Page MenuHomePhorge
Files F1974897

No OneTemporary
Actions

View Options

diff --git a/README.md b/README.md
index 24004978..79144a89 100644
--- a/README.md
+++ b/README.md
@@ -1,32 +1,41 @@
-## Quickstart Instructions
-
-Really quick?
-
-```
-$ bin/quickstart.sh
-```
-
-More detailed:
-
-```
-$ bin/regen-certs
-$ docker pull kolab/centos7:latest
-$ docker-compose down
-$ docker-compose up -d
-$ cd src/
-$ composer install
-$ npm install
-$ cp .env.example .env
-$ echo "" >> .env
-$ cat .env.local >> .env
-$ ./artisan key:generate
-$ ./artisan jwt:secret -f
-$ ./artisan clear-compiled
-$ npm run dev
-$ rm -rf database/database.sqlite
-$ touch database/database.sqlite
-$ ./artisan migrate:refresh --seed
-$ ./artisan serve
-```
-
-NOTE: Set `APP_PUBLIC_URL` and `MOLLIE_KEY` and other such private settings in `.env.local`
+## Quickstart Instructions to try it out
+
+* Make sure you have docker and docker-compose available.
+* Run 'make deploy' in the base directory.
+* Add an /etc/hosts entry "127.0.0.1 kolab.local"
+* navigate to https://kolab.local
+* login as "john@kolab.org" with password "simple123"
+
+# Setup env.local
+
+To customize the installation, create a file src/env.local to override setting in src/.env.example.
+
+The setup script with merge these settings into src/.env, which is what is ultimately used by the installation.
+
+Take a look at ansible/env.local for an example of typical modifications required for an installation.
+
+# Use the ansible setup
+
+The ansible/ directory contains setup scripts to setup a fresh Fedora system with a kolab deployment.
+Modify the Makefile with the required variables and then execute `make setup`.
+
+This will configure the remote system and execute bin/deploy.sh
+
+### Update
+
+* git pull
+* Run "bin/update.sh"
+
+### Backup / Restore
+
+The "bin/backup.sh" script will stop all containers, snapshot the volumes to the backup/ directory, and restart the containers.
+
+"bin/restore.sh" will stop all containers, restore the volumes from tarballs in the backup/ directory, and restart the containers.
+
+
+### Requirements
+* docker
+* openssl
+
+## TODO
+* Only seed admin user, but not all the development stuff?
diff --git a/ansible/env.local b/ansible/env.local
index d10d9dc1..54fe6ecd 100644
--- a/ansible/env.local
+++ b/ansible/env.local
@@ -1,52 +1,43 @@
-MFA_DSN=mysql://root:Welcome2KolabSystems@127.0.0.1/roundcube
APP_DOMAIN={{ host }}
APP_WEBSITE_DOMAIN={{ host }}
APP_KEY=base64:FG6ECzyAMSmyX+eYwO/FW3bwnarbKkBhqtO65vlMb1E=
APP_PUBLIC_URL=https://{{ host }}
COTURN_STATIC_SECRET=uzYguvIl9tpZFMuQOE78DpOi6Jc7VFSD0UAnvgMsg5n4e74MgIf6vQvbc6LWzZjz
COTURN_PUBLIC_IP='{{ public_ip }}'
MEET_TURN_SERVER='turn:{{ public_ip }}:3478'
MEET_WEBRTC_LISTEN_IP='{{ public_ip }}'
MEET_PUBLIC_DOMAIN={{ host }}
MEET_SERVER_URLS=https://{{ host }}/meetmedia/api/
-WEBMAIL_URL=/roundcubemail
APP_URL=https://{{ host }}
ASSET_URL=https://{{ host }}
+DB_HOST=mariadb
+REDIS_HOST=redis
+IMAP_URI=ssl://kolab:11993
+LDAP_HOSTS=kolab
+
MOLLIE_KEY=
STRIPE_KEY=
STRIPE_PUBLIC_KEY=
STRIPE_WEBHOOK_SECRET=
OCTANE_HTTP_HOST={{ host }}
OPENEXCHANGERATES_API_KEY={{ openexchangerates_api_key }}
FIREBASE_API_KEY={{ firebase_api_key }}
#Generated by php artisan passport:client --password, but can be left hardcoded (the seeder will pick it up)
PASSPORT_PROXY_OAUTH_CLIENT_ID=942edef5-3dbd-4a14-8e3e-d5d59b727bee
