KAZ/KazV2
11
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Compare commits

base: KAZ:5fbc804edd5750bf633b2869a1240dee687ec8f4
Branches Tags
KAZ:master KAZ:gestionSecrets KAZ:feat/python
..
compare: KAZ:feat/python
Branches Tags
KAZ:gestionSecrets KAZ:master KAZ:feat/python

18 Commits
5fbc804edd ... feat/pytho

Author SHA1 Message Date
Fanch
4d127a57e2 inscription utilisateur complète 2025-07-28 17:07:01 +02:00
Fanch
6e58f328e4 Merge branch 'master' into feat/python 2025-07-26 15:45:22 +02:00
Fanch
813e0e761f typo 2025-07-26 15:41:38 +02:00
Fanch
2e62e9782e mattermost canal creation comptes 2025-07-26 15:40:15 +02:00
Fanch
9f0b8f2e1e paheko standby 2025-07-26 15:39:49 +02:00
Fanch
fc4adc0fae mattermost first launch 2025-07-26 15:32:54 +02:00
Fanch
74812fa79a mattermost admin user/pass 2025-07-26 14:45:27 +02:00
Fanch
490c527d9a smallies 2025-07-26 14:41:31 +02:00
Fanch
3220d862a6 fix mattermost 2025-07-26 13:52:15 +02:00
Fanch
51cd89c16d smallies 2025-07-25 15:55:30 +02:00
Fanch
1936326535 fix default matterport 2025-07-25 15:52:47 +02:00
Fanch
a630e47bfe fix mattermost pgsql 2025-07-25 15:10:43 +02:00
Fanch
b4eee312df python 2025-07-25 14:49:46 +02:00
Fanch
27ca4dfce3 init python 2025-07-24 21:47:54 +02:00
Fanch
33fc237cb8 fix traefik 2025-07-17 18:26:36 +02:00
Fanch
ed5ef23ed2 fix traefik 2025-07-17 17:23:13 +02:00
Fanch
6f33808736 fix vm 2025-07-17 16:13:30 +02:00
nom
477a9155fe upgrade traefik to 3.4.4 2025-07-16 06:43:16 +02:00
65 changed files with 1863 additions and 451 deletions
Expand all files Collapse all files

11
bin/applyTemplate.sh
View File

@@ -16,6 +16,7 @@ KAZ_ROOT=$(cd "$(dirname $0)/.."; pwd)
setKazVars
. "${DOCKERS_ENV}"
. "${KAZ_KEY_DIR}/SetAllPass.sh"
usage () {
echo $(basename "$0") " [-h] [-help] [-timestamp] template dst"
@@ -63,8 +64,8 @@ done
-e "s|__DOKUWIKI_HOST__|${dokuwikiHost}|g"\
-e "s|__DOMAIN__|${domain}|g"\
-e "s|__FILE_HOST__|${fileHost}|g"\
# -e "s|__PAHEKO_API_PASSWORD__|${paheko_API_PASSWORD}|g"\
# -e "s|__PAHEKO_API_USER__|${paheko_API_USER}|g"\
-e "s|__PAHEKO_API_PASSWORD__|${paheko_API_PASSWORD}|g"\
-e "s|__PAHEKO_API_USER__|${paheko_API_USER}|g"\
-e "s|__PAHEKO_HOST__|${pahekoHost}|g"\
-e "s|__GIT_HOST__|${gitHost}|g"\
-e "s|__GRAV_HOST__|${gravHost}|g"\
@@ -78,9 +79,9 @@ done
-e "s|__SMTP_HOST__|${smtpHost}|g"\
-e "s|__SYMPADB__|${sympaDBName}|g"\
-e "s|__SYMPA_HOST__|${sympaHost}|g"\
# -e "s|__SYMPA_MYSQL_DATABASE__|${sympa_MYSQL_DATABASE}|g"\
# -e "s|__SYMPA_MYSQL_PASSWORD__|${sympa_MYSQL_PASSWORD}|g"\
# -e "s|__SYMPA_MYSQL_USER__|${sympa_MYSQL_USER}|g"\
-e "s|__SYMPA_MYSQL_DATABASE__|${sympa_MYSQL_DATABASE}|g"\
-e "s|__SYMPA_MYSQL_PASSWORD__|${sympa_MYSQL_PASSWORD}|g"\
-e "s|__SYMPA_MYSQL_USER__|${sympa_MYSQL_USER}|g"\
-e "s|__VIGILO_HOST__|${vigiloHost}|g"\
-e "s|__WEBMAIL_HOST__|${webmailHost}|g"\
-e "s|__CASTOPOD_HOST__|${castopodHost}|g"\

58
bin/container.sh
View File

@@ -61,6 +61,20 @@ doCompose () {
${SIMU} ln -fs ../../config/dockers.env .env
fi
${SIMU} docker-compose $1
if [ "$2" = "cachet" ] && [ "$1" != "down" ]; then
NEW_KEY=$(cd "${KAZ_COMP_DIR}/$2" ; docker-compose logs | grep APP_KEY=base64: | sed "s/^.*'APP_KEY=\(base64:[^']*\)'.*$/\1/" | tail -1)
if [ -n "${NEW_KEY}" ]; then
printKazMsg "cachet key change"
# change key
${SIMU} sed -i \
-e 's%^\(\s*cachet_APP_KEY=\).*$%\1"'"${NEW_KEY}"'"%' \
"${KAZ_KEY_DIR}/SetAllPass.sh"
${SIMU} "${KAZ_BIN_DIR}/secretGen.sh"
# restart
${SIMU} docker-compose $1
fi
fi
}
doComposes () {
@@ -163,6 +177,7 @@ statusComposes () {
saveComposes () {
. "${DOCKERS_ENV}"
. "${KAZ_ROOT}/secret/SetAllPass.sh"
savedComposes+=( ${enableMailComposes[@]} )
savedComposes+=( ${enableProxyComposes[@]} )
@@ -180,80 +195,67 @@ saveComposes () {
;;
sympa)
echo "save sympa"
. $KAZ_BIN_DIR/getPasswords.sh sympaDB
saveDB ${sympaDBName} "${sympaDB_MYSQL_USER}" "${sympaDB_MYSQL_PASSWORD}" "${sympaDB_MYSQL_DATABASE}" sympa mysql
saveDB ${sympaDBName} "${sympa_MYSQL_USER}" "${sympa_MYSQL_PASSWORD}" "${sympa_MYSQL_DATABASE}" sympa mysql
;;
web)
# rien à faire (fichiers)
;;
etherpad)
echo "save pad"
. $KAZ_BIN_DIR/getPasswords.sh etherpadDB
saveDB ${etherpadDBName} "${etherpadDB_MYSQL_USER}" "${etherpadDB_MYSQL_PASSWORD}" "${etherpadDB_MYSQL_DATABASE}" etherpad mysql
saveDB ${etherpadDBName} "${etherpad_MYSQL_USER}" "${etherpad_MYSQL_PASSWORD}" "${etherpad_MYSQL_DATABASE}" etherpad mysql
;;
framadate)
echo "save date"
. $KAZ_BIN_DIR/getPasswords.sh framadateDB
saveDB ${framadateDBName} "${framadateDB_MYSQL_USER}" "${framadateDB_MYSQL_PASSWORD}" "${framadateDB_MYSQL_DATABASE}" framadate mysql
echo "save date"
saveDB ${framadateDBName} "${framadate_MYSQL_USER}" "${framadate_MYSQL_PASSWORD}" "${framadate_MYSQL_DATABASE}" framadate mysql
;;
cloud)
echo "save cloud"
. $KAZ_BIN_DIR/getPasswords.sh nextcloudDB
saveDB ${nextcloudDBName} "${nextcloudDB_MYSQL_USER}" "${nextcloudDB_MYSQL_PASSWORD}" "${nextcloudDB_MYSQL_DATABASE}" nextcloud mysql
saveDB ${nextcloudDBName} "${nextcloud_MYSQL_USER}" "${nextcloud_MYSQL_PASSWORD}" "${nextcloud_MYSQL_DATABASE}" nextcloud mysql
;;
paheko)
# rien à faire (fichiers)
;;
mattermost)
echo "save mattermost"
. $KAZ_BIN_DIR/getPasswords.sh mattermostDB
saveDB matterPG "${mattermostDB_POSTGRES_USER}" "${mattermostDB_POSTGRES_PASSWORD}" "${mattermostDB_POSTGRES_DB}" mattermost postgres
saveDB matterPG "${mattermost_POSTGRES_USER}" "${mattermost_POSTGRES_PASSWORD}" "${mattermost_POSTGRES_DB}" mattermost postgres
;;
mobilizon)
echo "save mobilizon"
. $KAZ_BIN_DIR/getPasswords.sh mobilizonDB
saveDB ${mobilizonDBName} "${mobilizonDB_POSTGRES_USER}" "${mobilizonDB_POSTGRES_PASSWORD}" "${mobilizonDB_POSTGRES_DB}" mobilizon postgres
saveDB ${mobilizonDBName} "${mobilizon_POSTGRES_USER}" "${mobilizon_POSTGRES_PASSWORD}" "${mobilizon_POSTGRES_DB}" mobilizon postgres
;;
peertube)
echo "save peertube"
. $KAZ_BIN_DIR/getPasswords.sh peertubeDB
saveDB ${peertubeDBName} "${peertubeDB_POSTGRES_USER}" "${peertubeDB_POSTGRES_PASSWORD}" "${peertubeDB_PEERTUBE_DB_HOSTNAME}" peertube postgres
saveDB ${peertubeDBName} "${peertube_POSTGRES_USER}" "${peertube_POSTGRES_PASSWORD}" "${PEERTUBE_DB_HOSTNAME}" peertube postgres
;;
mastodon)
echo "save mastodon"
. $KAZ_BIN_DIR/getPasswords.sh mastodonDB
saveDB ${mastodonDBName} "${mastodonDB_POSTGRES_USER}" "${mastodonDB_POSTGRES_PASSWORD}" "${mastodonDB_POSTGRES_DB}" mastodon postgres
saveDB ${mastodonDBName} "${mastodon_POSTGRES_USER}" "${mastodon_POSTGRES_PASSWORD}" "${mastodon_POSTGRES_DB}" mastodon postgres
;;
roundcube)
echo "save roundcube"
. $KAZ_BIN_DIR/getPasswords.sh roundcubeDB
saveDB ${roundcubeDBName} "${roundcubeDB_MYSQL_USER}" "${roundcubeDB_MYSQL_PASSWORD}" "${roundcubeDB_MYSQL_DATABASE}" roundcube mysql
saveDB ${roundcubeDBName} "${roundcube_MYSQL_USER}" "${roundcube_MYSQL_PASSWORD}" "${roundcube_MYSQL_DATABASE}" roundcube mysql
;;
vaultwarden)
echo "save vaultwarden"
. $KAZ_BIN_DIR/getPasswords.sh vaultwardenDB
saveDB ${vaultwardenDBName} "${vaultwardenDB_MYSQL_USER}" "${vaultwardenDB_MYSQL_PASSWORD}" "${vaultwardenDB_MYSQL_DATABASE}" vaultwarden mysql
saveDB ${vaultwardenDBName} "${vaultwarden_MYSQL_USER}" "${vaultwarden_MYSQL_PASSWORD}" "${vaultwarden_MYSQL_DATABASE}" vaultwarden mysql
;;
dokuwiki)
# rien à faire (fichiers)
;;
*-orga)
ORGA=${compose%-orga}
echo "save ${ORGA}"
echo "save ${ORGA}"
if grep -q "cloud:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then
echo " => cloud"
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB
saveDB "${ORGA}-DB" "${MYSQL_USER}" "${MYSQL_PASSWORD}" "${MYSQL_DATABASE}" "${ORGA}-cloud" mysql
saveDB "${ORGA}-DB" "${nextcloud_MYSQL_USER}" "${nextcloud_MYSQL_PASSWORD}" "${nextcloud_MYSQL_DATABASE}" "${ORGA}-cloud" mysql
fi
if grep -q "agora:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then
echo " => mattermost"
. $KAZ_KEY_DIR/orgas/$ORGA/env-mattermostDB
saveDB "${ORGA}-DB" "${MYSQL_USER}" "${MYSQL_PASSWORD}" "${MYSQL_DATABASE}" "${ORGA}-mattermost" mysql
saveDB "${ORGA}-DB" "${mattermost_MYSQL_USER}" "${mattermost_MYSQL_PASSWORD}" "${mattermost_MYSQL_DATABASE}" "${ORGA}-mattermost" mysql
fi
if grep -q "wordpress:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then
echo " => wordpress"
. $KAZ_KEY_DIR/orgas/$ORGA/env-wpDB
saveDB "${ORGA}-DB" "${MYSQL_USER}" "${MYSQL_PASSWORD}" "${MYSQL_DATABASE}" "${ORGA}-wordpress" mysql
saveDB "${ORGA}-DB" "${wp_MYSQL_USER}" "${wp_MYSQL_PASSWORD}" "${wp_MYSQL_DATABASE}" "${ORGA}-wordpress" mysql
fi
;;
esac

87
bin/createDBUsers.sh
View File

@@ -1,87 +0,0 @@
#!/bin/bash
KAZ_ROOT=$(cd $(dirname $0)/..; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars
# pour mise au point
# SIMU=echo
# Améliorations à prévoir
# - donner en paramètre les services concernés (pour limité les modifications)
# - pour les DB si on déclare un nouveau login, alors les privilèges sont créé mais les anciens pas révoqués
. "${DOCKERS_ENV}"
. "${KAZ_KEY_DIR}/SetAllPass.sh"
createMysqlUser(){
# $1 = envName
# $2 = containerName of DB
. $KAZ_BIN_DIR/getPasswords.sh $1
rootPass="$1_MYSQL_ROOT_PASSWORD"
dbName="$1_MYSQL_DATABASE"
userName="$1_MYSQL_USER"
userPass="$1_MYSQL_PASSWORD"
# seulement si pas de mdp pour root
# pb oeuf et poule (il faudrait les anciennes valeurs) :
# * si rootPass change, faire à la main
# * si dbName change, faire à la main
checkDockerRunning "$2" "$2" || return
echo "change DB pass on docker $2"
echo "grant all privileges on ${!dbName}.* to '${!userName}' identified by '${!userPass}';" | \
docker exec -i $2 bash -c "mysql --user=root --password=${!rootPass}"
}
framadateUpdate(){
[[ "${COMP_ENABLE}" =~ " framadate " ]] || return
if [ ! -f "${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php" ]; then
return 0
fi
.$KAZ_BIN_DIR/getPasswords.sh framadateDB framadateServ
checkDockerRunning "${framadateServName}" "Framadate" &&
${SIMU} docker exec -ti "${framadateServName}" bash -c -i "htpasswd -bc /var/framadate/admin/.htpasswd ${framadateServ_HTTPD_USER} ${framadateServ_HTTPD_PASSWORD}"
${SIMU} sed -i \
-e "s/^#*const DB_USER[ ]*=.*$/const DB_USER= '${framadateDB_MYSQL_USER}';/g" \
-e "s/^#*const DB_PASSWORD[ ]*=.*$/const DB_PASSWORD= '${framadateDB_MYSQL_PASSWORD}';/g" \
"${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php"
}
jirafeauUpdate(){
[[ "${COMP_ENABLE}" =~ " jirafeau " ]] || return
if [ ! -f "${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php" ]; then
return 0
fi
. $KAZ_BIN_DIR/getPasswords.sh jirafeauServ
SHA=$(echo -n "${jirafeauServ_HTTPD_PASSWORD}" | sha256sum | cut -d \ -f 1)
${SIMU} sed -i \
-e "s/'admin_password'[ ]*=>[ ]*'[^']*'/'admin_password' => '${SHA}'/g" \
"${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php"
}
####################
# main
createMysqlUser "etherpadDB" "${etherpadDBName}"
createMysqlUser "framadateDB" "${framadateDBName}"
createMysqlUser "giteaDB" "${gitDBName}"
createMysqlUser "mattermostDB" "${mattermostDBName}"
createMysqlUser "nextcloudDB" "${nextcloudDBName}"
createMysqlUser "roundcubeDB" "${roundcubeDBName}"
createMysqlUser "sympaDB" "${sympaDBName}"
createMysqlUser "vigiloDB" "${vigiloDBName}"
createMysqlUser "wpDB" "${wordpressDBName}"
createMysqlUser "vaultwardenDB" "${vaultwardenDBName}"
createMysqlUser "castopodDB" "${castopodDBName}"
createMysqlUser "spipDB" "${spipDBName}"
createMysqlUser "mastodonDB" "${mastodonDBName}"
framadateUpdate
jirafeauUpdate
exit 0

