sites-available/jitsi <> /etc/hosts < /root/.sip-communicator/sip-communicator.properties <> /root/.sip-communicator/sip-communicator.properties <> /etc/hosts < /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua < /etc/nslcd.conf < /tmp/nextcloud.zip +cd /var/www +unzip /tmp/nextcloud.zip +rm /tmp/nextcloud.zip +mv html html.old +mv nextcloud html + +cd html +mkdir data + +cd apps +wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz +tar xf tasks.tar.gz +wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz +tar xf maps-0.1.6.tar.gz +wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz +tar xf calendar.tar.gz +wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz +tar xf news.tar.gz +wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz +tar xf notes.tar.gz +wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz +tar xf contacts.tar.gz +wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz +tar xf mail.tar.gz +wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz +tar xf groupfolders.tar.gz +rm *.tar.gz + +chown -R www-data:www-data /var/www/html + +cd /var/www/html +php occ diff --git a/app_build/nextcloud/entrypoint.sh b/app_build/nextcloud/entrypoint.sh new file mode 100755 index 0000000..72b4f94 --- /dev/null +++ b/app_build/nextcloud/entrypoint.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +set -xe + +chown www-data:www-data /var/www/html/config/config.php +touch /var/www/html/data/.ocdata + +exec apachectl -DFOREGROUND diff --git a/app_build/opendkim/Dockerfile b/app_build/opendkim/Dockerfile new file mode 100644 index 0000000..70a39e4 --- /dev/null +++ b/app_build/opendkim/Dockerfile @@ -0,0 +1,8 @@ +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + apt-get install -y opendkim opendkim-tools + +COPY ./opendkim.conf /etc/opendkim.conf +CMD opendkim -f -v -x /etc/opendkim.conf diff --git a/app_build/opendkim/README.md b/app_build/opendkim/README.md new file mode 100644 index 0000000..e146125 --- /dev/null +++ b/app_build/opendkim/README.md @@ -0,0 +1,12 @@ +``` +sudo docker build -t superboum/amd64_opendkim:v1 . +``` + +``` +sudo docker run -t -i \ + -v `pwd`/conf:/etc/dkim \ + -v /dev/log:/dev/log \ + -p 8999:8999 + superboum/amd64_opendkim:v1 + opendkim -f -v -x /etc/opendkim.conf +``` diff --git a/app_build/opendkim/opendkim.conf b/app_build/opendkim/opendkim.conf new file mode 100644 index 0000000..0d6465f --- /dev/null +++ b/app_build/opendkim/opendkim.conf @@ -0,0 +1,12 @@ +Syslog yes +SyslogSuccess yes +LogWhy yes +UMask 007 +Mode sv +OversignHeaders From +TrustAnchorFile /usr/share/dns/root.key +KeyTable refile:/etc/dkim/keytable +SigningTable refile:/etc/dkim/signingtable +ExternalIgnoreList refile:/etc/dkim/trusted +InternalHosts refile:/etc/dkim/trusted +Socket inet:8999 diff --git a/app_build/pithos/0.7.5.tar.gz b/app_build/pithos/0.7.5.tar.gz new file mode 100644 index 0000000..4eb1273 Binary files /dev/null and b/app_build/pithos/0.7.5.tar.gz differ diff --git a/app_build/pithos/Dockerfile b/app_build/pithos/Dockerfile new file mode 100644 index 0000000..70f87d8 --- /dev/null +++ b/app_build/pithos/Dockerfile @@ -0,0 +1,4 @@ +FROM amd64/openjdk:13-alpine + +COPY pithos-0.7.5-standalone.jar /srv/pithos.jar +ENTRYPOINT ["/opt/openjdk-13/bin/java", "-jar", "/srv/pithos.jar"] diff --git a/app_build/pithos/README.md b/app_build/pithos/README.md new file mode 100644 index 0000000..3f0037d --- /dev/null +++ b/app_build/pithos/README.md @@ -0,0 +1,9 @@ +This project is considered as "dangerous" as it is tagged as "Project not under active development". +Consequently, just in case, I am backuping the .jar and the sources in this git repo. +Better safe than sorry or pretty. + +``` +sudo docker build -t superboum/amd64_pithos:v1 . +sudo docker push superboum/amd64_pithos:v1 +sudo docker run --rm -it -p 8080:8080 -v pithos.yaml:/etc/pithos/pithos.yaml superboum/amd64_pithos:v1 +``` diff --git a/app_build/pithos/pithos-0.7.5-standalone.jar b/app_build/pithos/pithos-0.7.5-standalone.jar new file mode 100644 index 0000000..6073e72 Binary files /dev/null and b/app_build/pithos/pithos-0.7.5-standalone.jar differ diff --git a/app_build/postfix/Dockerfile b/app_build/postfix/Dockerfile new file mode 100644 index 0000000..9e4c067 --- /dev/null +++ b/app_build/postfix/Dockerfile @@ -0,0 +1,11 @@ +FROM amd64/debian:buster + +RUN apt-get update && \ + apt-get install -y \ + postfix \ + postfix-ldap + +COPY entrypoint.sh /usr/local/bin/entrypoint + +ENTRYPOINT ["/usr/local/bin/entrypoint"] +CMD ["postfix", "start-fg"] diff --git a/app_build/postfix/README.md b/app_build/postfix/README.md new file mode 100644 index 0000000..ac44fc0 --- /dev/null +++ b/app_build/postfix/README.md @@ -0,0 +1,18 @@ +``` +sudo docker build -t superboum/amd64_postfix:v1 . +``` + +``` +sudo docker run -t -i \ + -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \ + -e MAILNAME="smtp.deuxfleurs.fr" \ + -p 25:25 \ + -p 465:465 \ + -p 587:587 \ + -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \ + -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \ + -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \ + superboum/amd64_postfix:v1 \ + bash +``` + diff --git a/app_build/postfix/entrypoint.sh b/app_build/postfix/entrypoint.sh new file mode 100755 index 0000000..c7ace3d --- /dev/null +++ b/app_build/postfix/entrypoint.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then + cd /root + openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + + mkdir -p /etc/ssl/{certs,private}/ + + cp postfix.crt /etc/ssl/certs/postfix.crt + cp postfix.key /etc/ssl/private/postfix.key + chmod 400 /etc/ssl/certs/postfix.crt + chmod 400 /etc/ssl/private/postfix.key +fi + +# A way to map files inside the postfix folder :s +for file in $(ls /etc/postfix-conf); do + cp /etc/postfix-conf/${file} /etc/postfix/${file} +done + +echo ${MAILNAME} > /etc/mailname + +exec "$@" diff --git a/app_build/postgres/Dockerfile b/app_build/postgres/Dockerfile new file mode 100644 index 0000000..bb018b8 --- /dev/null +++ b/app_build/postgres/Dockerfile @@ -0,0 +1,19 @@ +FROM amd64/debian:stretch + +RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \ + apt-get update && \ + apt-get -qq -y full-upgrade && \ + apt-get install -y postgresql-all golang-1.11 git && \ + export GOPATH=/usr/local/go && \ + mkdir -p /usr/local/go/src/github.com/sorintlab && \ + cd /usr/local/go/src/github.com/sorintlab && \ + git clone --depth=1 https://github.com/sorintlab/stolon && \ + ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \ + ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \ + cd ./stolon && \ + ./build && \ + mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \ + rm -rf /usr/local/go + +USER postgres + diff --git a/app_build/postgres/README.md b/app_build/postgres/README.md new file mode 100644 index 0000000..d2f7a12 --- /dev/null +++ b/app_build/postgres/README.md @@ -0,0 +1,4 @@ +``` +docker build -t superboum/arm32v7_postgres . +docker build -t superboum/amd64_postgres:v2 . +``` diff --git a/app_build/postgres/postgresql.conf b/app_build/postgres/postgresql.conf new file mode 100644 index 0000000..8e0af2b --- /dev/null +++ b/app_build/postgres/postgresql.conf @@ -0,0 +1,25 @@ +data_directory = '/var/lib/postgresql/9.6/main' # use data in another directory +hba_file = '/etc/postgresql/9.6/main/pg_hba.conf' # host-based authentication file +ident_file = '/etc/postgresql/9.6/main/pg_ident.conf' # ident configuration file +external_pid_file = '/var/run/postgresql/9.6-main.pid' # write an extra PID file +listen_addresses = '*' #listen on every ip / interfaces +port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories +ssl = true # (change requires restart) +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart) +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart) +shared_buffers = 128MB # min 128kB +dynamic_shared_memory_type = posix # the default is the first option +log_line_prefix = '%m [%p] %q%u@%d ' # special values: +log_timezone = 'UTC' +cluster_name = '9.6/main' # added to process titles if nonempty +stats_temp_directory = '/var/run/postgresql/9.6-main.pg_stat_tmp' +datestyle = 'iso, mdy' +timezone = 'UTC' +lc_messages = 'C.UTF-8' # locale for system error message +lc_monetary = 'C.UTF-8' # locale for monetary formatting +lc_numeric = 'C.UTF-8' # locale for number formatting +lc_time = 'C.UTF-8' # locale for time formatting +default_text_search_config = 'pg_catalog.english' + diff --git a/app_build/postgres/start.sh b/app_build/postgres/start.sh new file mode 100755 index 0000000..f1d493f --- /dev/null +++ b/app_build/postgres/start.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +if [ -f /local/pg_hba.conf ]; then + echo "Copying Nomad configuration..." + cp /local/pg_hba.conf /etc/postgresql/9.6/main/ + echo "Done" +fi + + +if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then + echo "Copying base" + cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main + echo "Done" +fi + +chmod -R 700 /var/lib/postgresql/9.6/main +chown -R postgres /var/lib/postgresql/9.6/main + +echo "Starting postgres..." +. /usr/share/postgresql-common/init.d-functions +start 9.6 +tail -f /var/log/postgresql/postgresql-9.6-main.log diff --git a/app_build/riotweb/Dockerfile b/app_build/riotweb/Dockerfile new file mode 100644 index 0000000..862e2e5 --- /dev/null +++ b/app_build/riotweb/Dockerfile @@ -0,0 +1,13 @@ +FROM amd64/debian:buster as builder + +ARG VERSION +WORKDIR /root + +RUN apt-get update && \ + apt-get install -y wget && \ + wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && \ + tar xf riot-v${VERSION}.tar.gz && \ + mv riot-v${VERSION}/ riot/ + +FROM superboum/amd64_webserver:v3 +COPY --from=builder /root/riot /srv/http diff --git a/app_build/riotweb/config.json b/app_build/riotweb/config.json new file mode 100644 index 0000000..8ce8e4c --- /dev/null +++ b/app_build/riotweb/config.json @@ -0,0 +1,24 @@ +{ + "default_hs_url": "https://im.deuxfleurs.fr", + "default_is_url": "https://vector.im", + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Deuxfleurs", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html", + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "features": { + "feature_groups": "labs", + "feature_pinning": "labs" + }, + "default_federate": true, + "welcomePageUrl": "home.html", + "default_theme": "light", + "roomDirectory": { + "servers": [ "im.deuxfleurs.fr", "matrix.org" ] + } +} + diff --git a/app_build/seafile/Dockerfile b/app_build/seafile/Dockerfile new file mode 100644 index 0000000..88dee4f --- /dev/null +++ b/app_build/seafile/Dockerfile @@ -0,0 +1,46 @@ +FROM amd64/debian:buster as builder + +ENV VERSION 7.0.5 + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar && \ + wget https://download.seadrive.org/seafile-server_${VERSION}_x86-64.tar.gz -O ./seafile.tar.gz && \ + tar xf ./seafile.tar.gz && \ + mv seafile-server-${VERSION} seafile-server + +FROM amd64/debian:buster + +COPY --from=builder ./seafile-server /srv/webstore/seafile-server + +RUN apt-get update && \ + apt-get dist-upgrade -y && \ + DEBIAN_FRONTEND=noninteractive apt-get install -y \ + python \ + mariadb-client \ + python2.7 \ + libpython2.7 \ + python-setuptools \ + python-ldap \ + python-urllib3 \ + ffmpeg \ + python-pip \ + python-mysqldb \ + python-memcache \ + procps \ + python-requests && \ + pip install Pillow==4.3.0 && \ + pip install moviepy && \ + useradd -u 1000 -d /srv/webstore seauser && \ + chown -R seauser:1000 /srv/webstore/ + +RUN mkdir -p /usr/local/lib/mariadb/plugin/ && \ + ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/mysql_clear_password.so /usr/local/lib/mariadb/plugin/ && \ + ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/dialog.so /usr/local/lib/mariadb/plugin/ + +WORKDIR /srv/webstore/seafile-server +COPY seadocker /usr/local/bin/seadocker +COPY seaenv /usr/local/bin/seaenv + +ENTRYPOINT ["/usr/local/bin/seaenv"] +CMD ["/usr/local/bin/seadocker"] diff --git a/app_build/seafile/README.md b/app_build/seafile/README.md new file mode 100644 index 0000000..26d04e0 --- /dev/null +++ b/app_build/seafile/README.md @@ -0,0 +1,27 @@ + +```bash +sudo docker build -t superboum/amd64_seafile:v5 . +``` + +When upgrading, connect on a production server and run: + +```bash +nomad stop seafile +sudo docker build -t superboum/amd64_seafile:v6 . + +sudo docker run -t -i \ + -v /mnt/glusterfs/seafile:/mnt/seafile-data \ + -v /mnt/glusterfs/seaconf/conf:/srv/webstore/conf \ + -v /mnt/glusterfs/seaconf/ccnet:/srv/webstore/ccnet \ + superboum/amd64_seafile:v5 + +# See: +# * https://download.seafile.com/published/seafile-manual/deploy/upgrade.md +# * https://download.seafile.com/published/seafile-manual/changelog/server-changelog.md + + + +nomad start seafile.hcl +``` + +when upgrading, change the command on start diff --git a/app_build/seafile/seadocker b/app_build/seafile/seadocker new file mode 100755 index 0000000..5b5982b --- /dev/null +++ b/app_build/seafile/seadocker @@ -0,0 +1,4 @@ +#!/bin/bash +/srv/webstore/seafile-server/seafile.sh start +/srv/webstore/seafile-server/seahub.sh start +tail -f /srv/webstore/logs/* diff --git a/app_build/seafile/seaenv b/app_build/seafile/seaenv new file mode 100755 index 0000000..3b0e0bb --- /dev/null +++ b/app_build/seafile/seaenv @@ -0,0 +1,7 @@ +#!/bin/bash + +chown seauser /srv/webstore +chown seauser -R /srv/webstore/ccnet +chown seauser -R /srv/webstore/conf + +runuser -u seauser -- "$@" diff --git a/app_build/sogo/Dockerfile b/app_build/sogo/Dockerfile new file mode 100644 index 0000000..46880dd --- /dev/null +++ b/app_build/sogo/Dockerfile @@ -0,0 +1,17 @@ +#FROM amd64/debian:stretch as builder + +FROM amd64/debian:buster + +RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf + +RUN apt-get update && \ + apt-get install -y apt-transport-https gnupg2 sudo nginx && \ + rm -rf /etc/nginx/sites-enabled/* && \ + apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \ + echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \ + apt-get update && \ + apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client + +COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf +COPY entrypoint /usr/sbin/entrypoint +ENTRYPOINT ["/usr/sbin/entrypoint"] diff --git a/app_build/sogo/README.md b/app_build/sogo/README.md new file mode 100644 index 0000000..ea12245 --- /dev/null +++ b/app_build/sogo/README.md @@ -0,0 +1,20 @@ +``` +docker build -t superboum/amd64_sogo:v6 . + +# privileged is only for debug +docker run --rm -ti \ + --privileged \ + -p 8080:8080 \ + -v /tmp/sogo/log:/var/log/sogo \ + -v /tmp/sogo/run:/var/run/sogo \ + -v /tmp/sogo/spool:/var/spool/sogo \ + -v /tmp/sogo/tmp:/tmp \ + -v `pwd`/sogo:/etc/sogo:ro \ + superboum/amd64_sogo:v1 +``` + +Password must be url encoded in sogo.conf for postgres +Will need a nginx instance: http://wiki.sogo.nu/nginxSettings + +Might (or might not) be needed: +traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr diff --git a/app_build/sogo/entrypoint b/app_build/sogo/entrypoint new file mode 100755 index 0000000..8b39def --- /dev/null +++ b/app_build/sogo/entrypoint @@ -0,0 +1,13 @@ +#!/bin/bash +mkdir -p /var/log/sogo +mkdir -p /var/run/sogo +mkdir -p /var/spool/sogo +chown sogo /var/log/sogo +chown sogo /var/run/sogo +chown sogo /var/spool/sogo + +nginx -g 'daemon on; master_process on;' +sudo -u sogo memcached -d +sudo -u sogo sogod +sleep 10 +tail -n200 -f /var/log/sogo/sogo.log diff --git a/app_build/sogo/sogo.nginx.conf b/app_build/sogo/sogo.nginx.conf new file mode 100644 index 0000000..ad920a5 --- /dev/null +++ b/app_build/sogo/sogo.nginx.conf @@ -0,0 +1,83 @@ +server { + listen 8080; + server_name default_server; + root /usr/lib/GNUstep/SOGo/WebServerResources/; + + ## requirement to create new calendars in Thunderbird ## + proxy_http_version 1.1; + + # Message size limit + client_max_body_size 50m; + client_body_buffer_size 128k; + + location = / { + rewrite ^ '/SOGo'; + allow all; + } + + location = /principals/ { + rewrite ^ '/SOGo/dav'; + allow all; + } + + location ^~/SOGo { + proxy_pass 'http://127.0.0.1:20000'; + proxy_redirect 'http://127.0.0.1:20000' default; + # forward user's IP address + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header x-webobjects-server-protocol HTTP/1.0; + proxy_set_header x-webobjects-remote-host 127.0.0.1; + proxy_set_header x-webobjects-server-name $server_name; + proxy_set_header x-webobjects-server-url $scheme://$host; + proxy_set_header x-webobjects-server-port $server_port; + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffer_size 4k; + proxy_buffers 4 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + break; + } + + location /SOGo.woa/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location /SOGo/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + allow all; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; + } + + location ^~ /Microsoft-Server-ActiveSync { + access_log /var/log/nginx/activesync.log; + error_log /var/log/nginx/activesync-error.log; + + proxy_connect_timeout 75; + proxy_send_timeout 3600; + proxy_read_timeout 3600; + proxy_buffers 64 256k; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /; + } +} diff --git a/app_build/static/Dockerfile b/app_build/static/Dockerfile new file mode 100644 index 0000000..cdba59a --- /dev/null +++ b/app_build/static/Dockerfile @@ -0,0 +1,9 @@ +FROM golang:1.11.1-stretch as builder + +COPY ./goStatic /goStatic +WORKDIR /goStatic +RUN CGO_ENABLED=0 go build -a -o web-server . + +FROM scratch +COPY --from=builder /goStatic/web-server / +ENTRYPOINT ["/web-server"] diff --git a/app_build/static/README.md b/app_build/static/README.md new file mode 100644 index 0000000..d50390c --- /dev/null +++ b/app_build/static/README.md @@ -0,0 +1,5 @@ + +``` +sudo docker build -t superboum/amd64_webserver:v3 . +sudo docker push superboum/amd64_webserver:v3 +``` diff --git a/app_build/static/goStatic b/app_build/static/goStatic new file mode 160000 index 0000000..3f97f57 --- /dev/null +++ b/app_build/static/goStatic @@ -0,0 +1 @@ +Subproject commit 3f97f57aaee09a142afe3ca0f1a5d51acd856436 diff --git a/app_build/webpull/.gitignore b/app_build/webpull/.gitignore new file mode 100644 index 0000000..ba2906d --- /dev/null +++ b/app_build/webpull/.gitignore @@ -0,0 +1 @@ +main diff --git a/app_build/webpull/Dockerfile.nodejs b/app_build/webpull/Dockerfile.nodejs new file mode 100644 index 0000000..acc7e74 --- /dev/null +++ b/app_build/webpull/Dockerfile.nodejs @@ -0,0 +1,9 @@ +FROM node:13.8-buster + +RUN apt-get update && \ + apt-get install -y git + +COPY ./main /srv/httpd +WORKDIR /srv +CMD ["/srv/httpd"] + diff --git a/app_build/webpull/Dockerfile.ruby b/app_build/webpull/Dockerfile.ruby new file mode 100644 index 0000000..7578cca --- /dev/null +++ b/app_build/webpull/Dockerfile.ruby @@ -0,0 +1,12 @@ +FROM fedora:32 + +ENV LC_ALL=C.UTF-8 +ENV LANG=C.UTF-8 +ENV LANGUAGE=en_US.UTF-8 +ENV RUBYOPT --disable-did_you_mean + +RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel + +COPY ./main /srv/httpd +WORKDIR /srv +CMD ["/srv/httpd"] diff --git a/app_build/webpull/README.md b/app_build/webpull/README.md new file mode 100644 index 0000000..5d17d17 --- /dev/null +++ b/app_build/webpull/README.md @@ -0,0 +1,23 @@ +# webpull + +Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL + +You need to specify a secret token at boot: + +``` +WEBPULL_TOKEN=s3cr3et ./webpull +``` + +## Node.js version + +``` +go build ./main.go +sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 . +``` + +## Ruby version + +``` +go build ./main.go +sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 . +``` diff --git a/app_build/webpull/main.go b/app_build/webpull/main.go new file mode 100644 index 0000000..46c90b9 --- /dev/null +++ b/app_build/webpull/main.go @@ -0,0 +1,100 @@ +package main + +import ( + "fmt" + "errors" + "io" + "os/exec" + "os" + "log" + "net/http" + "strings" +) + +func myexec(w io.Writer, main string, params ...string) error { + cmd := exec.Command(main, params...) + cmd.Stdout = w + cmd.Stderr = w + err := cmd.Run() + if err != nil { + fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " ")) + } + return err +} + +func update(w io.Writer) error { + fmt.Fprintf(w, "Start update...\n") + _, err := os.Stat("./.git") + if err != nil { + fmt.Fprintf(w, ".git folder does not exist, creating it...\n") + err := myexec(w, "git", "init") + if err != nil { + return err + } + } + + err = myexec(w, "git", "remote", "get-url", "origin") + if err != nil { + repo, exists := os.LookupEnv("WEBPULL_REPO") + if !exists { + fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n") + return errors.New("Missing environment variable WEBPULL_REPO") + } + fmt.Fprintf(w, "git remote is not yet set...\n") + err := myexec(w, "git", "remote", "add", "origin", repo) + if err != nil { + return err + } + } + + err = myexec(w, "git", "pull", "origin", "master") + if err != nil { + fmt.Fprintf(w, "Failed to pull...\n") + return err + } + + _, err = os.Stat("./.webpull") + if err != nil { + fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n") + return err + } + + err = myexec(w, "./.webpull") + if err != nil { + fmt.Fprintf(w, "An error occured during script execution\n") + return err + } + + fmt.Fprintf(w, "Success.\n") + return nil +} + +func main() { + token, exists := os.LookupEnv("WEBPULL_TOKEN") + if !exists { + log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined") + } + + if update(os.Stdout) != nil { + log.Fatal("Initial 'update' failed") + } + + fs := http.FileServer(http.Dir("./static")) + http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) { + keys, ok := r.URL.Query()["token"] + if !ok || len(keys[0]) < 1 { + http.Error(w, "Missing 'token' query parameter", 401) + return + } + + if keys[0] != token { + http.Error(w, "Wrong token", 401) + return + } + + update(w) + }) + http.Handle("/", fs) + + log.Fatal(http.ListenAndServe(":8080", nil)) +} diff --git a/app_config/configuration/.gitignore b/app_config/configuration/.gitignore new file mode 100644 index 0000000..056b4d2 --- /dev/null +++ b/app_config/configuration/.gitignore @@ -0,0 +1,33 @@ +# Blacklist everything cleverly +* +!*/ + +# Whitelist some patterns +!*.sample +!*.gen +!*.tpl +!.gitignore + +# Whitelist specific files +!seafile/conf/seafdav.conf +!seafile/ccnet/seafile.ini + +!email/dkim/keytable +!email/dkim/signingtable +!email/dkim/trusted +!email/postfix/dynamicmaps.cf +!email/postfix/header_checks +!email/postfix/main.cf +!email/postfix/master.cf +!email/postfix/transport +!email/postfix/transport.db + +!email/sogo/sogo.conf.tpl + +!chat/**/* + +!directory/*/* + +!traefik/traefik.toml + +!garage/config.toml diff --git a/app_config/configuration/chat/coturn/turnserver.conf.tpl b/app_config/configuration/chat/coturn/turnserver.conf.tpl new file mode 100644 index 0000000..f867ac0 --- /dev/null +++ b/app_config/configuration/chat/coturn/turnserver.conf.tpl @@ -0,0 +1,19 @@ +use-auth-secret +static-auth-secret={{ key "secrets/chat/coturn/static-auth" | trimSpace }} +realm=turn.deuxfleurs.fr + +# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. +#no-tcp-relay + +# don't let the relay ever try to connect to private IP address ranges within your network (if any) +# given the turn server is likely behind your firewall, remember to include any privileged public IPs too. +#denied-peer-ip=10.0.0.0-10.255.255.255 +#denied-peer-ip=192.168.0.0-192.168.255.255 +#denied-peer-ip=172.16.0.0-172.31.255.255 + +# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. +user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. +total-quota=1200 + +min-port=49152 +max-port=49252 diff --git a/app_config/configuration/chat/easybridge/config.json.tpl b/app_config/configuration/chat/easybridge/config.json.tpl new file mode 100644 index 0000000..40ecc44 --- /dev/null +++ b/app_config/configuration/chat/easybridge/config.json.tpl @@ -0,0 +1,17 @@ +{ + "log_level": "info", + "easybridge_avatar": "/app/easybridge.jpg", + + "web_bind_addr": "0.0.0.0:8281", + "web_url": "https://easybridge.deuxfleurs.fr", + "web_session_key": "{{ key "secrets/chat/easybridge/web_session_key" | trimSpace }}", + + "appservice_bind_addr": "0.0.0.0:8321", + "registration": "/data/registration.yaml", + "homeserver_url": "https://im.deuxfleurs.fr", + "matrix_domain": "deuxfleurs.fr", + "name_format": "{}_ezbr_", + + "db_type": "postgres", + "db_path": "host=psql-proxy.service.2.cluster.deuxfleurs.fr port=5432 user={{ key "secrets/chat/easybridge/db_user" | trimSpace }} dbname=easybridge password={{ key "secrets/chat/easybridge/db_pass" | trimSpace }} sslmode=disable" +} diff --git a/app_config/configuration/chat/easybridge/registration.yaml.tpl b/app_config/configuration/chat/easybridge/registration.yaml.tpl new file mode 100644 index 0000000..ec098fd --- /dev/null +++ b/app_config/configuration/chat/easybridge/registration.yaml.tpl @@ -0,0 +1,14 @@ +id: Easybridge +url: http://easybridge-api.service.2.cluster.deuxfleurs.fr:8321 +as_token: {{ key "secrets/chat/easybridge/as_token" | trimSpace }} +hs_token: {{ key "secrets/chat/easybridge/hs_token" | trimSpace }} +sender_localpart: _ezbr_ +rate_limited: false +namespaces: + users: + - exclusive: true + regex: '@.*_ezbr_' + aliases: + - exclusive: true + regex: '#.