PASSPORT_PROXY_OAUTH_CLIENT_SECRET=L6L0n56ecvjjK0cJMjeeV1pPAeffUBO0YSSH63wf
#Generated by php artisan passport:client --password, but can be left hardcoded (the seeder will pick it up)
PASSPORT_COMPANIONAPP_OAUTH_CLIENT_ID=9566e018-f05d-425c-9915-420cdb9258bb
PASSPORT_COMPANIONAPP_OAUTH_CLIENT_SECRET=XjgV6SU9shO0QFKaU6pQPRC5rJpyRezDJTSoGLgz
-APP_TENANT_ID=42
APP_PASSPHRASE=simple123
-MAIL_DRIVER=log
-
KOLAB_SSL_CERTIFICATE=/etc/letsencrypt/live/{{ host }}/cert.pem
KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/letsencrypt/live/{{ host }}/fullchain.pem
KOLAB_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/{{ host }}/privkey.pem
PROXY_SSL_CERTIFICATE=/etc/letsencrypt/live/{{ host }}/fullchain.pem
PROXY_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/{{ host }}/privkey.pem
-
-NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/{{ host }}/fullchain.pem
-NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/{{ host }}/privkey.pem
-
-PGP_ENABLE=true
-PGP_BINARY=/usr/bin/gpg
-PGP_AGENT=/usr/bin/gpg-agent
-PGP_GPGCONF=/usr/bin/gpgconf
-
diff --git a/bin/backup.sh b/bin/backup.sh
new file mode 100755
index 00000000..547f865e
--- /dev/null
+++ b/bin/backup.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+mkdir -p backup
+
+backup_path="$(pwd)/backup/"
+
+function backup_volume {
+ volume_name=$1
+ backup_destination=$2
+
+ echo "Backing up $volume_name to $backup_destination"
+ docker run --rm -v $volume_name:/data -v $backup_destination:/backup quay.io/centos/centos:stream8 tar -zcvf /backup/$volume_name.tar /data
+}
+
+echo "Stopping containers"
+docker-compose stop
+
+echo "Backing up volumes"
+volumes=($(docker volume ls -f name=kolab | awk '{if (NR > 1) print $2}'))
+for v in "${volumes[@]}"
+do
+ backup_volume $v $backup_path
+done
+
+echo "Restarting containers"
+docker-compose start
diff --git a/bin/quickstart.sh b/bin/quickstart.sh
index d20e6efd..224b4637 100755
--- a/bin/quickstart.sh
+++ b/bin/quickstart.sh
@@ -1,140 +1,157 @@
#!/bin/bash
set -e
function die() {
echo "$1"
exit 1
}
rpm -qv docker-compose >/dev/null 2>&1 || \
test ! -z "$(which docker-compose 2>/dev/null)" || \
die "Is docker-compose installed?"
test ! -z "$(grep 'systemd.unified_cgroup_hierarchy=0' /proc/cmdline)" || \
die "systemd containers only work with cgroupv1 (use 'grubby --update-kernel=ALL --args=\"systemd.unified_cgroup_hierarchy=0\"' and a reboot to fix)"
base_dir=$(dirname $(dirname $0))
# Always reset .env with .env.example
cp src/.env.example src/.env
if [ -f "src/env.local" ]; then
# Ensure there's a line ending
echo "" >> src/.env
cat src/env.local >> src/.env
fi
export DOCKER_BUILDKIT=0
+COMPOSE_ARGS=
+if [ "$1" != "--nodev" ]; then
+ COMPOSE_ARGS="-f docker-compose.yml -f docker-compose.local.yml"
+fi
docker-compose down --remove-orphans
-src/artisan octane:stop >/dev/null 2>&1 || :
-src/artisan horizon:terminate >/dev/null 2>&1 || :
-
-docker-compose build coturn kolab mariadb meet pdns proxy redis haproxy
+docker volume rm kolab_mariadb || :
+docker volume rm kolab_imap || :
+docker volume rm kolab_ldap || :
+
+if [ "$1" != "--nodev" ]; then
+ src/artisan octane:stop >/dev/null 2>&1 || :
+ src/artisan horizon:terminate >/dev/null 2>&1 || :
+else
+ # If we switch from an existing development setup to a compose deployment,
+ # we don't have a nice way to terminate octane/horizon.