104
bin/createEmptyPasswd.sh Executable file
View File

@@ -0,0 +1,104 @@
#!/bin/bash
cd $(dirname $0)/..
mkdir -p emptySecret
rsync -aHAX --info=progress2 --delete secret/ emptySecret/
cd emptySecret/
. ../config/dockers.env
. ./SetAllPass.sh
# pour mise au point
# SIMU=echo
cleanEnvDB(){
# $1 = prefix
# $2 = envName
# $3 = containerName of DB
rootPass="--root_password--"
dbName="--database_name--"
userName="--user_name--"
userPass="--user_password--"
${SIMU} sed -i \
-e "s/MYSQL_ROOT_PASSWORD=.*/MYSQL_ROOT_PASSWORD=${rootPass}/g" \
-e "s/MYSQL_DATABASE=.*/MYSQL_DATABASE=${dbName}/g" \
-e "s/MYSQL_USER=.*/MYSQL_USER=${userName}/g" \
-e "s/MYSQL_PASSWORD=.*/MYSQL_PASSWORD=${userPass}/g" \
"$2"
}
cleanEnv(){
# $1 = prefix
# $2 = envName
for varName in $(grep "^[a-zA-Z_]*=" $2 | sed "s/^\([^=]*\)=.*/\1/g")
do
srcName="$1_${varName}"
srcVal="--clean_val--"
${SIMU} sed -i \
-e "s~^[ ]*${varName}=.*$~${varName}=${srcVal}~" \
"$2"
done
}
cleanPasswd(){
${SIMU} sed -i \
-e 's/^\([# ]*[^#= ]*\)=".[^{][^"]*"/\1="--clean_val--"/g' \
./SetAllPass.sh
}
####################
# main
# read -r -p "Do you want to remove all password? [Y/n] " input
# case $input in
# [yY][eE][sS]|[yY])
# echo "Remove all password"
# ;;
# [nN][oO]|[nN])
# echo "Abort"
# ;;
# *)
# echo "Invalid input..."
# exit 1
# ;;
# esac
cleanPasswd
cleanEnvDB "etherpad" "./env-${etherpadDBName}" "${etherpadDBName}"
cleanEnvDB "framadate" "./env-${framadateDBName}" "${framadateDBName}"
cleanEnvDB "git" "./env-${gitDBName}" "${gitDBName}"
cleanEnvDB "mattermost" "./env-${mattermostDBName}" "${mattermostDBName}"
cleanEnvDB "nextcloud" "./env-${nextcloudDBName}" "${nextcloudDBName}"
cleanEnvDB "roundcube" "./env-${roundcubeDBName}" "${roundcubeDBName}"
cleanEnvDB "sso" "./env-${ssoDBName}" "${ssoDBName}"
cleanEnvDB "sympa" "./env-${sympaDBName}" "${sympaDBName}"
cleanEnvDB "vigilo" "./env-${vigiloDBName}" "${vigiloDBName}"
cleanEnvDB "wp" "./env-${wordpressDBName}" "${wordpressDBName}"
cleanEnv "etherpad" "./env-${etherpadServName}"
cleanEnv "gandi" "./env-gandi"
cleanEnv "jirafeau" "./env-${jirafeauServName}"
cleanEnv "mattermost" "./env-${mattermostServName}"
cleanEnv "nextcloud" "./env-${nextcloudServName}"
cleanEnv "office" "./env-${officeServName}"
cleanEnv "roundcube" "./env-${roundcubeServName}"
cleanEnv "sso" "./env-${ssoServName}"
cleanEnv "vigilo" "./env-${vigiloServName}"
cleanEnv "wp" "./env-${wordpressServName}"
cat > allow_admin_ip <<EOF
# ip for admin access only
# local test
allow 127.0.0.0/8;
allow 192.168.0.0/16;
EOF
chmod -R go= .
chmod -R +X .

7
bin/createSrcDocker.sh
View File

@@ -3,13 +3,14 @@
cd $(dirname $0)
./setOwner.sh
./createEmptyPasswd.sh
cd ../..
FILE_NAME="/tmp/$(date +'%Y%m%d')-KAZ.tar.bz2"
FILE_NAME="/tmp/$(date +'%Y%M%d')-KAZ.tar.bz2"
tar -cjf "${FILE_NAME}" --transform s/secret.tmpl/secret/ \
./kaz/secret.tmpl/ ./kaz/bin ./kaz/config ./kaz/dockers
tar -cjf "${FILE_NAME}" --transform s/emptySecret/secret/ \
./kaz/emptySecret/ ./kaz/bin ./kaz/config ./kaz/dockers
ls -l "${FILE_NAME}"

5
bin/createUser.py Executable file
View File

@@ -0,0 +1,5 @@
#!/usr/bin/python3
from lib.user import create_users_from_file
create_users_from_file()

42
bin/createUser.sh
View File

@@ -37,9 +37,7 @@ setKazVars
cd "${KAZ_ROOT}"
. "${DOCKERS_ENV}"
. $KAZ_BIN_DIR/getPasswords.sh ldapServ sympaServ paheko
. "${KAZ_KEY_DIR}/SetAllPass.sh"
# DOCK_DIR="${KAZ_COMP_DIR}" # ???
@@ -223,7 +221,6 @@ dos2unix "${TFILE_MM}"
echo "done"
# se connecter à l'agora pour ensuite pouvoir passer toutes les commandes mmctl
. $KAZ_KEY_DIR/env-mattermostAdmin
echo "docker exec -i mattermostServ bin/mmctl auth login ${httpProto}://${URL_AGORA} --name local-server --username ${mattermost_user} --password ${mattermost_pass}" | tee -a "${CMD_INIT}"
# vérif des emails
@@ -396,9 +393,9 @@ nextcloudEnabled: TRUE\n\
nextcloudQuota: ${QUOTA} GB\n\
mobilizonEnabled: TRUE\n\
agoraEnabled: TRUE\n\
userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}"
userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldap_LDAP_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}"
fi
#userPassword: {CRYPT}\$6\$${pass}\n\n\" | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldapServ_LDAP_CONFIG_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldapServ_LDAP_CONFIG_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}"
#userPassword: {CRYPT}\$6\$${pass}\n\n\" | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldap_LDAP_CONFIG_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldap_LDAP_CONFIG_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}"
CREATE_ORGA_SERVICES=""
@@ -427,16 +424,15 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
MESSAGE_MAIL_ORGA_1="${MESSAGE_MAIL_ORGA_1}${NL}* un bureau virtuel pour stocker des fichiers/calendriers/contacts et partager avec vos connaissances : ${httpProto}://${URL_NC}"
# le user existe t-il déjà sur NC ?
. $KAZ_KEY_DIR/env-nextcloudServ
curl -o "${TEMP_USER_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}"
curl -o "${TEMP_USER_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}"
if grep -q "<element>${IDENT_KAZ}</element>" "${TEMP_USER_NC}"; then
echo "${IDENT_KAZ} existe déjà sur ${URL_NC}" | tee -a "${LOG}"
else
# on créé l'utilisateur sur NC sauf si c'est le NC général, on ne créé jamais l'utilisateur7
if [ ${URL_NC} != "${cloudHost}.${domain}" ]; then
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudServ
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \
-d userid='${IDENT_KAZ}' \
-d displayName='${PRENOM} ${NOM}' \
-d password='${PASSWORD}' \
@@ -449,22 +445,19 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# s'il est admin de son orga, on le met admin
if [ "${service[ADMIN_ORGA]}" == "O" -a "${ORGA}" != "" -a "${service[NC_ORGA]}" == "O" ]; then
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudServ
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid='admin'" | tee -a "${CMD_INIT}"
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${nextcloud_NEXTCLOUD_ADMIN_USER}:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid='admin'" | tee -a "${CMD_INIT}"
fi
# faut-il mettre le user NC dans un groupe particulier sur le NC de base ?
if [ "${GROUPE_NC_BASE}" != "" -a "${service[NC_BASE]}" == "O" ]; then
# ici on travaille à nouveau sur le NC commun, donc on rechoppe les bons mdp
. $KAZ_KEY_DIR/env-nextcloudServ
# le groupe existe t-il déjà ?
curl -o "${TEMP_GROUP_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups?search=${GROUPE_NC_BASE}"
curl -o "${TEMP_GROUP_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups?search=${GROUPE_NC_BASE}"
nb=$(grep "<element>${GROUPE_NC_BASE}</element>" "${TEMP_GROUP_NC}" | wc -l)
if [ "${nb}" == "0" ];then
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}"
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}"
fi
# puis attacher le user au groupe
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}"
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}"
fi
fi
@@ -490,8 +483,7 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# TODO : vérif existance user
# # le user existe t-il déjà sur le wp ?
# . $KAZ_BIN_DIR/getPasswords.sh wpServ
# curl -o "${TEMP_USER_WP}" -X GET "${httpProto}://${wpServ_WORDPRESS_ADMIN_USER}:${wpServ_WORDPRESS_ADMIN_PASSWORD}@${URL_WP_ORGA}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}"
# curl -o "${TEMP_USER_WP}" -X GET "${httpProto}://${wp_WORDPRESS_ADMIN_USER}:${wp_WORDPRESS_ADMIN_PASSWORD}@${URL_WP_ORGA}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}"
# nb_user_wp_orga=$(grep "<element>${IDENT_KAZ}</element>" "${TEMP_USER_WP}" | wc -l)
# if [ "${nb_user_wp_orga}" != "0" ];then
# (
@@ -509,7 +501,7 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# ) | tee -a "${LOG}"
#
# # on supprime l'utilisateur sur NC.
# echo "curl -X DELETE -H 'OCS-APIRequest:true' ${httpProto}://admin:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \
# echo "curl -X DELETE -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \
# -d userid='${IDENT_KAZ}' \
# " | tee -a "${CMD_INIT}"
# fi
@@ -627,13 +619,13 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=https://listes.kaz.sns/sympasoap --trusted_application=SOAP_USER --trusted_application_password=SOAP_PASSWORD --proxy_vars="USER_EMAIL=contact1@kaz.sns" --service=which
if [[ "${mode}" = "dev" ]]; then
echo "# DEV, on teste l'inscription à sympa"| tee -a "${CMD_SYMPA}"
LISTMASTER=$(echo ${sympaServ_LISTMASTERS} | cut -d',' -f1)
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}"
LISTMASTER=$(echo ${sympa_LISTMASTERS} | cut -d',' -f1)
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}"
else
echo "# PROD, on inscrit à sympa"| tee -a "${CMD_SYMPA}"
LISTMASTER=$(echo ${sympaServ_LISTMASTERS} | cut -d',' -f1)
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}"
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SECOURS}\"" | tee -a "${CMD_SYMPA}"
LISTMASTER=$(echo ${sympa_LISTMASTERS} | cut -d',' -f1)
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}"
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SECOURS}\"" | tee -a "${CMD_SYMPA}"
fi
if [ "${service[ADMIN_ORGA]}" == "O" ]; then

1
bin/gestContainers.sh
View File

@@ -7,6 +7,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
. $KAZ_ROOT/bin/.commonFunctions.sh
setKazVars
. $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh
. $KAZ_ROOT/secret/env-kaz
PRG=$(basename $0)

2
bin/gestContainers_v2.sh
View File

@@ -7,7 +7,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
. $KAZ_ROOT/bin/.commonFunctions.sh
setKazVars
. $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh
PRG=$(basename $0)