*_ezbr_' + rooms: [] diff --git a/app_config/configuration/chat/fb2mx/config.yaml b/app_config/configuration/chat/fb2mx/config.yaml new file mode 100644 index 0000000..964c681 --- /dev/null +++ b/app_config/configuration/chat/fb2mx/config.yaml @@ -0,0 +1,133 @@ +# Homeserver details +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: https://im.deuxfleurs.fr + # The domain of the homeserver (for MXIDs, etc). + domain: deuxfleurs.fr + # Whether or not to verify the SSL certificate of the homeserver. + # Only applies if address starts with https:// + verify_ssl: true + +# Application service host/registration related details +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29319 + # The maximum body size of appservice API requests (from the homeserver) in mebibytes + # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s + max_body_size: 1 + + # The full URI to the database. SQLite and Postgres are fully supported. + # Other DBMSes supported by SQLAlchemy may or may not work. + # Format examples: + # SQLite: sqlite:///filename.db + # Postgres: postgres://username:password@hostname/dbname + database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}' + + # The unique ID of this appservice. + id: facebook + # Username of the appservice bot. + bot_username: facebookbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + bot_displayname: Facebook bridge bot + bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv + + # Community ID for bridged users (changes registration file) and rooms. + # Must be created manually. + community_id: "+fbusers:deuxfleurs.fr" + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' + hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' + +# Bridge config +bridge: + # Localpart template of MXIDs for Facebook users. + # {userid} is replaced with the user ID of the Facebook user. + username_template: "facebook_{userid}" + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + # {localpart} is the MXID localpart and {server} is the MXID server part of the user. + # + # `facebook_{localpart}={server}` is a good value. + community_template: "facebook_{localpart}={server}" + # Displayname template for Facebook users. + # {displayname} is replaced with the display name of the Facebook user + # as defined below in displayname_preference. + # Keys available for displayname_preference are also available here. + displayname_template: "{displayname} (FB)" + # Available keys: + # "name" (full name) + # "first_name" + # "last_name" + # "nickname" + # "own_nickname" (user-specific!) + displayname_preference: + - name + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!fb" + + # Number of chats to sync (and create portals for) on startup/login. + # Maximum 20, set 0 to disable automatic syncing. + initial_chat_sync: 10 + # Whether or not the Facebook users of logged in Matrix users should be + # invited to private chats when the user sends a message from another client. + invite_own_puppet_to_pm: false + # Whether or not to use /sync to get presence, read receipts and typing notifications when using + # your own Matrix account as the Matrix puppet for your Facebook account. + sync_with_custom_puppets: true + # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast + # presence, but then it won't send other users' presence to the client. + presence: true + # Whether or not to update avatars when syncing all contacts at startup. + update_avatar_initial_sync: true + + # Permissions for using the bridge. + # Permitted values: + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "deuxfleurs.fr": "user" + +# Python logging configuration. +# +# See section 16.7.2 of the Python documentation for more info: +# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema +logging: + version: 1 + formatters: + colored: + (): mautrix_facebook.util.ColorFormatter + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + normal: + format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" + handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: normal + filename: ./mautrix-facebook.log + maxBytes: 10485760 + backupCount: 10 + console: + class: logging.StreamHandler + formatter: colored + loggers: + mau: + level: DEBUG + fbchat: + level: DEBUG + aiohttp: + level: INFO + root: + level: DEBUG + handlers: [file, console] diff --git a/app_config/configuration/chat/fb2mx/registration.yaml b/app_config/configuration/chat/fb2mx/registration.yaml new file mode 100644 index 0000000..c3d8c05 --- /dev/null +++ b/app_config/configuration/chat/fb2mx/registration.yaml @@ -0,0 +1,11 @@ +id: facebook +as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' +hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' +namespaces: + users: + - exclusive: true + regex: '@facebook_.+:deuxfleurs.fr' + group_id: '+fbusers:deuxfleurs.fr' +url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 +sender_localpart: facebookbot +rate_limited: false diff --git a/app_config/configuration/chat/riot_web/config.json b/app_config/configuration/chat/riot_web/config.json new file mode 100644 index 0000000..5844afc --- /dev/null +++ b/app_config/configuration/chat/riot_web/config.json @@ -0,0 +1,25 @@ +{ + "default_hs_url": "https://im.deuxfleurs.fr", + "default_is_url": "https://vector.im", + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Deuxfleurs", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "features": { + "feature_groups": "labs", + "feature_pinning": "labs" + }, + "default_federate": true, + "welcomePageUrl": "home.html", + "default_theme": "light", + "roomDirectory": { + "servers": [ "im.deuxfleurs.fr", "matrix.org" ] + }, + "jitsi": { + "preferredDomain": "jitsi.deuxfleurs.fr" + } +} diff --git a/app_config/configuration/chat/synapse/conf.d/report_stats.yaml b/app_config/configuration/chat/synapse/conf.d/report_stats.yaml new file mode 100644 index 0000000..cb95cc3 --- /dev/null +++ b/app_config/configuration/chat/synapse/conf.d/report_stats.yaml @@ -0,0 +1 @@ +report_stats: true diff --git a/app_config/configuration/chat/synapse/conf.d/server_name.yaml b/app_config/configuration/chat/synapse/conf.d/server_name.yaml new file mode 100644 index 0000000..540ce45 --- /dev/null +++ b/app_config/configuration/chat/synapse/conf.d/server_name.yaml @@ -0,0 +1 @@ +server_name: deuxfleurs.fr diff --git a/app_config/configuration/chat/synapse/homeserver.yaml b/app_config/configuration/chat/synapse/homeserver.yaml new file mode 100644 index 0000000..7f313f6 --- /dev/null +++ b/app_config/configuration/chat/synapse/homeserver.yaml @@ -0,0 +1,420 @@ +# vim:ft=yaml + +server_name: "deuxfleurs.fr" +# PEM encoded X509 certificate for TLS. +# You can replace the self-signed certificate that synapse +# autogenerates on launch with your own SSL certificate + key pair +# if you like. Any required intermediary certificates can be +# appended after the primary certificate in hierarchical order. +tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" + +# PEM encoded private key for TLS +tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" + +# PEM dh parameters for ephemeral keys +tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" + +# Don't bind to the https port +no_tls: True + + +## Server ## + +# When running as a daemon, the file to store the pid in +pid_file: "/var/run/matrix-synapse.pid" + +# Whether to serve a web client from the HTTP/HTTPS root resource. +web_client: False + +# The public-facing base URL for the client API (not including _matrix/...) +public_baseurl: https://im.deuxfleurs.fr/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +soft_file_limit: 0 + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# gc_thresholds: [700, 10, 10] + +# A list of other Home Servers to fetch the public room directory from +# and include in the public room directory of this home server +# This is a temporary stopgap solution to populate new server with a +# list of rooms until there exists a good solution of a decentralized +# room directory. +# secondary_directory_servers: +# - matrix.org +# - vector.im + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +listeners: + # Unsecure HTTP listener, + # For when matrix traffic passes through loadbalancer that unwraps TLS. + - port: 8008 + tls: false + bind_address: '' + type: http + + x_forwarded: false + + resources: + - names: [client] + compress: true + + - port: 8448 + tls: false + bind_address: '' + type: http + + x_forwarded: false + + resources: + - names: [federation] + compress: false + + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # - port: 9000 + # bind_address: 127.0.0.1 + # type: manhole + + +# Database configuration +database: + name: psycopg2 + args: + user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }} + password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} + database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }} + host: psql-proxy.service.2.cluster.deuxfleurs.fr + port: 5432 + cp_min: 5 + cp_max: 10 +# Number of events to cache in memory. +event_cache_size: "10K" + + +# A yaml python logging config file +log_config: "/etc/matrix-synapse/log.yaml" + +# Stop twisted from discarding the stack traces of exceptions in +# deferreds by waiting a reactor tick before running a deferred's +# callbacks. +# full_twisted_stacktraces: true + + +## Ratelimiting ## + +# Number of messages a client can send per second +rc_messages_per_second: 0.2 + +# Number of message a client can send before being throttled +rc_message_burst_count: 10.0 + +# The federation window size in milliseconds +federation_rc_window_size: 1000 + +# The number of federation requests from a single server in a window +# before the server will delay processing the request. +federation_rc_sleep_limit: 10 + +# The duration in milliseconds to delay processing events from +# remote servers by if they go over the sleep limit. +federation_rc_sleep_delay: 500 + +# The maximum number of concurrent federation requests allowed +# from a single server +federation_rc_reject_limit: 50 + +# The number of federation requests to concurrently process from a +# single server +federation_rc_concurrent: 3 + + + +# Directory where uploaded images and attachments are stored. +media_store_path: "/var/lib/matrix-synapse/media" +uploads_path: "/var/lib/matrix-synapse/uploads" + +# The largest allowed upload size in bytes +max_upload_size: "100M" + +# Maximum number of pixels that will be thumbnailed +max_image_pixels: "32M" + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +dynamic_thumbnails: false + +# List of thumbnail to precalculate when an image is uploaded. +thumbnail_sizes: +- width: 32 + height: 32 + method: crop +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 640 + height: 480 + method: scale +- width: 800 + height: 600 + method: scale + +# Is the preview URL API enabled? If enabled, you *must* specify +# an explicit url_preview_ip_range_blacklist of IPs that the spider is +# denied from accessing. +url_preview_enabled: True + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +url_preview_ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' +# +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. +# +# url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +# url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +max_spider_size: "10M" + + + + +## Captcha ## + +# This Home Server's ReCAPTCHA public key. +recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This Home Server's ReCAPTCHA private key. +recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Enables ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. +enable_registration_captcha: False + +# A secret key used to bypass the captcha test entirely. +#captcha_bypass_secret: "YOUR_SECRET_HERE" + +# The API endpoint to use for verifying m.login.recaptcha responses. +recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + + +## Turn ## + +# The public URIs of the TURN server to give to clients +turn_uris: [ "turn:turn.deuxfleurs.fr:3478?transport=udp", "turn:turn.deuxfleurs.fr:3478?transport=tcp" ] + +# The shared secret used to compute passwords for the TURN server +turn_shared_secret: '{{ key "secrets/chat/coturn/static-auth" | trimSpace }}' + +# How long generated TURN credentials last +turn_user_lifetime: "1h" + +turn_allow_guests: True + +## Registration ## + +# Enable registration for new users. +enable_registration: False + +# If set, allows registration by anyone who also has the shared +# secret, even if registration is otherwise disabled. +registration_shared_secret: '{{ key "secrets/chat/synapse/registration_shared_secret" | trimSpace }}' + +# Sets the expiry for the short term user creation in +# milliseconds. For instance the bellow duration is two weeks +# in milliseconds. +user_creation_max_duration: 1209600000 + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number of rounds is 12. +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +allow_guest_access: True + +# The list of identity servers trusted to verify third party +# identifiers by this server. +trusted_third_party_id_servers: + - matrix.org + - vector.im + + +## Metrics ### + +# Enable collection and rendering of performance metrics +enable_metrics: False + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + + +# A list of application service config file to use +app_service_config_files: + - "/etc/matrix-synapse/easybridge_registration.yaml" + #- "/etc/matrix-synapse/fb2mx_registration.yaml" + + +# macaroon_secret_key: + +# Used to enable access token expiration. +expire_access_token: False + +## Signing Keys ## + +# Path to the signing key to sign messages with +signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. E.g. it has lost its private key +old_signing_keys: {} +# "ed25519:auto": +# # Base64 encoded public key +# key: "The public part of your old signing key." +# # Millisecond POSIX timestamp when the key expired. +# expired_ts: 123456789123 + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. +perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + + +# Enable SAML2 for registration and login. Uses pysaml2 +# config_path: Path to the sp_conf.py configuration file +# idp_redirect_url: Identity provider URL which will redirect +# the user back to /login/saml2 with proper info. +# See pysaml2 docs for format of config. +#saml2_config: +# enabled: true +# config_path: "/home/erikj/git/synapse/sp_conf.py" +# idp_redirect_url: "http://test/idp" + + + +# Enable CAS for registration and login. +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homesever.domain.com:8448" +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +# jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + +password_providers: + - module: "ldap_auth_provider.LdapAuthProvider" + config: + enabled: true + uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389" + start_tls: false + bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' + bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' + base: "ou=users,dc=deuxfleurs,dc=fr" + attributes: + uid: "cn" + name: "displayName" + mail: "mail" + +# Enable password for login. +password_config: + enabled: true + +# Enable sending emails for notification events +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 +# notif_from: "Your Friendly %(app)s Home Server " +# app_name: Matrix +# template_dir: res/templates +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# notif_for_new_users: True + +# Key that had to be added after some synapse updates to please matrix developers... +report_stats: false +suppress_key_server_warning: true +enable_group_creation: true diff --git a/app_config/configuration/chat/synapse/log.yaml b/app_config/configuration/chat/synapse/log.yaml new file mode 100644 index 0000000..eb69d8f --- /dev/null +++ b/app_config/configuration/chat/synapse/log.yaml @@ -0,0 +1,41 @@ + +version: 1 + +formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + file: + class: logging.handlers.RotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/homeserver.log + maxBytes: 10485760 + backupCount: 3 + filters: [context] + level: WARN + console: + class: logging.StreamHandler + formatter: precise + level: WARN + +loggers: + synapse: + level: INFO + + synapse.storage.SQL: + level: INFO + + ldap3: + level: DEBUG + ldap_auth_provider: + level: DEBUG + +root: + level: INFO + handlers: [file, console] diff --git a/app_config/configuration/directory/bottin/config.json b/app_config/configuration/directory/bottin/config.json new file mode 100644 index 0000000..c30a4d5 --- /dev/null +++ b/app_config/configuration/directory/bottin/config.json @@ -0,0 +1,31 @@ +{ + "suffix": "dc=deuxfleurs,dc=fr", + "bind": "0.0.0.0:1389", + "consul_host": "http://consul.service.2.cluster.deuxfleurs.fr:8500", + "log_level": "debug", + "acl": [ + "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword", + "*::read modify:SELF:*", + "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", + "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*", + "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:", + "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*", + + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", + "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*", + "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*", + + "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", + "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*" + ] +} diff --git a/app_config/configuration/directory/guichet/config.json.tpl b/app_config/configuration/directory/guichet/config.json.tpl new file mode 100644 index 0000000..98e2297 --- /dev/null +++ b/app_config/configuration/directory/guichet/config.json.tpl @@ -0,0 +1,30 @@ +{ + "http_bind_addr": ":9991", + "ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389", + + "base_dn": "dc=deuxfleurs,dc=fr", + "user_base_dn": "ou=users,dc=deuxfleurs,dc=fr", + "user_name_attr": "cn", + "group_base_dn": "ou=groups,dc=deuxfleurs,dc=fr", + "group_name_attr": "cn", + + "invitation_base_dn": "ou=invitations,dc=deuxfleurs,dc=fr", + "invitation_name_attr": "cn", + "invited_mail_format": "{}@deuxfleurs.fr", + "invited_auto_groups": [ + "cn=email,ou=groups,dc=deuxfleurs,dc=fr", + "cn=seafile,ou=groups,dc=deuxfleurs,dc=fr", + "cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr" + ], + + "web_address": "https://guichet.deuxfleurs.fr", + "mail_from": "coucou@deuxfleurs.fr", + "smtp_server": "adnab.me:25", + "smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}", + "smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}", + + "admin_account": "cn=admin,dc=deuxfleurs,dc=fr", + "group_can_admin": "cn=admin,ou=groups,dc=deuxfleurs,dc=fr", + "group_can_invite": "cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr" +} + diff --git a/app_config/configuration/email/dkim/keytable b/app_config/configuration/email/dkim/keytable new file mode 100644 index 0000000..f4ac7cd --- /dev/null +++ b/app_config/configuration/email/dkim/keytable @@ -0,0 +1 @@ +smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private diff --git a/app_config/configuration/email/dkim/signingtable b/app_config/configuration/email/dkim/signingtable new file mode 100644 index 0000000..60d66ff --- /dev/null +++ b/app_config/configuration/email/dkim/signingtable @@ -0,0 +1,2 @@ +*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr +*@dufour.io smtp._domainkey.deuxfleurs.fr diff --git a/app_config/configuration/email/dkim/smtp.private.sample b/app_config/configuration/email/dkim/smtp.private.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/configuration/email/dkim/smtp.txt.sample b/app_config/configuration/email/dkim/smtp.txt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/configuration/email/dkim/trusted b/app_config/configuration/email/dkim/trusted new file mode 100644 index 0000000..a01170d --- /dev/null +++ b/app_config/configuration/email/dkim/trusted @@ -0,0 +1,4 @@ +127.0.0.1 +localhost +192.168.1.0/24 +172.16.0.0/12 diff --git a/app_config/configuration/email/dovecot/certs.gen b/app_config/configuration/email/dovecot/certs.gen new file mode 100755 index 0000000..f26e917 --- /dev/null +++ b/app_config/configuration/email/dovecot/certs.gen @@ -0,0 +1,13 @@ +#!/bin/bash + +TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" +openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout dovecot.key \ + -out dovecot.crt + diff --git a/app_config/configuration/email/dovecot/dovecot-ldap.conf.tpl b/app_config/configuration/email/dovecot/dovecot-ldap.conf.tpl new file mode 100644 index 0000000..9fb1ea6 --- /dev/null +++ b/app_config/configuration/email/dovecot/dovecot-ldap.conf.tpl @@ -0,0 +1,8 @@ +hosts = bottin2.service.2.cluster.deuxfleurs.fr +dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }} +dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }} +base = dc=deuxfleurs,dc=fr +scope = subtree +user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) +pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) +user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/app_config/configuration/email/postfix/certs.gen b/app_config/configuration/email/postfix/certs.gen new file mode 100755 index 0000000..f25439b --- /dev/null +++ b/app_config/configuration/email/postfix/certs.gen @@ -0,0 +1,13 @@ +#!/bin/bash + +TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" +openssl req \ + -new \ + -newkey rsa:4096 \ + -days 3650 \ + -nodes \ + -x509 \ + -subj ${TLSINFO} \ + -keyout postfix.key \ + -out postfix.crt + diff --git a/app_config/configuration/email/postfix/dynamicmaps.cf b/app_config/configuration/email/postfix/dynamicmaps.cf new file mode 100644 index 0000000..32d8f62 --- /dev/null +++ b/app_config/configuration/email/postfix/dynamicmaps.cf @@ -0,0 +1,9 @@ +# Postfix dynamic maps configuration file. +# +# The first match found is the one that is used. Wildcards are not supported +# as of postfix 2.0.2 +# +#type location of .so file open function (mkmap func) +#==== ================================ ============= ============ +ldap postfix-ldap.so dict_ldap_open +sqlite postfix-sqlite.so dict_sqlite_open diff --git a/app_config/configuration/email/postfix/header_checks b/app_config/configuration/email/postfix/header_checks new file mode 100644 index 0000000..cad52ec --- /dev/null +++ b/app_config/configuration/email/postfix/header_checks @@ -0,0 +1,3 @@ +/^Received:/ IGNORE +/^X-Originating-IP:/ IGNORE +/^X-Mailer:/ IGNORE diff --git a/app_config/configuration/email/postfix/ldap-account.cf.tpl b/app_config/configuration/email/postfix/ldap-account.cf.tpl new file mode 100644 index 0000000..2575f10 --- /dev/null +++ b/app_config/configuration/email/postfix/ldap-account.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=users,dc=deuxfleurs,dc=fr +query_filter = mail=%s +result_attribute = mail diff --git a/app_config/configuration/email/postfix/ldap-alias.cf.tpl b/app_config/configuration/email/postfix/ldap-alias.cf.tpl new file mode 100644 index 0000000..775c0ad --- /dev/null +++ b/app_config/configuration/email/postfix/ldap-alias.cf.tpl @@ -0,0 +1,9 @@ +server_host = bottin2.service.2.cluster.deuxfleurs.fr +server_port = 389 +search_base = dc=deuxfleurs,dc=fr +query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) +result_attribute = mail +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 diff --git a/app_config/configuration/email/postfix/ldap-virtual-domains.cf.tpl b/app_config/configuration/email/postfix/ldap-virtual-domains.cf.tpl new file mode 100644 index 0000000..e013953 --- /dev/null +++ b/app_config/configuration/email/postfix/ldap-virtual-domains.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr +query_filter = (&(objectclass=dNSDomain)(domain=%s)) +result_attribute = domain diff --git a/app_config/configuration/email/postfix/main.cf b/app_config/configuration/email/postfix/main.cf new file mode 100644 index 0000000..4204cb4 --- /dev/null +++ b/app_config/configuration/email/postfix/main.cf @@ -0,0 +1,104 @@ +#=== +# Base configuration +#=== +myhostname = smtp.deuxfleurs.fr +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = smtp.deuxfleurs.fr +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_protocols = all +inet_interfaces = all +message_size_limit = 204800000 +smtpd_banner = $myhostname +biff = no +append_dot_mydomain = no +readme_directory = no +compatibility_level = 2 + +#=== +# TLS parameters +#=== +smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt +smtpd_tls_key_file=/etc/ssl/private/postfix.