+ # We can't use the artisan command because it will just block if redis is,
+ # no longer available, so we just kill all artisan processes running.
+ pkill -9 -f artisan || :
+fi
bin/regen-certs
-
-docker-compose up -d coturn kolab mariadb meet pdns proxy redis haproxy
+docker-compose build coturn kolab mariadb meet pdns proxy redis haproxy
+docker-compose ${COMPOSE_ARGS} up -d coturn kolab mariadb meet pdns redis
# Workaround until we have docker-compose --wait (https://github.com/docker/compose/pull/8777)
function wait_for_container {
container_id="$1"
container_name="$(docker inspect "${container_id}" --format '{{ .Name }}')"
echo "Waiting for container: ${container_name} [${container_id}]"
waiting_done="false"
while [[ "${waiting_done}" != "true" ]]; do
container_state="$(docker inspect "${container_id}" --format '{{ .State.Status }}')"
if [[ "${container_state}" == "running" ]]; then
health_status="$(docker inspect "${container_id}" --format '{{ .State.Health.Status }}')"
echo "${container_name}: container_state=${container_state}, health_status=${health_status}"
if [[ ${health_status} == "healthy" ]]; then
waiting_done="true"
fi
else
echo "${container_name}: container_state=${container_state}"
waiting_done="true"
fi
sleep 1;
done;
}
-# Ensure the containers we depend on are fully started
-wait_for_container 'kolab'
-wait_for_container 'kolab-redis'
-
if [ "$1" == "--nodev" ]; then
echo "starting everything in containers"
- docker-compose build swoole
+ docker-compose -f docker-compose.build.yml build swoole
docker-compose build webapp
- docker-compose up -d webapp proxy
+ docker-compose up -d webapp proxy haproxy
wait_for_container 'kolab-webapp'
exit 0
fi
echo "Starting the development environment"
rpm -qv composer >/dev/null 2>&1 || \
test ! -z "$(which composer 2>/dev/null)" || \
die "Is composer installed?"
rpm -qv npm >/dev/null 2>&1 || \
test ! -z "$(which npm 2>/dev/null)" || \
die "Is npm installed?"
rpm -qv php >/dev/null 2>&1 || \
test ! -z "$(which php 2>/dev/null)" || \
die "Is php installed?"
rpm -qv php-ldap >/dev/null 2>&1 || \
test ! -z "$(php --ini | grep ldap)" || \
die "Is php-ldap installed?"
rpm -qv php-mysqlnd >/dev/null 2>&1 || \
test ! -z "$(php --ini | grep mysql)" || \
die "Is php-mysqlnd installed?"
test ! -z "$(php --modules | grep swoole)" || \
die "Is swoole installed?"
+# Ensure the containers we depend on are fully started
+wait_for_container 'kolab'
+wait_for_container 'kolab-redis'
+
pushd ${base_dir}/src/
rm -rf vendor/ composer.lock
php -dmemory_limit=-1 $(which composer) install
npm install
find bootstrap/cache/ -type f ! -name ".gitignore" -delete
./artisan key:generate
./artisan clear-compiled
./artisan cache:clear
./artisan horizon:install
if [ ! -f storage/oauth-public.key -o ! -f storage/oauth-private.key ]; then
./artisan passport:keys --force
fi
cat >> .env << EOF
PASSPORT_PRIVATE_KEY="$(cat storage/oauth-private.key)"
PASSPORT_PUBLIC_KEY="$(cat storage/oauth-public.key)"
EOF
if rpm -qv chromium 2>/dev/null; then
chver=$(rpmquery --queryformat="%{VERSION}" chromium | awk -F'.' '{print $1}')
./artisan dusk:chrome-driver ${chver}
fi
if [ ! -f 'resources/countries.php' ]; then
./artisan data:countries
fi
npm run dev
popd
pushd ${base_dir}/src/
rm -rf database/database.sqlite
./artisan db:ping --wait
php -dmemory_limit=512M ./artisan migrate:refresh --seed
./artisan data:import || :
nohup ./artisan octane:start --host=$(grep OCTANE_HTTP_HOST .env | tail -n1 | sed "s/OCTANE_HTTP_HOST=//") > octane.out &
nohup ./artisan horizon > horizon.out &
+
popd
+
+docker-compose ${COMPOSE_ARGS} up --no-deps -d proxy haproxy
diff --git a/bin/restore.sh b/bin/restore.sh
new file mode 100755
index 00000000..b763cff8
--- /dev/null
+++ b/bin/restore.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+backup_path="$(pwd)/backup/"
+
+function restore_volume {
+ volume_name=$1
+ backup_destination=$2
+
+ echo "Restoring $volume_name from $backup_destination"
+ docker run --rm -v $volume_name:/data -v $backup_destination:/backup quay.io/centos/centos:stream8 bash -c "rm -rf /data/* && tar xvf /backup/$volume_name.tar -C /data --strip 1"
+}
+
+echo "Stopping containers"
+docker-compose stop
+
+# We currently expect the volumes to exist.