90
bin/gestUsers.sh
View File

@@ -8,7 +8,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
setKazVars
. $DOCKERS_ENV
. $KAZ_BIN_DIR/getPasswords.sh ldapServ nextcloudServ sympaServ paheko
. $KAZ_ROOT/secret/SetAllPass.sh
VERSION="18-05-2025"
PRG=$(basename $0)
@@ -24,7 +24,7 @@ URL_PAHEKO="$httpProto://${paheko_API_USER}:${paheko_API_PASSWORD}@kaz-paheko.$(
NL_LIST=infos@listes.kaz.bzh
URL_AGORA_API=${URL_AGORA}/api/v4
EQUIPE=kaz
LISTMASTER=$(echo ${sympaServ_LISTMASTERS} | cut -d',' -f1)
LISTMASTER=$(echo ${sympa_LISTMASTERS} | cut -d',' -f1)
#### Test du serveur sur lequel s' execute le script ####
@@ -47,8 +47,6 @@ rm -rf /tmp/*.json
############################################ Fonctions #######################################################
ExpMail() {
. $KAZ_KEY_DIR/env-mail
MAIL_DEST=$1
MAIL_SUJET=$2
MAIL_TEXTE=$3
@@ -60,7 +58,6 @@ ExpMail() {
}
PostMattermost() {
. $KAZ_KEY_DIR/env-mattermostAdmin
PostM=$1
CHANNEL=$2
TEAMID=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA_API}/teams/name/${EQUIPE}" | jq .id | sed -e 's/"//g')
@@ -94,8 +91,8 @@ searchEmail() {
fi
done
ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=${SEARCH_OBJECT_CLASS})(cn=*${RMAIL}*))" cn | grep ^cn | sed -e 's/^cn: //' >$TFILE_EMAILS
COMPTEUR_LIGNE=0
while read LIGNE
@@ -139,8 +136,7 @@ searchEmail() {
searchMattermost() {
#Ici $1 est une adresse email
. $KAZ_KEY_DIR/env-mattermostAdmin
docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings auth login $httpProto://$URL_AGORA --name local-server --username $mattermost_user --password $mattermost_pass >/dev/null 2>&1
docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings auth login $httpProto://$URL_AGORA --name local-server --username $mattermost_user --password $mattermost_pass >/dev/null 2>&1
docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings config set ServiceSettings.EnableAPIUserDeletion "true" >/dev/null 2>&1
#on créé la list des mails dans mattermost
docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings user list --all >${TFILE_MAILS_MATTERMOST} 2>/dev/null
@@ -186,12 +182,12 @@ infoEmail() {
printKazMsg " DETAILS DU COMPTE DANS NEXTCLOUD PRINCIPAL"
echo -e ""
#TEMP_USER_NC=$(mktemp /tmp/$RACINE.XXXXXXXXX.TEMP_USER_NC)
#curl -s -o $TEMP_USER_NC -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=$CHOIX_MAIL
#curl -s -o $TEMP_USER_NC -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=$CHOIX_MAIL
#cat $TEMP_USER_NC | grep -i "element" | sed -e s/[\<\>\/]//g | sed -e s/element//g
echo -ne "${NC}"
echo -ne " - Nextcloud enable : "
echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudEnabled | cut -c 18-30
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudEnabled | cut -c 18-30
echo -ne "${NC}"
echo -e "${NC} ------------------------------------------------"
printKazMsg " DETAILS DU COMPTE DANS LDAP ET PAHEKO"
@@ -207,11 +203,11 @@ infoEmail() {
echo -ne "${NC}"
echo -n " - Quota Mail (Ldap) : "
echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i mailquota | cut -c 11-60
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i mailquota | cut -c 11-60
echo -ne "${NC}"
echo -n " - Quota Nextcloud (Ldap) : "
echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudquota | cut -c 17-60
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudquota | cut -c 17-60
echo -ne "${NC}"
echo -n " - Mail de secours (Paheko ): "
echo -ne "${GREEN}"
@@ -219,11 +215,11 @@ infoEmail() {
echo -ne "${NC}"
echo -n " - Mail de secours (Ldap): "
echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i maildeSecours | sed -e 's/mailDeSecours://'
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i maildeSecours | sed -e 's/mailDeSecours://'
echo -ne "${NC}"
echo -n " - Alias (Ldap) : "
echo -ne "${GREEN}"
LDAP_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i alias | cut -c 11-60)
LDAP_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i alias | cut -c 11-60)
echo -ne "${NC}"
echo -ne "${GREEN}"
for ldap_alias in ${LDAP_ALIAS}
@@ -243,8 +239,8 @@ infoEmail() {
echo "------------------------------------------------"
echo " Alias : ${CHOIX_MAIL} "
echo ""
for INFOALIAS in $(ldapsearch -H ldap://${LDAP_IP} -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${CHOIX_MAIL}*))" mail \
for INFOALIAS in $(ldapsearch -H ldap://${LDAP_IP} -x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" -b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${CHOIX_MAIL}*))" mail \
| grep ^mail: | sed -e 's/^mail://')
do
echo -ne "=====> ${GREEN} "
@@ -311,12 +307,12 @@ searchDestroy() {
fi
echo -e "${NC}"
echo -e "Recherche de ${GREEN} ${REP_SEARCH_DESTROY} ${NC} dans nextcloud"
USER_NEXTCLOUD_SUPPR=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${REP_SEARCH_DESTROY} | grep element | sed -s 's/[ \<\>\/]//g' | sed 's/element//g')
USER_NEXTCLOUD_SUPPR=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${REP_SEARCH_DESTROY} | grep element | sed -s 's/[ \<\>\/]//g' | sed 's/element//g')
if [ ! -z ${USER_NEXTCLOUD_SUPPR} ]
then
printKazMsg "le user trouvé est : ${USER_NEXTCLOUD_SUPPR}"
echo -e "${RED} Suppresion de ${USER_NEXTCLOUD_SUPPR}"
curl -H 'OCS-APIREQUEST: true' -X DELETE $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_SUPPR} >/dev/null 2>&1
curl -H 'OCS-APIREQUEST: true' -X DELETE $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_SUPPR} >/dev/null 2>&1
if [ "$?" -eq "0" ]
then
printKazMsg "Suppresion ok"
@@ -331,7 +327,7 @@ searchDestroy() {
echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans la liste info de sympa"
echo -e "${NC}"
echo ""
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${REP_SEARCH_DESTROY}"
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${REP_SEARCH_DESTROY}"
echo -e "${NC}"
echo ""
echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans le serveur de mail"
@@ -348,7 +344,7 @@ searchDestroy() {
echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans le ldap"
echo -e "${NC}"
echo ""
ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" "cn=${REP_SEARCH_DESTROY},ou=users,${ldap_root}"
ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" "cn=${REP_SEARCH_DESTROY},ou=users,${ldap_root}"
if [ "$?" -eq "0" ]
then
printKazMsg "Suppresion ok"
@@ -381,8 +377,8 @@ gestPassword() {
# MAIL_SECOURS=$(jq .results[].email_secours $FICMAILSECOURS | sed -e 's/\"//g')
MAIL_SECOURS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${CHOIX_MAIL}*))" | grep ^mailDeSecours | sed -e 's/^mailDeSecours: //')
if [ "$MAIL_SECOURS" = "" ]
then
@@ -409,19 +405,19 @@ gestPassword() {
fi
if [ "$SEARCH_RESET_INPUT" = "o" ] || [ "$SEARCH_RESET_INPUT" = "O" ]
then
USER_NEXTCLOUD_MODIF=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${COMPTE_A_MODIFIER} | grep element | sed -e 's/[ \<\>\/]//g' -e 's/element//g')
USER_NEXTCLOUD_MODIF=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${COMPTE_A_MODIFIER} | grep element | sed -e 's/[ \<\>\/]//g' -e 's/element//g')
echo -e "$GREEN Compte à modifier = $RED ${COMPTE_A_MODIFIER} ${NC}"
echo -e "$GREEN Mail de secours = $RED ${MAIL_SECOURS} ${NC}"
echo -e "$GREEN Compte $RED $(searchMattermost $COMPTE_A_MODIFIER) ${NC}"
echo -e "$GREEN Compte Nextcloud $RED ${USER_NEXTCLOUD_MODIF} ${NC}"
echo -e "$GREEN Le mot de passe sera = $RED ${PASSWORD} ${NC}"
docker exec -ti mattermostServ bin/mmctl user change-password $(searchMattermost $COMPTE_A_MODIFIER) -p $PASSWORD >/dev/null 2>&1
curl -H 'OCS-APIREQUEST: true' -X PUT $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_MODIF} -d key=password -d value=${PASSWORD} >/dev/null 2>&1
curl -H 'OCS-APIREQUEST: true' -X PUT $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_MODIF} -d key=password -d value=${PASSWORD} >/dev/null 2>&1
pass=$(mkpasswd -m sha512crypt ${PASSWORD})
echo -e "\n\ndn: cn=${COMPTE_A_MODIFIER},ou=users,${ldap_root}\n\
changeType: modify\n\
replace: userPassword\n\
userPassword: {CRYPT}${pass}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}"
userPassword: {CRYPT}${pass}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}"
echo -e "Envoi d'un message dans mattermost pour la modification du mot de passe"
docker exec -ti mattermostServ bin/mmctl post create kaz:Creation-Comptes --message "Le mot de passe du compte ${COMPTE_A_MODIFIER} a été modifié" >/dev/null 2>&1
if [ $ADRESSE_SEC == "OUI" ]
@@ -469,8 +465,8 @@ createMail() {
if [[ ${EMAIL_SOUHAITE} =~ ${regexMail} ]]
then
ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=${EMAIL_SOUHAITE}))" cn | grep ^cn | sed -e 's/^cn: //' >$TFILE_EMAILS
if grep -q "^${EMAIL_SOUHAITE}$" "${TFILE_EMAILS}"
then
@@ -568,7 +564,7 @@ nextcloudEnabled: ${TRUE_KAZ}\n\
nextcloudQuota: ${QUOTA} GB\n\
mobilizonEnabled: ${TRUE_KAZ}\n\
agoraEnabled: ${TRUE_KAZ}\n\
userPassword: {CRYPT}${LDAPPASS}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}" >${TFILE_CREATE_MAIL}
userPassword: {CRYPT}${LDAPPASS}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldap_LDAP_ADMIN_PASSWORD}" >${TFILE_CREATE_MAIL}
# on execute le fichier avec les données ldap pour créer l' entrée dans l' annuaire
bash ${TFILE_CREATE_MAIL} >/dev/null
# on colle le compte et le mot de passe dans le fichier
@@ -614,12 +610,12 @@ createAlias() {
if [[ ${AMAIL} =~ ${regexMail} ]]
then
RESU_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${AMAIL}*))" | grep ^cn | sed -e 's/^cn: //')
RESU_ALIAS_IS_MAIL=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${AMAIL}*))" cn | grep ^cn | sed -e 's/^cn: //')
if echo ${RESU_ALIAS} | grep -q "^${AMAIL}$" || echo ${RESU_ALIAS_IS_MAIL} | grep -q "^${AMAIL}$"
@@ -694,7 +690,7 @@ changeType: add\n\
objectClass: organizationalRole\n\
objectClass: PostfixBookMailForward\n\
mailAlias: ${AMAIL}\n\
${LDAPALAISMAIL}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
${LDAPALAISMAIL}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
fait=1
printKazMsg "Création de ${AMAIL}"
sleep 3
@@ -726,8 +722,8 @@ delAlias() {
if [[ ${RALIAS} =~ ${regexMail} ]]
then
RESU_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=${RALIAS}))" cn | grep ^cn | sed -e 's/^cn: //')
if [ ! -z ${RESU_ALIAS} ]
then
@@ -737,7 +733,7 @@ delAlias() {
read -p "suppression de ${RESU_ALIAS} ? (o/n): " REPDELALIAS
case "${REPDELALIAS}" in
o | O )
ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" "cn=${RESU_ALIAS},ou=mailForwardings,${ldap_root}"
ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" "cn=${RESU_ALIAS},ou=mailForwardings,${ldap_root}"
printKazMsg "suppression ${RESU_ALIAS} effectuée"
sleep 2
faitdel=1
@@ -773,8 +769,8 @@ modifyAlias()
ACHANGE=0
searchEmail alias
LISTE_MAIL_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${CHOIX_MAIL}*))" \
| grep -i ^mail: | sed -e 's/^mail: /_/' | tr -d [:space:] | sed -s 's/_/ /g')
echo "-------------------------------------------------------------------"
@@ -849,8 +845,8 @@ modifyAlias()
echo "mail: ${key}" >>${FIC_MODIF_LDIF}
done
echo "-" >>${FIC_MODIF_LDIF}
ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-x -w ${ldapServ_LDAP_ADMIN_PASSWORD} \
ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-x -w ${ldap_LDAP_ADMIN_PASSWORD} \
-f ${FIC_MODIF_LDIF} >/dev/null
else
printKazMsg "Pas de changement"
@@ -876,8 +872,8 @@ updateUser() {
for attribut in mailDeSecours mailAlias mailQuota nextcloudQuota
do
ATTRIB+=([${attribut}]=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${CHOIX_MAIL}*))" \
| grep ^"${attribut}": | sed -e 's/^'${attribut}': //' | tr -s '[:space:]' ' ' ))
# si l' attribut est mailDesecours on l' attrape et on on le stocke pour pouvoir l' enlever de sympa
@@ -1060,15 +1056,15 @@ updateUser() {
done
cat ${FIC_MODIF_LDIF}
sleep 3
ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-x -w ${ldapServ_LDAP_ADMIN_PASSWORD} \
ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \
-x -w ${ldap_LDAP_ADMIN_PASSWORD} \
-f ${FIC_MODIF_LDIF}
if [ ! -z ${MAILDESECOURS} ]
then
# suppression du mail de secours de la liste infos
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${MAILDESECOURSACTUEL}"
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${MAILDESECOURSACTUEL}"
# ajout de l' adresse de la nouvelle adresse de secours
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=add --service_parameters="${NL_LIST},${MAILDESECOURS}"
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=add --service_parameters="${NL_LIST},${MAILDESECOURS}"
fi
updateUser
fi

63
bin/getPasswords.sh
View File

@@ -1,63 +0,0 @@
#!/bin/bash
KAZ_ROOT=$(cd "$(dirname $0)/.."; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
PRG=$(basename $0)
usage() {
echo "${PRG} [OPTIONS] [envname ...]
Récupère les variables d'environnement présentes dans /kaz/secret/env-envname et crée des variables à partir de ces noms là.
Les variables sont du type envname_NOMVARIABLE=valeur
On peut passer plusieurs fichiers env, à partir du moment ou ils sont tous dans le même répertoire !
OPTIONS
-h|--help Cette aide :-)
-n|--simu SIMULATION
-d foldername prend les envfiles dans un sous dossier /kaz/secret/foldername/ (pour les orgas !)
Les variables seront du type foldername-envname_NOMVARIABLE=valeur
"
}
for ARG in "$@"; do
if [ -n "${DIRECTORYARG}" ]; then # après un -d
SUBDIRECTORY="${ARG}"
DIRECTORYARG=
else
case "${ARG}" in
'-d' | '--directory' | '-f' | '--folder' | '--foldername')
DIRECTORYARG="ON ATTEND UN REPERTOIRE APRES CA" ;;
'-h' | '--help' )
usage && exit ;;
'-n' | '--simu')
SIMU="echo" ;;
*)
ENVFILES="${ENVFILES} ${ARG%}";;
esac
fi
done
NB_FILES=$(echo "${ENVFILES}" | wc -w )
if [[ $NB_FILES = 0 ]]; then
usage
exit 1
fi
for ENVFILE in $ENVFILES; do
FILENAME="$KAZ_KEY_DIR/env-$ENVFILE"
VARNAME="$ENVFILE"_
if [ -n "${SUBDIRECTORY}" ]; then
FILENAME="$KAZ_KEY_DIR/orgas/$SUBDIRECTORY/env-$ENVFILE"
VARNAME="${SUBDIRECTORY}-${ENVFILE}_"
fi
if ! [ -f "$FILENAME" ]; then
echo "$FILENAME does not exist."
continue
fi
# formule magique qui crée des variables envname_NOMVARIABLE=la valeur trouvé (le sed vire les commentaires et les lignes vides)
# on pourrait se contenter d'un "source env-file", mais avec un prefix dans les variables pour savoir ce qu'on manipule c'est bien aussi ...
$SIMU export $(sed -e 's/#.*//' -e '/^\s*$/d' "$FILENAME" | awk -F= -v ENV="$VARNAME" '{output=output" "ENV$1"="$2} END {print output}')
done

3
bin/init.sh
View File

@@ -214,6 +214,7 @@ fi
if [ ! -d "${KAZ_ROOT}/secret" ]; then
rsync -a "${KAZ_ROOT}/secret.tmpl/" "${KAZ_ROOT}/secret/"
. "${KAZ_ROOT}/secret/SetAllPass.sh"
"${KAZ_BIN_DIR}/secretGen.sh"
"${KAZ_BIN_DIR}/createDBUsers.sh"
"${KAZ_BIN_DIR}/updateDockerPassword.sh"
fi

2
bin/install.sh
View File

@@ -123,6 +123,8 @@ export DebugLog="${KAZ_ROOT}/log/log-install-$(date +%y-%m-%d-%T)-"
if [[ " ${DOCKERS_LIST[*]} " =~ " traefik " ]]; then
# on initialise traefik :-(
${KAZ_COMP_DIR}/traefik/first.sh
# on démarre traefik (plus lancé dans container.sh)
docker-compose -f ${KAZ_COMP_DIR}/traefik/docker-compose.yml up -d
fi
if [[ " ${DOCKERS_LIST[*]} " =~ " etherpad " ]]; then

3
bin/interoPaheko.sh
View File

@@ -6,8 +6,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
setKazVars
. $DOCKERS_ENV
. $KAZ_BIN_DIR/getPasswords.sh paheko
. $KAZ_ROOT/secret/SetAllPass.sh
URL_PAHEKO="$httpProto://${paheko_API_USER}:${paheko_API_PASSWORD}@kaz-paheko.$(echo $domain)"

4
bin/ldap/ldapvi.sh
View File

@@ -5,7 +5,7 @@ KAZ_ROOT=/kaz
setKazVars
. $DOCKERS_ENV
. $KAZ_BIN_DIR/getPasswords.sh ldapServ
. $KAZ_ROOT/secret/SetAllPass.sh
LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
@@ -20,4 +20,4 @@ EDITOR=${EDITOR:-vi}
EDITOR=${EDITOR:-vi}
export EDITOR=${EDITOR}
ldapvi -h $LDAP_IP -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldapServ_LDAP_ADMIN_PASSWORD} --discover
ldapvi -h $LDAP_IP -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldap_LDAP_ADMIN_PASSWORD} --discover

10
bin/ldap/migrate_to_ldap.sh
View File

@@ -8,7 +8,7 @@ KAZ_ROOT=/kaz
setKazVars
. $DOCKERS_ENV
. $KAZ_BIN_DIR/getPasswords.sh ldapServ paheko
. $KAZ_ROOT/secret/SetAllPass.sh
ACCOUNTS=/kaz/dockers/postfix/config/postfix-accounts.cf
@@ -126,7 +126,7 @@ replace: agoraEnabled\n\
agoraEnabled: TRUE\n\
-\n\
replace: mobilizonEnabled\n\
mobilizonEnabled: TRUE\n\n" | tee /tmp/ldap/${mail}.ldif | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
mobilizonEnabled: TRUE\n\n" | tee /tmp/ldap/${mail}.ldif | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
done
#replace: nextcloudEnabled\n\
@@ -164,7 +164,7 @@ do
echo -e "dn: cn=${mail},ou=users,${ldap_root}\n\
changeType: modify
replace: mailAlias\n\
$LIST\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
$LIST\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
else
echo "Alias vers un mail externe, go fichier"
echo $line >> ${ALIASES_WITHLDAP}
@@ -185,7 +185,7 @@ replace: mailAlias\n\
mailAlias: ${src}\n\
-\n\
replace: mail\n\
mail: ${dst}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
mail: ${dst}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
fi
else
echo "Forward vers plusieurs adresses, on met dans le fichier"
@@ -215,7 +215,7 @@ replace: mailAlias\n\
mailAlias: ${src}\n\
-\n\
replace: mail\n\
${LIST}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
${LIST}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
fi
done

5
bin/ldap/tests/nc_orphans.sh
View File

@@ -6,16 +6,15 @@ setKazVars
. $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh
. $KAZ_BIN_DIR/getPasswords.sh ldapServ nextcloudDB
LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
docker exec -i nextcloudDB mysql --user=${nextcloudDB_MYSQL_USER} --password=${nextcloudDB_MYSQL_PASSWORD} ${nextcloudDB_MYSQL_DATABASE} <<< "select uid from oc_users;" > /tmp/nc_users.txt
docker exec -i nextcloudDB mysql --user=${nextcloud_MYSQL_USER} --password=${nextcloud_MYSQL_PASSWORD} ${nextcloud_MYSQL_DATABASE} <<< "select uid from oc_users;" > /tmp/nc_users.txt
OLDIFS=${IFS}
IFS=$'\n'
for line in `cat /tmp/nc_users.txt`; do
result=$(ldapsearch -h $LDAP_IP -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldapServ_LDAP_ADMIN_PASSWORD} -b $ldap_root -x "(identifiantKaz=${line})" | grep numEntries)
result=$(ldapsearch -h $LDAP_IP -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldap_LDAP_ADMIN_PASSWORD} -b $ldap_root -x "(identifiantKaz=${line})" | grep numEntries)
echo "${line} ${result}" | grep -v "numEntries: 1" | grep -v "^uid"
done
IFS=${OLDIFS}

15
bin/lib/config.py Normal file
View File

@@ -0,0 +1,15 @@
DOCKERS_ENV = "/kaz/config/dockers.env"
SECRETS = "/kaz/secret/env-{serv}"
def getDockersConfig(key):
with open(DOCKERS_ENV) as config:
for line in config:
if line.startswith(f"{key}="):
return line.split("=", 1)[1].split("#")[0].strip()
def getSecretConfig(serv, key):
with open(SECRETS.format(serv=serv)) as config:
for line in config:
if line.startswith(f"{key}="):
return line.split("=", 2)[1].split("#")[0].strip()