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +smtp_tls_security_level = may + +#=== +# Remove privacy related content from emails +#=== +mime_header_checks = regexp:/etc/postfix/header_checks +header_checks = regexp:/etc/postfix/header_checks + +#=== +# Handle user authentication (handled by dovecot) +#=== +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337 +smtpd_sasl_type = dovecot + +#=== +# Restrictions / Checks +#=== +# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists + +# Require a valid HELO +smtpd_helo_required = yes +# As we use the same postfix to send and receive, +# we can't enforce a valid HELO hostname... +#smtpd_helo_restrictions = +# reject_unknown_helo_hostname + +# Require that sender email has a valid domain +smtpd_sender_restrictions = + reject_unknown_sender_domain + +# Delivering email policy +# MyNetwork is required by sogo +smtpd_recipient_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + reject_rbl_client zen.spamhaus.org + reject_rhsbl_reverse_client dbl.spamhaus.org + reject_rhsbl_helo dbl.spamhaus.org + reject_rhsbl_sender dbl.spamhaus.org + +# Sending email policy +# MyNetwork is required by sogo +smtpd_relay_restrictions = + permit_sasl_authenticated + permit_mynetworks + reject_unauth_destination + +smtpd_data_restrictions = reject_unauth_pipelining + +smtpd_client_connection_rate_limit = 2 + +#=== +# Rate limiting +#=== +slow_destination_recipient_limit = 20 +slow_destination_concurrency_limit = 2 + +#==== +# Transport configuration +#==== +transport_maps = hash:/etc/postfix/transport +virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf +virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf +virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf +virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24 + +#=== +# Mail filters +#=== +milter_default_action = accept +milter_protocol = 6 +smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 +non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 diff --git a/app_config/configuration/email/postfix/master.cf b/app_config/configuration/email/postfix/master.cf new file mode 100644 index 0000000..53bc601 --- /dev/null +++ b/app_config/configuration/email/postfix/master.cf @@ -0,0 +1,114 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - n - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +slow unix - - n - 5 smtp + -o syslog_name=postfix-slow + -o smtp_destination_concurrency_limit=3 + -o slow_destination_rate_delay=1 + + +#628 inet n - - - - qmqpd +pickup fifo n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +smtp unix - - n - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +relay unix - - n - - smtp + -o smtp_fallback_relay= +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +scache unix - - n - 1 scache +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} diff --git a/app_config/configuration/email/postfix/transport b/app_config/configuration/email/postfix/transport new file mode 100644 index 0000000..68f62c5 --- /dev/null +++ b/app_config/configuration/email/postfix/transport @@ -0,0 +1,5 @@ +#wanadoo.com slow: +#wanadoo.fr slow: +#orange.com slow: +#orange.fr slow: +#smtp.orange.fr slow: diff --git a/app_config/configuration/email/postfix/transport.db b/app_config/configuration/email/postfix/transport.db new file mode 100644 index 0000000..487f394 Binary files /dev/null and b/app_config/configuration/email/postfix/transport.db differ diff --git a/app_config/configuration/email/sogo/sogo.conf.tpl b/app_config/configuration/email/sogo/sogo.conf.tpl new file mode 100644 index 0000000..d4261e5 --- /dev/null +++ b/app_config/configuration/email/sogo/sogo.conf.tpl @@ -0,0 +1,68 @@ +{ + WONoDetach = NO; + WOWorkersCount = 10; + WOPort = "127.0.0.1:20000"; + SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_user_profile"; + OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_sessions_folder"; + OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_alarms_folder"; + OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_store"; + OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_acl"; + OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_cache_folder"; + SOGoTimeZone = "Europe/Paris"; + SOGoMailDomain = "deuxfleurs.fr"; + SOGoLanguage = French; + SOGoAppointmentSendEMailNotifications = YES; + SOGoEnablePublicAccess = YES; + SOGoMailingMechanism = smtp; + SOGoSMTPServer = postfix-smtp.service.2.cluster.deuxfleurs.fr; + SOGoSMTPAuthenticationType = PLAIN; + SOGoForceExternalLoginWithEmail = YES; + SOGoIMAPAclConformsToIMAPExt = YES; + SOGoTimeZone = UTC; + SOGoSentFolderName = Sent; + SOGoTrashFolderName = Trash; + SOGoDraftsFolderName = Drafts; + SOGoIMAPServer = "imaps://dovecot-imaps.service.2.cluster.deuxfleurs.fr:993/?tlsVerifyMode=none"; + SOGoSieveServer = "sieve://sieve.service.2.cluster.deuxfleurs.fr:4190/?tls=YES"; + SOGoIMAPAclConformsToIMAPExt = YES; + SOGoVacationEnabled = NO; + SOGoForwardEnabled = NO; + SOGoSieveScriptsEnabled = NO; + SOGoFirstDayOfWeek = 1; + SOGoRefreshViewCheck = every_5_minutes; + SOGoMailAuxiliaryUserAccountsEnabled = NO; + SOGoPasswordChangeEnabled = YES; + SOGoPageTitle = "deuxfleurs.fr"; + SOGoLoginModule = Mail; + SOGoMailAddOutgoingAddresses = YES; + SOGoSelectedAddressBook = autobook; + SOGoMailAuxiliaryUserAccountsEnabled = YES; + SOGoCalendarEventsDefaultClassification = PRIVATE; + SOGoMailReplyPlacement = above; + SOGoMailSignaturePlacement = above; + SOGoMailComposeMessageType = html; + + SOGoLDAPContactInfoAttribute = "displayname"; + + SOGoUserSources = ( + { + type = ldap; + CNFieldName = displayname; + IDFieldName = cn; + UIDFieldName = cn; + MailFieldNames = (mail, mailForwardingAddress); + SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber); + IMAPLoginFieldName = mail; + baseDN = "ou=users,dc=deuxfleurs,dc=fr"; + bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}"; + bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}"; + bindFields = (cn, mail); + canAuthenticate = YES; + displayName = "Bottin"; + hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"; + id = bottin; + isAddressBook = NO; + } + ); +} diff --git a/app_config/configuration/mariadb/main/env.tpl b/app_config/configuration/mariadb/main/env.tpl new file mode 100644 index 0000000..0fe903b --- /dev/null +++ b/app_config/configuration/mariadb/main/env.tpl @@ -0,0 +1,6 @@ +LDAP_URI = "ldap://bottin2.service.2.cluster.deuxfleurs.fr" +LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr" +LDAP_VERSION = 3 +LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}" +LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}" +MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}" diff --git a/app_config/configuration/nextcloud/config.php.tpl b/app_config/configuration/nextcloud/config.php.tpl new file mode 100644 index 0000000..7dcfc6e --- /dev/null +++ b/app_config/configuration/nextcloud/config.php.tpl @@ -0,0 +1,49 @@ + false, + 'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}', + 'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}', + 'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}', + 'trusted_domains' => array ( + 0 => 'nextcloud.deuxfleurs.fr', + ), + 'memcache.local' => '\\OC\\Memcache\\APCu', + + 'objectstore' => array( + 'class' => '\\OC\\Files\\ObjectStore\\S3', + 'arguments' => array( + 'bucket' => 'nextcloud', + 'autocreate' => false, + 'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}', + 'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}', + 'hostname' => 'garage.deuxfleurs.fr', + 'port' => 443, + 'use_ssl' => true, + 'region' => 'garage', + // required for some non Amazon S3 implementations + 'use_path_style' => true + ), + ), + + 'dbtype' => 'pgsql', + 'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr', + 'dbname' => 'nextcloud', + 'dbtableprefix' => 'nc_', + 'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}', + 'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}', + + 'default_language' => 'fr', + 'default_locale' => 'fr_FR', + + 'mail_domain' => 'deuxfleurs.fr', + 'mail_from_address' => 'nextcloud@deuxfleurs.fr', + // TODO SMTP CONFIG + + // TODO REDIS CACHE + + 'version' => '19.0.0.12', + 'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr', + + 'installed' => true, +); + diff --git a/app_config/configuration/postgres/keeper/env.tpl b/app_config/configuration/postgres/keeper/env.tpl new file mode 100644 index 0000000..7831aad --- /dev/null +++ b/app_config/configuration/postgres/keeper/env.tpl @@ -0,0 +1,3 @@ +PG_SU_PWD={{ key "secrets/postgres/keeper/pg_su_pwd" | trimSpace }} +PG_REPL_USER={{ key "secrets/postgres/keeper/pg_repl_username" | trimSpace }} +PG_REPL_PWD={{ key "secrets/postgres/keeper/pg_repl_pwd" | trimSpace }} diff --git a/app_config/configuration/seafile/ccnet/mykey.peer.sample b/app_config/configuration/seafile/ccnet/mykey.peer.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/configuration/seafile/ccnet/seafile.ini b/app_config/configuration/seafile/ccnet/seafile.ini new file mode 100644 index 0000000..306d126 --- /dev/null +++ b/app_config/configuration/seafile/ccnet/seafile.ini @@ -0,0 +1 @@ +/mnt/seafile-data/ \ No newline at end of file diff --git a/app_config/configuration/seafile/conf/ccnet.conf.tpl b/app_config/configuration/seafile/conf/ccnet.conf.tpl new file mode 100644 index 0000000..2395a9b --- /dev/null +++ b/app_config/configuration/seafile/conf/ccnet.conf.tpl @@ -0,0 +1,29 @@ +[General] +USER_NAME = deuxfleurs +ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }} +NAME = deuxfleurs +SERVICE_URL = https://cloud.deuxfleurs.fr + +[Network] +PORT = 10001 + +[Client] +PORT = 13418 + +[LDAP] +HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/ +BASE = ou=users,dc=deuxfleurs,dc=fr +USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }} +FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr +PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }} +LOGIN_ATTR = mail + +[Database] +ENGINE = mysql +HOST = mariadb.service.2.cluster.deuxfleurs.fr +PORT = 3306 +USER = seafile +PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} +DB = ccnet-db +CONNECTION_CHARSET = utf8 + diff --git a/app_config/configuration/seafile/conf/mykey.peer.sample b/app_config/configuration/seafile/conf/mykey.peer.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/configuration/seafile/conf/seafdav.conf b/app_config/configuration/seafile/conf/seafdav.conf new file mode 100644 index 0000000..49a79a2 --- /dev/null +++ b/app_config/configuration/seafile/conf/seafdav.conf @@ -0,0 +1,5 @@ +[WEBDAV] +enabled = true +port = 8084 +fastcgi = false +share_name = /seafdav diff --git a/app_config/configuration/seafile/conf/seafile.conf.tpl b/app_config/configuration/seafile/conf/seafile.conf.tpl new file mode 100644 index 0000000..f224234 --- /dev/null +++ b/app_config/configuration/seafile/conf/seafile.conf.tpl @@ -0,0 +1,19 @@ +[network] +port = 12001 + +[fileserver] +port = 8082 +max_upload_size=8192 +max_download_dir_size=8192 + +[database] +type = mysql +host = mariadb.service.2.cluster.deuxfleurs.fr +port = 3306 +user = seafile +password = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} +db_name = seafile-db +connection_charset = utf8 + +[quota] +default = 50 diff --git a/app_config/configuration/seafile/conf/seahub_settings.py.tpl b/app_config/configuration/seafile/conf/seahub_settings.py.tpl new file mode 100644 index 0000000..6c63ee4 --- /dev/null +++ b/app_config/configuration/seafile/conf/seahub_settings.py.tpl @@ -0,0 +1,21 @@ +SECRET_KEY = "8ep+sgi&s1-f2cq2178!ekk!0h0nw2y4z1-olbaopxmodsd8vk" +FILE_SERVER_ROOT = 'https://cloud.deuxfleurs.fr/seafhttp' +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.mysql', + 'NAME': 'seahub-db', + 'USER': 'seafile', + 'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}', + 'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr', + 'PORT': '3306', + 'OPTIONS': { + 'init_command': 'SET storage_engine=INNODB', + } + } +} +FILE_PREVIEW_MAX_SIZE = 100 * 1024 * 1024 +ENABLE_THUMBNAIL = True +THUMBNAIL_ROOT = '/mnt/seafile-data/thumbnail/thumb/' +THUMBNAIL_EXTENSION = 'png' +THUMBNAIL_DEFAULT_SIZE = '24' +PREVIEW_DEFAULT_SIZE = '300' diff --git a/app_config/configuration/traefik/traefik.toml b/app_config/configuration/traefik/traefik.toml new file mode 100644 index 0000000..03fca8a --- /dev/null +++ b/app_config/configuration/traefik/traefik.toml @@ -0,0 +1,45 @@ +InsecureSkipVerify = true +defaultEntryPoints = ["http", "https"] + +[entryPoints] + [entryPoints.admin] + address = ":8082" + + [entryPoints.http] + address = ":80" + [entryPoints.http.redirect] + entryPoint = "https" + + [entryPoints.https] + address = ":443" + compress = true + [entryPoints.https.tls] + +[ping] +entrypoint = "admin" + +[retry] + +[acme] + email = "quentin@dufour.io" + storage = "traefik/acme/account" + entryPoint = "https" + onHostRule = true + + [acme.httpChallenge] + entryPoint = "http" + +[api] + entryPoint = "admin" + dashboard = true + +[consul] + endpoint = "172.17.0.1:8500" + watch = true + prefix = "traefik" + +[consulCatalog] + endpoint = "172.17.0.1:8500" + prefix = "traefik" + domain = "web.deuxfleurs.fr" + exposedByDefault = false diff --git a/app_config/restore_configuration.sh b/app_config/restore_configuration.sh new file mode 100755 index 0000000..33742e5 --- /dev/null +++ b/app_config/restore_configuration.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +find {configuration,secrets}/$1 -type f \ + | grep --perl-regexp --invert-match "\.sample$|\.gen$|/.gitignore$" \ + | while read filename; do + consul kv put "${filename}" "@${filename}" + done diff --git a/app_config/secrets/.gitignore b/app_config/secrets/.gitignore new file mode 100644 index 0000000..1d7b40b --- /dev/null +++ b/app_config/secrets/.gitignore @@ -0,0 +1,10 @@ +# Blacklist everything cleverly +* +!*/ + +# Whitelist some patterns +!*.sample +!*.gen +!.gitignore + +# Whitelist specific files diff --git a/app_config/secrets/chat/coturn/static-auth.sample b/app_config/secrets/chat/coturn/static-auth.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/fb2mx/as_token.sample b/app_config/secrets/chat/fb2mx/as_token.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/fb2mx/db_url.sample b/app_config/secrets/chat/fb2mx/db_url.sample new file mode 100644 index 0000000..aff4635 --- /dev/null +++ b/app_config/secrets/chat/fb2mx/db_url.sample @@ -0,0 +1 @@ +postgres://username:password@hostname/dbname diff --git a/app_config/secrets/chat/fb2mx/hs_token.sample b/app_config/secrets/chat/fb2mx/hs_token.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/homeserver.tls.crt.sample b/app_config/secrets/chat/synapse/homeserver.tls.crt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/homeserver.tls.dh.sample b/app_config/secrets/chat/synapse/homeserver.tls.dh.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/homeserver.tls.key.sample b/app_config/secrets/chat/synapse/homeserver.tls.key.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/ldap_binddn.sample b/app_config/secrets/chat/synapse/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/ldap_bindpw.sample b/app_config/secrets/chat/synapse/ldap_bindpw.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/postgres_db.sample b/app_config/secrets/chat/synapse/postgres_db.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/postgres_pwd.sample b/app_config/secrets/chat/synapse/postgres_pwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/postgres_user.sample b/app_config/secrets/chat/synapse/postgres_user.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/chat/synapse/registration_shared_secret.sample b/app_config/secrets/chat/synapse/registration_shared_secret.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/email/sogo/ldap_binddn.sample b/app_config/secrets/email/sogo/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/email/sogo/ldap_bindpw.sample b/app_config/secrets/email/sogo/ldap_bindpw.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/email/sogo/postgre_auth.sample b/app_config/secrets/email/sogo/postgre_auth.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample b/app_config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample b/app_config/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/jitsi/global_env.sample b/app_config/secrets/jitsi/global_env.sample new file mode 100644 index 0000000..658c9c9 --- /dev/null +++ b/app_config/secrets/jitsi/global_env.sample @@ -0,0 +1,9 @@ +JITSI_SECRET_VIDEOBRIDGE=redacted +JITSI_SECRET_JICOFO_COMPONENT=redacted +JITSI_SECRET_JICOFO_USER=redacted +JITSI_PROSODY_BOSH_PORT=5280 +JITSI_PROSODY_BOSH_HOST=127.0.0.1 +JITSI_PROSODY_HOST=127.0.0.1 +JITSI_CERTS_FOLDER=/secrets/certs/ +JITSI_NAT_PUBLIC_IP=redacted +JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }} diff --git a/app_config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample b/app_config/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample b/app_config/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/mariadb/main/ldap_binddn.sample b/app_config/secrets/mariadb/main/ldap_binddn.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/mariadb/main/ldap_bindpwd.sample b/app_config/secrets/mariadb/main/ldap_bindpwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/mariadb/main/mysql_pwd.sample b/app_config/secrets/mariadb/main/mysql_pwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/platoo/bddpw.sample b/app_config/secrets/platoo/bddpw.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/postgres/keeper/pg_repl_pwd.sample b/app_config/secrets/postgres/keeper/pg_repl_pwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/postgres/keeper/pg_repl_username.sample b/app_config/secrets/postgres/keeper/pg_repl_username.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/postgres/keeper/pg_su_pwd.sample b/app_config/secrets/postgres/keeper/pg_su_pwd.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/web/home_token.sample b/app_config/secrets/web/home_token.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_config/secrets/web/quentin.dufour.io_token.sample b/app_config/secrets/web/quentin.dufour.io_token.sample new file mode 100644 index 0000000..e69de29 diff --git a/app_deployment/bottin2.hcl b/app_deployment/bottin2.hcl new file mode 100644 index 0000000..85bda59 --- /dev/null +++ b/app_deployment/bottin2.hcl @@ -0,0 +1,116 @@ +job "directory2" { + datacenters = ["dc1"] + type = "service" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + group "bottin" { + count = 1 + task "bottin" { + driver = "docker" + config { + image = "lxpz/bottin_amd64:14" + readonly_rootfs = true + port_map { + ldap_port = 1389 + } + volumes = [ + "secrets/config.json:/config.json" + ] + } + + resources { + memory = 100 + network { + port "ldap_port" { + static = "389" + } + } + } + + template { + data = "{{ key \"configuration/directory/bottin/config.json\" }}" + destination = "secrets/config.json" + } + + service { + tags = ["bottin"] + port = "ldap_port" + address_mode = "host" + name = "bottin2" + check { + type = "tcp" + port = "ldap_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } + + group "guichet" { + count = 1 + task "guichet" { + driver = "docker" + config { + image = "lxpz/guichet_amd64:10" + readonly_rootfs = true + port_map { + web_port = 9991 + } + volumes = [ + "secrets/config.json:/config.json" + ] + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/directory/guichet/config.json.tpl?raw" + destination = "secrets/config.json.tpl" + mode = "file" + } + template { + source = "secrets/config.json.tpl" + destination = "secrets/config.json" + } + + resources { + memory = 200 + network { + port "web_port" {} + } + } + + service { + name = "guichet" + tags = [ + "guichet", + "traefik.enable=true", + "traefik.frontend.entryPoints=https,http", + "traefik.frontend.rule=Host:guichet.deuxfleurs.fr", + ] + port = "web_port" + address_mode = "host" + check { + type = "tcp" + port = "web_port" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} + diff --git a/app_deployment/core.hcl b/app_deployment/core.hcl new file mode 100644 index 0000000..43774a6 --- /dev/null +++ b/app_deployment/core.hcl @@ -0,0 +1,43 @@ +job "core" { + datacenters = ["dc1"] + type = "system" + + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + + update { + max_parallel = 1 + stagger = "1m" + } + + group "network" { + task "diplonat" { + driver = "docker" + + config { + image = "darkgallium/amd64_diplonat:v2" + network_mode = "host" + readonly_rootfs = true + privileged = true + } + + template { + data = <>" -echo "WARNING! BUG! The UUID is not set in the fstab. Either because this command failed (empty UUID above) or because of chroot scoping. Please fix it." -echo "Your OS will still be able to boot normally and remount the filesystem as RW but it could crash some apps like fsck" -read -p "[Press enter to continue or CTRL+C to stop]" -fi - -echo "Mount OS partition" -ROOTFS="/tmp/installing-rootfs" -mkdir -p ${ROOTFS} -mount ${DEVICE}2 ${ROOTFS} - -echo "Debootstrap system" -debootstrap --variant=minbase --arch amd64 buster ${ROOTFS} http://deb.debian.org/debian/ - -echo "Mount EFI partition" -mkdir -p ${ROOTFS}/boot/efi -mount ${DEVICE}1 ${ROOTFS}/boot/efi - -echo "Get ready for chroot" -mount --bind /dev ${ROOTFS}/dev -mount -t devpts /dev/pts ${ROOTFS}/dev/pts -mount -t proc proc ${ROOTFS}/proc -mount -t sysfs sysfs ${ROOTFS}/sys -mount -t tmpfs tmpfs ${ROOTFS}/tmp - -echo "Entering chroot, installing Linux kernel and Grub" -cat << EOF | chroot ${ROOTFS} - set -e - export HOME=/root - export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin - export DEBIAN_FRONTEND=noninteractive - debconf-set-selections <<< "grub-efi-amd64 grub2/update_nvram boolean false" - apt-get remove -y grub-efi grub-efi-amd64 - apt-get update - apt-get install -y linux-image-generic linux-headers-generic grub-efi - grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-nvram --removable - update-grub -EOF - -echo "Install script based on dd" -cat << 'EOF' > ${ROOTFS}/usr/local/sbin/os-install - #!/bin/bash - - set -e - - SOURCE=$1 - TARGET=$2 - # We write partitions until 4GiB = 4 * 1024^3 (https://en.wikipedia.org/wiki/Gibibyte) - # In dd, M means 1048576 bytes = 1024^2 (man dd) - # So we need to copy (4 * 1024^3) / (4 * 1024^2) = 0.5 * 1024 = 1024 blocks - dd if=${SOURCE} of=${TARGET} bs=4M status=progress count=1030 - growpart ${TARGET} 2 - mount ${TARGET}2 /mnt - btrfs filesystem resize max /mnt - umount /mnt - echo "you might want to run: btrfstune -u ${TARGET}2 but you will need to update the fstab" - echo "you might want to change systemd machine UUID" - echo "you might want to change /etc/systemd/network/en.network configuration" -EOF - -chmod +x ${ROOTFS}/usr/local/sbin/os-install - -echo "Entering chroot (bis), installing daemon" -cat << EOF | chroot ${ROOTFS} - set -e - export HOME=/root - export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin - export DEBIAN_FRONTEND=noninteractive - - # Set fstab - echo "UUID=${ROOTFS_UUID} / btrfs defaults 0 0" > /etc/fstab - - # Install systemd and OpenSSH - apt-get update - apt-get install -y systemd openssh-server sudo btrfs-tools cloud-utils python - systemctl enable ssh - - # Enable systemd services - systemctl enable systemd-networkd systemd-timesyncd systemd-resolved - - # Listen on any ethernet interface for DHCP - tee /etc/systemd/network/en.network << EOG -[Match] -Name=en* - -[Network] -DHCP=ipv4 -EOG - - # Add SSH keys - mkdir -p /root/.ssh - tee /root/.ssh/authorized_keys << EOG -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io -EOG - - echo "Done" -EOF - -echo "Unmounting filesystems" -umount ${ROOTFS}/dev/pts -umount ${ROOTFS}/dev -umount ${ROOTFS}/proc -umount ${ROOTFS}/sys -umount ${ROOTFS}/tmp -umount ${ROOTFS}/boot/efi -umount ${ROOTFS} - -echo "Done" diff --git a/consul/configuration/.gitignore b/consul/configuration/.gitignore deleted file mode 100644 index 056b4d2..0000000 --- a/consul/configuration/.gitignore +++ /dev/null @@ -1,33 +0,0 @@ -# Blacklist everything cleverly -* -!*/ - -# Whitelist some patterns -!*.sample -!*.gen -!*.tpl -!.gitignore - -# Whitelist specific files -!seafile/conf/seafdav.conf -!seafile/ccnet/seafile.ini - -!email/dkim/keytable -!email/dkim/signingtable -!email/dkim/trusted -!email/postfix/dynamicmaps.cf -!email/postfix/header_checks -!email/postfix/main.cf -!email/postfix/master.cf -!email/postfix/transport -!email/postfix/transport.db - -!email/sogo/sogo.conf.tpl - -!chat/**/* - -!directory/*/* - -!traefik/traefik.toml - -!garage/config.toml diff --git a/consul/configuration/chat/coturn/turnserver.conf.tpl b/consul/configuration/chat/coturn/turnserver.conf.tpl deleted file mode 100644 index f867ac0..0000000 --- a/consul/configuration/chat/coturn/turnserver.conf.tpl +++ /dev/null @@ -1,19 +0,0 @@ -use-auth-secret -static-auth-secret={{ key "secrets/chat/coturn/static-auth" | trimSpace }} -realm=turn.deuxfleurs.fr - -# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. -#no-tcp-relay - -# don't let the relay ever try to connect to private IP address ranges within your network (if any) -# given the turn server is likely behind your firewall, remember to include any privileged public IPs too. -#denied-peer-ip=10.0.0.0-10.255.255.255 -#denied-peer-ip=192.168.0.0-192.168.255.255 -#denied-peer-ip=172.16.0.0-172.31.255.255 - -# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. -user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. -total-quota=1200 - -min-port=49152 -max-port=49252 diff --git a/consul/configuration/chat/easybridge/config.json.tpl b/consul/configuration/chat/easybridge/config.json.tpl deleted file mode 100644 index 40ecc44..0000000 --- a/consul/configuration/chat/easybridge/config.json.tpl +++ /dev/null @@ -1,17 +0,0 @@ -{ - "log_level": "info", - "easybridge_avatar": "/app/easybridge.jpg", - - "web_bind_addr": "0.0.0.0:8281", - "web_url": "https://easybridge.deuxfleurs.fr", - "web_session_key": "{{ key "secrets/chat/easybridge/web_session_key" | trimSpace }}", - - "appservice_bind_addr": "0.0.0.0:8321", - "registration": "/data/registration.yaml", - "homeserver_url": "https://im.deuxfleurs.fr", - "matrix_domain": "deuxfleurs.fr", - "name_format": "{}_ezbr_", - - "db_type": "postgres", - "db_path": "host=psql-proxy.service.2.cluster.deuxfleurs.fr port=5432 user={{ key "secrets/chat/easybridge/db_user" | trimSpace }} dbname=easybridge password={{ key "secrets/chat/easybridge/db_pass" | trimSpace }} sslmode=disable" -} diff --git a/consul/configuration/chat/easybridge/registration.yaml.tpl b/consul/configuration/chat/easybridge/registration.yaml.tpl deleted file mode 100644 index ec098fd..0000000 --- a/consul/configuration/chat/easybridge/registration.yaml.tpl +++ /dev/null @@ -1,14 +0,0 @@ -id: Easybridge -url: http://easybridge-api.service.2.cluster.deuxfleurs.fr:8321 -as_token: {{ key "secrets/chat/easybridge/as_token" | trimSpace }} -hs_token: {{ key "secrets/chat/easybridge/hs_token" | trimSpace }} -sender_localpart: _ezbr_ -rate_limited: false -namespaces: - users: - - exclusive: true - regex: '@.*_ezbr_' - aliases: - - exclusive: true - regex: '#.*_ezbr_' - rooms: [] diff --git a/consul/configuration/chat/fb2mx/config.yaml b/consul/configuration/chat/fb2mx/config.yaml deleted file mode 100644 index 964c681..0000000 --- a/consul/configuration/chat/fb2mx/config.yaml +++ /dev/null @@ -1,133 +0,0 @@ -# Homeserver details -homeserver: - # The address that this appservice can use to connect to the homeserver. - address: https://im.deuxfleurs.fr - # The domain of the homeserver (for MXIDs, etc). - domain: deuxfleurs.fr - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - -# Application service host/registration related details -# Changing these values requires regeneration of the registration. -appservice: - # The address that the homeserver can use to connect to this appservice. - address: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 29319 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname - database: '{{ key "secrets/chat/fb2mx/db_url" | trimSpace }}' - - # The unique ID of this appservice. - id: facebook - # Username of the appservice bot. - bot_username: facebookbot - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Facebook bridge bot - bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv - - # Community ID for bridged users (changes registration file) and rooms. - # Must be created manually. - community_id: "+fbusers:deuxfleurs.fr" - - # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. - as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' - hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' - -# Bridge config -bridge: - # Localpart template of MXIDs for Facebook users. - # {userid} is replaced with the user ID of the Facebook user. - username_template: "facebook_{userid}" - # Localpart template for per-user room grouping community IDs. - # The bridge will create these communities and add all of the specific user's portals to the community. - # {localpart} is the MXID localpart and {server} is the MXID server part of the user. - # - # `facebook_{localpart}={server}` is a good value. - community_template: "facebook_{localpart}={server}" - # Displayname template for Facebook users. - # {displayname} is replaced with the display name of the Facebook user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: "{displayname} (FB)" - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "!fb" - - # Number of chats to sync (and create portals for) on startup/login. - # Maximum 20, set 0 to disable automatic syncing. - initial_chat_sync: 10 - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications when using - # your own Matrix account as the Matrix puppet for your Facebook account. - sync_with_custom_puppets: true - # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast - # presence, but then it won't send other users' presence to the client. - presence: true - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: - "deuxfleurs.fr": "user" - -# Python logging configuration. -# -# See section 16.7.2 of the Python documentation for more info: -# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema -logging: - version: 1 - formatters: - colored: - (): mautrix_facebook.