add ldap UI

1 year ago · 4ec07e7ecd
12 changed files with 132 additions and 127 deletions
--- a/bin/configKaz.sh.templates
+++ b/bin/configKaz.sh.templates
--- a/bin/dns.sh
+++ b/bin/dns.sh
@ -16,7 +16,7 @@ export ETC_HOSTS="/etc/hosts"
 export $(set | grep "domain=")

 declare -a forbidenName
-forbidenName=(dev ${calcHost} calc ${cloudHost} bureau ${dateHost} date ${dokuwikiHost} dokuwiki ${fileHost} file ${garHost} ${gitHost} ${gravHost} ${matterHost} ${officeHost} collabra ${padHost} ${sympaHost} listes ${webmailHost} ${wordpressHost} www ${vigiloHost} form)
+forbidenName=(${calcHost} calc ${cloudHost} bureau ${dateHost} date ${dokuwikiHost} dokuwiki ${fileHost} file ${ldapHost} ${garHost} ${gitHost} ${gravHost} ${matterHost} ${officeHost} collabra ${padHost} ${sympaHost} listes ${webmailHost} ${wordpressHost} www ${vigiloHost} form)

 export FORCE="NO"
 export CMD=""
--- a/bin/updateDockerPassword.sh
+++ b/bin/updateDockerPassword.sh
@ -106,6 +106,7 @@ updateEnv "wp" "${KAZ_KEY_DIR}/env-${wordpressServName}"
 updateEnv "ldap" "${KAZ_KEY_DIR}/env-${ldapServName}"
 updateEnv "sympa" "${KAZ_KEY_DIR}/env-${sympaServName}"

+updateEnv "ldap" "${KAZ_KEY_DIR}/env-${ldapUIName}"

 framadateUpdate
 jirafeauUpdate
--- a/config/dockers.tmpl.env
+++ b/config/dockers.tmpl.env
@ -29,6 +29,23 @@ MAIN_IP=
 # prod=89.234.186.151 / dev=192.168.57.2 / local=127.0.0.2
 SYMPA_IP=

+########################################
+# choix du domaine ldap
+# prod dc=kaz,dc=bzh / dev dc=kazkouil,dc=fr / local dc=kaz,dc=local
+ldap_root=
+
+########################################
+# devrait être dans env-jirafeauServ
+# mais seuls les variables de ".env" sont
+# utilisables pour le montage des volumes
+
+jirafeauDir=
+
+########################################
+# politique de redémarrage
+# prod=always / test=unless-stopped / local=no
+restartPolicy=
+
 ########################################
 # noms des services

@ -48,7 +65,6 @@ officeHost=office
 padHost=pad
 smtpHost=smtp
 ldapHost=ldap
-ssoHost=keycloak
 sympaHost=listes
 vigiloHost=vigilo
 webmailHost=webmail
@ -72,7 +88,6 @@ proxyServName=proxyServ
 roundcubeServName=roundcubeServ
 smtpServName=mailServ
 ldapServName=ldapServ
-ssoServName=keycloakServ
 sympaServName=sympaServ
 vigiloServName=vigiloServ
 webServName=webServ
@ -85,29 +100,14 @@ gitDBName=gitDB
 mattermostDBName=mattermostDB
 nextcloudDBName=nextcloudDB
 roundcubeDBName=roundcubeDB
-ssoDBName=keycloakDB
 sympaDBName=sympaDB
 vigiloDBName=vigiloDB
 wordpressDBName=wpDB

-########################################
-# politique de redémarrage
-# prod=always / test=unless-stopped / local=no
-restartPolicy=
-
-########################################
-# devrait être dans env-jirafeauServ
-# mais seuls les variables de ".env" sont
-# utilisables pour le montage des volumes
-
-jirafeauDir=
+ldapUIName=ldapUI

 ########################################
 # services activés par container.sh
 # variables d'environneements utilisées
 # pour le tmpl du mandataire (proxy)

-########################################
-# choix du domaine ldap
-# prod dc=kaz,dc=bzh / dev dc=kazkouil,dc=fr / local dc=kaz,dc=local
-ldap_root=
--- a/dockers/ldap/docker-compose.yml
+++ b/dockers/ldap/docker-compose.yml
@ -9,33 +9,27 @@
 version: '2'
 services:

-  # web:
-  #   # ports:
-  #   #   - 8083:80
-  #   image: wheelybird/ldap-user-manager
-  #   container_name: ${ldapUIName}
-  #   depends_on:
-  #     - ldap
-  #   networks:
-  #     - ldapNet
-  #   links:
-  #     - ldap
-  #   env_file:
-  #     - ../../secret/env-${ldapUIName}
-  #   environment:
-  #     - SERVER_HOSTNAME=${domain}
-  #     # - NO_HTTPS=true
-  #     - LDAP_URI=ldaps://ldap
-  #     - LDAP_BASE_DN=${ldapRoot}
-  #     - LDAP_REQUIRE_STARTTLS=FALSE
-  #     - LDAP_ADMINS_GROUP=admins
-  #     - LDAP_ADMIN_BIND_DN=cn=admin,${ldapRoot}
-  #     - LDAP_IGNORE_CERT_ERRORS=true
-  #     - EMAIL_DOMAIN=${domain}
-  #   volumes:
-  #     - /etc/ssl:/etc/ssl:ro
-  #     - /etc/timezone:/etc/timezone:ro
-  #     - /root/mkcert:/root/mkcert:ro
+  web:
+    # ports:
+    #    - 8083:80
+    image: wheelybird/ldap-user-manager
+    container_name: ${ldapUIName}
+    depends_on:
+      - ldap
+    networks:
+      - ldapNet
+    links:
+      - ldap
+    env_file:
+      - ../../secret/env-${ldapUIName}
+    environment:
+      - SERVER_HOSTNAME=${domain}
+      - EMAIL_DOMAIN=${domain}
+      - NO_HTTPS=TRUE
+    volumes:
+      - /etc/ssl:/etc/ssl:ro
+      - /etc/timezone:/etc/timezone:ro
+      - /root/mkcert:/root/mkcert:ro

  ldap:
    image: docker.io/bitnami/openldap:2.6
@ -44,11 +38,11 @@ services:

    env_file:
      - ../../secret/env-${ldapServName}
-    ports:
-      - 389:389
-      - 636:636
+    # ports:
+    #   - 389:389
+    #   - 636:636
    environment:
-      - LDAP_ROOT=${ldap_root}
+      - LDAP_ROOT="${ldap_root}"
      - LDAP_PORT_NUMBER=389
      - LDAP_LDAPS_PORT_NUMBER=636
    volumes:
--- a/dockers/proxy/config/nginx.tmpl.conf
+++ b/dockers/proxy/config/nginx.tmpl.conf
@ -171,6 +171,23 @@ http {
  }
 }}

+  ########################################
+  #### LDAP
+{{ldap
+  server {
+    server_name __LDAP_HOST__.__DOMAIN__;
+    include includes/port;
+    ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
+    include includes/proxy_params;
+
+    location / {
+      include includes/allow_ip;
+      proxy_pass http://__LDAP_HOST__.__DOMAIN__;
+    }
+  }
+}}
+
  ########################################
  #### garradin kaz
 {{garradin
--- a/dockers/proxy/docker-compose.tmpl.yml.dist
+++ b/dockers/proxy/docker-compose.tmpl.yml.dist
@ -30,6 +30,9 @@ services:
 {{framadate
      - ${framadateServName}:${dateHost}.${domain}
 }}
+{{ldap
+      - ${ldapUIName}:${ldapHost}.${domain}
+}}
 {{cloud
      - ${nextcloudServName}:${cloudHost}.${domain}
 }}
@ -51,6 +54,9 @@ services:
 {{gitea
      - ${gitServName}:${gitHost}.${domain}
 }}
+{{gitea
+      - ${gitServName}:${gitHost}.${domain}
+}}
 {{dokuwiki
      - ${dokuwikiServName}:${dokuwikiHost}.${domain}
 }}
@ -79,6 +85,9 @@ services:
 {{framadate
      - framadateNet
 }}
+{{ldap
+      - ldapNet
+}}
 {{cloud
      - cloudNet
 }}
@ -144,6 +153,11 @@ networks:
    external:
      name: framadateNet
 }}
+{{ldap
+  ldapNet:
+    external:
+      name: ldapNet
+}}
 {{cloud
  cloudNet:
   external:
--- a/secret.tmpl/SetAllPass.sh
+++ b/secret.tmpl/SetAllPass.sh
@ -38,10 +38,27 @@ framadate_HTTPD_PASSWORD="--clean_val--"