101
bin/lib/ldap.py Normal file
View File

@@ -0,0 +1,101 @@
import ldap
from passlib.hash import sha512_crypt
from email_validator import validate_email, EmailNotValidError
import subprocess
from .config import getDockersConfig, getSecretConfig
class Ldap:
def __init__(self):
self.ldap_connection = None
self.ldap_root = getDockersConfig("ldap_root")
self.ldap_admin_username = getSecretConfig("ldapServ", "LDAP_ADMIN_USERNAME")
self.ldap_admin_password = getSecretConfig("ldapServ", "LDAP_ADMIN_PASSWORD")
cmd="docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ"
self.ldap_host = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT).strip().decode()
def __enter__(self):
self.ldap_connection = ldap.initialize(f"ldap://{self.ldap_host}")
self.ldap_connection.simple_bind_s("cn={},{}".format(self.ldap_admin_username, self.ldap_root), self.ldap_admin_password)
return self
def __exit__(self, tp, e, traceback):
self.ldap_connection.unbind_s()
def get_email(self, email):
"""
Vérifier si un utilisateur avec cet email existe dans le LDAP soit comme mail principal soit comme alias
"""
# Créer une chaîne de filtre pour rechercher dans les champs "cn" et "mailAlias"
filter_str = "(|(cn={})(mailAlias={}))".format(email, email)
result = self.ldap_connection.search_s("ou=users,{}".format(self.ldap_root), ldap.SCOPE_SUBTREE, filter_str)
return result
def delete_user(self, email):
"""
Supprimer un utilisateur du LDAP par son adresse e-mail
"""
try:
# Recherche de l'utilisateur
result = self.ldap_connection.search_s("ou=users,{}".format(self.ldap_root), ldap.SCOPE_SUBTREE, "(cn={})".format(email))
if not result:
return False # Utilisateur non trouvé
# Récupération du DN de l'utilisateur
dn = result[0][0]
# Suppression de l'utilisateur
self.ldap_connection.delete_s(dn)
return True # Utilisateur supprimé avec succès
except ldap.NO_SUCH_OBJECT:
return False # Utilisateur non trouvé
except ldap.LDAPError as e:
return False # Erreur lors de la suppression
def create_user(self, email, prenom, nom, password, email_secours, quota):
"""
Créer une nouvelle entrée dans le LDAP pour un nouvel utilisateur. QUESTION: A QUOI SERVENT PRENOM/NOM/IDENT_KAZ DANS LE LDAP ? POURQUOI 3 QUOTA ?
"""
password_chiffre = sha512_crypt.hash(password)
if not validate_email(email) or not validate_email(email_secours):
return False
if self.get_email(email):
return False
# Construire le DN
dn = f"cn={email},ou=users,{self.ldap_root}"
mod_attrs = [
('objectClass', [b'inetOrgPerson', b'PostfixBookMailAccount', b'nextcloudAccount', b'kaznaute']),
('sn', f'{prenom} {nom}'.encode('utf-8')),
('mail', email.encode('utf-8')),
('mailEnabled', b'TRUE'),
('mailGidNumber', b'5000'),
('mailHomeDirectory', f"/var/mail/{email.split('@')[1]}/{email.split('@')[0]}/".encode('utf-8')),
('mailQuota', f'{quota}G'.encode('utf-8')),
('mailStorageDirectory', f"maildir:/var/mail/{email.split('@')[1]}/{email.split('@')[0]}/".encode('utf-8')),
('mailUidNumber', b'5000'),
('mailDeSecours', email_secours.encode('utf-8')),
('identifiantKaz', f'{prenom.lower()}.{nom.lower()}'.encode('utf-8')),
('quota', str(quota).encode('utf-8')),
('nextcloudEnabled', b'TRUE'),
('nextcloudQuota', f'{quota} GB'.encode('utf-8')),
('mobilizonEnabled', b'TRUE'),
('agoraEnabled', b'TRUE'),
('userPassword', f'{{CRYPT}}{password_chiffre}'.encode('utf-8')),
('cn', email.encode('utf-8'))
]
self.ldap_connection.add_s(dn, mod_attrs)
return True

134
bin/lib/mattermost.py Normal file
View File

@@ -0,0 +1,134 @@
import subprocess
from .config import getDockersConfig, getSecretConfig
mattermost_user = getSecretConfig("mattermostServ", "MM_ADMIN_USER")
mattermost_pass = getSecretConfig("mattermostServ", "MM_ADMIN_PASSWORD")
mattermost_url = f"https://{getDockersConfig('matterHost')}.{getDockersConfig('domain')}"
mmctl = "docker exec -i mattermostServ bin/mmctl"
class Mattermost:
def __init__(self):
pass
def __enter__(self):
self.authenticate()
return self
def __exit__(self, tp, e, traceback):
self.logout()
def authenticate(self):
# Authentification sur MM
cmd = f"{mmctl} auth login {mattermost_url} --name local-server --username {mattermost_user} --password {mattermost_pass}"
subprocess.run(cmd, shell=True, stderr=subprocess.STDOUT, check=True)
def logout(self):
# Authentification sur MM
cmd = f"{mmctl} auth clean"
subprocess.run(cmd, shell=True, stderr=subprocess.STDOUT, check=True)
def post_message(self, message, equipe="kaz", canal="creation-comptes"):
"""
Envoyer un message dans une Equipe/Canal de MM
"""
cmd = f"{mmctl} post create {equipe}:{canal} --message \"{message}\""
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()
def get_user(self, user):
"""
Le user existe t-il sur MM ?
"""
try:
cmd = f"{mmctl} user search {user} --json"
user_list_output = subprocess.check_output(cmd, shell=True)
return True # Le nom d'utilisateur existe
except subprocess.CalledProcessError:
return False
def create_user(self, user, email, password):
"""
Créer un utilisateur sur MM
"""
cmd = f"{mmctl} user create --email {email} --username {user} --password {password}"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()
def delete_user(self, email):
"""
Supprimer un utilisateur sur MM
"""
cmd = f"{mmctl} user delete {email} --confirm"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()
def update_password(self, email, new_password):
"""
Changer un password pour un utilisateur de MM
"""
cmd = f"{mmctl} user change-password {email} --password {new_password}"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()
def add_user_to_team(self, email, equipe):
"""
Affecte un utilisateur à une équipe MM
"""
cmd = f"{mmctl} team users add {equipe} {email}"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()
def add_user_to_channel(self, email, equipe, canal):
"""
Affecte un utilisateur à un canal MM
"""
cmd = f'{mmctl} channel users add {equipe}:{canal} {email}'
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()
def get_teams(self):
"""
Lister les équipes sur MM
"""
cmd = f"{mmctl} team list --disable-pager"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
data_list = output.decode("utf-8").strip().split('\n')
data_list.pop()
return data_list
def create_team(self, equipe, email):
"""
Créer une équipe sur MM et affecter un admin si email est renseigné (set admin marche pô)
"""
#DANGER: l'option --email ne rend pas le user admin de l'équipe comme c'est indiqué dans la doc :(
cmd = f"{mmctl} team create --name {equipe} --display-name {equipe} --private --email {email}"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
#Workaround: on récup l'id du user et de l'équipe pour affecter le rôle "scheme_admin": true, "scheme_user": true avec l'api MM classique.
#TODO:
return output.decode()
def delete_team(self, equipe):
"""
Supprimer une équipe sur MM
"""
cmd = f"{mmctl} team delete {equipe} --confirm"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()

134
bin/lib/paheko.py Normal file
View File

@@ -0,0 +1,134 @@
import re
import requests
from .config import getDockersConfig, getSecretConfig
paheko_ident = getDockersConfig("paheko_API_USER")
paheko_pass = getDockersConfig("paheko_API_PASSWORD")
paheko_auth = (paheko_ident, paheko_pass)
paheko_url = f"https://kaz-paheko.{getDockersConfig('domain')}"
class Paheko:
def get_categories(self):
"""
Récupérer les catégories Paheko avec le compteur associé
"""
api_url = paheko_url + '/api/user/categories'
response = requests.get(api_url, auth=paheko_auth)
if response.status_code == 200:
data = response.json()
return data
else:
return None
def get_users_in_categorie(self,categorie):
"""
Afficher les membres d'une catégorie Paheko
"""
if not categorie.isdigit():
return 'Id de category non valide', 400
api_url = paheko_url + '/api/user/category/'+categorie+'.json'
response = requests.get(api_url, auth=paheko_auth)
if response.status_code == 200:
data = response.json()
return data
else:
return None
def get_user(self,ident):
"""
Afficher un membre de Paheko par son email kaz ou son numéro ou le non court de l'orga
"""
emailmatchregexp = re.compile(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$")
if emailmatchregexp.match(ident):
data = { "sql": f"select * from users where email='{ident}' or alias = '{ident}'" }
api_url = paheko_url + '/api/sql/'
response = requests.post(api_url, auth=paheko_auth, data=data)
#TODO: if faut Rechercher count et vérifier que = 1 et supprimer le count=1 dans la réponse
elif ident.isdigit():
api_url = paheko_url + '/api/user/'+ident
response = requests.get(api_url, auth=paheko_auth)
else:
nomorga = re.sub(r'\W+', '', ident) # on vire les caractères non alphanumérique
data = { "sql": f"select * from users where admin_orga=1 and nom_orga='{nomorga}'" }
api_url = paheko_url + '/api/sql/'
response = requests.post(api_url, auth=paheko_auth, data=data)
#TODO:if faut Rechercher count et vérifier que = 1 et supprimer le count=1 dans la réponse
if response.status_code == 200:
data = response.json()
if data["count"] == 1:
return data["results"][0]
elif data["count"] == 0:
return None
else:
return data["results"]
else:
return None
def set_user(self,ident,field,new_value):
"""
Modifie la valeur d'un champ d'un membre paheko (ident= numéro paheko ou email kaz)
"""
#récupérer le numero paheko si on fournit un email kaz
emailmatchregexp = re.compile(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$")
if emailmatchregexp.match(ident):
data = { "sql": f"select id from users where email='{ident}'" }
api_url = paheko_url + '/api/sql/'
response = requests.post(api_url, auth=paheko_auth, data=data)
if response.status_code == 200:
#on extrait l'id de la réponse
data = response.json()
if data['count'] == 0:
print("email non trouvé")
return None
elif data['count'] > 1:
print("trop de résultat")
return None
else:
#OK
ident = data['results'][0]['id']
else:
print("pas de résultat")
return None
elif not ident.isdigit():
print("Identifiant utilisateur invalide")
return None
regexp = re.compile("[^a-zA-Z0-9 \\r\\n\\t" + re.escape(string.punctuation) + "]")
valeur = regexp.sub('',new_value) # mouais, il faudrait être beaucoup plus précis ici en fonction des champs qu'on accepte...
champ = re.sub(r'\W+','',field) # pas de caractères non alphanumériques ici, dans l'idéal, c'est à choisir dans une liste plutot
api_url = paheko_url + '/api/user/'+str(ident)
payload = {champ: valeur}
response = requests.post(api_url, auth=paheko_auth, data=payload)
return response.json()
def get_users_with_action(self, action):
"""
retourne tous les membres de paheko avec une action à mener (création du compte kaz / modification...)
"""
api_url = paheko_url + '/api/sql/'
payload = { "sql": f"select * from users where action_auto='{action}'" }
response = requests.post(api_url, auth=paheko_auth, data=payload)
if response.status_code == 200:
return response.json()
else:
return None

40
bin/lib/sympa.py Normal file
View File

@@ -0,0 +1,40 @@
import subprocess
from email_validator import validate_email, EmailNotValidError
from .config import getDockersConfig, getSecretConfig
sympa_user = getSecretConfig("sympaServ", "SOAP_USER")
sympa_pass = getSecretConfig("sympaServ", "SOAP_PASSWORD")
sympa_listmaster = getSecretConfig("sympaServ", "ADMINEMAIL")
sympa_url = f"https://{getDockersConfig('sympaHost')}.{getDockersConfig('domain')}"
sympa_soap = "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl"
sympa_domain = getDockersConfig('domain_sympa')
sympa_liste_info = "infos"
# docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}"
class Sympa:
def _execute_sympa_command(self, email, liste, service):
if validate_email(email) and validate_email(liste):
cmd = f'{sympa_soap} --soap_url={sympa_url}/sympasoap --trusted_application={sympa_user} --trusted_application_password={sympa_pass} --proxy_vars=USER_EMAIL={sympa_listmaster} --service={service} --service_parameters="{liste},{email}" && echo $?'
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
return output.decode()
def add_email_to_list(self, email, liste=sympa_liste_info):
"""
Ajouter un email dans une liste sympa
"""
output = self._execute_sympa_command(email, f"{liste}@{sympa_domain}", 'add')
return output
def delete_email_from_list(self, email, liste=sympa_liste_info):
"""
Supprimer un email dans une liste sympa
"""
output = self._execute_sympa_command(email, f"{liste}@{sympa_domain}", 'del')
return output

8
bin/lib/template.py Normal file
View File

@@ -0,0 +1,8 @@
import jinja2
templateLoader = jinja2.FileSystemLoader(searchpath="../templates")
templateEnv = jinja2.Environment(loader=templateLoader)
def render_template(filename, args):
template = templateEnv.get_template(filename)
return template.render(args)

213
bin/lib/user.py Normal file
View File

@@ -0,0 +1,213 @@
from email_validator import validate_email, EmailNotValidError
from glob import glob
import tempfile
import subprocess
import re
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
import smtplib
from .paheko import Paheko
from .ldap import Ldap
from .mattermost import Mattermost
from .sympa import Sympa
from .template import render_template
from .config import getDockersConfig, getSecretConfig
DEFAULT_FILE = "/kaz/tmp/createUser.txt"
webmail_url = f"https://webmail.{getDockersConfig('domain')}"
mattermost_url = f"https://agora.{getDockersConfig('domain')}"
mdp_url = f"https://mdp.{getDockersConfig('domain')}"
sympa_url = f"https://listes.{getDockersConfig('domain')}"
site_url = f"https://{getDockersConfig('domain')}"
cloud_url = f"https://cloud.{getDockersConfig('domain')}"
def _generate_password(self):
cmd="apg -n 1 -m 10 -M NCL -d"
output = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
new_password="_"+output.decode("utf-8")+"_"
return new_password
def create_user(email, email_secours, admin_orga, nom_orga, quota_disque, nom, prenom, nc_orga, garradin_orga, wp_orga, agora_orga, wiki_orga, nc_base, groupe_nc_base, equipe_agora, password=None):
email = email.lower()
with Ldap() as ldap:
# est-il déjà dans le ldap ? (mail ou alias)
if ldap.get_email(email):
print(f"ERREUR 1: {email} déjà existant dans ldap. on arrête tout")
return None
#test nom orga
if admin_orga == 1:
if nom_orga is None:
print(f"ERREUR 0 sur paheko: {email} : nom_orga vide, on arrête tout")
return
if not bool(re.match(r'^[a-z0-9-]+$', nom_orga)):
print(f"ERREUR 0 sur paheko: {email} : nom_orga ({tab['nom_orga']}) incohérent (minuscule/chiffre/-), on arrête tout")
return
#test email_secours
email_secours = email_secours.lower()
if not validate_email(email_secours):
print("Mauvais email de secours")
return
#test quota
quota = quota_disque
if not quota.isdigit():
print(f"ERREUR 2: quota non numérique : {quota}, on arrête tout")
return
#on génère un password
password = password or _generate_password()
#on créé dans le ldap
#à quoi servent prenom/nom dans le ldap ?
data = {
"prenom": prenom,
"nom": nom,
"password": password,
"email_secours": email_secours,
"quota": quota
}
if not ldap.create_user(email, **data):
print("Erreur LDAP")
return
with Mattermost() as mm:
#on créé dans MM
user = email.split('@')[0]
mm.create_user(user, email, password)
mm.add_user_to_team(email, "kaz")
#et aux 2 canaux de base
mm.add_user_to_channel(email, "kaz", "une-question--un-soucis")
mm.add_user_to_channel(email, "kaz", "cafe-du-commerce--ouvert-2424h")
#on créé une nouvelle équipe ds MM si besoin
if admin_orga == 1:
mm.create_team(nom_orga, email)
#BUG: créer la nouvelle équipe n'a pas rendu l'email admin, on le rajoute comme membre simple
mm.add_user_to_team(email, nom_orga)
#on inscrit email et email_secours à la nl sympa_liste_info
sympa = Sympa()
sympa.add_email_to_list(email)
sympa.add_email_to_list(email_secours)
#on construit/envoie le mail
context = {
'ADMIN_ORGA': admin_orga,
'NOM': f"{prenom} {nom}",
'EMAIL_SOUHAITE': email,
'PASSWORD': password,
'QUOTA': quota_disque,
'URL_WEBMAIL': webmail_url,
'URL_AGORA': mattermost_url,
'URL_MDP': mdp_url,
'URL_LISTE': sympa_url,
'URL_SITE': site_url,
'URL_CLOUD': cloud_url,
}
html = render_template("email_inscription.html", context)
raw = render_template("email_inscription.txt", context)
message = MIMEMultipart()
message["Subject"] = "KAZ: confirmation d'inscription !"
message["From"] = f"contact@{getDockersConfig('domain')}"
message["To"] = f"{email}, {email_secours}"
message.attach(MIMEText(raw, "plain"))
message.attach(MIMEText(html, "html"))
with smtplib.SMTP(f"mail.{getDockersConfig('domain')}", 25) as server:
server.sendmail(f"contact@{getDockersConfig('domain')}", [email,email_secours], message.as_string())
#on met le flag paheko action à Aucune
paheko = Paheko()
try:
paheko.set_user(email, "action_auto", "Aucune")
except:
print(f"Erreur paheko pour remettre action_auto = Aucune pour {email}")
#on post sur MM pour dire ok
with Mattermost() as mm:
msg=f"**POST AUTO** Inscription réussie pour {email} avec le secours {email_secours} Bisou!"
mm.post_message(message=msg)
def create_waiting_users():
"""
Créé les kaznautes en attente: inscription sur MM / Cloud / email + msg sur MM + email à partir de action="a créer" sur paheko
"""
#verrou pour empêcher de lancer en même temps la même api
prefixe="create_user_lock_"
if glob(f"{tempfile.gettempdir()}/{prefixe}*"):
print("Lock présent")
return None
lock_file = tempfile.NamedTemporaryFile(prefix=prefixe,delete=True)
#qui sont les kaznautes à créer ?
paheko = Paheko()
liste_kaznautes = paheko.get_users_with_action("A créer")
if liste_kaznautes:
count=liste_kaznautes['count']
if count==0:
print("aucun nouveau kaznaute à créer")
return
#au moins un kaznaute à créer
for tab in liste_kaznautes['results']:
create_user(**tab)
print("fin des inscriptions")
def create_users_from_file(file=DEFAULT_FILE):
"""
Créé les kaznautes en attente: inscription sur MM / Cloud / email + msg sur MM + email à partir du ficher
"""
#verrou pour empêcher de lancer en même temps la même api
prefixe="create_user_lock_"
if glob(f"{tempfile.gettempdir()}/{prefixe}*"):
print("Lock présent")
return None
lock_file = tempfile.NamedTemporaryFile(prefix=prefixe,delete=True)
#qui sont les kaznautes à créer ?
liste_kaznautes = []
with open(file) as lines:
for line in lines:
line = line.strip()
if not line.startswith("#") and line != "":
user_data = line.split(';')
user_dict = {
"nom": user_data[0],
"prenom": user_data[1],
"email": user_data[2],
"email_secours": user_data[3],
"nom_orga": user_data[4],
"admin_orga": user_data[5],
"nc_orga": user_data[6],
"garradin_orga": user_data[7],
"wp_orga": user_data[8],
"agora_orga": user_data[9],
"wiki_orga": user_data[10],
"nc_base": user_data[11],
"groupe_nc_base": user_data[12],
"equipe_agora": user_data[13],
"quota_disque": user_data[14],
"password": user_data[15],
}
liste_kaznautes.append(user_dict)
if liste_kaznautes:
for tab in liste_kaznautes:
create_user(**tab)
print("fin des inscriptions")