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: normal - filename: ./mautrix-facebook.log - maxBytes: 10485760 - backupCount: 10 - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: DEBUG - fbchat: - level: DEBUG - aiohttp: - level: INFO - root: - level: DEBUG - handlers: [file, console] diff --git a/consul/configuration/chat/fb2mx/registration.yaml b/consul/configuration/chat/fb2mx/registration.yaml deleted file mode 100644 index c3d8c05..0000000 --- a/consul/configuration/chat/fb2mx/registration.yaml +++ /dev/null @@ -1,11 +0,0 @@ -id: facebook -as_token: '{{ key "secrets/chat/fb2mx/as_token" | trimSpace }}' -hs_token: '{{ key "secrets/chat/fb2mx/hs_token" | trimSpace }}' -namespaces: - users: - - exclusive: true - regex: '@facebook_.+:deuxfleurs.fr' - group_id: '+fbusers:deuxfleurs.fr' -url: http://fb2mx.service.2.cluster.deuxfleurs.fr:29319 -sender_localpart: facebookbot -rate_limited: false diff --git a/consul/configuration/chat/riot_web/config.json b/consul/configuration/chat/riot_web/config.json deleted file mode 100644 index 5844afc..0000000 --- a/consul/configuration/chat/riot_web/config.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "default_hs_url": "https://im.deuxfleurs.fr", - "default_is_url": "https://vector.im", - "disable_custom_urls": false, - "disable_guests": false, - "disable_login_language_selector": false, - "disable_3pid_login": false, - "brand": "Deuxfleurs", - "integrations_ui_url": "https://scalar.vector.im/", - "integrations_rest_url": "https://scalar.vector.im/api", - "bug_report_endpoint_url": "https://riot.im/bugreports/submit", - "features": { - "feature_groups": "labs", - "feature_pinning": "labs" - }, - "default_federate": true, - "welcomePageUrl": "home.html", - "default_theme": "light", - "roomDirectory": { - "servers": [ "im.deuxfleurs.fr", "matrix.org" ] - }, - "jitsi": { - "preferredDomain": "jitsi.deuxfleurs.fr" - } -} diff --git a/consul/configuration/chat/synapse/conf.d/report_stats.yaml b/consul/configuration/chat/synapse/conf.d/report_stats.yaml deleted file mode 100644 index cb95cc3..0000000 --- a/consul/configuration/chat/synapse/conf.d/report_stats.yaml +++ /dev/null @@ -1 +0,0 @@ -report_stats: true diff --git a/consul/configuration/chat/synapse/conf.d/server_name.yaml b/consul/configuration/chat/synapse/conf.d/server_name.yaml deleted file mode 100644 index 540ce45..0000000 --- a/consul/configuration/chat/synapse/conf.d/server_name.yaml +++ /dev/null @@ -1 +0,0 @@ -server_name: deuxfleurs.fr diff --git a/consul/configuration/chat/synapse/homeserver.yaml b/consul/configuration/chat/synapse/homeserver.yaml deleted file mode 100644 index 7f313f6..0000000 --- a/consul/configuration/chat/synapse/homeserver.yaml +++ /dev/null @@ -1,420 +0,0 @@ -# vim:ft=yaml - -server_name: "deuxfleurs.fr" -# PEM encoded X509 certificate for TLS. -# You can replace the self-signed certificate that synapse -# autogenerates on launch with your own SSL certificate + key pair -# if you like. Any required intermediary certificates can be -# appended after the primary certificate in hierarchical order. -tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" - -# PEM encoded private key for TLS -tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" - -# PEM dh parameters for ephemeral keys -tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" - -# Don't bind to the https port -no_tls: True - - -## Server ## - -# When running as a daemon, the file to store the pid in -pid_file: "/var/run/matrix-synapse.pid" - -# Whether to serve a web client from the HTTP/HTTPS root resource. -web_client: False - -# The public-facing base URL for the client API (not including _matrix/...) -public_baseurl: https://im.deuxfleurs.fr/ - -# Set the soft limit on the number of file descriptors synapse can use -# Zero is used to indicate synapse should set the soft limit to the -# hard limit. -soft_file_limit: 0 - -# The GC threshold parameters to pass to `gc.set_threshold`, if defined -# gc_thresholds: [700, 10, 10] - -# A list of other Home Servers to fetch the public room directory from -# and include in the public room directory of this home server -# This is a temporary stopgap solution to populate new server with a -# list of rooms until there exists a good solution of a decentralized -# room directory. -# secondary_directory_servers: -# - matrix.org -# - vector.im - -# List of ports that Synapse should listen on, their purpose and their -# configuration. -listeners: - # Unsecure HTTP listener, - # For when matrix traffic passes through loadbalancer that unwraps TLS. - - port: 8008 - tls: false - bind_address: '' - type: http - - x_forwarded: false - - resources: - - names: [client] - compress: true - - - port: 8448 - tls: false - bind_address: '' - type: http - - x_forwarded: false - - resources: - - names: [federation] - compress: false - - # Turn on the twisted ssh manhole service on localhost on the given - # port. - # - port: 9000 - # bind_address: 127.0.0.1 - # type: manhole - - -# Database configuration -database: - name: psycopg2 - args: - user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }} - password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} - database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }} - host: psql-proxy.service.2.cluster.deuxfleurs.fr - port: 5432 - cp_min: 5 - cp_max: 10 -# Number of events to cache in memory. -event_cache_size: "10K" - - -# A yaml python logging config file -log_config: "/etc/matrix-synapse/log.yaml" - -# Stop twisted from discarding the stack traces of exceptions in -# deferreds by waiting a reactor tick before running a deferred's -# callbacks. -# full_twisted_stacktraces: true - - -## Ratelimiting ## - -# Number of messages a client can send per second -rc_messages_per_second: 0.2 - -# Number of message a client can send before being throttled -rc_message_burst_count: 10.0 - -# The federation window size in milliseconds -federation_rc_window_size: 1000 - -# The number of federation requests from a single server in a window -# before the server will delay processing the request. -federation_rc_sleep_limit: 10 - -# The duration in milliseconds to delay processing events from -# remote servers by if they go over the sleep limit. -federation_rc_sleep_delay: 500 - -# The maximum number of concurrent federation requests allowed -# from a single server -federation_rc_reject_limit: 50 - -# The number of federation requests to concurrently process from a -# single server -federation_rc_concurrent: 3 - - - -# Directory where uploaded images and attachments are stored. -media_store_path: "/var/lib/matrix-synapse/media" -uploads_path: "/var/lib/matrix-synapse/uploads" - -# The largest allowed upload size in bytes -max_upload_size: "100M" - -# Maximum number of pixels that will be thumbnailed -max_image_pixels: "32M" - -# Whether to generate new thumbnails on the fly to precisely match -# the resolution requested by the client. If true then whenever -# a new resolution is requested by the client the server will -# generate a new thumbnail. If false the server will pick a thumbnail -# from a precalculated list. -dynamic_thumbnails: false - -# List of thumbnail to precalculate when an image is uploaded. -thumbnail_sizes: -- width: 32 - height: 32 - method: crop -- width: 96 - height: 96 - method: crop -- width: 320 - height: 240 - method: scale -- width: 640 - height: 480 - method: scale -- width: 800 - height: 600 - method: scale - -# Is the preview URL API enabled? If enabled, you *must* specify -# an explicit url_preview_ip_range_blacklist of IPs that the spider is -# denied from accessing. -url_preview_enabled: True - -# List of IP address CIDR ranges that the URL preview spider is denied -# from accessing. There are no defaults: you must explicitly -# specify a list for URL previewing to work. You should specify any -# internal services in your network that you do not want synapse to try -# to connect to, otherwise anyone in any Matrix room could cause your -# synapse to issue arbitrary GET requests to your internal services, -# causing serious security issues. -# -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' -# -# List of IP address CIDR ranges that the URL preview spider is allowed -# to access even if they are specified in url_preview_ip_range_blacklist. -# This is useful for specifying exceptions to wide-ranging blacklisted -# target IP ranges - e.g. for enabling URL previews for a specific private -# website only visible in your network. -# -# url_preview_ip_range_whitelist: -# - '192.168.1.1' - -# Optional list of URL matches that the URL preview spider is -# denied from accessing. You should use url_preview_ip_range_blacklist -# in preference to this, otherwise someone could define a public DNS -# entry that points to a private IP address and circumvent the blacklist. -# This is more useful if you know there is an entire shape of URL that -# you know that will never want synapse to try to spider. -# -# Each list entry is a dictionary of url component attributes as returned -# by urlparse.urlsplit as applied to the absolute form of the URL. See -# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit -# The values of the dictionary are treated as an filename match pattern -# applied to that component of URLs, unless they start with a ^ in which -# case they are treated as a regular expression match. If all the -# specified component matches for a given list item succeed, the URL is -# blacklisted. -# -# url_preview_url_blacklist: -# # blacklist any URL with a username in its URI -# - username: '*' -# -# # blacklist all *.google.com URLs -# - netloc: 'google.com' -# - netloc: '*.google.com' -# -# # blacklist all plain HTTP URLs -# - scheme: 'http' -# -# # blacklist http(s)://www.acme.com/foo -# - netloc: 'www.acme.com' -# path: '/foo' -# -# # blacklist any URL with a literal IPv4 address -# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - -# The largest allowed URL preview spidering size in bytes -max_spider_size: "10M" - - - - -## Captcha ## - -# This Home Server's ReCAPTCHA public key. -recaptcha_public_key: "YOUR_PUBLIC_KEY" - -# This Home Server's ReCAPTCHA private key. -recaptcha_private_key: "YOUR_PRIVATE_KEY" - -# Enables ReCaptcha checks when registering, preventing signup -# unless a captcha is answered. Requires a valid ReCaptcha -# public/private key. -enable_registration_captcha: False - -# A secret key used to bypass the captcha test entirely. -#captcha_bypass_secret: "YOUR_SECRET_HERE" - -# The API endpoint to use for verifying m.login.recaptcha responses. -recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" - - -## Turn ## - -# The public URIs of the TURN server to give to clients -turn_uris: [ "turn:turn.deuxfleurs.fr:3478?transport=udp", "turn:turn.deuxfleurs.fr:3478?transport=tcp" ] - -# The shared secret used to compute passwords for the TURN server -turn_shared_secret: '{{ key "secrets/chat/coturn/static-auth" | trimSpace }}' - -# How long generated TURN credentials last -turn_user_lifetime: "1h" - -turn_allow_guests: True - -## Registration ## - -# Enable registration for new users. -enable_registration: False - -# If set, allows registration by anyone who also has the shared -# secret, even if registration is otherwise disabled. -registration_shared_secret: '{{ key "secrets/chat/synapse/registration_shared_secret" | trimSpace }}' - -# Sets the expiry for the short term user creation in -# milliseconds. For instance the bellow duration is two weeks -# in milliseconds. -user_creation_max_duration: 1209600000 - -# Set the number of bcrypt rounds used to generate password hash. -# Larger numbers increase the work factor needed to generate the hash. -# The default number of rounds is 12. -bcrypt_rounds: 12 - -# Allows users to register as guests without a password/email/etc, and -# participate in rooms hosted on this server which have been made -# accessible to anonymous users. -allow_guest_access: True - -# The list of identity servers trusted to verify third party -# identifiers by this server. -trusted_third_party_id_servers: - - matrix.org - - vector.im - - -## Metrics ### - -# Enable collection and rendering of performance metrics -enable_metrics: False - -## API Configuration ## - -# A list of event types that will be included in the room_invite_state -room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.name" - - -# A list of application service config file to use -app_service_config_files: - - "/etc/matrix-synapse/easybridge_registration.yaml" - #- "/etc/matrix-synapse/fb2mx_registration.yaml" - - -# macaroon_secret_key: - -# Used to enable access token expiration. -expire_access_token: False - -## Signing Keys ## - -# Path to the signing key to sign messages with -signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" - -# The keys that the server used to sign messages with but won't use -# to sign new messages. E.g. it has lost its private key -old_signing_keys: {} -# "ed25519:auto": -# # Base64 encoded public key -# key: "The public part of your old signing key." -# # Millisecond POSIX timestamp when the key expired. -# expired_ts: 123456789123 - -# How long key response published by this server is valid for. -# Used to set the valid_until_ts in /key/v2 APIs. -# Determines how quickly servers will query to check which keys -# are still valid. -key_refresh_interval: "1d" # 1 Day. - -# The trusted servers to download signing keys from. -perspectives: - servers: - "matrix.org": - verify_keys: - "ed25519:auto": - key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" - - - -# Enable SAML2 for registration and login. Uses pysaml2 -# config_path: Path to the sp_conf.py configuration file -# idp_redirect_url: Identity provider URL which will redirect -# the user back to /login/saml2 with proper info. -# See pysaml2 docs for format of config. -#saml2_config: -# enabled: true -# config_path: "/home/erikj/git/synapse/sp_conf.py" -# idp_redirect_url: "http://test/idp" - - - -# Enable CAS for registration and login. -#cas_config: -# enabled: true -# server_url: "https://cas-server.com" -# service_url: "https://homesever.domain.com:8448" -# #required_attributes: -# # name: value - - -# The JWT needs to contain a globally unique "sub" (subject) claim. -# -# jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" - -password_providers: - - module: "ldap_auth_provider.LdapAuthProvider" - config: - enabled: true - uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389" - start_tls: false - bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' - bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' - base: "ou=users,dc=deuxfleurs,dc=fr" - attributes: - uid: "cn" - name: "displayName" - mail: "mail" - -# Enable password for login. -password_config: - enabled: true - -# Enable sending emails for notification events -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 -# notif_from: "Your Friendly %(app)s Home Server " -# app_name: Matrix -# template_dir: res/templates -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# notif_for_new_users: True - -# Key that had to be added after some synapse updates to please matrix developers... -report_stats: false -suppress_key_server_warning: true -enable_group_creation: true diff --git a/consul/configuration/chat/synapse/log.yaml b/consul/configuration/chat/synapse/log.yaml deleted file mode 100644 index eb69d8f..0000000 --- a/consul/configuration/chat/synapse/log.yaml +++ /dev/null @@ -1,41 +0,0 @@ - -version: 1 - -formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' - -filters: - context: - (): synapse.util.logcontext.LoggingContextFilter - request: "" - -handlers: - file: - class: logging.handlers.RotatingFileHandler - formatter: precise - filename: /var/log/matrix-synapse/homeserver.log - maxBytes: 10485760 - backupCount: 3 - filters: [context] - level: WARN - console: - class: logging.StreamHandler - formatter: precise - level: WARN - -loggers: - synapse: - level: INFO - - synapse.storage.SQL: - level: INFO - - ldap3: - level: DEBUG - ldap_auth_provider: - level: DEBUG - -root: - level: INFO - handlers: [file, console] diff --git a/consul/configuration/directory/bottin/config.json b/consul/configuration/directory/bottin/config.json deleted file mode 100644 index c30a4d5..0000000 --- a/consul/configuration/directory/bottin/config.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "suffix": "dc=deuxfleurs,dc=fr", - "bind": "0.0.0.0:1389", - "consul_host": "http://consul.service.2.cluster.deuxfleurs.fr:8500", - "log_level": "debug", - "acl": [ - "*,dc=deuxfleurs,dc=fr::read:*:* !userpassword", - "*::read modify:SELF:*", - "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", - "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::read:*:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=invitations,dc=deuxfleurs,dc=fr:*", - "ANONYMOUS::bind:*,ou=invitations,dc=deuxfleurs,dc=fr:", - "*,ou=invitations,dc=deuxfleurs,dc=fr::delete:SELF:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:add:*,ou=users,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::add:*,ou=users,dc=deuxfleurs,dc=fr:*", - - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*", - "*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*", - "*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*", - - "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", - "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*" - ] -} diff --git a/consul/configuration/directory/guichet/config.json.tpl b/consul/configuration/directory/guichet/config.json.tpl deleted file mode 100644 index 98e2297..0000000 --- a/consul/configuration/directory/guichet/config.json.tpl +++ /dev/null @@ -1,30 +0,0 @@ -{ - "http_bind_addr": ":9991", - "ldap_server_addr": "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389", - - "base_dn": "dc=deuxfleurs,dc=fr", - "user_base_dn": "ou=users,dc=deuxfleurs,dc=fr", - "user_name_attr": "cn", - "group_base_dn": "ou=groups,dc=deuxfleurs,dc=fr", - "group_name_attr": "cn", - - "invitation_base_dn": "ou=invitations,dc=deuxfleurs,dc=fr", - "invitation_name_attr": "cn", - "invited_mail_format": "{}@deuxfleurs.fr", - "invited_auto_groups": [ - "cn=email,ou=groups,dc=deuxfleurs,dc=fr", - "cn=seafile,ou=groups,dc=deuxfleurs,dc=fr", - "cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr" - ], - - "web_address": "https://guichet.deuxfleurs.fr", - "mail_from": "coucou@deuxfleurs.fr", - "smtp_server": "adnab.me:25", - "smtp_username": "{{ key "secrets/directory/guichet/smtp_user" | trimSpace }}", - "smtp_password": "{{ key "secrets/directory/guichet/smtp_pass" | trimSpace }}", - - "admin_account": "cn=admin,dc=deuxfleurs,dc=fr", - "group_can_admin": "cn=admin,ou=groups,dc=deuxfleurs,dc=fr", - "group_can_invite": "cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr" -} - diff --git a/consul/configuration/email/dkim/keytable b/consul/configuration/email/dkim/keytable deleted file mode 100644 index f4ac7cd..0000000 --- a/consul/configuration/email/dkim/keytable +++ /dev/null @@ -1 +0,0 @@ -smtp._domainkey.deuxfleurs.fr deuxfleurs.fr:smtp:/etc/dkim/smtp.private diff --git a/consul/configuration/email/dkim/signingtable b/consul/configuration/email/dkim/signingtable deleted file mode 100644 index 60d66ff..0000000 --- a/consul/configuration/email/dkim/signingtable +++ /dev/null @@ -1,2 +0,0 @@ -*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr -*@dufour.io smtp._domainkey.deuxfleurs.fr diff --git a/consul/configuration/email/dkim/smtp.private.sample b/consul/configuration/email/dkim/smtp.private.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/configuration/email/dkim/smtp.txt.sample b/consul/configuration/email/dkim/smtp.txt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/configuration/email/dkim/trusted b/consul/configuration/email/dkim/trusted deleted file mode 100644 index a01170d..0000000 --- a/consul/configuration/email/dkim/trusted +++ /dev/null @@ -1,4 +0,0 @@ -127.0.0.1 -localhost -192.168.1.0/24 -172.16.0.0/12 diff --git a/consul/configuration/email/dovecot/certs.gen b/consul/configuration/email/dovecot/certs.gen deleted file mode 100755 index f26e917..0000000 --- a/consul/configuration/email/dovecot/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=imap.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout dovecot.key \ - -out dovecot.crt - diff --git a/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl b/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl deleted file mode 100644 index 9fb1ea6..0000000 --- a/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl +++ /dev/null @@ -1,8 +0,0 @@ -hosts = bottin2.service.2.cluster.deuxfleurs.fr -dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }} -dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }} -base = dc=deuxfleurs,dc=fr -scope = subtree -user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) -pass_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) -user_attrs = mail=/var/mail/%{ldap:mail} diff --git a/consul/configuration/email/postfix/certs.gen b/consul/configuration/email/postfix/certs.gen deleted file mode 100755 index f25439b..0000000 --- a/consul/configuration/email/postfix/certs.gen +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" -openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout postfix.key \ - -out postfix.crt - diff --git a/consul/configuration/email/postfix/dynamicmaps.cf b/consul/configuration/email/postfix/dynamicmaps.cf deleted file mode 100644 index 32d8f62..0000000 --- a/consul/configuration/email/postfix/dynamicmaps.cf +++ /dev/null @@ -1,9 +0,0 @@ -# Postfix dynamic maps configuration file. -# -# The first match found is the one that is used. Wildcards are not supported -# as of postfix 2.0.2 -# -#type location of .so file open function (mkmap func) -#==== ================================ ============= ============ -ldap postfix-ldap.so dict_ldap_open -sqlite postfix-sqlite.so dict_sqlite_open diff --git a/consul/configuration/email/postfix/header_checks b/consul/configuration/email/postfix/header_checks deleted file mode 100644 index cad52ec..0000000 --- a/consul/configuration/email/postfix/header_checks +++ /dev/null @@ -1,3 +0,0 @@ -/^Received:/ IGNORE -/^X-Originating-IP:/ IGNORE -/^X-Mailer:/ IGNORE diff --git a/consul/configuration/email/postfix/ldap-account.cf.tpl b/consul/configuration/email/postfix/ldap-account.cf.tpl deleted file mode 100644 index 2575f10..0000000 --- a/consul/configuration/email/postfix/ldap-account.cf.tpl +++ /dev/null @@ -1,12 +0,0 @@ -bind = yes -bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} -bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} -version = 3 -timeout = 20 -start_tls = no -tls_require_cert = no -server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr -scope = sub -search_base = ou=users,dc=deuxfleurs,dc=fr -query_filter = mail=%s -result_attribute = mail diff --git a/consul/configuration/email/postfix/ldap-alias.cf.tpl b/consul/configuration/email/postfix/ldap-alias.cf.tpl deleted file mode 100644 index 775c0ad..0000000 --- a/consul/configuration/email/postfix/ldap-alias.cf.tpl +++ /dev/null @@ -1,9 +0,0 @@ -server_host = bottin2.service.2.cluster.deuxfleurs.fr -server_port = 389 -search_base = dc=deuxfleurs,dc=fr -query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) -result_attribute = mail -bind = yes -bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} -bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} -version = 3 diff --git a/consul/configuration/email/postfix/ldap-virtual-domains.cf.tpl b/consul/configuration/email/postfix/ldap-virtual-domains.cf.tpl deleted file mode 100644 index e013953..0000000 --- a/consul/configuration/email/postfix/ldap-virtual-domains.cf.tpl +++ /dev/null @@ -1,12 +0,0 @@ -bind = yes -bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} -bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} -version = 3 -timeout = 20 -start_tls = no -tls_require_cert = no -server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr -scope = sub -search_base = ou=domains,ou=groups,dc=deuxfleurs,dc=fr -query_filter = (&(objectclass=dNSDomain)(domain=%s)) -result_attribute = domain diff --git a/consul/configuration/email/postfix/main.cf b/consul/configuration/email/postfix/main.cf deleted file mode 100644 index 4204cb4..0000000 --- a/consul/configuration/email/postfix/main.cf +++ /dev/null @@ -1,104 +0,0 @@ -#=== -# Base configuration -#=== -myhostname = smtp.deuxfleurs.fr -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = smtp.deuxfleurs.fr -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 -mailbox_size_limit = 0 -recipient_delimiter = + -inet_protocols = all -inet_interfaces = all -message_size_limit = 204800000 -smtpd_banner = $myhostname -biff = no -append_dot_mydomain = no -readme_directory = no -compatibility_level = 2 - -#=== -# TLS parameters -#=== -smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt -smtpd_tls_key_file=/etc/ssl/private/postfix.