 ##################
 # Gandi
+# à supprimer et à replacer par dns_gandi_api_key
+gandi_GANDI_KEY="xxx"
+gandi_GANDI_API="https://api.gandi.net/v5/livedns/domains/${domain}"
+gandi_dns_gandi_api_key="${gandi_GANDI_KEY}"

-#TODO: soucis, les clés sont dédoublées
-gandi_GANDI_KEY="ce56hL3Tn7efFWvNLyf2ewkT"
-GANDI_API="https://api.gandi.net/v5/livedns/domains/kaz.bzh"
+##################
+# Openldap
+ldap_LDAP_ADMIN_USERNAME="--clean_val--"
+ldap_LDAP_ADMIN_PASSWORD="--clean_val--"
+ldap_LDAP_ENABLE_TLS="no"
+ldap_LDAP_TLS_CERT_FILE="/etc/letsencrypt/live/${domain}/cert.pem"
+ldap_LDAP_TLS_KEY_FILE="/etc/letsencrypt/live/${domain}/privkey.pem"
+ldap_LDAP_TLS_CA_FILE="/etc/letsencrypt/live/${domain}/fullchain.pem"
+
+ldap_LDAP_URI=ldap://ldap
+ldap_LDAP_BASE_DN=${ldap_root}
+ldap_LDAP_REQUIRE_STARTTLS=FALSE
+ldap_LDAP_ADMINS_GROUP=admins
+ldap_LDAP_ADMIN_BIND_DN=cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}
+ldap_LDAP_ADMIN_BIND_PWD=${ldap_LDAP_ADMIN_PASSWORD}
+ldap_LDAP_IGNORE_CERT_ERRORS=TRUE

 ###################
 # gitea
@ -55,43 +72,11 @@ gitea_user_admin="admin_gitea"
 gitea_pass_admin="--clean_val--"
 gitea_admin_email="root@kaz.bzh"

-# Share with etherpadDB
-gitea_GITEA__database__DB_TYPE="mysql"
-gitea_GITEA__database__HOST="db:3306"
-gitea_GITEA__database__NAME="${gitea_MYSQL_DATABASE}"
-gitea_GITEA__database__USER="${gitea_MYSQL_USER}"
-gitea_GITEA__database__PASSWD="${gitea_MYSQL_PASSWORD}"
-
-#gitea_GITEA__mailer__ENABLED=true
-#gitea_GITEA__mailer__FROM=
-#gitea_GITEA__mailer__MAILER_TYPE=smtp
-#gitea_GITEA__mailer__HOST=
-#gitea_GITEA__mailer__IS_TLS_ENABLED=
-#gitea_GITEA__mailer__USER=
-#gitea_GITEA__mailer__PASSWD=
-
 ####################
 # jirafeau
 jirafeau_HTTPD_PASSWORD="--clean_val--"
 jirafeau_DATA_DIR="--clean_val--"

-##################
-# keycloack DB
-keycloak_MYSQL_ROOT_PASSWORD="--clean_val--"
-keycloak_MYSQL_DATABASE="--clean_val--"
-keycloak_MYSQL_USER="--clean_val--"
-keycloak_MYSQL_PASSWORD="--clean_val--"
-
-# Keycloak
-keycloak_DB_VENDOR="mariadb"
-keycloak_DB_ADDR="mariadb"
-keycloak_DB_DATABASE="${keycloak_MYSQL_DATABASE}"
-keycloak_DB_USER="${keycloak_MYSQL_USER}"
-keycloak_DB_PASSWORD="${keycloak_MYSQL_PASSWORD}"
-keycloak_USER="admin"
-keycloak_PASSWORD="--clean_val--"
-
-
 ####################
 # mattermost
 mattermost_MYSQL_ROOT_PASSWORD="--clean_val--"
@ -152,20 +137,11 @@ roundcube_ROUNDCUBEMAIL_DB_TYPE="mysql"
 roundcube_ROUNDCUBEMAIL_DB_NAME="${roundcube_MYSQL_DATABASE}"
 roundcube_ROUNDCUBEMAIL_DB_USER="${roundcube_MYSQL_USER}"
 roundcube_ROUNDCUBEMAIL_DB_PASSWORD="${roundcube_MYSQL_PASSWORD}"
-roundcube_ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE="100Mo"
-
-# XXX TODO >>>
-# ROUNDCUBEMAIL_DB_PORT
-
-# ROUNDCUBEMAIL_PLUGINS
-# ROUNDCUBEMAIL_SPELLCHECK_URI
-# ROUNDCUBEMAIL_ASPELL_DICTS
-# XXX TODO <<<
-
+roundcube_ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE="1G"