16
bin/manageAgora.sh
View File

@@ -83,8 +83,7 @@ Init(){
[ $? -ne 0 ] && printKazError "$DockerServName ne parvient pas à démarrer correctement : impossible de terminer l'install" && return 1 >& $QUIET
# creation compte admin
_getPasswords
${SIMU} curl -i -d "{\"email\":\"${mattermostServ_MM_ADMIN_EMAIL}\",\"username\":\"${mattermost_user}\",\"password\":\"${mattermost_pass}\",\"allow_marketing\":true}" "${MATTER_URL}/api/v4/users"
${SIMU} curl -i -d "{\"email\":\"${mattermost_MM_ADMIN_EMAIL}\",\"username\":\"${mattermost_user}\",\"password\":\"${mattermost_pass}\",\"allow_marketing\":true}" "${MATTER_URL}/api/v4/users"
MM_TOKEN=$(_getMMToken ${MATTER_URL})
@@ -99,13 +98,12 @@ Version(){
_getMMToken(){
#$1 MATTER_URL
_getPasswords
${SIMU} curl -i -s -d "{\"login_id\":\"${mattermost_user}\",\"password\":\"${mattermost_pass}\"}" "${1}/api/v4/users/login" | grep 'token' | sed 's/token:\s*\(.*\)\s*/\1/' | tr -d '\r'
}
PostMessage(){
printKazMsg "Envoi à $TEAM : $MESSAGE" >& $QUIET
_getPasswords
${SIMU} docker exec -ti "${DockerServName}" bin/mmctl auth login "${MATTER_URL}" --name local-server --username ${mattermost_user} --password ${mattermost_pass}
${SIMU} docker exec -ti "${DockerServName}" bin/mmctl post create "${TEAM}" --message "${MESSAGE}"
}
@@ -115,16 +113,6 @@ MmctlCommand(){
${SIMU} docker exec -u 33 "$DockerServName" bin/mmctl $1
}
_getPasswords(){
# récupération des infos du compte admin
if [ -n "$AGORACOMMUN" ] ; then
. $KAZ_KEY_DIR/env-mattermostAdmin
. $KAZ_BIN_DIR/getPasswords.sh mattermostServ
else
. $KAZ_KEY_DIR/orgas/${ORGA}/env-mattermostAdmin
. $KAZ_BIN_DIR/getPasswords.sh -d ${ORGA} mattermostServ
fi
}
########## Main #################
for ARG in "$@"; do

15
bin/manageCastopod.sh
View File

@@ -63,12 +63,11 @@ Init(){
cookies=$(curl -c - ${POD_URL})
CSRF_TOKEN=$(curl --cookie <(echo "$cookies") ${POD_URL}/cp-install | grep "csrf_test_name" | sed "s/.*value=.//" | sed "s/.>//")
_getPasswords
#echo ${CSRF_TOKEN}
${SIMU} curl --cookie <(echo "$cookies") -X POST \
-d "username=${ADMIN_USER}" \
-d "password=${ADMIN_PASSWORD}" \
-d "email=${ADMIN_MAIL}" \
-d "username=${castopod_ADMIN_USER}" \
-d "password=${castopod_ADMIN_PASSWORD}" \
-d "email=${castopod_ADMIN_MAIL}" \
-d "csrf_test_name=${CSRF_TOKEN}" \
"${POD_URL}/cp-install/create-superadmin"
@@ -79,13 +78,7 @@ Version(){
echo "Version $DockerServName : ${GREEN}${VERSION}${NC}"
}
_getPasswords(){
if [ -n "$CASTOPOD_COMMUN" ]; then
. $KAZ_KEY_DIR/env-castopodAdmin
else
. $KAZ_KEY_DIR/orgas/$ORGA/env-castopodAdmin
fi
}
########## Main #################
for ARG in "$@"; do

34
bin/manageCloud.sh
View File

@@ -32,7 +32,7 @@ OPTIONS
-n|--simu SIMULATION
-q|--quiet On ne parle pas (utile avec le -n pour avoir que les commandes)
--nas L'orga se trouve sur le NAS !
COMMANDES (on peut en mettre plusieurs dans l'ordre souhaité)
-I|--install L'initialisation du cloud
-v|--version Donne la version du cloud et signale les MàJ
@@ -75,7 +75,7 @@ Init(){
CONF_FILE="${NAS_VOL}/orga_${ORGA}-cloudConfig/_data/config.php"
fi
firstInstall "$CLOUD_URL" "$CONF_FILE" "$NOM"
firstInstall "$CLOUD_URL" "$CONF_FILE" " NextCloud de $NOM"
updatePhpConf "$CONF_FILE"
InstallApplis
echo "${CYAN} *** Paramétrage richdocuments pour $ORGA${NC}" >& $QUIET
@@ -100,38 +100,25 @@ firstInstall(){
# $2 phpConfFile
# $3 orga
if ! grep -q "'installed' => true," "$2" 2> /dev/null; then
printKazMsg "\n *** Premier lancement nextcloud $3" >& $QUIET
_getPasswords
printKazMsg "\n *** Premier lancement de $3" >& $QUIET
${SIMU} waitUrl "$1"
${SIMU} curl -X POST \
-d "install=true" \
-d "adminlogin=${NEXTCLOUD_ADMIN_USER}" \
-d "adminpass=${NEXTCLOUD_ADMIN_PASSWORD}" \
-d "adminlogin=${nextcloud_NEXTCLOUD_ADMIN_USER}" \
-d "adminpass=${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}" \
-d "directory=/var/www/html/data" \
-d "dbtype=mysql" \
-d "dbuser=${MYSQL_USER}" \
-d "dbpass=${MYSQL_PASSWORD}" \
-d "dbname=${MYSQL_DATABASE}" \
-d "dbhost=${MYSQL_HOST}" \
-d "dbuser=${nextcloud_MYSQL_USER}" \
-d "dbpass=${nextcloud_MYSQL_PASSWORD}" \
-d "dbname=${nextcloud_MYSQL_DATABASE}" \
-d "dbhost=${nextcloud_MYSQL_HOST}" \
-d "install-recommended-apps=true" \
"$1"
fi
}
_getPasswords(){
if [ -n "$CLOUDCOMMUN" ]; then
. $KAZ_KEY_DIR/env-nextcloudServ
. $KAZ_KEY_DIR/env-nextcloudDB
else
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudServ
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB
fi
}
setOfficeUrl(){
# Did le 25 mars les offices sont tous normalisé sur les serveurs https://${site}-${officeHost}.${domain}
#OFFICE_URL="https://${officeHost}.${domain}"
@@ -144,14 +131,13 @@ setOfficeUrl(){
}
initLdap(){
. $KAZ_BIN_DIR/getPasswords.sh ldapServ
# $1 Nom du cloud
echo "${CYAN} *** Installation LDAP pour $1${NC}" >& $QUIET
occCommand "app:enable user_ldap" "${DockerServName}"
occCommand "ldap:delete-config s01" "${DockerServName}"
occCommand "ldap:create-empty-config" "${DockerServName}"
occCommand "ldap:set-config s01 ldapAgentName cn=cloud,ou=applications,${ldap_root}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapAgentPassword ${ldapServ_LDAP_CLOUD_PASSWORD}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapAgentPassword ${ldap_LDAP_CLOUD_PASSWORD}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapBase ${ldap_root}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapBaseGroups ${ldap_root}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapBaseUsers ou=users,${ldap_root}" "${DockerServName}"

18
bin/manageWiki.sh
View File

@@ -55,7 +55,15 @@ Init(){
PLG_DIR="${VOL_PREFIX}wikiPlugins/_data"
CONF_DIR="${VOL_PREFIX}wikiConf/_data"
. $KAZ_BIN_DIR/getPasswords.sh dokuwiki
# Gael, j'avais ajouté ça mais j'ai pas test alors je laisse comme avant ...
# A charge au prochain qui monte un wiki de faire qque chose
#WIKI_ROOT="${dokuwiki_WIKI_ROOT}"
#WIKI_EMAIL="${dokuwiki_WIKI_EMAIL}"
#WIKI_PASS="${dokuwiki_WIKI_PASSWORD}"
WIKI_ROOT=Kaz
WIKI_EMAIL=wiki@kaz.local
WIKI_PASS=azerty
${SIMU} checkDockerRunning "${DockerServName}" "${NOM}" || exit
@@ -69,11 +77,11 @@ Init(){
-d "l=fr" \
-d "d[title]=${NOM}" \
-d "d[acl]=true" \
-d "d[superuser]=${dokuwiki_WIKI_ROOT}" \
-d "d[superuser]=${WIKI_ROOT}" \
-d "d[fullname]=Admin"\
-d "d[email]=${dokuwiki_WIKI_EMAIL}" \
-d "d[password]=${dokuwiki_WIKI_PASSWORD}" \
-d "d[confirm]=${dokuwiki_WIKI_PASSWORD}" \
-d "d[email]=${WIKI_EMAIL}" \
-d "d[password]=${WIKI_PASS}" \
-d "d[confirm]=${WIKI_PASS}" \
-d "d[policy]=1" \
-d "d[allowreg]=false" \
-d "d[license]=0" \

8
bin/manageWp.sh
View File

@@ -61,11 +61,11 @@ Init(){
echo "\n *** Premier lancement de WP" >& $QUIET
${SIMU} waitUrl "${WP_URL}"
. $KAZ_BIN_DIR/getPasswords.sh wpServ
${SIMU} curl -X POST \
-d "user_name=${wpServ_WORDPRESS_ADMIN_USER}" \
-d "admin_password=${wpServ_WORDPRESS_ADMIN_PASSWORD}" \
-d "admin_password2=${wpServ_WORDPRESS_ADMIN_PASSWORD}" \
-d "user_name=${wp_WORDPRESS_ADMIN_USER}" \
-d "admin_password=${wp_WORDPRESS_ADMIN_PASSWORD}" \
-d "admin_password2=${wp_WORDPRESS_ADMIN_PASSWORD}" \
-d "pw_weak=true" \
-d "admin_email=admin@kaz.bzh" \
-d "blog_public=0" \

3
bin/migration.sh
View File

@@ -20,7 +20,8 @@ ${SIMU} "${CV1}" stop orga
${SIMU} "${CV1}" stop
${SIMU} rsync "${EV1}/dockers.env" "${EV2}/"
${SIMU} rsync "${SV1}/" "${SV2}/"
${SIMU} rsync "${SV1}/SetAllPass.sh" "${SV2}/"
${SIMU} "${BV2}/updateDockerPassword.sh"
# XXX ? rsync /kaz/secret/allow_admin_ip /kaz-git/secret/allow_admin_ip

1
bin/nextcloud_maintenance.sh
View File

@@ -10,7 +10,6 @@ URL_AGORA=https://$matterHost.$domain/api/v4
EQUIPE=kaz
PostMattermost() {
. $KAZ_KEY_DIR/env-mattermostAdmin
PostM=$1
CHANNEL=$2
TEAMID=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA}/teams/name/${EQUIPE}" | jq .id | sed -e 's/"//g')

2
bin/postfix-superviz.sh
View File

@@ -15,8 +15,6 @@ OLDIFS=$IFS
IFS=" "
COUNT_MAILQ=$(docker exec -t mailServ mailq | tail -n1 | gawk '{print $5}')
# récupération mots de passes
. $KAZ_KEY_DIR/env-mattermostAdmin
docker exec ${mattermostServName} bin/mmctl --suppress-warnings auth login $httpProto://$URL_AGORA --name local-server --username $mattermost_user --password $mattermost_pass >/dev/null 2>&1
if [ "${COUNT_MAILQ}" -gt "${MAX_QUEUE}" ]; then

2
bin/scriptBorg.sh
View File

@@ -17,7 +17,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
. $KAZ_ROOT/bin/.commonFunctions.sh
setKazVars
. $DOCKERS_ENV
. $KAZ_BIN_DIR/getPasswords.sh borg
. $KAZ_ROOT/secret/SetAllPass.sh
VERSION="V-10-03-2025"
PRG=$(basename $0)

82
bin/templates/email.css Normal file
View File

@@ -0,0 +1,82 @@
body {
font-family: Arial, sans-serif;
background-color: #f4f4f4;
margin: 0;
padding: 0;
}
.email-content {
background-color: #f0f0f0; /* Light gray background */
margin: 20px auto;
padding: 20px;
border: 1px solid #dddddd;
max-width: 600px;
width: 90%; /* This makes the content take 90% width of its container */
text-align: left; /* Remove text justification */
}
header {
background-color: #E16969;
color: white;
text-align: center;
height: 50px; /* Fixed height for header */
line-height: 50px; /* Vertically center the text */
width: 100%; /* Make header full width */
}
footer {
background-color: #E16969;
color: white;
text-align: center;
height: 50px; /* Fixed height for footer */
line-height: 50px; /* Vertically center the text */
width: 100%; /* Make footer full width */
}
.header-container {
position: relative; /* Pour positionner le logo et le texte dans le header */
height: 50px; /* Hauteur maximale du header */
}
.logo {
position: absolute; /* Pour positionner le logo */
max-height: 100%; /* Taille maximale du logo égale à la hauteur du header */
top: 0; /* Aligner le logo en haut */
left: 0; /* Aligner le logo à gauche */
margin-right: 10px; /* Marge à droite du logo */
}
.header-container h1, .footer-container p {
margin: 0;
font-size: 24px;
}
.footer-container p {
font-size: 12px;
}
.footer-container a {
color: #FFFFFF; /* White color for links in footer */
text-decoration: none;
}
.footer-container a:hover {
text-decoration: underline; /* Optional: add underline on hover */
}
a {
color: #E16969; /* Same color as header/footer background for all other links */
text-decoration: none;
}
a:hover {
text-decoration: underline; /* Optional: add underline on hover */
}
h2 {
color: #E16969;
}
p {
line-height: 1.6;
}