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache -#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy -smtp_tls_security_level = may - -#=== -# Remove privacy related content from emails -#=== -mime_header_checks = regexp:/etc/postfix/header_checks -header_checks = regexp:/etc/postfix/header_checks - -#=== -# Handle user authentication (handled by dovecot) -#=== -smtpd_sasl_auth_enable = yes -smtpd_sasl_path = inet:dovecot-auth.service.2.cluster.deuxfleurs.fr:1337 -smtpd_sasl_type = dovecot - -#=== -# Restrictions / Checks -#=== -# -- Inspired by: http://www.postfix.org/SMTPD_ACCESS_README.html#lists - -# Require a valid HELO -smtpd_helo_required = yes -# As we use the same postfix to send and receive, -# we can't enforce a valid HELO hostname... -#smtpd_helo_restrictions = -# reject_unknown_helo_hostname - -# Require that sender email has a valid domain -smtpd_sender_restrictions = - reject_unknown_sender_domain - -# Delivering email policy -# MyNetwork is required by sogo -smtpd_recipient_restrictions = - permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination - reject_rbl_client zen.spamhaus.org - reject_rhsbl_reverse_client dbl.spamhaus.org - reject_rhsbl_helo dbl.spamhaus.org - reject_rhsbl_sender dbl.spamhaus.org - -# Sending email policy -# MyNetwork is required by sogo -smtpd_relay_restrictions = - permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination - -smtpd_data_restrictions = reject_unauth_pipelining - -smtpd_client_connection_rate_limit = 2 - -#=== -# Rate limiting -#=== -slow_destination_recipient_limit = 20 -slow_destination_concurrency_limit = 2 - -#==== -# Transport configuration -#==== -transport_maps = hash:/etc/postfix/transport -virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf -virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf -virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf -virtual_transport = lmtp:dovecot-lmtp.service.2.cluster.deuxfleurs.fr:24 - -#=== -# Mail filters -#=== -milter_default_action = accept -milter_protocol = 6 -smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 -non_smtpd_milters = inet:opendkim.service.2.cluster.deuxfleurs.fr:8999 diff --git a/consul/configuration/email/postfix/master.cf b/consul/configuration/email/postfix/master.cf deleted file mode 100644 index 53bc601..0000000 --- a/consul/configuration/email/postfix/master.cf +++ /dev/null @@ -1,114 +0,0 @@ -# -# Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master"). -# -# Do not forget to execute "postfix reload" after editing this file. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (100) -# ========================================================================== -smtp inet n - n - - smtpd -submission inet n - n - - smtpd - -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -smtps inet n - n - - smtpd - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o milter_macro_daemon_name=ORIGINATING -slow unix - - n - 5 smtp - -o syslog_name=postfix-slow - -o smtp_destination_concurrency_limit=3 - -o slow_destination_rate_delay=1 - - -#628 inet n - - - - qmqpd -pickup fifo n - n 60 1 pickup -cleanup unix n - n - 0 cleanup -qmgr fifo n - n 300 1 qmgr -#qmgr fifo n - - 300 1 oqmgr -tlsmgr unix - - n 1000? 1 tlsmgr -rewrite unix - - n - - trivial-rewrite -bounce unix - - n - 0 bounce -defer unix - - n - 0 bounce -trace unix - - n - 0 bounce -verify unix - - n - 1 verify -flush unix n - n 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -# When relaying mail as backup MX, disable fallback_relay to avoid MX loops -smtp unix - - n - - smtp -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -relay unix - - n - - smtp - -o smtp_fallback_relay= -showq unix n - n - - showq -error unix - - n - - error -retry unix - - n - - error -discard unix - - n - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - n - - lmtp -anvil unix - - n - 1 anvil -# -# ==================================================================== -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# -# Many of the following services use the Postfix pipe(8) delivery -# agent. See the pipe(8) man page for information about ${recipient} -# and other message envelope options. -# ==================================================================== -# -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 -# -scache unix - - n - 1 scache -maildrop unix - n n - - pipe - flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} -# -# ==================================================================== -# -# Recent Cyrus versions can use the existing "lmtp" master.cf entry. -# -# Specify in cyrus.conf: -# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 -# -# Specify in main.cf one or more of the following: -# mailbox_transport = lmtp:inet:localhost -# virtual_transport = lmtp:inet:localhost -# -# ==================================================================== -# -# Cyrus 2.1.5 (Amos Gouaux) -# Also specify in main.cf: cyrus_destination_recipient_limit=1 -# -#cyrus unix - n n - - pipe -# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -# -# ==================================================================== -# Old example of delivery via Cyrus. -# -#old-cyrus unix - n n - - pipe -# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} -# -# ==================================================================== -# -# See the Postfix UUCP_README file for configuration details. -# -uucp unix - n n - - pipe - flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -# -# Other external delivery methods. -# -ifmail unix - n n - - pipe - flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -bsmtp unix - n n - - pipe - flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient -scalemail-backend unix - n n - 2 pipe - flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} -mailman unix - n n - - pipe - flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py - ${nexthop} ${user} diff --git a/consul/configuration/email/postfix/transport b/consul/configuration/email/postfix/transport deleted file mode 100644 index 68f62c5..0000000 --- a/consul/configuration/email/postfix/transport +++ /dev/null @@ -1,5 +0,0 @@ -#wanadoo.com slow: -#wanadoo.fr slow: -#orange.com slow: -#orange.fr slow: -#smtp.orange.fr slow: diff --git a/consul/configuration/email/postfix/transport.db b/consul/configuration/email/postfix/transport.db deleted file mode 100644 index 487f394..0000000 Binary files a/consul/configuration/email/postfix/transport.db and /dev/null differ diff --git a/consul/configuration/email/sogo/sogo.conf.tpl b/consul/configuration/email/sogo/sogo.conf.tpl deleted file mode 100644 index d4261e5..0000000 --- a/consul/configuration/email/sogo/sogo.conf.tpl +++ /dev/null @@ -1,68 +0,0 @@ -{ - WONoDetach = NO; - WOWorkersCount = 10; - WOPort = "127.0.0.1:20000"; - SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_user_profile"; - OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_folder_info"; - OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_sessions_folder"; - OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_alarms_folder"; - OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_store"; - OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_acl"; - OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/sogo/sogo_cache_folder"; - SOGoTimeZone = "Europe/Paris"; - SOGoMailDomain = "deuxfleurs.fr"; - SOGoLanguage = French; - SOGoAppointmentSendEMailNotifications = YES; - SOGoEnablePublicAccess = YES; - SOGoMailingMechanism = smtp; - SOGoSMTPServer = postfix-smtp.service.2.cluster.deuxfleurs.fr; - SOGoSMTPAuthenticationType = PLAIN; - SOGoForceExternalLoginWithEmail = YES; - SOGoIMAPAclConformsToIMAPExt = YES; - SOGoTimeZone = UTC; - SOGoSentFolderName = Sent; - SOGoTrashFolderName = Trash; - SOGoDraftsFolderName = Drafts; - SOGoIMAPServer = "imaps://dovecot-imaps.service.2.cluster.deuxfleurs.fr:993/?tlsVerifyMode=none"; - SOGoSieveServer = "sieve://sieve.service.2.cluster.deuxfleurs.fr:4190/?tls=YES"; - SOGoIMAPAclConformsToIMAPExt = YES; - SOGoVacationEnabled = NO; - SOGoForwardEnabled = NO; - SOGoSieveScriptsEnabled = NO; - SOGoFirstDayOfWeek = 1; - SOGoRefreshViewCheck = every_5_minutes; - SOGoMailAuxiliaryUserAccountsEnabled = NO; - SOGoPasswordChangeEnabled = YES; - SOGoPageTitle = "deuxfleurs.fr"; - SOGoLoginModule = Mail; - SOGoMailAddOutgoingAddresses = YES; - SOGoSelectedAddressBook = autobook; - SOGoMailAuxiliaryUserAccountsEnabled = YES; - SOGoCalendarEventsDefaultClassification = PRIVATE; - SOGoMailReplyPlacement = above; - SOGoMailSignaturePlacement = above; - SOGoMailComposeMessageType = html; - - SOGoLDAPContactInfoAttribute = "displayname"; - - SOGoUserSources = ( - { - type = ldap; - CNFieldName = displayname; - IDFieldName = cn; - UIDFieldName = cn; - MailFieldNames = (mail, mailForwardingAddress); - SearchFieldNames = (displayname, cn, sn, mail, telephoneNumber); - IMAPLoginFieldName = mail; - baseDN = "ou=users,dc=deuxfleurs,dc=fr"; - bindDN = "{{ key "secrets/email/sogo/ldap_binddn" | trimSpace }}"; - bindPassword = "{{ key "secrets/email/sogo/ldap_bindpw" | trimSpace}}"; - bindFields = (cn, mail); - canAuthenticate = YES; - displayName = "Bottin"; - hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"; - id = bottin; - isAddressBook = NO; - } - ); -} diff --git a/consul/configuration/mariadb/main/env.tpl b/consul/configuration/mariadb/main/env.tpl deleted file mode 100644 index 0fe903b..0000000 --- a/consul/configuration/mariadb/main/env.tpl +++ /dev/null @@ -1,6 +0,0 @@ -LDAP_URI = "ldap://bottin2.service.2.cluster.deuxfleurs.fr" -LDAP_BASE = "ou=users,dc=deuxfleurs,dc=fr" -LDAP_VERSION = 3 -LDAP_BIND_DN = "{{ key "secrets/mariadb/main/ldap_binddn" | trimSpace }}" -LDAP_BIND_PW = "{{ key "secrets/mariadb/main/ldap_bindpwd" | trimSpace }}" -MYSQL_PASSWORD = "{{ key "secrets/mariadb/main/mysql_pwd" | trimSpace }}" diff --git a/consul/configuration/nextcloud/config.php.tpl b/consul/configuration/nextcloud/config.php.tpl deleted file mode 100644 index 7dcfc6e..0000000 --- a/consul/configuration/nextcloud/config.php.tpl +++ /dev/null @@ -1,49 +0,0 @@ - false, - 'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}', - 'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}', - 'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}', - 'trusted_domains' => array ( - 0 => 'nextcloud.deuxfleurs.fr', - ), - 'memcache.local' => '\\OC\\Memcache\\APCu', - - 'objectstore' => array( - 'class' => '\\OC\\Files\\ObjectStore\\S3', - 'arguments' => array( - 'bucket' => 'nextcloud', - 'autocreate' => false, - 'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}', - 'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}', - 'hostname' => 'garage.deuxfleurs.fr', - 'port' => 443, - 'use_ssl' => true, - 'region' => 'garage', - // required for some non Amazon S3 implementations - 'use_path_style' => true - ), - ), - - 'dbtype' => 'pgsql', - 'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr', - 'dbname' => 'nextcloud', - 'dbtableprefix' => 'nc_', - 'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}', - 'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}', - - 'default_language' => 'fr', - 'default_locale' => 'fr_FR', - - 'mail_domain' => 'deuxfleurs.fr', - 'mail_from_address' => 'nextcloud@deuxfleurs.fr', - // TODO SMTP CONFIG - - // TODO REDIS CACHE - - 'version' => '19.0.0.12', - 'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr', - - 'installed' => true, -); - diff --git a/consul/configuration/postgres/keeper/env.tpl b/consul/configuration/postgres/keeper/env.tpl deleted file mode 100644 index 7831aad..0000000 --- a/consul/configuration/postgres/keeper/env.tpl +++ /dev/null @@ -1,3 +0,0 @@ -PG_SU_PWD={{ key "secrets/postgres/keeper/pg_su_pwd" | trimSpace }} -PG_REPL_USER={{ key "secrets/postgres/keeper/pg_repl_username" | trimSpace }} -PG_REPL_PWD={{ key "secrets/postgres/keeper/pg_repl_pwd" | trimSpace }} diff --git a/consul/configuration/seafile/ccnet/mykey.peer.sample b/consul/configuration/seafile/ccnet/mykey.peer.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/configuration/seafile/ccnet/seafile.ini b/consul/configuration/seafile/ccnet/seafile.ini deleted file mode 100644 index 306d126..0000000 --- a/consul/configuration/seafile/ccnet/seafile.ini +++ /dev/null @@ -1 +0,0 @@ -/mnt/seafile-data/ \ No newline at end of file diff --git a/consul/configuration/seafile/conf/ccnet.conf.tpl b/consul/configuration/seafile/conf/ccnet.conf.tpl deleted file mode 100644 index 2395a9b..0000000 --- a/consul/configuration/seafile/conf/ccnet.conf.tpl +++ /dev/null @@ -1,29 +0,0 @@ -[General] -USER_NAME = deuxfleurs -ID = {{ key "secrets/seafile/ccnet/seafile_id" | trimSpace }} -NAME = deuxfleurs -SERVICE_URL = https://cloud.deuxfleurs.fr - -[Network] -PORT = 10001 - -[Client] -PORT = 13418 - -[LDAP] -HOST = ldap://bottin2.service.2.cluster.deuxfleurs.fr/ -BASE = ou=users,dc=deuxfleurs,dc=fr -USER_DN = {{ key "secrets/seafile/ccnet/ldap_binddn" | trimSpace }} -FILTER = memberOf=CN=seafile,OU=groups,DC=deuxfleurs,DC=fr -PASSWORD = {{ key "secrets/seafile/ccnet/ldap_bindpwd" | trimSpace }} -LOGIN_ATTR = mail - -[Database] -ENGINE = mysql -HOST = mariadb.service.2.cluster.deuxfleurs.fr -PORT = 3306 -USER = seafile -PASSWD = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} -DB = ccnet-db -CONNECTION_CHARSET = utf8 - diff --git a/consul/configuration/seafile/conf/mykey.peer.sample b/consul/configuration/seafile/conf/mykey.peer.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/configuration/seafile/conf/seafdav.conf b/consul/configuration/seafile/conf/seafdav.conf deleted file mode 100644 index 49a79a2..0000000 --- a/consul/configuration/seafile/conf/seafdav.conf +++ /dev/null @@ -1,5 +0,0 @@ -[WEBDAV] -enabled = true -port = 8084 -fastcgi = false -share_name = /seafdav diff --git a/consul/configuration/seafile/conf/seafile.conf.tpl b/consul/configuration/seafile/conf/seafile.conf.tpl deleted file mode 100644 index f224234..0000000 --- a/consul/configuration/seafile/conf/seafile.conf.tpl +++ /dev/null @@ -1,19 +0,0 @@ -[network] -port = 12001 - -[fileserver] -port = 8082 -max_upload_size=8192 -max_download_dir_size=8192 - -[database] -type = mysql -host = mariadb.service.2.cluster.deuxfleurs.fr -port = 3306 -user = seafile -password = {{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }} -db_name = seafile-db -connection_charset = utf8 - -[quota] -default = 50 diff --git a/consul/configuration/seafile/conf/seahub_settings.py.tpl b/consul/configuration/seafile/conf/seahub_settings.py.tpl deleted file mode 100644 index 6c63ee4..0000000 --- a/consul/configuration/seafile/conf/seahub_settings.py.tpl +++ /dev/null @@ -1,21 +0,0 @@ -SECRET_KEY = "8ep+sgi&s1-f2cq2178!ekk!0h0nw2y4z1-olbaopxmodsd8vk" -FILE_SERVER_ROOT = 'https://cloud.deuxfleurs.fr/seafhttp' -DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.mysql', - 'NAME': 'seahub-db', - 'USER': 'seafile', - 'PASSWORD': '{{ key "secrets/seafile/ccnet/mysql_pwd" | trimSpace }}', - 'HOST': 'mariadb.service.2.cluster.deuxfleurs.fr', - 'PORT': '3306', - 'OPTIONS': { - 'init_command': 'SET storage_engine=INNODB', - } - } -} -FILE_PREVIEW_MAX_SIZE = 100 * 1024 * 1024 -ENABLE_THUMBNAIL = True -THUMBNAIL_ROOT = '/mnt/seafile-data/thumbnail/thumb/' -THUMBNAIL_EXTENSION = 'png' -THUMBNAIL_DEFAULT_SIZE = '24' -PREVIEW_DEFAULT_SIZE = '300' diff --git a/consul/configuration/traefik/traefik.toml b/consul/configuration/traefik/traefik.toml deleted file mode 100644 index 03fca8a..0000000 --- a/consul/configuration/traefik/traefik.toml +++ /dev/null @@ -1,45 +0,0 @@ -InsecureSkipVerify = true -defaultEntryPoints = ["http", "https"] - -[entryPoints] - [entryPoints.admin] - address = ":8082" - - [entryPoints.http] - address = ":80" - [entryPoints.http.redirect] - entryPoint = "https" - - [entryPoints.https] - address = ":443" - compress = true - [entryPoints.https.tls] - -[ping] -entrypoint = "admin" - -[retry] - -[acme] - email = "quentin@dufour.io" - storage = "traefik/acme/account" - entryPoint = "https" - onHostRule = true - - [acme.httpChallenge] - entryPoint = "http" - -[api] - entryPoint = "admin" - dashboard = true - -[consul] - endpoint = "172.17.0.1:8500" - watch = true - prefix = "traefik" - -[consulCatalog] - endpoint = "172.17.0.1:8500" - prefix = "traefik" - domain = "web.deuxfleurs.fr" - exposedByDefault = false diff --git a/consul/restore_configuration.sh b/consul/restore_configuration.sh deleted file mode 100755 index 33742e5..0000000 --- a/consul/restore_configuration.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -find {configuration,secrets}/$1 -type f \ - | grep --perl-regexp --invert-match "\.sample$|\.gen$|/.gitignore$" \ - | while read filename; do - consul kv put "${filename}" "@${filename}" - done diff --git a/consul/secrets/.gitignore b/consul/secrets/.gitignore deleted file mode 100644 index 1d7b40b..0000000 --- a/consul/secrets/.gitignore +++ /dev/null @@ -1,10 +0,0 @@ -# Blacklist everything cleverly -* -!*/ - -# Whitelist some patterns -!*.sample -!*.gen -!.gitignore - -# Whitelist specific files diff --git a/consul/secrets/chat/coturn/static-auth.sample b/consul/secrets/chat/coturn/static-auth.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/fb2mx/as_token.sample b/consul/secrets/chat/fb2mx/as_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/fb2mx/db_url.sample b/consul/secrets/chat/fb2mx/db_url.sample deleted file mode 100644 index aff4635..0000000 --- a/consul/secrets/chat/fb2mx/db_url.sample +++ /dev/null @@ -1 +0,0 @@ -postgres://username:password@hostname/dbname diff --git a/consul/secrets/chat/fb2mx/hs_token.sample b/consul/secrets/chat/fb2mx/hs_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/homeserver.tls.crt.sample b/consul/secrets/chat/synapse/homeserver.tls.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/homeserver.tls.dh.sample b/consul/secrets/chat/synapse/homeserver.tls.dh.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/homeserver.tls.key.sample b/consul/secrets/chat/synapse/homeserver.tls.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/ldap_binddn.sample b/consul/secrets/chat/synapse/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/ldap_bindpw.sample b/consul/secrets/chat/synapse/ldap_bindpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/postgres_db.sample b/consul/secrets/chat/synapse/postgres_db.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/postgres_pwd.sample b/consul/secrets/chat/synapse/postgres_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/postgres_user.sample b/consul/secrets/chat/synapse/postgres_user.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/chat/synapse/registration_shared_secret.sample b/consul/secrets/chat/synapse/registration_shared_secret.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/email/sogo/ldap_binddn.sample b/consul/secrets/email/sogo/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/email/sogo/ldap_bindpw.sample b/consul/secrets/email/sogo/ldap_bindpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/email/sogo/postgre_auth.sample b/consul/secrets/email/sogo/postgre_auth.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample b/consul/secrets/jitsi/auth.jitsi.deuxfleurs.fr.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample b/consul/secrets/jitsi/auth.jitsi.deuxfleurs.fr.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/jitsi/global_env.sample b/consul/secrets/jitsi/global_env.sample deleted file mode 100644 index 658c9c9..0000000 --- a/consul/secrets/jitsi/global_env.sample +++ /dev/null @@ -1,9 +0,0 @@ -JITSI_SECRET_VIDEOBRIDGE=redacted -JITSI_SECRET_JICOFO_COMPONENT=redacted -JITSI_SECRET_JICOFO_USER=redacted -JITSI_PROSODY_BOSH_PORT=5280 -JITSI_PROSODY_BOSH_HOST=127.0.0.1 -JITSI_PROSODY_HOST=127.0.0.1 -JITSI_CERTS_FOLDER=/secrets/certs/ -JITSI_NAT_PUBLIC_IP=redacted -JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }} diff --git a/consul/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample b/consul/secrets/jitsi/jitsi.deuxfleurs.fr.crt.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample b/consul/secrets/jitsi/jitsi.deuxfleurs.fr.key.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/mariadb/main/ldap_binddn.sample b/consul/secrets/mariadb/main/ldap_binddn.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/mariadb/main/ldap_bindpwd.sample b/consul/secrets/mariadb/main/ldap_bindpwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/mariadb/main/mysql_pwd.sample b/consul/secrets/mariadb/main/mysql_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/platoo/bddpw.sample b/consul/secrets/platoo/bddpw.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/postgres/keeper/pg_repl_pwd.sample b/consul/secrets/postgres/keeper/pg_repl_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/postgres/keeper/pg_repl_username.sample b/consul/secrets/postgres/keeper/pg_repl_username.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/postgres/keeper/pg_su_pwd.sample b/consul/secrets/postgres/keeper/pg_su_pwd.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/web/home_token.sample b/consul/secrets/web/home_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/consul/secrets/web/quentin.dufour.io_token.sample b/consul/secrets/web/quentin.dufour.io_token.sample deleted file mode 100644 index e69de29..0000000 diff --git a/docker/README.md b/docker/README.md deleted file mode 100644 index a877cfa..0000000 --- a/docker/README.md +++ /dev/null @@ -1,8 +0,0 @@ -## How to upgrade our packaged apps to a new version? - - 1. Edit `docker-compose.yml` - 2. Change the `VERSION` variable to the desired version - 3. Increment the docker image tag by 1 (eg: superboum/riot:v13 -> superboum/riot:v14) - 4. Run `docker-compose build` - 5. Run `docker-compose push` - 6. Done diff --git a/docker/blog-quentin/.dockerenv b/docker/blog-quentin/.dockerenv deleted file mode 100755 index e69de29..0000000 diff --git a/docker/blog-quentin/Dockerfile b/docker/blog-quentin/Dockerfile deleted file mode 100644 index 61f5c40..0000000 --- a/docker/blog-quentin/Dockerfile +++ /dev/null @@ -1,16 +0,0 @@ -FROM amd64/debian:stretch as builder - -COPY ./quentin.dufour.io/Gemfile /root/quentin.dufour.io/Gemfile - -WORKDIR /root/quentin.dufour.io - -RUN apt-get update && \ - apt-get install -y ruby-dev gem build-essential bundler zlib1g-dev libxml2-dev && \ - bundle install - -COPY ./quentin.dufour.io/ /root/quentin.dufour.io/ -RUN bundle exec jekyll build - -FROM superboum/amd64_webserver:v2 -COPY --from=builder /root/quentin.dufour.io/_site /srv/http - diff --git a/docker/blog-quentin/README.md b/docker/blog-quentin/README.md deleted file mode 100644 index 25ac463..0000000 --- a/docker/blog-quentin/README.md +++ /dev/null @@ -1 +0,0 @@ -sudo docker build -t superboum/amd64_blog:v19 . diff --git a/docker/coturn/Dockerfile b/docker/coturn/Dockerfile deleted file mode 100644 index 0d23161..0000000 --- a/docker/coturn/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM amd64/debian:buster - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - apt-get install -y \ - coturn - -CMD ["/usr/bin/turnserver"] diff --git a/docker/coturn/README.md b/docker/coturn/README.md deleted file mode 100644 index e882146..0000000 --- a/docker/coturn/README.md +++ /dev/null @@ -1,17 +0,0 @@ - -## Génère l'image -``` -sudo docker build -t registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 . -``` - -## Run bash dans le container -``` -sudo docker run --rm -t -i registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 bash -sudo docker run --rm -t -i -p 3478:3478/udp -p 3479:3479/udp -p 3478:3478/tcp -p 3479:3479/tcp registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 -``` - -## Used ports -- udp/tcp 3478 3479 - -## Publish -sudo docker push registry.gitlab.com/superboum/ankh-morpork/amd64_coturn:v1 diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml deleted file mode 100644 index 966ed90..0000000 --- a/docker/docker-compose.yml +++ /dev/null @@ -1,24 +0,0 @@ -version: '3.4' -services: - riot: - build: - context: ./riotweb - args: - # https://github.com/vector-im/riot-web/releases - VERSION: 1.7.5 - image: superboum/amd64_riotweb:v15 - synapse: - build: - context: ./matrix-synapse - args: - # https://github.com/matrix-org/synapse/releases - VERSION: 1.19.1 - image: superboum/amd64_synapse:v33 - sogo: - build: - context: ./sogo - args: - # fake for now - VERSION: 5.0.0 - image: superboum/amd64_sogo:v7 - diff --git a/docker/dovecot/.gitignore b/docker/dovecot/.gitignore deleted file mode 100644 index 71a04e2..0000000 --- a/docker/dovecot/.gitignore +++ /dev/null @@ -1 +0,0 @@ -dovecot-ldap.conf diff --git a/docker/dovecot/Dockerfile b/docker/dovecot/Dockerfile deleted file mode 100644 index 9b87627..0000000 --- a/docker/dovecot/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -FROM amd64/debian:stretch - -RUN apt-get update && \ - apt-get install -y \ - dovecot-antispam \ - dovecot-core \ - dovecot-imapd \ - dovecot-ldap \ - dovecot-managesieved \ - dovecot-sieve \ - dovecot-lmtpd && \ - rm -rf /etc/dovecot/* -RUN useradd mailstore -COPY ./conf/* /etc/dovecot/ -COPY entrypoint.sh /usr/local/bin/entrypoint - -ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/docker/dovecot/README.md b/docker/dovecot/README.md deleted file mode 100644 index 8c9f372..0000000 --- a/docker/dovecot/README.md +++ /dev/null @@ -1,18 +0,0 @@ -``` -sudo docker build -t superboum/amd64_dovecot:v2 . -``` - - -``` -sudo docker run -t -i \ - -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=www.deuxfleurs.fr" \ - -p 993:993 \ - -p 143:143 \ - -p 24:24 \ - -p 1337:1337 \ - -v /mnt/glusterfs/email/ssl:/etc/ssl/ \ - -v /mnt/glusterfs/email/mail:/var/mail \ - -v `pwd`/dovecot-ldap.conf:/etc/dovecot/dovecot-ldap.conf \ - superboum/amd64_dovecot:v1 \ - dovecot -F -``` diff --git a/docker/dovecot/entrypoint.sh b/docker/dovecot/entrypoint.sh deleted file mode 100755 index 2165d8f..0000000 --- a/docker/dovecot/entrypoint.