 ####################
 # postfix ?
-mail_ENABLE_SPAMASSASSIN=1
+mail_ENABLE_SPAMASSASSIN="1"

 ####################
 # sympa
@ -181,6 +157,10 @@ sympa_ADMINEMAIL="listmaster@${domain_sympa}"
 sympa_SOAP_USER="sympa"
 sympa_SOAP_PASSWORD="--clean_val--"

+# pour inscrire des users sur des listes sympa avec soap
+#il faut que le user soit admin de sympa
+sympa_user="a@${domain}"
+sympa_pass="--clean_val--"

 ##################
 # vigilo
@ -211,19 +191,31 @@ wp_WORDPRESS_ADMIN_PASSWORD="--clean_val--"
 #qui envoi le mail d'inscription ?
 EMAIL_CONTACT="toto@kaz.bzh"

-##################
-# Openldap
-ldap_LDAP_ADMIN_USERNAME="--clean_val--"
-ldap_LDAP_ADMIN_PASSWORD="--clean_val--"
-ldap_LDAP_ENABLE_TLS=no
-ldap_LDAP_TLS_CERT_FILE="/etc/letsencrypt/live/${domain}/cert.pem"
-ldap_LDAP_TLS_KEY_FILE="/etc/letsencrypt/live/${domain}/privkey.pem"
-ldap_LDAP_TLS_CA_FILE="/etc/letsencrypt/live/${domain}/fullchain.pem"
-#ldap_LDAP_TLS_DH_PARAMS_FILE="/etc/letsencrypt/live/${domain}/dh.pem"
-
-

 ##################
 # Garradin
 garradin_API_USER="admin-api"
 garradin_API_PASSWORD="--clean_val--"
+
+##################
+# La nas de Kaz chez Grifon
+nas_admin1="admin"
+nas_password1="--clean_val--"
+nas_admin2="kaz"
+nas_password1="--clean_val--"
+# compte mail pour les notifications du nas
+nas_email_account="admin-nas@${domain}"
+nas_email_password="--clean_val--"
+
+##################
+#Compte sur outlook.com
+outlook_user="kaz-user@outlook.fr"
+outlook_pass="--clean_val--"
+
+##################
+#Borg
+BORG_REPO="/mnt/backup-nas1/BorgRepo"
+BORG_PASSPHRASE="--clean_val--"
+VOLUME_SAUVEGARDES="/mnt/backup-nas1"
+MAIL_RAPPORT="a@${domain};b@${domain};c@${domain}"
+BORGMOUNT="/mnt/disk-nas1/tmp/repo_mount"
--- a/secret.tmpl/env-gitServ
+++ b/secret.tmpl/env-gitServ
@ -1,10 +1,3 @@
-
-GITEA__database__DB_TYPE=
-GITEA__database__HOST=
-GITEA__database__NAME=
-GITEA__database__USER=
-GITEA__database__PASSWD=
-
 user_admin=
 pass_admin=
 admin_email=
--- a/secret.tmpl/env-keycloakDB
+++ b/secret.tmpl/env-keycloakDB
@ -1,5 +0,0 @@
-
-MYSQL_ROOT_PASSWORD=
-MYSQL_DATABASE=
-MYSQL_USER=
-MYSQL_PASSWORD=
--- a/secret.tmpl/env-keycloakServ
+++ b/secret.tmpl/env-keycloakServ
@ -1,8 +0,0 @@
-
-DB_VENDOR=
-DB_ADDR=
-DB_DATABASE=
-DB_USER=
-DB_PASSWORD=
-USER=
-PASSWORD=
--- a/secret.tmpl/env-ldapUI
+++ b/secret.tmpl/env-ldapUI
@ -0,0 +1,7 @@
+LDAP_URI=
+LDAP_BASE_DN=
+LDAP_REQUIRE_STARTTLS=
+LDAP_ADMINS_GROUP=
+LDAP_ADMIN_BIND_DN=
+LDAP_ADMIN_BIND_PWD=
+LDAP_IGNORE_CERT_ERRORS=