9
bin/templates/email_footer.html Normal file
View File

@@ -0,0 +1,9 @@
<footer>
<div class="footer-container">
<p>
Ici, on prend soin de vos données et on ne les vend pas !
<br>
<a href="https://kaz.bzh">https://kaz.bzh</a>
</p>
</div>
</footer>

6
bin/templates/email_header.html Normal file
View File

@@ -0,0 +1,6 @@
<header>
<div class="header-container">
<img class="logo" src="https://kaz-cloud.kaz.bzh/apps/theming/image/logo?v=33" alt="KAZ Logo">
<h1>Kaz : Le numérique sobre, libre, éthique et local</h1>
</div>
</header>

94
bin/templates/email_inscription.html Normal file
View File

@@ -0,0 +1,94 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Email d'inscription'</title>
<style>
{% include 'email.css' %}
</style>
</head>
<body>
{% include 'email_header.html' %}
<div class="email-content">
<p>
Bonjour {{NOM}}!<br><br>
Bienvenue chez KAZ!<br><br>
Vous disposez de :
<ul>
<li>une messagerie classique : <a href={{URL_WEBMAIL}}>{{URL_WEBMAIL}}</a></li>
<li>une messagerie instantanée pour discuter au sein d'équipes : <a href={{URL_AGORA}}>{{URL_AGORA}}</a></li>
</ul>
Votre email et identifiant pour ces services : {{EMAIL_SOUHAITE}}<br>
Le mot de passe : <b>{{PASSWORD}}</b><br><br>
Pour changer votre mot de passe de messagerie, c'est ici: <a href={{URL_MDP}}>{{URL_MDP}}</a><br>
Si vous avez perdu votre mot de passe, c'est ici: <a href={{URL_MDP}}/?action=sendtoken>{{URL_MDP}}/?action=sendtoken</a><br><br>
Vous pouvez accéder à votre messagerie classique:
<ul>
<li>soit depuis votre webmail : <a href={{URL_WEBMAIL}}>{{URL_WEBMAIL}}</a></li>
<li>soit depuis votre bureau virtuel : <a href={{URL_CLOUD}}>{{URL_CLOUD}}</a></li>
<li>soit depuis un client de messagerie comme thunderbird<br>
</ul>
</p>
{% if ADMIN_ORGA == '1' %}
<p>
En tant qu'association/famille/société. Vous avez la possibilité d'ouvrir, quand vous le voulez, des services kaz, il vous suffit de nous le demander.<br><br>
Pourquoi n'ouvrons-nous pas tous les services tout de suite ? parce que nous aimons la sobriété et que nous préservons notre espace disque ;)<br>
A quoi sert d'avoir un site web si on ne l'utilise pas, n'est-ce pas ?<br><br>
Par retour de mail, dites-nous de quoi vous avez besoin tout de suite entre:
<ul>
<li>une comptabilité : un service de gestion adhérents/clients</li>
<li>un site web de type WordPress</li>
<li>un cloud : bureau virtuel pour stocker des fichiers/calendriers/contacts et partager avec vos connaissances</li>
</ul>
Une fois que vous aurez répondu à ce mail, votre demande sera traitée manuellement.
</p>
{% endif %}
<p>
Vous avez quelques docs intéressantes sur le wiki de kaz:
<ul>
<li>Migrer son site internet wordpress vers kaz : <a href="https://wiki.kaz.bzh/wordpress/start#migrer_son_site_wordpress_vers_kaz">https://wiki.kaz.bzh/wordpress/start#migrer_son_site_wordpress_vers_kaz</a></li>
<li>Migrer sa messagerie vers kaz : <a href="https://wiki.kaz.bzh/messagerie/gmail/start">https://wiki.kaz.bzh/messagerie/gmail/start</a></li>
<li>Démarrer simplement avec son cloud : <a href="https://wiki.kaz.bzh/nextcloud/start">https://wiki.kaz.bzh/messagerie/gmail/start</a></li>
</ul>
Votre quota est de {{QUOTA}}GB. Si vous souhaitez plus de place pour vos fichiers ou la messagerie, faites-nous signe !<br><br>
Pour accéder à la messagerie instantanée et communiquer avec les membres de votre équipe ou ceux de kaz : <a href={{URL_AGORA}}/login>{{URL_AGORA}}/login</a><br>
</p>
{% if ADMIN_ORGA == '1' %}
<p>
Comme administrateur de votre organisation, vous pouvez créer des listes de diffusion en vous rendant sur <a href={{URL_LISTE}}>{{URL_LISTE}}</a><br>
</p>
{% endif %}
<p>
Enfin, vous disposez de tous les autres services KAZ où l'authentification n'est pas nécessaire : <a href={{URL_SITE}}>{{URL_SITE}}</a><br><br>
En cas de soucis, n'hésitez pas à poser vos questions sur le canal 'Une question ? un soucis' de l'agora dispo ici : <a href={{URL_AGORA}}>{{URL_AGORA}}</a><br><br>
Si vous avez besoin d'accompagnement pour votre site, votre cloud, votre compta, votre migration de messagerie,...<br>nous proposons des formations mensuelles gratuites. Si vous souhaitez être accompagné par un professionnel, nous pouvons vous donner une liste de pros, référencés par KAZ.<br><br>
À bientôt 😉<br><br>
La collégiale de KAZ.<br>
</p>
</div> <!-- <div class="email-content"> -->
{% include 'email_footer.html' %}
</body>
</html>

70
bin/templates/email_inscription.txt Normal file
View File

@@ -0,0 +1,70 @@
Bonjour {{NOM}}!
Bienvenue chez KAZ!<br><br>
Vous disposez de :
<ul>
<li>une messagerie classique : <a href={{URL_WEBMAIL}}>{{URL_WEBMAIL}}</a></li>
<li>une messagerie instantanée pour discuter au sein d'équipes : <a href={{URL_AGORA}}>{{URL_AGORA}}</a></li>
</ul>
Votre email et identifiant pour ces services : {{EMAIL_SOUHAITE}}<br>
Le mot de passe : <b>{{PASSWORD}}</b><br><br>
Pour changer votre mot de passe de messagerie, c'est ici: <a href={{URL_MDP}}>{{URL_MDP}}</a><br>
Si vous avez perdu votre mot de passe, c'est ici: <a href={{URL_MDP}}/?action=sendtoken>{{URL_MDP}}/?action=sendtoken</a><br><br>
Vous pouvez accéder à votre messagerie classique:
<ul>
<li>soit depuis votre webmail : <a href={{URL_WEBMAIL}}>{{URL_WEBMAIL}}</a></li>
<li>soit depuis votre bureau virtuel : <a href={{URL_CLOUD}}>{{URL_CLOUD}}</a></li>
<li>soit depuis un client de messagerie comme thunderbird<br>
</ul>
</p>
{% if ADMIN_ORGA == '1' %}
<p>
En tant qu'association/famille/société. Vous avez la possibilité d'ouvrir, quand vous le voulez, des services kaz, il vous suffit de nous le demander.<br><br>
Pourquoi n'ouvrons-nous pas tous les services tout de suite ? parce que nous aimons la sobriété et que nous préservons notre espace disque ;)<br>
A quoi sert d'avoir un site web si on ne l'utilise pas, n'est-ce pas ?<br><br>
Par retour de mail, dites-nous de quoi vous avez besoin tout de suite entre:
<ul>
<li>une comptabilité : un service de gestion adhérents/clients</li>
<li>un site web de type WordPress</li>
<li>un cloud : bureau virtuel pour stocker des fichiers/calendriers/contacts et partager avec vos connaissances</li>
</ul>
Une fois que vous aurez répondu à ce mail, votre demande sera traitée manuellement.
</p>
{% endif %}
<p>
Vous avez quelques docs intéressantes sur le wiki de kaz:
<ul>
<li>Migrer son site internet wordpress vers kaz : <a href="https://wiki.kaz.bzh/wordpress/start#migrer_son_site_wordpress_vers_kaz">https://wiki.kaz.bzh/wordpress/start#migrer_son_site_wordpress_vers_kaz</a></li>
<li>Migrer sa messagerie vers kaz : <a href="https://wiki.kaz.bzh/messagerie/gmail/start">https://wiki.kaz.bzh/messagerie/gmail/start</a></li>
<li>Démarrer simplement avec son cloud : <a href="https://wiki.kaz.bzh/nextcloud/start">https://wiki.kaz.bzh/messagerie/gmail/start</a></li>
</ul>
Votre quota est de {{QUOTA}}GB. Si vous souhaitez plus de place pour vos fichiers ou la messagerie, faites-nous signe !<br><br>
Pour accéder à la messagerie instantanée et communiquer avec les membres de votre équipe ou ceux de kaz : <a href={{URL_AGORA}}/login>{{URL_AGORA}}/login</a><br>
</p>
{% if ADMIN_ORGA == '1' %}
<p>
Comme administrateur de votre organisation, vous pouvez créer des listes de diffusion en vous rendant sur <a href={{URL_LISTE}}>{{URL_LISTE}}</a><br>
</p>
{% endif %}
<p>
Enfin, vous disposez de tous les autres services KAZ où l'authentification n'est pas nécessaire : <a href={{URL_SITE}}>{{URL_SITE}}</a><br><br>
En cas de soucis, n'hésitez pas à poser vos questions sur le canal 'Une question ? un soucis' de l'agora dispo ici : <a href={{URL_AGORA}}>{{URL_AGORA}}</a><br><br>
Si vous avez besoin d'accompagnement pour votre site, votre cloud, votre compta, votre migration de messagerie,...<br>nous proposons des formations mensuelles gratuites. Si vous souhaitez être accompagné par un professionnel, nous pouvons vous donner une liste de pros, référencés par KAZ.<br><br>
À bientôt 😉<br><br>
La collégiale de KAZ.<br>

127
bin/updateDockerPassword.sh Executable file
View File

@@ -0,0 +1,127 @@
#!/bin/bash
KAZ_ROOT=$(cd $(dirname $0)/..; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars
# pour mise au point
# SIMU=echo
# Améliorations à prévoir
# - donner en paramètre les services concernés (pour limité les modifications)
# - pour les DB si on déclare un nouveau login, alors les privilèges sont créé mais les anciens pas révoqués
. "${DOCKERS_ENV}"
. "${KAZ_KEY_DIR}/SetAllPass.sh"
updateEnvDB(){
# $1 = prefix
# $2 = envName
# $3 = containerName of DB
rootPass="$1_MYSQL_ROOT_PASSWORD"
dbName="$1_MYSQL_DATABASE"
userName="$1_MYSQL_USER"
userPass="$1_MYSQL_PASSWORD"
${SIMU} sed -i \
-e "s/MYSQL_ROOT_PASSWORD=.*/MYSQL_ROOT_PASSWORD=${!rootPass}/g" \
-e "s/MYSQL_DATABASE=.*/MYSQL_DATABASE=${!dbName}/g" \
-e "s/MYSQL_USER=.*/MYSQL_USER=${!userName}/g" \
-e "s/MYSQL_PASSWORD=.*/MYSQL_PASSWORD=${!userPass}/g" \
"$2"
# seulement si pas de mdp pour root
# pb oeuf et poule (il faudrait les anciennes valeurs) :
# * si rootPass change, faire à la main
# * si dbName change, faire à la main
checkDockerRunning "$3" "$3" || return
echo "change DB pass on docker $3"
echo "grant all privileges on ${!dbName}.* to '${!userName}' identified by '${!userPass}';" | \
docker exec -i $3 bash -c "mysql --user=root --password=${!rootPass}"
}
updateEnv(){
# $1 = prefix
# $2 = envName
for varName in $(grep "^[a-zA-Z_]*=" $2 | sed "s/^\([^=]*\)=.*/\1/g")
do
srcName="$1_${varName}"
srcVal=$(echo "${!srcName}" | sed -e "s/[&]/\\\&/g")
${SIMU} sed -i \
-e "s%^[ ]*${varName}=.*\$%${varName}=${srcVal}%" \
"$2"
done
}
framadateUpdate(){
[[ "${COMP_ENABLE}" =~ " framadate " ]] || return
if [ ! -f "${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php" ]; then
return 0
fi
checkDockerRunning "${framadateServName}" "Framadate" &&
${SIMU} docker exec -ti "${framadateServName}" bash -c -i "htpasswd -bc /var/framadate/admin/.htpasswd ${framadate_HTTPD_USER} ${framadate_HTTPD_PASSWORD}"
${SIMU} sed -i \
-e "s/^#*const DB_USER[ ]*=.*$/const DB_USER= '${framadate_MYSQL_USER}';/g" \
-e "s/^#*const DB_PASSWORD[ ]*=.*$/const DB_PASSWORD= '${framadate_MYSQL_PASSWORD}';/g" \
"${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php"
}
jirafeauUpdate(){
[[ "${COMP_ENABLE}" =~ " jirafeau " ]] || return
if [ ! -f "${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php" ]; then
return 0
fi
SHA=$(echo -n "${jirafeau_HTTPD_PASSWORD}" | sha256sum | cut -d \ -f 1)
${SIMU} sed -i \
-e "s/'admin_password'[ ]*=>[ ]*'[^']*'/'admin_password' => '${SHA}'/g" \
"${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php"
}
####################
# main
updateEnvDB "etherpad" "${KAZ_KEY_DIR}/env-${etherpadDBName}" "${etherpadDBName}"
updateEnvDB "framadate" "${KAZ_KEY_DIR}/env-${framadateDBName}" "${framadateDBName}"
updateEnvDB "gitea" "${KAZ_KEY_DIR}/env-${gitDBName}" "${gitDBName}"
updateEnvDB "nextcloud" "${KAZ_KEY_DIR}/env-${nextcloudDBName}" "${nextcloudDBName}"
updateEnvDB "roundcube" "${KAZ_KEY_DIR}/env-${roundcubeDBName}" "${roundcubeDBName}"
updateEnvDB "sympa" "${KAZ_KEY_DIR}/env-${sympaDBName}" "${sympaDBName}"
updateEnvDB "vigilo" "${KAZ_KEY_DIR}/env-${vigiloDBName}" "${vigiloDBName}"
updateEnvDB "wp" "${KAZ_KEY_DIR}/env-${wordpressDBName}" "${wordpressDBName}"
updateEnvDB "vaultwarden" "${KAZ_KEY_DIR}/env-${vaultwardenDBName}" "${vaultwardenDBName}"
updateEnvDB "castopod" "${KAZ_KEY_DIR}/env-${castopodDBName}" "${castopodDBName}"
updateEnvDB "spip" "${KAZ_KEY_DIR}/env-${spipDBName}" "${spipDBName}"
updateEnvDB "mastodon" "${KAZ_KEY_DIR}/env-${mastodonDBName}" "${mastodonDBName}"
updateEnv "apikaz" "${KAZ_KEY_DIR}/env-${apikazServName}"
updateEnv "ethercalc" "${KAZ_KEY_DIR}/env-${ethercalcServName}"
updateEnv "etherpad" "${KAZ_KEY_DIR}/env-${etherpadServName}"
updateEnv "framadate" "${KAZ_KEY_DIR}/env-${framadateServName}"
updateEnv "gandi" "${KAZ_KEY_DIR}/env-gandi"
updateEnv "gitea" "${KAZ_KEY_DIR}/env-${gitServName}"
updateEnv "jirafeau" "${KAZ_KEY_DIR}/env-${jirafeauServName}"
updateEnv "mattermost" "${KAZ_KEY_DIR}/env-${mattermostServName}"
updateEnv "mattermost" "${KAZ_KEY_DIR}/env-${mattermostDBName}"
updateEnv "nextcloud" "${KAZ_KEY_DIR}/env-${nextcloudServName}"
updateEnv "office" "${KAZ_KEY_DIR}/env-${officeServName}"
updateEnv "roundcube" "${KAZ_KEY_DIR}/env-${roundcubeServName}"
updateEnv "vigilo" "${KAZ_KEY_DIR}/env-${vigiloServName}"
updateEnv "wp" "${KAZ_KEY_DIR}/env-${wordpressServName}"
updateEnv "ldap" "${KAZ_KEY_DIR}/env-${ldapServName}"
updateEnv "sympa" "${KAZ_KEY_DIR}/env-${sympaServName}"
updateEnv "mail" "${KAZ_KEY_DIR}/env-${smtpServName}"
updateEnv "mobilizon" "${KAZ_KEY_DIR}/env-${mobilizonServName}"
updateEnv "mobilizon" "${KAZ_KEY_DIR}/env-${mobilizonDBName}"
updateEnv "vaultwarden" "${KAZ_KEY_DIR}/env-${vaultwardenServName}"
updateEnv "castopod" "${KAZ_KEY_DIR}/env-${castopodServName}"
updateEnv "spip" "${KAZ_KEY_DIR}/env-${spipServName}"
updateEnv "ldap" "${KAZ_KEY_DIR}/env-${ldapUIName}"
updateEnv "peertube" "${KAZ_KEY_DIR}/env-${peertubeServName}"
updateEnv "peertube" "${KAZ_KEY_DIR}/env-${peertubeDBName}" "${peertubeDBName}"
updateEnv "mastodon" "${KAZ_KEY_DIR}/env-${mastodonServName}"
framadateUpdate
jirafeauUpdate
exit 0