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -if [[ ! -f /etc/ssl/certs/dovecot.crt || ! -f /etc/ssl/private/dovecot.key ]]; then - cd /root - openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout dovecot.key \ - -out dovecot.crt - - mkdir -p /etc/ssl/{certs,private}/ - - cp dovecot.crt /etc/ssl/certs/dovecot.crt - cp dovecot.key /etc/ssl/private/dovecot.key - chmod 400 /etc/ssl/certs/dovecot.crt - chmod 400 /etc/ssl/private/dovecot.key -fi - -if [[ $(stat -c '%U' /var/mail/) != "mailstore" ]]; then - chown -R mailstore /var/mail -fi - -exec "$@" diff --git a/docker/jitsi/01_gen_certs.yml b/docker/jitsi/01_gen_certs.yml deleted file mode 100644 index 8c97384..0000000 --- a/docker/jitsi/01_gen_certs.yml +++ /dev/null @@ -1,8 +0,0 @@ -version: '3' -services: - jitsi-xmpp: - build: ./jitsi-xmpp - command: ["/usr/local/bin/xmpp_gen"] - volumes: [ './jitsi-certs/:/certs:rw' ] - env_file: [ 'dev.env' ] - diff --git a/docker/jitsi/02_run.yml b/docker/jitsi/02_run.yml deleted file mode 100644 index 3fc0e26..0000000 --- a/docker/jitsi/02_run.yml +++ /dev/null @@ -1,41 +0,0 @@ -version: '3.4' -services: - jitsi-xmpp: - build: ./jitsi-xmpp - image: superboum/amd64_jitsi_xmpp:v1 - network_mode: host - ports: - - "5222:5222" - - "5347:5347" - - "5280:5280" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-front: - build: - context: ./jitsi-front - network: host - #^-- I have some DNS problems on Fedora 32 in Docker - image: superboum/amd64_jitsi_front:v5 - ports: - - "443:443" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-conference-focus: - build: - context: ./jitsi-conference-focus - network: host - image: superboum/amd64_jitsi_conference_focus:v2 - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-videobridge: - build: - context: ./jitsi-videobridge - network: host - image: superboum/amd64_jitsi_videobridge:v9 - network_mode: host - ports: - - "8080:8080/tcp" - - "10000:10000/udp" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - diff --git a/docker/jitsi/README.md b/docker/jitsi/README.md deleted file mode 100644 index 70b59fc..0000000 --- a/docker/jitsi/README.md +++ /dev/null @@ -1,26 +0,0 @@ -This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md - -To build images: - -``` -docker-compose -f 02_run.yml build -``` - -To gen the certs: - -``` -docker-compose -f 01_gen_certs.yml up --force-recreate -``` - -To run the stack: - - -``` -docker-compose -f 02_run.yml up --force-recreate -``` - -To push the stack on the docker registry: - -``` -docker-compose -f 02_run.yml push -``` diff --git a/docker/jitsi/dev.env b/docker/jitsi/dev.env deleted file mode 100644 index 4fff8c1..0000000 --- a/docker/jitsi/dev.env +++ /dev/null @@ -1,10 +0,0 @@ -JITSI_SECRET_VIDEOBRIDGE=S3CR3T01 -JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02 -JITSI_SECRET_JICOFO_USER=S3CR3T03 -JITSI_PROSODY_BOSH_PORT=5280 -JITSI_PROSODY_BOSH_HOST=127.0.0.1 -JITSI_PROSODY_HOST=127.0.0.1 -JITSI_CERTS_FOLDER=/certs/ -JITSI_NAT_PUBLIC_IP=77.204.7.239 -JITSI_NAT_LOCAL_IP=192.168.0.18 -JITSI_VIDEO_TCP=8080 diff --git a/docker/jitsi/jitsi-certs/.gitignore b/docker/jitsi/jitsi-certs/.gitignore deleted file mode 100644 index d6b7ef3..0000000 --- a/docker/jitsi/jitsi-certs/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -* -!.gitignore diff --git a/docker/jitsi/jitsi-conference-focus/Dockerfile b/docker/jitsi/jitsi-conference-focus/Dockerfile deleted file mode 100644 index 7b6410a..0000000 --- a/docker/jitsi/jitsi-conference-focus/Dockerfile +++ /dev/null @@ -1,22 +0,0 @@ -FROM debian:buster AS builder - -ENV VERSION=4510 -RUN apt-get update && \ - apt-get install -y openjdk-11-jdk maven wget unzip && \ - wget https://github.com/jitsi/jicofo/archive/jitsi-meet_${VERSION}.zip -O jicofo.zip && \ - unzip jicofo.zip && \ - mv jicofo-jitsi-meet_${VERSION} jicofo && \ - cd jicofo && \ - mvn package -DskipTests -Dassembly.skipAssembly=false && \ - unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \ - mv jicofo-1.1-SNAPSHOT /srv/build - -FROM debian:buster - -RUN apt-get update && \ - apt-get install -y openjdk-11-jdk ca-certificates - -COPY --from=builder /srv/build /srv/jicofo -COPY jicofo /usr/local/bin/jicofo - -CMD ["/usr/local/bin/jicofo"] diff --git a/docker/jitsi/jitsi-conference-focus/jicofo b/docker/jitsi/jitsi-conference-focus/jicofo deleted file mode 100755 index 2bc6e3f..0000000 --- a/docker/jitsi/jitsi-conference-focus/jicofo +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash - -cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt -update-ca-certificates -f - -cat >> /etc/hosts <. - // authdomain: 'jitsi-meet.example.com', - - // Jirecon recording component domain. - // jirecon: 'jirecon.jitsi-meet.example.com', - - // Call control component (Jigasi). - // call_control: 'callcontrol.jitsi-meet.example.com', - - // Focus component domain. Defaults to focus.. - // focus: 'focus.jitsi-meet.example.com', - - // XMPP MUC domain. FIXME: use XEP-0030 to discover it. - muc: 'conference.jitsi.deuxfleurs.fr' - }, - - // BOSH URL. FIXME: use XEP-0156 to discover it. - bosh: '//jitsi.deuxfleurs.fr/http-bind', - - // Websocket URL - // websocket: 'wss://jitsi-meet.example.com/xmpp-websocket', - - // The name of client node advertised in XEP-0115 'c' stanza - clientNode: 'http://jitsi.org/jitsimeet', - - // The real JID of focus participant - can be overridden here - // focusUserJid: 'focus@auth.jitsi-meet.example.com', - - - // Testing / experimental features. - // - - testing: { - // Enables experimental simulcast support on Firefox. - enableFirefoxSimulcast: false, - - // P2P test mode disables automatic switching to P2P when there are 2 - // participants in the conference. - p2pTestMode: false - - // Enables the test specific features consumed by jitsi-meet-torture - // testMode: false - - // Disables the auto-play behavior of *all* newly created video element. - // This is useful when the client runs on a host with limited resources. - // noAutoPlayVideo: false - }, - - // Disables ICE/UDP by filtering out local and remote UDP candidates in - // signalling. - // webrtcIceUdpDisable: false, - - // Disables ICE/TCP by filtering out local and remote TCP candidates in - // signalling. - // webrtcIceTcpDisable: false, - - - // Media - // - - // Audio - - // Disable measuring of audio levels. - // disableAudioLevels: false, - // audioLevelsInterval: 200, - - // Enabling this will run the lib-jitsi-meet no audio detection module which - // will notify the user if the current selected microphone has no audio - // input and will suggest another valid device if one is present. - enableNoAudioDetection: true, - - // Enabling this will run the lib-jitsi-meet noise detection module which will - // notify the user if there is noise, other than voice, coming from the current - // selected microphone. The purpose it to let the user know that the input could - // be potentially unpleasant for other meeting participants. - enableNoisyMicDetection: true, - - // Start the conference in audio only mode (no video is being received nor - // sent). - // startAudioOnly: false, - - // Every participant after the Nth will start audio muted. - // startAudioMuted: 10, - - // Start calls with audio muted. Unlike the option above, this one is only - // applied locally. FIXME: having these 2 options is confusing. - // startWithAudioMuted: false, - - // Enabling it (with #params) will disable local audio output of remote - // participants and to enable it back a reload is needed. - // startSilent: false - - // Video - - // Sets the preferred resolution (height) for local video. Defaults to 720. - resolution: 480, - - // w3c spec-compliant video constraints to use for video capture. Currently - // used by browsers that return true from lib-jitsi-meet's - // util#browser#usesNewGumFlow. The constraints are independency from - // this config's resolution value. Defaults to requesting an ideal aspect - // ratio of 16:9 with an ideal resolution of 720. - constraints: { - video: { - aspectRatio: 16 / 9, - height: { - ideal: 480, - max: 720, - min: 240 - } - } - }, - - // Enable / disable simulcast support. - // disableSimulcast: false, - - // Enable / disable layer suspension. If enabled, endpoints whose HD - // layers are not in use will be suspended (no longer sent) until they - // are requested again. - // enableLayerSuspension: false, - - // Every participant after the Nth will start video muted. - // startVideoMuted: 10, - - // Start calls with video muted. Unlike the option above, this one is only - // applied locally. FIXME: having these 2 options is confusing. - // startWithVideoMuted: false, - - // If set to true, prefer to use the H.264 video codec (if supported). - // Note that it's not recommended to do this because simulcast is not - // supported when using H.264. For 1-to-1 calls this setting is enabled by - // default and can be toggled in the p2p section. - // preferH264: true, - - // If set to true, disable H.264 video codec by stripping it out of the - // SDP. - // disableH264: false, - - // Desktop sharing - - // The ID of the jidesha extension for Chrome. - desktopSharingChromeExtId: null, - - // Whether desktop sharing should be disabled on Chrome. - // desktopSharingChromeDisabled: false, - - // The media sources to use when using screen sharing with the Chrome - // extension. - desktopSharingChromeSources: [ 'screen', 'window', 'tab' ], - - // Required version of Chrome extension - desktopSharingChromeMinExtVersion: '0.1', - - // Whether desktop sharing should be disabled on Firefox. - // desktopSharingFirefoxDisabled: false, - - // Optional desktop sharing frame rate options. Default value: min:5, max:5. - // desktopSharingFrameRate: { - // min: 5, - // max: 5 - // }, - - // Try to start calls with screen-sharing instead of camera video. - // startScreenSharing: false, - - // Recording - - // Whether to enable file recording or not. - // fileRecordingsEnabled: false, - // Enable the dropbox integration. - // dropbox: { - // appKey: '' // Specify your app key here. - // // A URL to redirect the user to, after authenticating - // // by default uses: - // // 'https://jitsi-meet.example.com/static/oauth.html' - // redirectURI: - // 'https://jitsi-meet.example.com/subfolder/static/oauth.html' - // }, - // When integrations like dropbox are enabled only that will be shown, - // by enabling fileRecordingsServiceEnabled, we show both the integrations - // and the generic recording service (its configuration and storage type - // depends on jibri configuration) - // fileRecordingsServiceEnabled: false, - // Whether to show the possibility to share file recording with other people - // (e.g. meeting participants), based on the actual implementation - // on the backend. - // fileRecordingsServiceSharingEnabled: false, - - // Whether to enable live streaming or not. - // liveStreamingEnabled: false, - - // Transcription (in interface_config, - // subtitles and buttons can be configured) - // transcribingEnabled: false, - - // Enables automatic turning on captions when recording is started - // autoCaptionOnRecord: false, - - // Misc - - // Default value for the channel "last N" attribute. -1 for unlimited. - channelLastN: -1, - - // Disables or enables RTX (RFC 4588) (defaults to false). - // disableRtx: false, - - // Disables or enables TCC (the default is in Jicofo and set to true) - // (draft-holmer-rmcat-transport-wide-cc-extensions-01). This setting - // affects congestion control, it practically enables send-side bandwidth - // estimations. - // enableTcc: true, - - // Disables or enables REMB (the default is in Jicofo and set to false) - // (draft-alvestrand-rmcat-remb-03). This setting affects congestion - // control, it practically enables recv-side bandwidth estimations. When - // both TCC and REMB are enabled, TCC takes precedence. When both are - // disabled, then bandwidth estimations are disabled. - // enableRemb: false, - - // Defines the minimum number of participants to start a call (the default - // is set in Jicofo and set to 2). - // minParticipants: 2, - - // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, - - // Enable IPv6 support. - // useIPv6: true, - - // Enables / disables a data communication channel with the Videobridge. - // Values can be 'datachannel', 'websocket', true (treat it as - // 'datachannel'), undefined (treat it as 'datachannel') and false (don't - // open any channel). - // openBridgeChannel: true, - - - // UI - // - - // Use display name as XMPP nickname. - // useNicks: false, - - // Require users to always specify a display name. - // requireDisplayName: true, - - // Whether to use a welcome page or not. In case it's false a random room - // will be joined when no room is specified. - enableWelcomePage: true, - - // Enabling the close page will ignore the welcome page redirection when - // a call is hangup. - // enableClosePage: false, - - // Disable hiding of remote thumbnails when in a 1-on-1 conference call. - // disable1On1Mode: false, - - // Default language for the user interface. - defaultLanguage: 'fr', - - // If true all users without a token will be considered guests and all users - // with token will be considered non-guests. Only guests will be allowed to - // edit their profile. - enableUserRolesBasedOnToken: false, - - // Whether or not some features are checked based on token. - // enableFeaturesBasedOnToken: false, - - // Enable lock room for all moderators, even when userRolesBasedOnToken is enabled and participants are guests. - // lockRoomGuestEnabled: false, - - // When enabled the password used for locking a room is restricted to up to the number of digits specified - // roomPasswordNumberOfDigits: 10, - // default: roomPasswordNumberOfDigits: false, - - // Message to show the users. Example: 'The service will be down for - // maintenance at 01:00 AM GMT, - // noticeMessage: '', - - // Enables calendar integration, depends on googleApiApplicationClientID - // and microsoftApiApplicationClientID - // enableCalendarIntegration: false, - - // Stats - // - - // Whether to enable stats collection or not in the TraceablePeerConnection. - // This can be useful for debugging purposes (post-processing/analysis of - // the webrtc stats) as it is done in the jitsi-meet-torture bandwidth - // estimation tests. - // gatherStats: false, - - // The interval at which PeerConnection.getStats() is called. Defaults to 10000 - // pcStatsInterval: 10000, - - // To enable sending statistics to callstats.io you must provide the - // Application ID and Secret. - // callStatsID: '', - // callStatsSecret: '', - - // enables sending participants display name to callstats - // enableDisplayNameInStats: false - - // enables sending participants email if available to callstats and other analytics - // enableEmailInStats: false - - // Privacy - // - - // If third party requests are disabled, no other server will be contacted. - // This means avatars will be locally generated and callstats integration - // will not function. - // disableThirdPartyRequests: false, - - - // Peer-To-Peer mode: used (if enabled) when there are just 2 participants. - // - - p2p: { - // Enables peer to peer mode. When enabled the system will try to - // establish a direct connection when there are exactly 2 participants - // in the room. If that succeeds the conference will stop sending data - // through the JVB and use the peer to peer connection instead. When a - // 3rd participant joins the conference will be moved back to the JVB - // connection. - enabled: true, - - // Use XEP-0215 to fetch STUN and TURN servers. - // useStunTurn: true, - - // The STUN servers that will be used in the peer to peer connections - stunServers: [ - - // { urls: 'stun:jitsi-meet.example.com:443' }, - { urls: 'stun:stun.l.google.com:19302' }, - { urls: 'stun:stun1.l.google.com:19302' }, - { urls: 'stun:stun2.l.google.com:19302' } - ], - - // Sets the ICE transport policy for the p2p connection. At the time - // of this writing the list of possible values are 'all' and 'relay', - // but that is subject to change in the future. The enum is defined in - // the WebRTC standard: - // https://www.w3.org/TR/webrtc/#rtcicetransportpolicy-enum. - // If not set, the effective value is 'all'. - // iceTransportPolicy: 'all', - - // If set to true, it will prefer to use H.264 for P2P calls (if H.264 - // is supported). - preferH264: true, - - // If set to true, disable H.264 video codec by stripping it out of the - // SDP. - // disableH264: false, - - // How long we're going to wait, before going back to P2P after the 3rd - // participant has left the conference (to filter out page reload). - backToP2PDelay: 60 - }, - - analytics: { - // The Google Analytics Tracking ID: - // googleAnalyticsTrackingId: 'your-tracking-id-UA-123456-1' - - // The Amplitude APP Key: - // amplitudeAPPKey: '' - - // Array of script URLs to load as lib-jitsi-meet "analytics handlers". - // scriptURLs: [ - // "libs/analytics-ga.min.js", // google-analytics - // "https://example.com/my-custom-analytics.js" - // ], - }, - - // Information about the jitsi-meet instance we are connecting to, including - // the user region as seen by the server. - deploymentInfo: { - // shard: "shard1", - // region: "europe", - // userRegion: "asia" - } - - // Information for the chrome extension banner - // chromeExtensionBanner: { - // // The chrome extension to be installed address - // url: 'https://chrome.google.com/webstore/detail/jitsi-meetings/kglhbbefdnlheedjiejgomgmfplipfeb', - - // // Extensions info which allows checking if they are installed or not - // chromeExtensionsInfo: [ - // { - // id: 'kglhbbefdnlheedjiejgomgmfplipfeb', - // path: 'jitsi-logo-48x48.png' - // } - // ] - // } - - // Local Recording - // - - // localRecording: { - // Enables local recording. - // Additionally, 'localrecording' (all lowercase) needs to be added to - // TOOLBAR_BUTTONS in interface_config.js for the Local Recording - // button to show up on the toolbar. - // - // enabled: true, - // - - // The recording format, can be one of 'ogg', 'flac' or 'wav'. - // format: 'flac' - // - - // } - - // Options related to end-to-end (participant to participant) ping. - // e2eping: { - // // The interval in milliseconds at which pings will be sent. - // // Defaults to 10000, set to <= 0 to disable. - // pingInterval: 10000, - // - // // The interval in milliseconds at which analytics events - // // with the measured RTT will be sent. Defaults to 60000, set - // // to <= 0 to disable. - // analyticsInterval: 60000, - // } - - // If set, will attempt to use the provided video input device label when - // triggering a screenshare, instead of proceeding through the normal flow - // for obtaining a desktop stream. - // NOTE: This option is experimental and is currently intended for internal - // use only. - // _desktopSharingSourceDevice: 'sample-id-or-label' - - // If true, any checks to handoff to another application will be prevented - // and instead the app will continue to display in the current browser. - // disableDeepLinking: false - - // A property to disable the right click context menu for localVideo - // the menu has option to flip the locally seen video for local presentations - // disableLocalVideoFlip: false - - // Deployment specific URLs. - // deploymentUrls: { - // // If specified a 'Help' button will be displayed in the overflow menu with a link to the specified URL for - // // user documentation. - // userDocumentationURL: 'https://docs.example.com/video-meetings.html', - // // If specified a 'Download our apps' button will be displayed in the overflow menu with a link - // // to the specified URL for an app download page. - // downloadAppsUrl: 'https://docs.example.com/our-apps.html' - // } - - // List of undocumented settings used in jitsi-meet - /** - _immediateReloadThreshold - autoRecord - autoRecordToken - debug - debugAudioLevels - deploymentInfo - dialInConfCodeUrl - dialInNumbersUrl - dialOutAuthUrl - dialOutCodesUrl - disableRemoteControl - displayJids - etherpad_base - externalConnectUrl - firefox_fake_device - googleApiApplicationClientID - iAmRecorder - iAmSipGateway - microsoftApiApplicationClientID - peopleSearchQueryTypes - peopleSearchUrl - requireDisplayName - tokenAuthUrl - */ - - // List of undocumented settings used in lib-jitsi-meet - /** - _peerConnStatusOutOfLastNTimeout - _peerConnStatusRtcMuteTimeout - abTesting - avgRtpStatsN - callStatsConfIDNamespace - callStatsCustomScriptUrl - desktopSharingSources - disableAEC - disableAGC - disableAP - disableHPF - disableNS - enableLipSync - enableTalkWhileMuted - forceJVB121Ratio - hiddenDomain - ignoreStartMuted - nick - startBitrate - */ - -}; - -/* eslint-enable no-unused-vars, no-var */ - diff --git a/docker/jitsi/jitsi-front/entrypoint.sh b/docker/jitsi/jitsi-front/entrypoint.sh deleted file mode 100755 index 1e18bd1..0000000 --- a/docker/jitsi/jitsi-front/entrypoint.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -cat > /etc/nginx/sites-available/jitsi <> /etc/hosts < /root/.sip-communicator/sip-communicator.properties <> /root/.sip-communicator/sip-communicator.properties <> /etc/hosts < /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua < /etc/nslcd.conf < /tmp/nextcloud.zip -cd /var/www -unzip /tmp/nextcloud.zip -rm /tmp/nextcloud.zip -mv html html.old -mv nextcloud html - -cd html -mkdir data - -cd apps -wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz -tar xf tasks.tar.gz -wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz -tar xf maps-0.1.6.tar.gz -wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz -tar xf calendar.tar.gz -wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz -tar xf news.tar.gz -wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz -tar xf notes.tar.gz -wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz -tar xf contacts.tar.gz -wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz -tar xf mail.tar.gz -wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz -tar xf groupfolders.tar.gz -rm *.tar.gz - -chown -R www-data:www-data /var/www/html - -cd /var/www/html -php occ diff --git a/docker/nextcloud/entrypoint.sh b/docker/nextcloud/entrypoint.sh deleted file mode 100755 index 72b4f94..0000000 --- a/docker/nextcloud/entrypoint.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -set -xe - -chown www-data:www-data /var/www/html/config/config.php -touch /var/www/html/data/.ocdata - -exec apachectl -DFOREGROUND diff --git a/docker/opendkim/Dockerfile b/docker/opendkim/Dockerfile deleted file mode 100644 index 70a39e4..0000000 --- a/docker/opendkim/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM amd64/debian:buster - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - apt-get install -y opendkim opendkim-tools - -COPY ./opendkim.conf /etc/opendkim.conf -CMD opendkim -f -v -x /etc/opendkim.conf diff --git a/docker/opendkim/README.md b/docker/opendkim/README.md deleted file mode 100644 index e146125..0000000 --- a/docker/opendkim/README.md +++ /dev/null @@ -1,12 +0,0 @@ -``` -sudo docker build -t superboum/amd64_opendkim:v1 . -``` - -``` -sudo docker run -t -i \ - -v `pwd`/conf:/etc/dkim \ - -v /dev/log:/dev/log \ - -p 8999:8999 - superboum/amd64_opendkim:v1 - opendkim -f -v -x /etc/opendkim.conf -``` diff --git a/docker/opendkim/opendkim.conf b/docker/opendkim/opendkim.conf deleted file mode 100644 index 0d6465f..0000000 --- a/docker/opendkim/opendkim.conf +++ /dev/null @@ -1,12 +0,0 @@ -Syslog yes -SyslogSuccess yes -LogWhy yes -UMask 007 -Mode sv -OversignHeaders From -TrustAnchorFile /usr/share/dns/root.key -KeyTable refile:/etc/dkim/keytable -SigningTable refile:/etc/dkim/signingtable -ExternalIgnoreList refile:/etc/dkim/trusted -InternalHosts refile:/etc/dkim/trusted -Socket inet:8999 diff --git a/docker/pithos/0.7.5.tar.gz b/docker/pithos/0.7.5.tar.gz deleted file mode 100644 index 4eb1273..0000000 Binary files a/docker/pithos/0.7.5.tar.gz and /dev/null differ diff --git a/docker/pithos/Dockerfile b/docker/pithos/Dockerfile deleted file mode 100644 index 70f87d8..0000000 --- a/docker/pithos/Dockerfile +++ /dev/null @@ -1,4 +0,0 @@ -FROM amd64/openjdk:13-alpine - -COPY pithos-0.7.5-standalone.jar /srv/pithos.jar -ENTRYPOINT ["/opt/openjdk-13/bin/java", "-jar", "/srv/pithos.jar"] diff --git a/docker/pithos/README.md b/docker/pithos/README.md deleted file mode 100644 index 3f0037d..0000000 --- a/docker/pithos/README.md +++ /dev/null @@ -1,9 +0,0 @@ -This project is considered as "dangerous" as it is tagged as "Project not under active development". -Consequently, just in case, I am backuping the .jar and the sources in this git repo. -Better safe than sorry or pretty. - -``` -sudo docker build -t superboum/amd64_pithos:v1 . -sudo docker push superboum/amd64_pithos:v1 -sudo docker run --rm -it -p 8080:8080 -v pithos.yaml:/etc/pithos/pithos.yaml superboum/amd64_pithos:v1 -``` diff --git a/docker/pithos/pithos-0.7.5-standalone.jar b/docker/pithos/pithos-0.7.5-standalone.jar deleted file mode 100644 index 6073e72..0000000 Binary files a/docker/pithos/pithos-0.7.5-standalone.jar and /dev/null differ diff --git a/docker/postfix/Dockerfile b/docker/postfix/Dockerfile deleted file mode 100644 index 9e4c067..0000000 --- a/docker/postfix/Dockerfile +++ /dev/null @@ -1,11 +0,0 @@ -FROM amd64/debian:buster - -RUN apt-get update && \ - apt-get install -y \ - postfix \ - postfix-ldap - -COPY entrypoint.sh /usr/local/bin/entrypoint - -ENTRYPOINT ["/usr/local/bin/entrypoint"] -CMD ["postfix", "start-fg"] diff --git a/docker/postfix/README.md b/docker/postfix/README.md deleted file mode 100644 index ac44fc0..0000000 --- a/docker/postfix/README.md +++ /dev/null @@ -1,18 +0,0 @@ -``` -sudo docker build -t superboum/amd64_postfix:v1 . -``` - -``` -sudo docker run -t -i \ - -e TLSINFO="/C=FR/ST=Bretagne/L=Rennes/O=Deuxfleurs/CN=smtp.deuxfleurs.fr" \ - -e MAILNAME="smtp.deuxfleurs.fr" \ - -p 25:25 \ - -p 465:465 \ - -p 587:587 \ - -v `pwd`/../../ansible/roles/container_conf/files/email/postfix-conf:/etc/postfix-conf \ - -v /mnt/glusterfs/email/postfix-ssl/private:/etc/ssl/private \ - -v /mnt/glusterfs/email/postfix-ssl/certs:/etc/ssl/certs \ - superboum/amd64_postfix:v1 \ - bash -``` - diff --git a/docker/postfix/entrypoint.sh b/docker/postfix/entrypoint.sh deleted file mode 100755 index c7ace3d..0000000 --- a/docker/postfix/entrypoint.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash - -if [[ ! -f /etc/ssl/certs/postfix.crt || ! -f /etc/ssl/private/postfix.key ]]; then - cd /root - openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj ${TLSINFO} \ - -keyout postfix.key \ - -out postfix.crt - - mkdir -p /etc/ssl/{certs,private}/ - - cp postfix.crt /etc/ssl/certs/postfix.crt - cp postfix.key /etc/ssl/private/postfix.key - chmod 400 /etc/ssl/certs/postfix.crt - chmod 400 /etc/ssl/private/postfix.key -fi - -# A way to map files inside the postfix folder :s -for file in $(ls /etc/postfix-conf); do - cp /etc/postfix-conf/${file} /etc/postfix/${file} -done - -echo ${MAILNAME} > /etc/mailname - -exec "$@" diff --git a/docker/postgres/Dockerfile b/docker/postgres/Dockerfile deleted file mode 100644 index bb018b8..0000000 --- a/docker/postgres/Dockerfile +++ /dev/null @@ -1,19 +0,0 @@ -FROM amd64/debian:stretch - -RUN echo "deb http://deb.debian.org/debian stretch-backports main contrib non-free # available after stretch release" > /etc/apt/sources.list.d/stretch-backports.list && \ - apt-get update && \ - apt-get -qq -y full-upgrade && \ - apt-get install -y postgresql-all golang-1.11 git && \ - export GOPATH=/usr/local/go && \ - mkdir -p /usr/local/go/src/github.com/sorintlab && \ - cd /usr/local/go/src/github.com/sorintlab && \ - git clone --depth=1 https://github.com/sorintlab/stolon && \ - ln -s /usr/lib/go-1.11/bin/go /usr/bin/go && \ - ln -s /usr/lib/go-1.11/bin/gofmt /usr/bin/gofmt && \ - cd ./stolon && \ - ./build && \ - mv /usr/local/go/src/github.com/sorintlab/stolon/bin/* /usr/local/bin/ && \ - rm -rf /usr/local/go - -USER postgres - diff --git a/docker/postgres/README.md b/docker/postgres/README.md deleted file mode 100644 index d2f7a12..0000000 --- a/docker/postgres/README.md +++ /dev/null @@ -1,4 +0,0 @@ -``` -docker build -t superboum/arm32v7_postgres . -docker build -t superboum/amd64_postgres:v2 . -``` diff --git a/docker/postgres/postgresql.conf b/docker/postgres/postgresql.conf deleted file mode 100644 index 8e0af2b..0000000 --- a/docker/postgres/postgresql.conf +++ /dev/null @@ -1,25 +0,0 @@ -data_directory = '/var/lib/postgresql/9.6/main' # use data in another directory -hba_file = '/etc/postgresql/9.6/main/pg_hba.conf' # host-based authentication file -ident_file = '/etc/postgresql/9.6/main/pg_ident.conf' # ident configuration file -external_pid_file = '/var/run/postgresql/9.6-main.pid' # write an extra PID file -listen_addresses = '*' #listen on every ip / interfaces -port = 5432 # (change requires restart) -max_connections = 100 # (change requires restart) -unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories -ssl = true # (change requires restart) -ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' # (change requires restart) -ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' # (change requires restart) -shared_buffers = 128MB # min 128kB -dynamic_shared_memory_type = posix # the default is the first option -log_line_prefix = '%m [%p] %q%u@%d ' # special values: -log_timezone = 'UTC' -cluster_name = '9.6/main' # added to process titles if nonempty -stats_temp_directory = '/var/run/postgresql/9.6-main.pg_stat_tmp' -datestyle = 'iso, mdy' -timezone = 'UTC' -lc_messages = 'C.UTF-8' # locale for system error message -lc_monetary = 'C.UTF-8' # locale for monetary formatting -lc_numeric = 'C.UTF-8' # locale for number formatting -lc_time = 'C.UTF-8' # locale for time formatting -default_text_search_config = 'pg_catalog.english' - diff --git a/docker/postgres/start.sh b/docker/postgres/start.sh deleted file mode 100755 index f1d493f..0000000 --- a/docker/postgres/start.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -if [ -f /local/pg_hba.conf ]; then - echo "Copying Nomad configuration..." - cp /local/pg_hba.conf /etc/postgresql/9.6/main/ - echo "Done" -fi - - -if [ -z "$(ls -A /var/lib/postgresql/9.6/main)" ]; then - echo "Copying base" - cp -r /var/lib/postgresql/9.6/base/* /var/lib/postgresql/9.6/main - echo "Done" -fi - -chmod -R 700 /var/lib/postgresql/9.6/main -chown -R postgres /var/lib/postgresql/9.6/main - -echo "Starting postgres..." -. /usr/share/postgresql-common/init.d-functions -start 9.6 -tail -f /var/log/postgresql/postgresql-9.6-main.log diff --git a/docker/riotweb/Dockerfile b/docker/riotweb/Dockerfile deleted file mode 100644 index 862e2e5..0000000 --- a/docker/riotweb/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -FROM amd64/debian:buster as builder - -ARG VERSION -WORKDIR /root - -RUN apt-get update && \ - apt-get install -y wget && \ - wget https://github.com/vector-im/riot-web/releases/download/v${VERSION}/riot-v${VERSION}.tar.gz && \ - tar xf riot-v${VERSION}.tar.gz && \ - mv riot-v${VERSION}/ riot/ - -FROM superboum/amd64_webserver:v3 -COPY --from=builder /root/riot /srv/http diff --git a/docker/riotweb/config.json b/docker/riotweb/config.json deleted file mode 100644 index 8ce8e4c..0000000 --- a/docker/riotweb/config.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "default_hs_url": "https://im.deuxfleurs.fr", - "default_is_url": "https://vector.im", - "disable_custom_urls": false, - "disable_guests": false, - "disable_login_language_selector": false, - "disable_3pid_login": false, - "brand": "Deuxfleurs", - "integrations_ui_url": "https://scalar.vector.im/", - "integrations_rest_url": "https://scalar.vector.im/api", - "integrations_jitsi_widget_url": "https://scalar.vector.im/api/widgets/jitsi.html", - "bug_report_endpoint_url": "https://riot.im/bugreports/submit", - "features": { - "feature_groups": "labs", - "feature_pinning": "labs" - }, - "default_federate": true, - "welcomePageUrl": "home.html", - "default_theme": "light", - "roomDirectory": { - "servers": [ "im.deuxfleurs.fr", "matrix.org" ] - } -} - diff --git a/docker/seafile/Dockerfile b/docker/seafile/Dockerfile deleted file mode 100644 index 88dee4f..0000000 --- a/docker/seafile/Dockerfile +++ /dev/null @@ -1,46 +0,0 @@ -FROM amd64/debian:buster as builder - -ENV VERSION 7.0.5 - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y wget tar && \ - wget https://download.seadrive.org/seafile-server_${VERSION}_x86-64.tar.gz -O ./seafile.tar.gz && \ - tar xf ./seafile.tar.gz && \ - mv seafile-server-${VERSION} seafile-server - -FROM amd64/debian:buster - -COPY --from=builder ./seafile-server /srv/webstore/seafile-server - -RUN apt-get update && \ - apt-get dist-upgrade -y && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y \ - python \ - mariadb-client \ - python2.7 \ - libpython2.7 \ - python-setuptools \ - python-ldap \ - python-urllib3 \ - ffmpeg \ - python-pip \ - python-mysqldb \ - python-memcache \ - procps \ - python-requests && \ - pip install Pillow==4.3.0 && \ - pip install moviepy && \ - useradd -u 1000 -d /srv/webstore seauser && \ - chown -R seauser:1000 /srv/webstore/ - -RUN mkdir -p /usr/local/lib/mariadb/plugin/ && \ - ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/mysql_clear_password.so /usr/local/lib/mariadb/plugin/ && \ - ln -s /usr/lib/x86_64-linux-gnu/mariadb*/plugin/dialog.so /usr/local/lib/mariadb/plugin/ - -WORKDIR /srv/webstore/seafile-server -COPY seadocker /usr/local/bin/seadocker -COPY seaenv /usr/local/bin/seaenv - -ENTRYPOINT ["/usr/local/bin/seaenv"] -CMD ["/usr/local/bin/seadocker"] diff --git a/docker/seafile/README.md b/docker/seafile/README.md deleted file mode 100644 index 26d04e0..0000000 --- a/docker/seafile/README.md +++ /dev/null @@ -1,27 +0,0 @@ - -```bash -sudo docker build -t superboum/amd64_seafile:v5 . -``` - -When upgrading, connect on a production server and run: - -```bash -nomad stop seafile -sudo docker build -t superboum/amd64_seafile:v6 . - -sudo docker run -t -i \ - -v /mnt/glusterfs/seafile:/mnt/seafile-data \ - -v /mnt/glusterfs/seaconf/conf:/srv/webstore/conf \ - -v /mnt/glusterfs/seaconf/ccnet:/srv/webstore/ccnet \ - superboum/amd64_seafile:v5 - -# See: -# * https://download.seafile.com/published/seafile-manual/deploy/upgrade.md -# * https://download.seafile.com/published/seafile-manual/changelog/server-changelog.md - - - -nomad start seafile.hcl -``` - -when upgrading, change the command on start diff --git a/docker/seafile/seadocker b/docker/seafile/seadocker deleted file mode 100755 index 5b5982b..0000000 --- a/docker/seafile/seadocker +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -/srv/webstore/seafile-server/seafile.sh start -/srv/webstore/seafile-server/seahub.sh start -tail -f /srv/webstore/logs/* diff --git a/docker/seafile/seaenv b/docker/seafile/seaenv deleted file mode 100755 index 3b0e0bb..0000000 --- a/docker/seafile/seaenv +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -chown seauser /srv/webstore -chown seauser -R /srv/webstore/ccnet -chown seauser -R /srv/webstore/conf - -runuser -u seauser -- "$@" diff --git a/docker/sogo/Dockerfile b/docker/sogo/Dockerfile deleted file mode 100644 index 46880dd..0000000 --- a/docker/sogo/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -#FROM amd64/debian:stretch as builder - -FROM amd64/debian:buster - -RUN mkdir ~/.gnupg && echo "disable-ipv6" >> ~/.gnupg/dirmngr.conf - -RUN apt-get update && \ - apt-get install -y apt-transport-https gnupg2 sudo nginx && \ - rm -rf /etc/nginx/sites-enabled/* && \ - apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 && \ - echo "deb http://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster" > /etc/apt/sources.list.d/sogo.list && \ - apt-get update && \ - apt-get install -y sogo sogo-activesync sope4.9-gdl1-postgresql postgresql-client - -COPY sogo.nginx.conf /etc/nginx/sites-enabled/sogo.conf -COPY entrypoint /usr/sbin/entrypoint -ENTRYPOINT ["/usr/sbin/entrypoint"] diff --git a/docker/sogo/README.md b/docker/sogo/README.md deleted file mode 100644 index ea12245..0000000 --- a/docker/sogo/README.md +++ /dev/null @@ -1,20 +0,0 @@ -``` -docker build -t superboum/amd64_sogo:v6 . - -# privileged is only for debug -docker run --rm -ti \ - --privileged \ - -p 8080:8080 \ - -v /tmp/sogo/log:/var/log/sogo \ - -v /tmp/sogo/run:/var/run/sogo \ - -v /tmp/sogo/spool:/var/spool/sogo \ - -v /tmp/sogo/tmp:/tmp \ - -v `pwd`/sogo:/etc/sogo:ro \ - superboum/amd64_sogo:v1 -``` - -Password must be url encoded in sogo.conf for postgres -Will need a nginx instance: http://wiki.sogo.nu/nginxSettings - -Might (or might not) be needed: -traefik.frontend.headers.customRequestHeaders=x-webobjects-server-port:443||x-webobjects-server-name=sogo.deuxfleurs.fr||x-webobjects-server-url:https://sogo.deuxfleurs.fr diff --git a/docker/sogo/entrypoint b/docker/sogo/entrypoint deleted file mode 100755 index 8b39def..0000000 --- a/docker/sogo/entrypoint +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -mkdir -p /var/log/sogo -mkdir -p /var/run/sogo -mkdir -p /var/spool/sogo -chown sogo /var/log/sogo -chown sogo /var/run/sogo -chown sogo /var/spool/sogo - -nginx -g 'daemon on; master_process on;' -sudo -u sogo memcached -d -sudo -u sogo sogod -sleep 10 -tail -n200 -f /var/log/sogo/sogo.log diff --git a/docker/sogo/sogo.nginx.conf b/docker/sogo/sogo.nginx.conf deleted file mode 100644 index ad920a5..0000000 --- a/docker/sogo/sogo.nginx.conf +++ /dev/null @@ -1,83 +0,0 @@ -server { - listen 8080; - server_name default_server; - root /usr/lib/GNUstep/SOGo/WebServerResources/; - - ## requirement to create new calendars in Thunderbird ## - proxy_http_version 1.1; - - # Message size limit - client_max_body_size 50m; - client_body_buffer_size 128k; - - location = / { - rewrite ^ '/SOGo'; - allow all; - } - - location = /principals/ { - rewrite ^ '/SOGo/dav'; - allow all; - } - - location ^~/SOGo { - proxy_pass 'http://127.0.0.1:20000'; - proxy_redirect 'http://127.0.0.1:20000' default; - # forward user's IP address - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header x-webobjects-server-protocol HTTP/1.0; - proxy_set_header x-webobjects-remote-host 127.0.0.1; - proxy_set_header x-webobjects-server-name $server_name; - proxy_set_header x-webobjects-server-url $scheme://$host; - proxy_set_header x-webobjects-server-port $server_port; - proxy_connect_timeout 90; - proxy_send_timeout 90; - proxy_read_timeout 90; - proxy_buffer_size 4k; - proxy_buffers 4 32k; - proxy_busy_buffers_size 64k; - proxy_temp_file_write_size 64k; - break; - } - - location /SOGo.woa/WebServerResources/ { - alias /usr/lib/GNUstep/SOGo/WebServerResources/; - allow all; - expires max; - } - - location /SOGo/WebServerResources/ { - alias /usr/lib/GNUstep/SOGo/WebServerResources/; - allow all; - expires max; - } - - location (^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$) { - alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; - expires max; - } - - location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { - alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; - expires max; - } - - location ^~ /Microsoft-Server-ActiveSync { - access_log /var/log/nginx/activesync.log; - error_log /var/log/nginx/activesync-error.log; - - proxy_connect_timeout 75; - proxy_send_timeout 3600; - proxy_read_timeout 3600; - proxy_buffers 64 256k; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; - proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /; - } -} diff --git a/docker/static/Dockerfile b/docker/static/Dockerfile deleted file mode 100644 index cdba59a..0000000 --- a/docker/static/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM golang:1.11.1-stretch as builder - -COPY ./goStatic /goStatic -WORKDIR /goStatic -RUN CGO_ENABLED=0 go build -a -o web-server . - -FROM scratch -COPY --from=builder /goStatic/web-server / -ENTRYPOINT ["/web-server"] diff --git a/docker/static/README.md b/docker/static/README.md deleted file mode 100644 index d50390c..0000000 --- a/docker/static/README.md +++ /dev/null @@ -1,5 +0,0 @@ - -``` -sudo docker build -t superboum/amd64_webserver:v3 . -sudo docker push superboum/amd64_webserver:v3 -``` diff --git a/docker/static/goStatic b/docker/static/goStatic deleted file mode 160000 index 3f97f57..0000000 --- a/docker/static/goStatic +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 3f97f57aaee09a142afe3ca0f1a5d51acd856436 diff --git a/docker/webpull/.gitignore b/docker/webpull/.gitignore deleted file mode 100644 index ba2906d..0000000 --- a/docker/webpull/.gitignore +++ /dev/null @@ -1 +0,0 @@ -main diff --git a/docker/webpull/Dockerfile.nodejs b/docker/webpull/Dockerfile.nodejs deleted file mode 100644 index acc7e74..0000000 --- a/docker/webpull/Dockerfile.nodejs +++ /dev/null @@ -1,9 +0,0 @@ -FROM node:13.8-buster - -RUN apt-get update && \ - apt-get install -y git - -COPY ./main /srv/httpd -WORKDIR /srv -CMD ["/srv/httpd"] - diff --git a/docker/webpull/Dockerfile.ruby b/docker/webpull/Dockerfile.ruby deleted file mode 100644 index 7578cca..0000000 --- a/docker/webpull/Dockerfile.ruby +++ /dev/null @@ -1,12 +0,0 @@ -FROM fedora:32 - -ENV LC_ALL=C.UTF-8 -ENV LANG=C.UTF-8 -ENV LANGUAGE=en_US.UTF-8 -ENV RUBYOPT --disable-did_you_mean - -RUN dnf install -y git ruby ruby-devel rubygems rubygem-bundler @development-tools redhat-rpm-config gcc-c++ zlib-devel - -COPY ./main /srv/httpd -WORKDIR /srv -CMD ["/srv/httpd"] diff --git a/docker/webpull/README.md b/docker/webpull/README.md deleted file mode 100644 index 5d17d17..0000000 --- a/docker/webpull/README.md +++ /dev/null @@ -1,23 +0,0 @@ -# webpull - -Webpull allows you to update your live website without deploying a new docker container but by simply calling an URL - -You need to specify a secret token at boot: - -``` -WEBPULL_TOKEN=s3cr3et ./webpull -``` - -## Node.js version - -``` -go build ./main.go -sudo docker build -f ./Dockerfile.nodejs -t superboum/amd64_webpull_pug:v1 . -``` - -## Ruby version - -``` -go build ./main.go -sudo docker build -f ./Dockerfile.ruby -t superboum/amd64_webpull_ruby:v1 . -``` diff --git a/docker/webpull/main.go b/docker/webpull/main.go deleted file mode 100644 index 46c90b9..0000000 --- a/docker/webpull/main.go +++ /dev/null @@ -1,100 +0,0 @@ -package main - -import ( - "fmt" - "errors" - "io" - "os/exec" - "os" - "log" - "net/http" - "strings" -) - -func myexec(w io.Writer, main string, params ...string) error { - cmd := exec.Command(main, params...) - cmd.Stdout = w - cmd.Stderr = w - err := cmd.Run() - if err != nil { - fmt.Fprintf(w, "Failed to run: %s %s\n", main, strings.Join(params, " ")) - } - return err -} - -func update(w io.Writer) error { - fmt.Fprintf(w, "Start update...\n") - _, err := os.Stat("./.git") - if err != nil { - fmt.Fprintf(w, ".git folder does not exist, creating it...\n") - err := myexec(w, "git", "init") - if err != nil { - return err - } - } - - err = myexec(w, "git", "remote", "get-url", "origin") - if err != nil { - repo, exists := os.LookupEnv("WEBPULL_REPO") - if !exists { - fmt.Fprintf(w, "You must define WEBPULL_REPO env variable...\n") - return errors.New("Missing environment variable WEBPULL_REPO") - } - fmt.Fprintf(w, "git remote is not yet set...\n") - err := myexec(w, "git", "remote", "add", "origin", repo) - if err != nil { - return err - } - } - - err = myexec(w, "git", "pull", "origin", "master") - if err != nil { - fmt.Fprintf(w, "Failed to pull...\n") - return err - } - - _, err = os.Stat("./.webpull") - if err != nil { - fmt.Fprintf(w, "You must create an executable file named '.webpull' at the root of your repository.\nIf you have nothing to run, just create an empty bash script...\n") - return err - } - - err = myexec(w, "./.webpull") - if err != nil { - fmt.Fprintf(w, "An error occured during script execution\n") - return err - } - - fmt.Fprintf(w, "Success.\n") - return nil -} - -func main() { - token, exists := os.LookupEnv("WEBPULL_TOKEN") - if !exists { - log.Fatal("Environment variable 'WEBPULL_TOKEN' must be defined") - } - - if update(os.Stdout) != nil { - log.Fatal("Initial 'update' failed") - } - - fs := http.FileServer(http.Dir("./static")) - http.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) { - keys, ok := r.URL.Query()["token"] - if !ok || len(keys[0]) < 1 { - http.Error(w, "Missing 'token' query parameter", 401) - return - } - - if keys[0] != token { - http.Error(w, "Wrong token", 401) - return - } - - update(w) - }) - http.Handle("/", fs) - - log.Fatal(http.ListenAndServe(":8080", nil)) -} diff --git a/man/create_database/README.md b/man/create_database/README.md deleted file mode 100644 index 7084a10..0000000 --- a/man/create_database/README.md +++ /dev/null @@ -1,15 +0,0 @@ -```bash -ssh root@ -docker run -t -i superboum/amd64_postgres:v1 -psql -h psql-proxy.service.2.cluster.deuxfleurs.fr -p 25432 -U postgres -W postgres -``` - -```sql -CREATE USER seafile; -CREATE DATABASE seafile ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER seafile; --- GRANT ALL PRIVILEGES ON DATABASE seafile TO seafile; -``` - -``` -consul kv import @ldapkv_seafile.json -``` diff --git a/man/init_stolon/README.md b/man/init_stolon/README.md deleted file mode 100644 index 618530a..0000000 --- a/man/init_stolon/README.md +++ /dev/null @@ -1,58 +0,0 @@ -Spawn container: - -```bash -docker run -t -i superboum/arm32v7_postgres:v6 -# OR -docker run -t -i superboum/amd64_postgres:v1 -``` - - -Init with: - -``` -stolonctl \ - --cluster-name pissenlit \ - --store-backend=consul \ - --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 \ - init \ - '{ "initMode": "new", "pgHBA": [ "host all postgres all md5", "host replication replicator all md5", "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs, dc=fr\" ldapbinddn=\"\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" ] }' - -``` - -Then set appropriate permission on host: - -``` -chown -R 102:102 /mnt/storage/postgres/ -``` - -(102 is the id of the postgres user used in Docker) -It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command. -Moreover it would enable the usage of the user namespace that shift the UIDs. - - - -## Upgrading the cluster - -To retreive the current stolon config: - -``` -stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 -``` - -The important part for the LDAP: - -``` -{ - "pgHBA": [ - "host all postgres all md5", - "host replication replicator all md5", - "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" - ] -} -``` - -Once a patch is writen: - -``` -stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json -``` diff --git a/man/nextcloud/README.md b/man/nextcloud/README.md deleted file mode 100644 index f68520b..0000000 --- a/man/nextcloud/README.md +++ /dev/null @@ -1,60 +0,0 @@ -# How to setup NextCloud - -## First setup - -It's complicated. - -First, create a service user `nextcloud` and a database `nextcloud` it owns. Also create a Garage access key and bucket `nextcloud` it is allowed to use. - -Fill in the following Consul keys with actual values: - -``` -secrets/nextcloud/db_user -secrets/nextcloud/db_pass -secrets/nextcloud/garage_access_key -secrets/nextcloud/garage_secret_key -``` - -Create the following Consul keys with empty values: - -``` -secrets/nextcloud/instance_id -secrets/nextcloud/password_salt -secrets/nextcloud/secret -``` - -Start the nextcloud.hcl nomad service. Enter the container and call `occ maintenance:install` with the correct database parameters as user `www-data`. -A possibility: call the admin user `nextcloud` and give it the same password as the `nextcloud` service user. - -Cat the newly generated `config.php` file and copy the instance id, password salt, and secret from there to Consul -(they were generated by the install script and we want to keep them). - -Restart the Nextcloud Nomad server. - -You should now be able to log in to Nextcloud using the admin user (`nextcloud` if you called it that). - -Go to the apps settings and enable desired apps. - -## Configure LDAP login - -LDAP login has to be configured from the admin interface. First, enable the LDAP authentification application. - -Go to settings > LDAP/AD integration. Enter the following parameters: - -- ldap server: `bottin2.service.2.cluster.deuxfleurs.fr` -- bind user: `cn=nextcloud,ou=services,ou=users,dc=deuxfleurs,dc=fr` -- bind password: password of the nextcloud service user -- base DN for users: `ou=users,dc=deuxfleurs,dc=fr` -- check "manually enter LDAP filters" -- in the users tab, edit LDAP query and set it to `(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))` -- in the login attributes tab, edit LDAP query and set it to `(&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))(|(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid))))` -- in the groups tab, edit the LDAP query and set it to `(|(objectclass=groupOfNames))` -- in the advanced tab, enter the "directory setting" section and check/modify the following: - - user display name field: `displayname` - - base user tree: `ou=users,dc=deuxfleurs,dc=fr` - - user search attribute: `cn` - - groupe display name field: `displayname` - - **base group tree**: `ou=groups,dc=deuxfleurs,dc=fr` - - group search attribute: `cn` - -That should be it. Go to the login attributes tab and enter a username (which should have been added to the nextcloud group) to check that nextcloud is able to find it and allows it for login. diff --git a/nomad/bottin2.hcl b/nomad/bottin2.hcl deleted file mode 100644 index 85bda59..0000000 --- a/nomad/bottin2.hcl +++ /dev/null @@ -1,116 +0,0 @@ -job "directory2" { - datacenters = ["dc1"] - type = "service" - - constraint { - attribute = "${attr.cpu.arch}" - value = "amd64" - } - - group "bottin" { - count = 1 - task "bottin" { - driver = "docker" - config { - image = "lxpz/bottin_amd64:14" - readonly_rootfs = true - port_map { - ldap_port = 1389 - } - volumes = [ - "secrets/config.json:/config.json" - ] - } - - resources { - memory = 100 - network { - port "ldap_port" { - static = "389" - } - } - } - - template { - data = "{{ key \"configuration/directory/bottin/config.json\" }}" - destination = "secrets/config.json" - } - - service { - tags = ["bottin"] - port = "ldap_port" - address_mode = "host" - name = "bottin2" - check { - type = "tcp" - port = "ldap_port" - interval = "60s" - timeout = "5s" - check_restart { - limit = 3 - grace = "90s" - ignore_warnings = false - } - } - } - } - } - - group "guichet" { - count = 1 - task "guichet" { - driver = "docker" - config { - image = "lxpz/guichet_amd64:10" - readonly_rootfs = true - port_map { - web_port = 9991 - } - volumes = [ - "secrets/config.json:/config.json" - ] - } - - artifact { - source = "http://127.0.0.1:8500/v1/kv/configuration/directory/guichet/config.json.tpl?raw" - destination = "secrets/config.json.tpl" - mode = "file" - } - template { - source = "secrets/config.json.tpl" - destination = "secrets/config.json" - } - - resources { - memory = 200 - network { - port "web_port" {} - } - } - - service { - name = "guichet" - tags = [ - "guichet", - "traefik.enable=true", - "traefik.frontend.entryPoints=https,http", - "traefik.frontend.rule=Host:guichet.deuxfleurs.fr", - ] - port = "web_port" - address_mode = "host" - check { - type = "tcp" - port = "web_port" - interval = "60s" - timeout = "5s" - check_restart { - limit = 3 - grace = "90s" - ignore_warnings = false - } - } - } - } - } -} - diff --git a/nomad/core.hcl b/nomad/core.hcl deleted file mode 100644 index 43774a6..0000000 --- a/nomad/core.hcl +++ /dev/null @@ -1,43 +0,0 @@ -job "core" { - datacenters = ["dc1"] - type = "system" - - constraint { - attribute = "${attr.cpu.arch}" - value = "amd64" - } - - update { - max_parallel = 1 - stagger = "1m" - } - - group "network" { - task "diplonat" { - driver = "docker" - - config { - image = "darkgallium/amd64_diplonat:v2" - network_mode = "host" - readonly_rootfs = true - privileged = true - } - - template { - data = < +docker run -t -i superboum/amd64_postgres:v1 +psql -h psql-proxy.service.2.cluster.deuxfleurs.fr -p 25432 -U postgres -W postgres +``` + +```sql +CREATE USER seafile; +CREATE DATABASE seafile ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER seafile; +-- GRANT ALL PRIVILEGES ON DATABASE seafile TO seafile; +``` + +``` +consul kv import @ldapkv_seafile.json +``` diff --git a/op_guide/init_stolon/README.md b/op_guide/init_stolon/README.md new file mode 100644 index 0000000..618530a --- /dev/null +++ b/op_guide/init_stolon/README.md @@ -0,0 +1,58 @@ +Spawn container: + +```bash +docker run -t -i superboum/arm32v7_postgres:v6 +# OR +docker run -t -i superboum/amd64_postgres:v1 +``` + + +Init with: + +``` +stolonctl \ + --cluster-name pissenlit \ + --store-backend=consul \ + --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 \ + init \ + '{ "initMode": "new", "pgHBA": [ "host all postgres all md5", "host replication replicator all md5", "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs, dc=fr\" ldapbinddn=\"\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" ] }' + +``` + +Then set appropriate permission on host: + +``` +chown -R 102:102 /mnt/storage/postgres/ +``` + +(102 is the id of the postgres user used in Docker) +It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command. +Moreover it would enable the usage of the user namespace that shift the UIDs. + + + +## Upgrading the cluster + +To retreive the current stolon config: + +``` +stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 +``` + +The important part for the LDAP: + +``` +{ + "pgHBA": [ + "host all postgres all md5", + "host replication replicator all md5", + "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" + ] +} +``` + +Once a patch is writen: + +``` +stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json +``` diff --git a/op_guide/nextcloud/README.md b/op_guide/nextcloud/README.md new file mode 100644 index 0000000..f68520b --- /dev/null +++ b/op_guide/nextcloud/README.md @@ -0,0 +1,60 @@ +# How to setup NextCloud + +## First setup + +It's complicated. + +First, create a service user `nextcloud` and a database `nextcloud` it owns. Also create a Garage access key and bucket `nextcloud` it is allowed to use. + +Fill in the following Consul keys with actual values: + +``` +secrets/nextcloud/db_user +secrets/nextcloud/db_pass +secrets/nextcloud/garage_access_key +secrets/nextcloud/garage_secret_key +``` + +Create the following Consul keys with empty values: + +``` +secrets/nextcloud/instance_id +secrets/nextcloud/password_salt +secrets/nextcloud/secret +``` + +Start the nextcloud.hcl nomad service. Enter the container and call `occ maintenance:install` with the correct database parameters as user `www-data`. +A possibility: call the admin user `nextcloud` and give it the same password as the `nextcloud` service user. + +Cat the newly generated `config.php` file and copy the instance id, password salt, and secret from there to Consul +(they were generated by the install script and we want to keep them). + +Restart the Nextcloud Nomad server. + +You should now be able to log in to Nextcloud using the admin user (`nextcloud` if you called it that). + +Go to the apps settings and enable desired apps. + +## Configure LDAP login + +LDAP login has to be configured from the admin interface. First, enable the LDAP authentification application. + +Go to settings > LDAP/AD integration. Enter the following parameters: + +- ldap server: `bottin2.service.2.cluster.deuxfleurs.fr` +- bind user: `cn=nextcloud,ou=services,ou=users,dc=deuxfleurs,dc=fr` +- bind password: password of the nextcloud service user +- base DN for users: `ou=users,dc=deuxfleurs,dc=fr` +- check "manually enter LDAP filters" +- in the users tab, edit LDAP query and set it to `(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))` +- in the login attributes tab, edit LDAP query and set it to `(&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))(|(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid))))` +- in the groups tab, edit the LDAP query and set it to `(|(objectclass=groupOfNames))` +- in the advanced tab, enter the "directory setting" section and check/modify the following: + - user display name field: `displayname` + - base user tree: `ou=users,dc=deuxfleurs,dc=fr` + - user search attribute: `cn` + - groupe display name field: `displayname` + - **base group tree**: `ou=groups,dc=deuxfleurs,dc=fr` + - group search attribute: `cn` + +That should be it. Go to the login attributes tab and enter a username (which should have been added to the nextcloud group) to check that nextcloud is able to find it and allows it for login. diff --git a/os_build/README.md b/os_build/README.md new file mode 100644 index 0000000..c96ae5a --- /dev/null +++ b/os_build/README.md @@ -0,0 +1 @@ +sudo dnf install smartmontools diff --git a/os_build/build-installer.sh b/os_build/build-installer.sh new file mode 100644 index 0000000..7ede0c4 --- /dev/null +++ b/os_build/build-installer.sh @@ -0,0 +1,139 @@ +#!