4
config/container-proxy.list.tmpl
View File

@@ -1,2 +1,2 @@
proxy
#traefik
# proxy
traefik

2
config/container-withMail.list.tmpl
View File

@@ -4,7 +4,7 @@ dokuwiki
paheko
gitea
jirafeau
mattermost
#mattermost
roundcube
mobilizon
vaultwarden

7
config/dockers.tmpl.env
View File

@@ -101,7 +101,7 @@ snappymailHost=snappymail
########################################
# ports internes
matterPort=8000
matterPort=8065
imapsyncPort=8080
apikaz=5000
@@ -159,8 +159,3 @@ apikazServName=apikazServ
# services activés par container.sh
# variables d'environneements utilisées
# pour le tmpl du mandataire (proxy)
##################
#qui on envoi le mail d'inscription ?
EMAIL_CONTACT="toto@kaz.bzh"

58
config/orgaTmpl/app/Dockerfile Normal file
View File

@@ -0,0 +1,58 @@
FROM alpine:3.17
# Some ENV variables
ENV PATH="/mattermost/bin:${PATH}"
#ENV MM_VERSION=5.32.0
ENV MM_VERSION=6.1.0
ENV MM_INSTALL_TYPE=docker
# Build argument to set Mattermost edition
ARG edition=enterprise
ARG PUID=2000
ARG PGID=2000
ARG MM_BINARY=
# Install some needed packages
RUN apk add --no-cache \
ca-certificates \
curl \
jq \
libc6-compat \
libffi-dev \
libcap \
linux-headers \
mailcap \
netcat-openbsd \
xmlsec-dev \
tzdata \
&& rm -rf /tmp/*
# Get Mattermost
RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
&& cp /mattermost/config/config.json /config.json.save \
&& rm -rf /mattermost/config/config.json \
&& addgroup -g ${PGID} mattermost \
&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
USER mattermost
#Healthcheck to make sure container is ready
HEALTHCHECK CMD curl --fail http://localhost:8000 || exit 1
# Configure entrypoint and command
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
WORKDIR /mattermost
CMD ["mattermost"]
# Expose port 8000 of the container
EXPOSE 8000
# Declare volumes for mount point directories
VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]

82
config/orgaTmpl/app/entrypoint.sh Executable file
View File

@@ -0,0 +1,82 @@
#!/bin/sh
# Function to generate a random salt
generate_salt() {
tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
}
# Read environment variables or set default values
DB_HOST=${DB_HOST:-db}
DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
# see https://www.postgresql.org/docs/current/libpq-ssl.html
# for usage when database connection requires encryption
# filenames should be escaped if they contain spaces
# i.e. $(printf %s ${MY_ENV_VAR:-''} | jq -s -R -r @uri)
# the location of the CA file can be set using environment var PGSSLROOTCERT
# the location of the CRL file can be set using PGSSLCRL
# The URL syntax for connection string does not support the parameters
# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
# to set names if using a location other than default
DB_USE_SSL=${DB_USE_SSL:-disable}
MM_DBNAME=${MM_DBNAME:-mattermost}
MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }' )
if [ "$_1" = '-' ]; then
set -- mattermost "$@"
fi
if [ "$1" = 'mattermost' ]; then
# Check CLI args for a -config option
for ARG in "$@"; do
case "$ARG" in
-config=*) MM_CONFIG=${ARG#*=};;
esac
done
if [ ! -f "$MM_CONFIG" ]; then
# If there is no configuration file, create it with some default values
echo "No configuration file $MM_CONFIG"
echo "Creating a new one"
# Copy default configuration file
cp /config.json.save "$MM_CONFIG"
# Substitute some parameters with jq
jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
else
echo "Using existing config file $MM_CONFIG"
fi
# Configure database access
if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
echo "Configure database connection..."
# URLEncode the password, allowing for special characters
ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
echo "OK"
else
echo "Using existing database connection"
fi
# Wait another second for the database to be properly started.
# Necessary to avoid "panic: Failed to open sql connection pq: the database system is starting up"
sleep 1
echo "Starting mattermost"
fi
exec "$@"

51
config/orgaTmpl/init-db.sh
View File

@@ -25,66 +25,57 @@ SQL=""
for ARG in "$@"; do
case "${ARG}" in
'cloud' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB
SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
CREATE DATABASE IF NOT EXISTS ${nextcloud_MYSQL_DATABASE};
DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${MYSQL_USER}'@'%';
DROP USER IF EXISTS '${nextcloud_MYSQL_USER}';
CREATE USER '${nextcloud_MYSQL_USER}'@'%';
GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
GRANT ALL ON ${nextcloud_MYSQL_DATABASE}.* TO '${nextcloud_MYSQL_USER}'@'%' IDENTIFIED BY '${nextcloud_MYSQL_PASSWORD}';
FLUSH PRIVILEGES;"
;;
'agora' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-mattermostDB
SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
CREATE DATABASE IF NOT EXISTS ${mattermost_MYSQL_DATABASE};
DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${MYSQL_USER}'@'%';
DROP USER IF EXISTS '${mattermost_MYSQL_USER}';
CREATE USER '${mattermost_MYSQL_USER}'@'%';
GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
GRANT ALL ON ${mattermost_MYSQL_DATABASE}.* TO '${mattermost_MYSQL_USER}'@'%' IDENTIFIED BY '${mattermost_MYSQL_PASSWORD}';
FLUSH PRIVILEGES;"
;;
'wp' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-wpDB
SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
CREATE DATABASE IF NOT EXISTS ${wp_MYSQL_DATABASE};
DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${MYSQL_USER}'@'%';
DROP USER IF EXISTS '${wp_MYSQL_USER}';
CREATE USER '${wp_MYSQL_USER}'@'%';
GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
GRANT ALL ON ${wp_MYSQL_DATABASE}.* TO '${wp_MYSQL_USER}'@'%' IDENTIFIED BY '${wp_MYSQL_PASSWORD}';
FLUSH PRIVILEGES;"
;;
'castopod' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-castopodDB
SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
CREATE DATABASE IF NOT EXISTS ${castopod_MYSQL_DATABASE};
DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${MYSQL_USER}'@'%';
DROP USER IF EXISTS '${castopod_MYSQL_USER}';
CREATE USER '${castopod_MYSQL_USER}'@'%';
GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
GRANT ALL ON ${castopod_MYSQL_DATABASE}.* TO '${castopod_MYSQL_USER}'@'%' IDENTIFIED BY '${castopod_MYSQL_PASSWORD}';
FLUSH PRIVILEGES;"
;;
'spip' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-spipDB
SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
CREATE DATABASE IF NOT EXISTS ${spip_MYSQL_DATABASE};
DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${MYSQL_USER}'@'%';
DROP USER IF EXISTS '${spip_MYSQL_USER}';
CREATE USER '${spip_MYSQL_USER}'@'%';
GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
GRANT ALL ON ${spip_MYSQL_DATABASE}.* TO '${spip_MYSQL_USER}'@'%' IDENTIFIED BY '${spip_MYSQL_PASSWORD}';
FLUSH PRIVILEGES;"
;;
@@ -93,4 +84,4 @@ FLUSH PRIVILEGES;"
esac
done
echo $SQL | docker exec -i ${ORGA}-DB bash -c "mariadb --user=root --password=${MYSQL_ROOT_PASSWORD}"
echo $SQL | docker exec -i ${ORGA}-DB bash -c "mariadb --user=root --password=${wp_MYSQL_ROOT_PASSWORD}"

3
config/orgaTmpl/initdb.d/orga.sql Normal file
View File

@@ -0,0 +1,3 @@
CREATE DATABASE IF NOT EXISTS nextcloud;
CREATE DATABASE IF NOT EXISTS mattermost;
CREATE DATABASE IF NOT EXISTS wpdb;

10
config/orgaTmpl/wiki-conf/acl.auth.php Normal file
View File

@@ -0,0 +1,10 @@
# acl.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Access Control Lists
#
# Auto-generated by install script
# Date: Sat, 13 Feb 2021 17:42:28 +0000
* @ALL 1
* @user 8

26
config/orgaTmpl/wiki-conf/local.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
/*
* Dokuwiki's Main Configuration File - Local Settings
* Auto-generated by config plugin
* Run for user: felix
* Date: Sun, 28 Feb 2021 15:56:13 +0000
*/
$conf['title'] = 'Kaz';
$conf['template'] = 'docnavwiki';
$conf['license'] = 'cc-by-sa';
$conf['useacl'] = 1;
$conf['superuser'] = '@admin';
$conf['manager'] = '@manager';
$conf['disableactions'] = 'register';
$conf['remoteuser'] = '';
$conf['mailfrom'] = 'dokuwiki@kaz.bzh';
$conf['updatecheck'] = 0;
$conf['userewrite'] = '1';
$conf['useslash'] = 1;
$conf['plugin']['ckgedit']['scayt_auto'] = 'on';
$conf['plugin']['ckgedit']['scayt_lang'] = 'French/fr_FR';
$conf['plugin']['ckgedit']['other_lang'] = 'fr';
$conf['plugin']['smtp']['smtp_host'] = 'smtp.kaz.bzh';
$conf['plugin']['todo']['CheckboxText'] = 0;
$conf['plugin']['wrap']['restrictionType'] = '1';

13
config/orgaTmpl/wiki-conf/users.auth.php Normal file
View File

@@ -0,0 +1,13 @@
# users.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Userfile
#
# Auto-generated by install script
# Date: Sat, 13 Feb 2021 17:42:28 +0000
#
# Format:
# login:passwordhash:Real Name:email:groups,comma,separated
admin:$2y$10$GYvFgViXeEUmDViplHEs7eoYV8tmbfsS8wA1vfHQ.tWgW14o9aTjy:admin:contact@kaz.bzh:admin,user

21
config/proxy/proxy_params Normal file
View File

@@ -0,0 +1,21 @@
#proxy_buffering off;
#proxy_set_header X-Forwarded-Host $host:$server_port;
#proxy_set_header X-Forwarded-Server $host;
#XXX pb proxy_set_header Connection $proxy_connection;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
# mattermost
http2_push_preload on; # Enable HTTP/2 Server Push
add_header Strict-Transport-Security max-age=15768000;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#proxy_hide_header 'x-frame-options';
#proxy_set_header x-frame-options allowall;
proxy_set_header X-Frame-Options SAMEORIGIN;

4
dockers/ldap/UIHooks/post-hook.sh
View File

@@ -5,9 +5,7 @@ NEWPASSWORD=$(base64 -d <<< $2)
OLDPASSWORD=$(base64 -d <<< $3)
URL_AGORA="https://${matterHost}.${domain}"
#mattermost_token=${LDAPUI_MM_ADMIN_TOKEN}
. $KAZ_KEY_DIR/env-mattermostAdmin
mattermost_token=${LDAPUI_MM_ADMIN_TOKEN}
IDUSER=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA}/api/v4/users/email/${EMAIL}" | awk -F "," '{print $1}' | sed -e 's/{"id"://g' -e 's/"//g')
if [ ${IDUSER} == 'app.user.missing_account.const' ]

4
dockers/mattermost/first.sh
View File

@@ -11,3 +11,7 @@ cd $(dirname $0)
"${KAZ_BIN_DIR}/gestContainers.sh" --install -M -agora
docker exec ${mattermostServName} mmctl auth login https://${matterHost}.${domain} --name local-server --username ${mattermost_MM_ADMIN_USER} --password ${mattermost_MM_ADMIN_PASSWORD}
docker exec ${mattermostServName} mmctl channel create --team kaz --name "une-question--un-soucis" --display-name "Une question ? Un souci ?"
docker exec ${mattermostServName} mmctl channel create --team kaz --name "cafe-du-commerce--ouvert-2424h" --display-name "Café du commerce"
docker exec ${mattermostServName} mmctl channel create --team kaz --name "creation-comptes" --display-name "Création comptes"

2
dockers/sympa/alerting/sympa.sh
View File

@@ -6,7 +6,7 @@ KAZ_ROOT=/kaz
setKazVars
. $DOCKERS_ENV
. $KAZ_KEY_DIR/env-mattermostAdmin
. $KAZ_ROOT/secret/SetAllPass.sh
DOCKER_CMD="docker exec sympaServ"
URL_AGORA=$(echo $matterHost).$(echo $domain)

2
dockers/traefik/docker-compose.tmpl.yml.dist
View File

@@ -1,6 +1,6 @@
services:
reverse-proxy:
image: traefik:v3.4.1
image: traefik:v3.4.4
container_name: ${traefikServName}
restart: ${restartPolicy}
# Enables the web UI and tells Traefik to listen to docker

2
dockers/traefik/proxy-gen.sh
View File

@@ -4,7 +4,7 @@ KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars
. "${DOCKERS_ENV}"
. $KAZ_BIN_DIR/getPasswords.sh traefik
. "${KAZ_ROOT}/secret/SetAllPass.sh"
printKazMsg "\n *** Proxy update config"