/bin/bash + +set -e # Exit on error + +DEVICE=$1 + +[[ -z "${DEVICE}" ]] && echo "Usage $0 /dev/sdX" && exit 1 + +udevadm info -n ${DEVICE} -q property +echo "Selected device is ${DEVICE}" +read -p "[Press enter to continue or CTRL+C to stop]" + +echo "Umount ${DEVICE}" +umount ${DEVICE}* || true + +echo "Set partition table to GPT (UEFI)" +parted ${DEVICE} --script mktable gpt + +echo "Create EFI partition" +parted ${DEVICE} --script mkpart EFI fat16 1MiB 10MiB +parted ${DEVICE} --script set 1 msftdata on + +echo "Create OS partition" +parted ${DEVICE} --script mkpart LINUX btrfs 10MiB 4GiB + +echo "Format partitions" +mkfs.vfat -n EFI ${DEVICE}1 +mkfs.btrfs -f -L LINUX ${DEVICE}2 + +ROOTFS_UUID=$(btrfs filesystem show ${DEVICE}2 | grep -Po "uuid: [a-f0-9-]+"|cut -c 7-44) +if [[ -z ${ROOTFS_UUID} ]]; then +echo "Rootfs UUID is <<${ROOTFS_UUID}>>" +echo "WARNING! BUG! The UUID is not set in the fstab. Either because this command failed (empty UUID above) or because of chroot scoping. Please fix it." +echo "Your OS will still be able to boot normally and remount the filesystem as RW but it could crash some apps like fsck" +read -p "[Press enter to continue or CTRL+C to stop]" +fi + +echo "Mount OS partition" +ROOTFS="/tmp/installing-rootfs" +mkdir -p ${ROOTFS} +mount ${DEVICE}2 ${ROOTFS} + +echo "Debootstrap system" +debootstrap --variant=minbase --arch amd64 buster ${ROOTFS} http://deb.debian.org/debian/ + +echo "Mount EFI partition" +mkdir -p ${ROOTFS}/boot/efi +mount ${DEVICE}1 ${ROOTFS}/boot/efi + +echo "Get ready for chroot" +mount --bind /dev ${ROOTFS}/dev +mount -t devpts /dev/pts ${ROOTFS}/dev/pts +mount -t proc proc ${ROOTFS}/proc +mount -t sysfs sysfs ${ROOTFS}/sys +mount -t tmpfs tmpfs ${ROOTFS}/tmp + +echo "Entering chroot, installing Linux kernel and Grub" +cat << EOF | chroot ${ROOTFS} + set -e + export HOME=/root + export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin + export DEBIAN_FRONTEND=noninteractive + debconf-set-selections <<< "grub-efi-amd64 grub2/update_nvram boolean false" + apt-get remove -y grub-efi grub-efi-amd64 + apt-get update + apt-get install -y linux-image-generic linux-headers-generic grub-efi + grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-nvram --removable + update-grub +EOF + +echo "Install script based on dd" +cat << 'EOF' > ${ROOTFS}/usr/local/sbin/os-install + #!/bin/bash + + set -e + + SOURCE=$1 + TARGET=$2 + # We write partitions until 4GiB = 4 * 1024^3 (https://en.wikipedia.org/wiki/Gibibyte) + # In dd, M means 1048576 bytes = 1024^2 (man dd) + # So we need to copy (4 * 1024^3) / (4 * 1024^2) = 0.5 * 1024 = 1024 blocks + dd if=${SOURCE} of=${TARGET} bs=4M status=progress count=1030 + growpart ${TARGET} 2 + mount ${TARGET}2 /mnt + btrfs filesystem resize max /mnt + umount /mnt + echo "you might want to run: btrfstune -u ${TARGET}2 but you will need to update the fstab" + echo "you might want to change systemd machine UUID" + echo "you might want to change /etc/systemd/network/en.network configuration" +EOF + +chmod +x ${ROOTFS}/usr/local/sbin/os-install + +echo "Entering chroot (bis), installing daemon" +cat << EOF | chroot ${ROOTFS} + set -e + export HOME=/root + export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin + export DEBIAN_FRONTEND=noninteractive + + # Set fstab + echo "UUID=${ROOTFS_UUID} / btrfs defaults 0 0" > /etc/fstab + + # Install systemd and OpenSSH + apt-get update + apt-get install -y systemd openssh-server sudo btrfs-tools cloud-utils python + systemctl enable ssh + + # Enable systemd services + systemctl enable systemd-networkd systemd-timesyncd systemd-resolved + + # Listen on any ethernet interface for DHCP + tee /etc/systemd/network/en.network << EOG +[Match] +Name=en* + +[Network] +DHCP=ipv4 +EOG + + # Add SSH keys + mkdir -p /root/.ssh + tee /root/.ssh/authorized_keys << EOG +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io +EOG + + echo "Done" +EOF + +echo "Unmounting filesystems" +umount ${ROOTFS}/dev/pts +umount ${ROOTFS}/dev +umount ${ROOTFS}/proc +umount ${ROOTFS}/sys +umount ${ROOTFS}/tmp +umount ${ROOTFS}/boot/efi +umount ${ROOTFS} + +echo "Done" diff --git a/os_config/README.md b/os_config/README.md new file mode 100644 index 0000000..db8d960 --- /dev/null +++ b/os_config/README.md @@ -0,0 +1,15 @@ +# ANSIBLE + +## How to proceed + +For each machine, **one by one** do: + - Check that cluster is healthy + - `sudo gluster peer status` + - `sudo gluster volume status all` (check Online Col, only `Y` must appear) + - Check that Nomad is healthy + - Check that Consul is healthy + - Check that Postgres is healthy + - Run `ansible-playbook -i production --limit site.yml` + - Reboot + - Check that cluster is healthy + diff --git a/os_config/README.more.md b/os_config/README.more.md new file mode 100644 index 0000000..0d0c607 --- /dev/null +++ b/os_config/README.more.md @@ -0,0 +1,52 @@ + +## Provisionning + + 1. Need a public IP address + 2. Deploy Debian sid/buster + 3. Add a DNS entry like xxxx.machine.deuxfleurs.fr A 0.0.0.0 in Cloudflare + Havelock + 4. Setup the fqdn in /etc/hosts (127.0.1.1 xxxx.machine.deuxfleurs.fr) + 5. Switch the SSH port to the port 110 + 6. Add the server to the ./production file + 7. Reboot machine + 8. Deploy Ansible + 9. Check that everything works as intended + 10. Update NS 1.cluster.deuxfleurs.fr + +## Useful commands + +Show every variables collected by Ansible for a given host: + +``` +ansible -i production villequin.machine.deuxfleurs.fr -m setup +``` + +Run playbook for only one host: + +``` +ansible-playbook -i production --limit villequin.machine.deuxfleurs.fr site.yml +``` + +Dump hostvars: + +``` +ansible -m debug villequin.machine.deuxfleurs.fr -i ./production -a "var=hostvars" +``` + +Deploy only one tag: + +``` +ansible-playbook -i production site.yml --tags "container" +``` + +Redeploy everything: + +``` +ansible-playbook -i production site.yml +``` + +Upgrade packages and force overwirte to fix bad packing done by GlusterFS: + +``` +apt-get -o Dpkg::Options::="--force-overwrite" dist-upgrade -y +``` + diff --git a/os_config/cluster_nodes.yml b/os_config/cluster_nodes.yml new file mode 100644 index 0000000..ea58630 --- /dev/null +++ b/os_config/cluster_nodes.yml @@ -0,0 +1,19 @@ +--- + +- hosts: cluster_nodes + serial: 1 + roles: + - role: common + tags: base + - role: users + tags: account + - role: consul + tags: kv + - role: nomad + tags: orchestrator + - role: network + tags: net + +# UNSAFE!! This section configures glusterfs. Once done, don't run it ever again as it may break stuff. +# - role: storage +# tags: sto diff --git a/os_config/group_vars/all/.gitignore b/os_config/group_vars/all/.gitignore new file mode 100644 index 0000000..9271182 --- /dev/null +++ b/os_config/group_vars/all/.gitignore @@ -0,0 +1 @@ +vars_file.yml diff --git a/os_config/group_vars/all/vars_file.yml.sample b/os_config/group_vars/all/vars_file.yml.sample new file mode 100644 index 0000000..191f35c --- /dev/null +++ b/os_config/group_vars/all/vars_file.yml.sample @@ -0,0 +1 @@ +consul_gossip_encrypt: 'xxx' diff --git a/os_config/production b/os_config/production new file mode 100644 index 0000000..c8f08f2 --- /dev/null +++ b/os_config/production @@ -0,0 +1,4 @@ +[cluster_nodes] +veterini ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=110 ansible_user=root public_ip=192.168.1.2 private_ip=192.168.1.2 interface=eno1 dns_server=80.67.169.40 +silicareux ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=111 ansible_user=root public_ip=192.168.1.3 private_ip=192.168.1.3 interface=eno1 dns_server=80.67.169.40 +wonse ansible_host=fbx-rennes2.machine.deuxfleurs.fr ansible_port=112 ansible_user=root public_ip=192.168.1.4 private_ip=192.168.1.4 interface=eno1 dns_server=80.67.169.40 diff --git a/os_config/roles/common/tasks/main.yml b/os_config/roles/common/tasks/main.yml new file mode 100644 index 0000000..b4d00bb --- /dev/null +++ b/os_config/roles/common/tasks/main.yml @@ -0,0 +1,51 @@ +- name: "Check that host runs Debian buster/sid on armv7l or x86_64" + assert: + that: + - "ansible_architecture == 'aarch64' or ansible_architecture == 'armv7l' or ansible_architecture == 'x86_64'" + - "ansible_os_family == 'Debian'" + +- name: "Upgrade system" + apt: + upgrade: dist # Should we do a full uprade instead of a dist one? + update_cache: yes + cache_valid_time: 3600 + autoclean: yes + autoremove: yes + +- name: "Install base tools" + apt: + name: + - vim + - htop + - screen + - iptables + - iptables-persistent + - nftables + - iproute2 + - curl + - iputils-ping + - dnsutils + - bmon + - iftop + - iotop + - docker.io + - unzip + - tar + - tcpdump + - less + - parted + - btrfs-tools + - libnss-resolve + - net-tools + - strace + - sudo + state: present + +- name: "Passwordless sudo" + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%sudo' + line: '%sudo ALL=(ALL) NOPASSWD: ALL' + validate: 'visudo -cf %s' + diff --git a/os_config/roles/consul/files/consul.service b/os_config/roles/consul/files/consul.service new file mode 100644 index 0000000..ffaa2a3 --- /dev/null +++ b/os_config/roles/consul/files/consul.service @@ -0,0 +1,10 @@ +[Unit] +Description=Consul +After=network-online.target +Wants=network-online.target + +[Service] +ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul + +[Install] +WantedBy=multi-user.target diff --git a/os_config/roles/consul/tasks/main.yml b/os_config/roles/consul/tasks/main.yml new file mode 100644 index 0000000..2b77080 --- /dev/null +++ b/os_config/roles/consul/tasks/main.yml @@ -0,0 +1,26 @@ +- name: "Set consul version" + set_fact: + consul_version: 1.8.0 + +- name: "Download and install Consul for x86_64" + unarchive: + src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" + dest: /usr/local/bin + remote_src: yes + when: + - "ansible_architecture == 'x86_64'" + +- name: "Create consul configuration directory" + file: path=/etc/consul/ state=directory + +- name: "Deploy consul configuration" + template: src=consul.json.j2 dest=/etc/consul/consul.json + +- name: "Deploy consul systemd service" + copy: src=consul.service dest=/etc/systemd/system/consul.service + +- name: "Enable consul systemd service at boot" + service: name=consul state=started enabled=yes daemon_reload=yes + +- name: "Deploy resolv.conf to use Consul" + template: src=resolv.conf.j2 dest=/etc/resolv.conf diff --git a/os_config/roles/consul/templates/consul.json.j2 b/os_config/roles/consul/templates/consul.json.j2 new file mode 100644 index 0000000..b6c86aa --- /dev/null +++ b/os_config/roles/consul/templates/consul.json.j2 @@ -0,0 +1,30 @@ +{ + "data_dir": "/var/lib/consul", + "bind_addr": "0.0.0.0", + "advertise_addr": "{{ public_ip }}", + "addresses": { + "dns": "0.0.0.0", + "http": "0.0.0.0" + }, + "retry_join": [ + {% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #} + "{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }} + {% endfor %} + ], + "bootstrap_expect": 3, + "server": true, + "ui": true, + "ports": { + "dns": 53 + }, + "recursors": [ + "{{ dns_server }}" + ], + "encrypt": "{{ consul_gossip_encrypt }}", + "domain": "2.cluster.deuxfleurs.fr", + "performance": { + "raft_multiplier": 10, + "rpc_hold_timeout": "30s", + "leave_drain_time": "30s" + } +} diff --git a/os_config/roles/consul/templates/resolv.conf.j2 b/os_config/roles/consul/templates/resolv.conf.j2 new file mode 100644 index 0000000..2404034 --- /dev/null +++ b/os_config/roles/consul/templates/resolv.conf.j2 @@ -0,0 +1,2 @@ +nameserver {{ private_ip }} +nameserver {{ dns_server }} diff --git a/os_config/roles/consul/vars/.gitignore b/os_config/roles/consul/vars/.gitignore new file mode 100644 index 0000000..ff5c0bd --- /dev/null +++ b/os_config/roles/consul/vars/.gitignore @@ -0,0 +1 @@ +main.yml diff --git a/os_config/roles/consul/vars/main.yml.sample b/os_config/roles/consul/vars/main.yml.sample new file mode 100644 index 0000000..9c44126 --- /dev/null +++ b/os_config/roles/consul/vars/main.yml.sample @@ -0,0 +1,2 @@ +--- +consul_gossip_encrypt: "" diff --git a/os_config/roles/network/files/rules.v6 b/os_config/roles/network/files/rules.v6 new file mode 100644 index 0000000..17ff71c --- /dev/null +++ b/os_config/roles/network/files/rules.v6 @@ -0,0 +1,12 @@ +# WARNING!! When rules.{v4,v6} are changed, the whole iptables configuration is reloaded. +# This creates issues with Docker, which injects its own configuration in iptables when it starts. +# In practice, most (all?) containers will break if rules.{v4,v6} are changed, +# and docker will have to be restared. + + +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT + diff --git a/os_config/roles/network/tasks/main.yml b/os_config/roles/network/tasks/main.yml new file mode 100644 index 0000000..1443e0c --- /dev/null +++ b/os_config/roles/network/tasks/main.yml @@ -0,0 +1,11 @@ +- name: "Deploy iptablesv4 configuration" + template: src=rules.v4.j2 dest=/etc/iptables/rules.v4 + +- name: "Deploy iptablesv6 configuration" + copy: src=rules.v6 dest=/etc/iptables/rules.v6 + +- name: "Activate IP forwarding" + sysctl: + name: net.ipv4.ip_forward + value: "1" + sysctl_set: yes diff --git a/os_config/roles/network/templates/rules.v4.j2 b/os_config/roles/network/templates/rules.v4.j2 new file mode 100644 index 0000000..a446139 --- /dev/null +++ b/os_config/roles/network/templates/rules.v4.j2 @@ -0,0 +1,36 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] + +# Administration +-A INPUT -p tcp --dport 22 -j ACCEPT + +# Cluster +-A INPUT -s 192.168.1.254 -j ACCEPT +-A INPUT -s 82.253.205.190 -j ACCEPT +{% for selected_host in groups['cluster_nodes'] %} +-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT +-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT +{% endfor %} + +# Local +-A INPUT -i docker0 -j ACCEPT +-A INPUT -s 127.0.0.1/8 -j ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +COMMIT + +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT + +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT diff --git a/os_config/roles/nomad/files/nomad.service b/os_config/roles/nomad/files/nomad.service new file mode 100644 index 0000000..50116be --- /dev/null +++ b/os_config/roles/nomad/files/nomad.service @@ -0,0 +1,15 @@ +[Unit] +Description=Nomad +After=network-online.target +After=glusterd.service +After=consul.service +Wants=network-online.target +Wants=glusterd.service +Wants=consul.service + +[Service] +ExecStart=/usr/local/bin/nomad agent -config /etc/nomad + +[Install] +WantedBy=multi-user.target + diff --git a/os_config/roles/nomad/tasks/main.yml b/os_config/roles/nomad/tasks/main.yml new file mode 100644 index 0000000..7c73362 --- /dev/null +++ b/os_config/roles/nomad/tasks/main.yml @@ -0,0 +1,23 @@ +- name: "Set nomad version" + set_fact: + nomad_version: 0.12.0-beta2 + +- name: "Download and install Nomad for x86_64" + unarchive: + src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" + dest: /usr/local/bin + remote_src: yes + when: + - "ansible_architecture == 'x86_64'" + +- name: "Create Nomad configuration directory" + file: path=/etc/nomad/ state=directory + +- name: "Deploy Nomad configuration" + template: src=nomad.hcl.j2 dest=/etc/nomad/nomad.hcl + +- name: "Deploy Nomad systemd service" + copy: src=nomad.service dest=/etc/systemd/system/nomad.service + +- name: "Enable Nomad systemd service at boot" + service: name=nomad state=started enabled=yes daemon_reload=yes diff --git a/os_config/roles/nomad/templates/nomad.hcl.j2 b/os_config/roles/nomad/templates/nomad.hcl.j2 new file mode 100644 index 0000000..b0be6a8 --- /dev/null +++ b/os_config/roles/nomad/templates/nomad.hcl.j2 @@ -0,0 +1,34 @@ +addresses { + http = "0.0.0.0" + rpc = "0.0.0.0" + serf = "0.0.0.0" +} + +advertise { + http = "{{ public_ip }}" + rpc = "{{ public_ip }}" + serf = "{{ public_ip }}" +} + +data_dir = "/var/lib/nomad" + +server { + enabled = true + bootstrap_expect = 3 +} + +consul { + address="127.0.0.1:8500" +} + +client { + enabled = true + #cpu_total_compute = 4000 + servers = ["127.0.0.1:4648"] + network_interface = "{{ interface }}" + options { + docker.privileged.enabled = "true" + docker.volumes.enabled = "true" + } +} + diff --git a/os_config/roles/storage/handlers/main.yml b/os_config/roles/storage/handlers/main.yml new file mode 100644 index 0000000..a395c93 --- /dev/null +++ b/os_config/roles/storage/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: umount gluster + shell: umount --force --lazy /mnt/glusterfs ; true diff --git a/os_config/roles/storage/tasks/main.yml b/os_config/roles/storage/tasks/main.yml new file mode 100644 index 0000000..a1f2d8f --- /dev/null +++ b/os_config/roles/storage/tasks/main.yml @@ -0,0 +1,72 @@ +- name: "Add GlusterFS Repo Key" + apt_key: + url: https://download.gluster.org/pub/gluster/glusterfs/5/rsa.pub + state: present + +- name: "Add GlusterFS official repository" + apt_repository: + repo: "deb [arch=amd64] https://download.gluster.org/pub/gluster/glusterfs/5/LATEST/Debian/buster/amd64/apt buster main" + state: present + filename: gluster + +- name: "Install GlusterFS" + apt: + name: + - glusterfs-server + - glusterfs-client + state: present + +- name: "Ensure Gluster Daemon started and enabled" + service: + name: glusterd + enabled: yes + state: started + +- name: "Create directory for GlusterFS bricks" + file: path=/mnt/storage/glusterfs/brick1 recurse=yes state=directory + +- name: "Create GlusterFS volumes" + gluster_volume: + state: present + name: donnees + bricks: /mnt/storage/glusterfs/brick1/g1 + #rebalance: yes + redundancies: 1 + disperses: 3 + #replicas: 3 + force: yes + options: + client.event-threads: "8" + server.event-threads: "8" + performance.stat-prefetch: "on" + nfs.disable: "on" + features.cache-invalidation: "on" + performance.client-io-threads: "on" + config.transport: tcp + performance.quick-read: "on" + performance.io-cache: "on" + nfs.export-volumes: "off" + cluster.lookup-optimize: "on" + + cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}" + run_once: true + +- name: "Create mountpoint" + file: path=/mnt/glusterfs recurse=yes state=directory + +- name: "Flush handlers (umount glusterfs and restart ganesha)" + meta: flush_handlers + +- name: "Add fstab entry" + tags: gluster-fstab + mount: + path: /mnt/glusterfs + src: "{{ private_ip }}:/donnees" + fstype: glusterfs + opts: "defaults,_netdev,noauto,x-systemd.automount" + state: present + +- name: Mount everything + command: mount -a + args: + warn: no diff --git a/os_config/roles/users/files/alex-key1.pub b/os_config/roles/users/files/alex-key1.pub new file mode 100644 index 0000000..93514ab --- /dev/null +++ b/os_config/roles/users/files/alex-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata diff --git a/os_config/roles/users/files/alex-key2.pub b/os_config/roles/users/files/alex-key2.pub new file mode 100644 index 0000000..1eddcc8 --- /dev/null +++ b/os_config/roles/users/files/alex-key2.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk4tAEhDkLeik9eEHIHMliyckM/gWr/k6fX/CSmayCM katchup@charlotte diff --git a/os_config/roles/users/files/florian-key1.pub b/os_config/roles/users/files/florian-key1.pub new file mode 100644 index 0000000..47b5593 --- /dev/null +++ b/os_config/roles/users/files/florian-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/qOM2BYy3UFycDylioACWrnDwg69AoTNE6Ym9W4WI2R+FXd6A1DDG+NLW2orUfkARcJGYEXkzsd3wjDg0s+FS23QWTP+JTkZbdGzuMAcoNeJBtgsCq6m5Q2kvrQc5RscYBr/OZtx2PUfrGyRE3yiVCj38zOgRLRWY0Iqs97tlH74YP4BG3jQ/MI5zXEptWcXBO86FtISB3QyHPRg5OH0192094X/QcG18GKd2ORxC/ZcwK9GdEbJJHgkxJ0TbsQO3KfNTEFBCiynYpYViBsQZsrdBkw4sHHy5OKEahIexdpUg8EJhpyzLn6pvGSqua/mVxirJazgNgtvLlrUsAuNd4/HoWRSqzh51/4hQJ3BV4Yed/tX0rwlT/ZzIIzpGw+qJF3IVuxdvXIineNAEyjVfLVT6hADyQu52ziHSE0cVmUkWT0R7ZgPku0PRBuSeewJIm8uLM69GU/GeRt+mSNl6xOvtBrY/j6sRHcMROlgSHhJ6YnvmkiYXl0MyrH9YGc8= diff --git a/os_config/roles/users/files/florian-key2.pub b/os_config/roles/users/files/florian-key2.pub new file mode 100644 index 0000000..f9935b3 --- /dev/null +++ b/os_config/roles/users/files/florian-key2.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0OcDsEZdiizsz8UIgOIqOQilnHWq0sOxuu6idOqqLVYLPZEv8owdeC5oIgQj94BcKnRzpe8UHxN13GQdEWsqCim6Zn8G5x1HdZDBC83466x3i6KBkMP0dk+h47tENxKFXBPUbh/2sR8r/lZXEhzCCo7tpVuRZpCc/r8WPbAQpLgDO2D0dR7etwf3ndgObxQU0w7WbN+7NzmaHE+VQLu/pqH0op8jZyebfb26XhZ1JnNrDhp86KYbusagn6wUwp3vaJmK9UyEMi21E5HI0ri51+FP8kaTCUpgIRmgIkKFFWiup5I56K8cpgZHcJ4NY7G3jHJeI3KBlazVMyhDVJ5glI1mV0zgdr7BRGqhn70hjf5vbkzcHbRVaMaGzGENLpTFWnaONB/EbqRghWsiVpV75BYzvxSSM8Yrx8pwKUBtLWU+FjljwuumXNLigLIc/FTxdcLvZudn51+XdJXtCBrBI1H22Q7kYXz7Pi800CDLQ8rUWkW8upQ+zu5fSRH+Ptwc= diff --git a/os_config/roles/users/files/maximilien-key1.pub b/os_config/roles/users/files/maximilien-key1.pub new file mode 100644 index 0000000..963b1f9 --- /dev/null +++ b/os_config/roles/users/files/maximilien-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5 diff --git a/os_config/roles/users/files/quentin-key1.pub b/os_config/roles/users/files/quentin-key1.pub new file mode 100644 index 0000000..f3667e0 --- /dev/null +++ b/os_config/roles/users/files/quentin-key1.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT1+H08FdUSvdPpPKdcafq4+JRHvFVjfvG5Id97LAoROmFRUb/ZOMTLdNuD7FqvW0Da5CPxIMr8ZxfrFLtpGyuG7qdI030iIRZPlKpBh37epZHaV+l9F4ZwJQMIBO9cuyLPXgsyvM/s7tDtrdK1k7JTf2EVvoirrjSzBaMhAnhi7//to8zvujDtgDZzy6aby75bAaDetlYPBq2brWehtrf9yDDG9WAMYJqp//scje/WmhbRR6eSdim1HaUcWk5+4ZPt8sQJcy8iWxQ4jtgjqTvMOe5v8ZPkxJNBine/ZKoJsv7FzKem00xEH7opzktaGukyEqH0VwOwKhmBiqsX2yN quentin@dufour.io diff --git a/os_config/roles/users/files/quentin-key2.pub b/os_config/roles/users/files/quentin-key2.pub new file mode 100644 index 0000000..c1b19fd --- /dev/null +++ b/os_config/roles/users/files/quentin-key2.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBu+KUebaWwlugMC5fGbNhHc6IaQDAC6+1vMc4Ww7nVU1rs2nwI7L5qcWxOwNdhFaorZQZy/fJuCWdFbF61RCKGayBWPLZHGPsfqDuggYNEi1Qil1kpeCECfDQNjyMTK058ZBBhOWNMHBjlLWXUlRJDkRBBECY0vo4jRv22SvSaPUCAnkdJ9rbAp/kqb497PTIb2r1l1/ew8YdhINAlpYQFQezZVfkZdTKxt22n0QCjhupqjfh3gfNnbBX0z/iO+RvAOWRIZsjPFLC+jXl+n7cnu2cq1nvST5eHiYfXXeIgIwmeENLKqp+2Twr7PIdv22PnJkh6iR5kx7eTRxkNZdN quentin@deuxfleurs.fr diff --git a/os_config/roles/users/tasks/main.yml b/os_config/roles/users/tasks/main.yml new file mode 100644 index 0000000..990a041 --- /dev/null +++ b/os_config/roles/users/tasks/main.yml @@ -0,0 +1,39 @@ +- name: Add users in the system + user: + name: "{{ item.username }}" + #groups: docker + shell: "{{ item.shell | default('/bin/bash') }}" + append: no + loop: "{{ active_users + | selectattr('is_admin', 'defined') + | rejectattr('is_admin') + | list + | union( active_users + | selectattr('is_admin', 'undefined') + | list )}}" + +- name: Set admin rights + user: + name: "{{ item.username }}" + groups: docker, sudo + shell: "{{ item.shell | default('/bin/bash') }}" + append: no + loop: "{{ active_users + | selectattr('is_admin', 'defined') + | selectattr('is_admin') + | list }}" + +# [V How SSH Key works] magic is done by subelements, understand the trick at: +# https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter +- name: Add SSH keys + authorized_key: + user: "{{ item.0.username }}" + state: present + key: "{{ lookup('file', item.1) }}" + loop: "{{ active_users | subelements('ssh_keys', skip_missing=True) }}" + +- name: Disable old users + user: + name: "{{ item }}" + state: absent + loop: "{{ disabled_users }}" diff --git a/os_config/roles/users/vars/main.yml b/os_config/roles/users/vars/main.yml new file mode 100644 index 0000000..5f4df4d --- /dev/null +++ b/os_config/roles/users/vars/main.yml @@ -0,0 +1,30 @@ +--- +active_users: + - username: 'quentin' + is_admin: true + ssh_keys: + - 'quentin-key1.pub' + - 'quentin-key2.pub' + + - username: 'alex' + is_admin: true + ssh_keys: + - 'alex-key1.pub' + - 'alex-key2.pub' + + - username: 'maximilien' + is_admin: true + ssh_keys: + - 'maximilien-key1.pub' + + - username: 'florian' + is_admin: false + ssh_keys: + - 'quentin-key1.pub' + #- 'florian-key1.pub' + #- 'florian-key2.pub' + +disabled_users: + - 'john.doe' + - 'erwan' + - 'valentin' diff --git a/os_config/site.yml b/os_config/site.yml new file mode 100644 index 0000000..f66e019 --- /dev/null +++ b/os_config/site.yml @@ -0,0 +1,2 @@ +--- +- import_playbook: cluster_nodes.yml -- cgit v1.2.3