337
secret.tmpl/SetAllPass.sh
View File

@@ -2,43 +2,215 @@
# Attention à cause des scripts pas de ["'/] dans les mot de passe
####################
# ethercalc
ethercalc_REDIS_PORT_6379_TCP_ADDR="redis"
ethercalc_REDIS_PORT_6379_TCP_PORT="6379"
# A COPIER DANS UN FICHIER DE CONF !! -> mattermostAdmin
# pour envoyer des messages sur l'agora avec mmctl
mattermost_user="admin-mattermost"
mattermost_pass="--clean_val--"
mattermost_token="xxx-private"
####################
# etherpad
etherpad_MYSQL_ROOT_PASSWORD="--clean_val--"
etherpad_MYSQL_DATABASE="--clean_val--"
etherpad_MYSQL_USER="--clean_val--"
etherpad_MYSQL_PASSWORD="--clean_val--"
# Share with etherpadDB
etherpad_DB_NAME="${etherpad_MYSQL_DATABASE}"
etherpad_DB_USER="${etherpad_MYSQL_USER}"
etherpad_DB_PASS="${etherpad_MYSQL_PASSWORD}"
etherpad_DB_TYPE="mysql"
etherpad_DB_HOST="padDB"
etherpad_DB_PORT="3306"
#etherpad_DB_CHARSET="utf8"
#user: admin
etherpad_ADMIN_PASSWORD="--clean_val--"
etherpad_PAD_OPTIONS_LANG="fr"
etherpad_TITLE="KazPad"
etherpad_TRUST_PROXY="true"
####################
# framadate
framadate_MYSQL_ROOT_PASSWORD="--clean_val--"
framadate_MYSQL_DATABASE="--clean_val--"
framadate_MYSQL_USER="--clean_val--"
framadate_MYSQL_PASSWORD="--clean_val--"
framadate_HTTPD_USER="--clean_val--"
framadate_HTTPD_PASSWORD="--clean_val--"
##################
# Gandi
# à supprimer et à replacer par dns_gandi_api_key
gandi_GANDI_KEY="xxx"
gandi_GANDI_API="https://api.gandi.net/v5/livedns/domains/${domain}"
gandi_dns_gandi_api_key="${gandi_GANDI_KEY}"
####################
# mattermost
mattermost_POSTGRES_USER="mattermost"
mattermost_POSTGRES_PASSWORD="--clean_val--"
mattermost_POSTGRES_DB="mattermost"
mattermost_MM_ADMIN_EMAIL="${matterHost}@${domain}"
mattermost_MM_ADMIN_USER="admin-mattermost"
mattermost_MM_ADMIN_PASSWORD="--clean_val--@"
mattermost_MM_SQLSETTINGS_DATASOURCE="postgres://${mattermost_POSTGRES_USER}:${mattermost_POSTGRES_PASSWORD}@postgres:5432/${mattermost_POSTGRES_DB}?sslmode=disable&connect_timeout=10"
# pour envoyer des messages sur l'agora avec mmctl
mattermost_user="${mattermost_MM_ADMIN_USER}"
mattermost_pass="${mattermost_MM_ADMIN_PASSWORD}"
mattermost_token="xxx-private"
##################
# Openldap
ldap_LDAP_ADMIN_USERNAME="--clean_val--"
ldap_LDAP_ADMIN_PASSWORD="--clean_val--"
ldap_LDAP_CONFIG_ADMIN_USERNAME="--clean_val--"
ldap_LDAP_CONFIG_ADMIN_PASSWORD="--clean_val--"
ldap_LDAP_POSTFIX_PASSWORD="--clean_val--"
ldap_LDAP_LDAPUI_PASSWORD="--clean_val--"
ldap_LDAP_MATTERMOST_PASSWORD="--clean_val--"
ldap_LDAP_CLOUD_PASSWORD="--clean_val--"
ldap_LDAP_MOBILIZON_PASSWORD="--clean_val--"
ldap_LDAPUI_URI=ldap://ldap
ldap_LDAPUI_BASE_DN=${ldap_root}
ldap_LDAPUI_REQUIRE_STARTTLS=FALSE
ldap_LDAPUI_ADMINS_GROUP=admins
ldap_LDAPUI_ADMIN_BIND_DN=cn=ldapui,ou=applications,${ldap_root}
ldap_LDAPUI_ADMIN_BIND_PWD=${ldap_LDAP_LDAPUI_PASSWORD}
ldap_LDAPUI_IGNORE_CERT_ERRORS=TRUE
ldap_LDAPUI_PASSWORD="--clean_val--"
ldap_LDAPUI_MM_ADMIN_TOKEN=${mattermost_token}
###################
# gitea
gitea_MYSQL_ROOT_PASSWORD="--clean_val--"
gitea_MYSQL_DATABASE="--clean_val--"
gitea_MYSQL_USER="--clean_val--"
gitea_MYSQL_PASSWORD="--clean_val--"
# on ne peut pas utiliser le login "admin"
gitea_user_admin="admin_gitea"
gitea_pass_admin="--clean_val--"
gitea_admin_email="admin@kaz.bzh"
####################
# jirafeau
jirafeau_HTTPD_PASSWORD="--clean_val--"
jirafeau_DATA_DIR="--clean_val--"
####################
# nexcloud
nextcloud_MYSQL_ROOT_PASSWORD="${mattermost_MYSQL_ROOT_PASSWORD}"
nextcloud_MYSQL_DATABASE="--clean_val--"
nextcloud_MYSQL_USER="--clean_val--"
nextcloud_MYSQL_PASSWORD="--clean_val--"
nextcloud_NEXTCLOUD_ADMIN_USER="admin"
nextcloud_NEXTCLOUD_ADMIN_PASSWORD="--clean_val--"
nextcloud_MYSQL_HOST="db"
#user: admin
nextcloud_RAIN_LOOP="--clean_val--"
####################
# collabora
office_username="admin"
office_password="--clean_val--"
####################
# roundcube
roundcube_MYSQL_ROOT_PASSWORD="--clean_val--"
roundcube_MYSQL_DATABASE="--clean_val--"
roundcube_MYSQL_USER="--clean_val--"
roundcube_MYSQL_PASSWORD="--clean_val--"
# Share with roundcubeDB
roundcube_ROUNDCUBEMAIL_DB_TYPE="mysql"
roundcube_ROUNDCUBEMAIL_DB_NAME="${roundcube_MYSQL_DATABASE}"
roundcube_ROUNDCUBEMAIL_DB_USER="${roundcube_MYSQL_USER}"
roundcube_ROUNDCUBEMAIL_DB_PASSWORD="${roundcube_MYSQL_PASSWORD}"
roundcube_ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE="1G"
####################
# postfix LDAP
mail_LDAP_BIND_DN=cn=postfix,ou=applications,${ldap_root}
mail_LDAP_BIND_PW=${ldap_LDAP_POSTFIX_PASSWORD}
####################
# sympa
sympa_MYSQL_ROOT_PASSWORD="--clean_val--"
sympa_MYSQL_DATABASE="sympa"
sympa_MYSQL_USER="sympa"
sympa_MYSQL_PASSWORD="--clean_val--"
sympa_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
sympa_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
sympa_LISTMASTERS="listmaster@${domain_sympa}"
sympa_ADMINEMAIL="listmaster@${domain_sympa}"
sympa_SOAP_USER="sympa"
sympa_SOAP_PASSWORD="--clean_val--"
# pour inscrire des users sur des listes sympa avec soap
#il faut que le user soit admin de sympa
sympa_user="a@${domain}"
sympa_pass="--clean_val--"
##################
# vigilo
vigilo_MYSQL_ROOT_PASSWORD="--clean_val--"
vigilo_MYSQL_USER="--clean_val--"
vigilo_MYSQL_PASSWORD="--clean_val--"
vigilo_MYSQL_DATABASE="--clean_val--"
vigilo_MYSQL_HOST="db"
#vigilo_BIND=
####################
# wordpress
wp_MYSQL_ROOT_PASSWORD="${mattermost_MYSQL_ROOT_PASSWORD}"
wp_MYSQL_DATABASE="--clean_val--"
wp_MYSQL_USER="--clean_val--"
wp_MYSQL_PASSWORD="--clean_val--"
# Share with wpDB
wp_WORDPRESS_DB_HOST="db:3306"
wp_WORDPRESS_DB_NAME="${wp_MYSQL_DATABASE}"
wp_WORDPRESS_DB_USER="${wp_MYSQL_USER}"
wp_WORDPRESS_DB_PASSWORD="${wp_MYSQL_PASSWORD}"
wp_WORDPRESS_ADMIN_USER="admin"
wp_WORDPRESS_ADMIN_PASSWORD="--clean_val--"
##################
# A DEPLACER DANS DOCKER ENV
#qui envoi le mail d'inscription ?
EMAIL_CONTACT="toto@kaz.bzh"
# A COPIER DANS UN FICHIER DE CONF !! -> paheko
##################
# Paheko
paheko_API_USER="admin-api"
paheko_API_PASSWORD="--clean_val--"
##################
# La nas de Kaz chez Grifon
nas_admin1="admin"
nas_password1="--clean_val--"
nas_admin2="kaz"
nas_password1="--clean_val--"
# compte mail pour les notifications du nas
nas_email_account="admin-nas@${domain}"
nas_email_password="--clean_val--"
# A virer dans koffre
##################
#Compte sur outlook.com
outlook_user="kaz-user@outlook.fr"
outlook_pass="--clean_val--"
# A COPIER DANS UN FICHIER DE CONF !! -> mail
service_mail=admin-kaz@kaz.bzh
service_password="--clean_val--"
##################
#Borg
# A COPIER DANS UN FICHIER DE CONF !! -> borg
BORG_REPO="/mnt/backup-nas1/BorgRepo"
BORG_PASSPHRASE="--clean_val--"
VOLUME_SAUVEGARDES="/mnt/backup-nas1"
@@ -46,21 +218,148 @@ MAIL_RAPPORT="a@${domain};b@${domain};c@${domain}"
BORGMOUNT="/mnt/disk-nas1/tmp/repo_mount"
###################
# mobilizon
mobilizon_POSTGRES_USER="--clean_val--"
mobilizon_POSTGRES_PASSWORD="--clean_val--"
mobilizon_POSTGRES_DB=mobilizon
mobilizon_MOBILIZON_DATABASE_USERNAME="${mobilizon_POSTGRES_USER}"
mobilizon_MOBILIZON_DATABASE_PASSWORD="${mobilizon_POSTGRES_PASSWORD}"
mobilizon_MOBILIZON_DATABASE_DBNAME=mobilizon
mobilizon_MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=false
mobilizon_MOBILIZON_INSTANCE_NAME="Mobilizon"
mobilizon_MOBILIZON_INSTANCE_HOST="${mobilizonHost}.${domain}"
mobilizon_MOBILIZON_INSTANCE_SECRET_KEY_BASE=changeme
mobilizon_MOBILIZON_INSTANCE_SECRET_KEY=changeme
mobilizon_MOBILIZON_INSTANCE_EMAIL=noreply@${domain}
mobilizon_MOBILIZON_REPLY_EMAIL=contact@${domain_sympa}
mobilizon_MOBILIZON_ADMIN_EMAIL=admin@${domain_sympa}
mobilizon_MOBILIZON_SMTP_SERVER="${smtpHost}.${domain}"
mobilizon_MOBILIZON_SMTP_PORT=25
mobilizon_MOBILIZON_SMTP_HOSTNAME="${smtpHost}.${domain}"
mobilizon_MOBILIZON_SMTP_USERNAME=noreply@${domain}
mobilizon_MOBILIZON_SMTP_PASSWORD=
mobilizon_MOBILIZON_SMTP_SSL=false
mobilizon_MOBILIZON_LDAP_BINDUID=cn=mobilizon,ou=applications,${ldap_root}
mobilizon_MOBILIZON_LDAP_BINDPASSWORD=${ldap_LDAP_MOBILIZON_PASSWORD}
#####################
# Vaultwarden
vaultwarden_MYSQL_ROOT_PASSWORD="--clean_val--"
vaultwarden_MYSQL_DATABASE="vaultwarden"
vaultwarden_MYSQL_USER="vaultwarden"
vaultwarden_MYSQL_PASSWORD="--clean_val--"
vaultwarden_DATABASE_URL="mysql://${vaultwarden_MYSQL_USER}:${vaultwarden_MYSQL_PASSWORD}@db/${vaultwarden_MYSQL_DATABASE}"
vaultwarden_ADMIN_TOKEN="--clean_val--"
#####################
#Traefik
# A COPIER DANS UN FICHIER DE CONF !! -> traefik
traefik_DASHBOARD_USER="admin"
traefik_DASHBOARD_PASSWORD="--clean_val--"
#####################
# dokuwiki
dokuwiki_WIKI_ROOT=Kaz
dokuwiki_WIKI_EMAIL=wiki@kaz.local
dokuwiki_WIKI_PASSWORD="--clean_val--"
#####################
# Castopod
# A COPIER DANS UN FICHIER DE CONF !! castopodAdmin
castopod_MYSQL_ROOT_PASSWORD="--clean_val--"
castopod_MYSQL_DATABASE="--clean_val--"
castopod_MYSQL_USER="--clean_val--"
castopod_MYSQL_PASSWORD="--clean_val--"
castopod_CP_REDIS_PASSWORD="${castopodRedisPassword}"
castopod_ADMIN_USER=adminKaz
castopod_ADMIN_MAIL=admin@${domain}
castopod_ADMIN_PASSWORD="--clean_val--"
castopod_CP_EMAIL_SMTP_HOST="${smtpHost}.${domain}"
castopod_CP_EMAIL_SMTP_PORT=25
castopod_CP_EMAIL_SMTP_USERNAME=noreply@${domain}
castopod_CP_EMAIL_SMTP_PASSWORD=
castopod_CP_EMAIL_FROM=noreply@${domain}
castopod_CP_EMAIL_SMTP_CRYPTO=tls
#####################
# Spip
spip_MYSQL_ROOT_PASSWORD="--clean_val--"
spip_MYSQL_DATABASE="--clean_val--"
spip_MYSQL_USER="--clean_val--"
spip_MYSQL_PASSWORD="--clean_val--"
spip_SPIP_AUTO_INSTALL=1
spip_SPIP_DB_SERVER=mysql
spip_SPIP_DB_LOGIN="${spip_MYSQL_USER}"
spip_SPIP_DB_PASS="${spip_MYSQL_PASSWORD}"
spip_SPIP_DB_NAME="${spip_MYSQL_DATABASE}"
spip_SPIP_ADMIN_NAME=admin
spip_SPIP_ADMIN_LOGIN=admin
spip_SPIP_ADMIN_EMAIL=admin@${domain}
spip_SPIP_ADMIN_PASS="--clean_val--"
spip_PHP_TIMEZONE="Europe/Paris"
#####################
# Peertube
peertube_POSTGRES_USER="--clean_val--"
peertube_POSTGRES_PASSWORD="--clean_val--"
peertube_PEERTUBE_DB_NAME="--clean_val--"
peertube_PEERTUBE_DB_USERNAME="${peertube_POSTGRES_USER}"
peertube_PEERTUBE_DB_PASSWORD="${peertube_POSTGRES_PASSWORD}"
peertube_PEERTUBE_DB_SSL=false
peertube_PEERTUBE_DB_HOSTNAME="${peertubeDBName}"
peertube_PEERTUBE_WEBSERVER_HOSTNAME="${peertubeHost}.${domain}"
peertube_PEERTUBE_TRUST_PROXY="['10.0.0.0/8', '127.0.0.1', 'loopback', '172.18.0.0/16']"
peertube_PEERTUBE_SECRET="--clean_val--"
peertube_PT_INITIAL_ROOT_PASSWORD="--clean_val--"
#peertube_PEERTUBE_SMTP_USERNAME=
#peertube_PEERTUBE_SMTP_PASSWORD=
# Default to Postfix service name "postfix" in docker-compose.yml
# May be the hostname of your Custom SMTP server
peertube_PEERTUBE_SMTP_HOSTNAME=
peertube_PEERTUBE_SMTP_PORT=25
peertube_PEERTUBE_SMTP_FROM=
peertube_PEERTUBE_SMTP_TLS=false
peertube_PEERTUBE_SMTP_DISABLE_STARTTLS=false
peertube_PEERTUBE_ADMIN_EMAIL=
peertube_POSTFIX_myhostname=
#peertube_OPENDKIM_DOMAINS=peertube
peertube_OPENDKIM_RequireSafeKeys=no
peertube_PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC="public-read"
peertube_PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE="private"
######################
peertube_POSTGRES_DB="${peertube_PEERTUBE_DB_NAME}"
######################
# SNAPPYMAIL
# Url https://snappymail.${domain}/?admin
# au premier lancement un mot de passe est généré en aut par l' appli dans le
# volume Data : /var/lib/docker/volumes/snappymail_data/_data/_data_/_default_
# le fichier s' appelle admin_password.txt
# une fois le mot de passe changé dans le Gui de l' admin, ce fichier est automatiquement supprimé
snappymail_TZ="Europe/Paris"
snappymail_UPLOAD_MAX_SIZE="100M"
####################
# mastodon
mastodon_POSTGRES_USER="--clean_val--"
mastodon_POSTGRES_PASSWORD="--clean_val--"
mastodon_POSTGRES_DB=mastodon
mastodon_DB_USER="${mastodon_POSTGRES_USER}"
mastodon_DB_PASS="${mastodon_POSTGRES_PASSWORD}"
mastodon_DB_NAME=mastodon

17
secret.tmpl/env-borg
View File

@@ -1,17 +0,0 @@
VOLUME_SAUVEGARDES=
BORG_REPO=
BORG_PASSPHRASE=
BORGLOG="/var/log/borg"
BORG_FIC_DEL="/tmp/sauvegarde_supp.txt"
BORG_EXCLUDE_BACKUP=
MAIL_RAPPORT=
LISTREPSAUV=
BORGMOUNT="/mnt/repo_borg"
MAILOK=
MAILWARNING=
MAILDETAIL=
BACKUPS_KEEP="4m"
NB_BACKUPS_JOUR=90
NB_BACKUPS_SEM=30
NB_BACKUPS_MOIS=12
BORGSCRIPTS=/root/borgscripts

3
secret.tmpl/env-castopodAdmin
View File

@@ -1,3 +0,0 @@
ADMIN_USER=
ADMIN_MAIL=
ADMIN_PASSWORD="--clean_val--"

2
secret.tmpl/env-mail
View File

@@ -1,2 +0,0 @@
service_mail=
service_password=

3
secret.tmpl/env-mattermostAdmin
View File

@@ -1,3 +0,0 @@
mattermost_user=
mattermost_pass=
mattermost_token=

11
secret.tmpl/env-mattermostDB
View File

@@ -1,8 +1,3 @@
MYSQL_ROOT_PASSWORD=
MYSQL_DATABASE=
MYSQL_USER=
MYSQL_PASSWORD=
MM_MYSQL_USER=
MM_MYSQL_PASSWORD=
POSTGRES_USER=
POSTGRES_PASSWORD=
POSTGRES_DB=

15
secret.tmpl/env-mattermostServ
View File

@@ -1,15 +1,4 @@
# share with matterDB
MM_DBNAME=
MM_USERNAME=
MM_PASSWORD=
MM_SQLSETTINGS_DATASOURCE=
MM_ADMIN_EMAIL=
MM_ADMIN_USER=
MM_ADMIN_PASSWORD=
DB_HOST=
DB_PORT_NUMBER=
MM_SQLSETTINGS_DRIVERNAME=
MM_SQLSETTINGS_DATASOURCE=
MM_ADMIN_PASSWORD=

2
secret.tmpl/env-paheko
View File

@@ -1,2 +0,0 @@
API_USER="admin-api"
API_PASSWORD="--clean_val--"

2
secret.tmpl/env-traefik
View File

@@ -1,2 +0,0 @@
DASHBOARD_USER="admin"
DASHBOARD_PASSWORD="--clean_val--"

2
secret.tmpl/env-wpServ
View File

@@ -4,5 +4,3 @@ WORDPRESS_DB_HOST=
WORDPRESS_DB_USER=
WORDPRESS_DB_PASSWORD=
WORDPRESS_DB_NAME=
WORDPRESS_ADMIN_USER=
WORDPRESS_ADMIN_PASSWORD=