+# We could alternatively create volumes form existing tar files
+# for f in backup/*.tar; do
+# echo "$(basename $f .tar)" ;
+# done
+
+echo "Restoring volumes"
+volumes=($(docker volume ls -f name=kolab | awk '{if (NR > 1) print $2}'))
+for v in "${volumes[@]}"
+do
+ restore_volume $v $backup_path
+done
+echo "Restarting containers"
+docker-compose start
+
diff --git a/bin/update.sh b/bin/update.sh
new file mode 100755
index 00000000..45a9ed3b
--- /dev/null
+++ b/bin/update.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+docker-compose down --remove-orphans
+docker-compose build coturn kolab mariadb meet pdns proxy redis haproxy webapp
+bin/regen-certs
+docker-compose up -d coturn kolab mariadb meet pdns proxy redis haproxy webapp
diff --git a/ci/Makefile b/ci/Makefile
index 65287295..5a1c5a88 100644
--- a/ci/Makefile
+++ b/ci/Makefile
@@ -1,29 +1,29 @@
HOSTNAME=ci.local
PUBLIC_IP=127.0.0.1
OPENEXCHANGERATES_API_KEY=dummy
FIREBASE_API_KEY=dummy
PWD=$(shell pwd)
configure:
cd .. ; \
cp ci/env.local src/env.local ; \
sed -i 's/{{ host }}/${HOSTNAME}/g' src/env.local ; \
sed -i 's/{{ public_ip }}/${PUBLIC_IP}/g' src/env.local ; \
sed -i 's/{{ openexchangerates_api_key }}/${OPENEXCHANGERATES_API_KEY}/g' src/env.local ; \
sed -i 's/{{ firebase_api_key }}/${FIREBASE_API_KEY}/g' src/env.local ;
setup:
cd .. && bin/quickstart.sh --nodev
build:
- cd .. && DOCKER_BUILDKIT=0 docker compose build swoole && DOCKER_BUILDKIT=0 docker compose build tests && cd ci
+ cd .. && DOCKER_BUILDKIT=0 docker compose -f docker-compose.yml -f docker-compose.build.yml build swoole && DOCKER_BUILDKIT=0 docker compose -f docker-compose.yml -f docker-compose.build.yml build tests && cd ci
lint:
docker run -v ${PWD}/../:/src/kolab.orig -t kolab-tests /lint.sh
test:
- docker run --network=host -v ${PWD}/../src:/src/kolabsrc.orig -t kolab-tests /init.sh
+ docker run --network=kolab_kolab -v ${PWD}/../src:/src/kolabsrc.orig -t kolab-tests /init.sh
all: configure setup build lint test
diff --git a/ci/env.local b/ci/env.local
index 5b322dd7..3991e0db 100644
--- a/ci/env.local
+++ b/ci/env.local
@@ -1,46 +1,49 @@
-MFA_DSN=mysql://root:Welcome2KolabSystems@127.0.0.1/roundcube
+MFA_DSN=mysql://root:Welcome2KolabSystems@mariadb/roundcube
APP_DOMAIN={{ host }}
APP_WEBSITE_DOMAIN={{ host }}
APP_KEY=base64:FG6ECzyAMSmyX+eYwO/FW3bwnarbKkBhqtO65vlMb1E=
APP_PUBLIC_URL=https://{{ host }}
COTURN_STATIC_SECRET=uzYguvIl9tpZFMuQOE78DpOi6Jc7VFSD0UAnvgMsg5n4e74MgIf6vQvbc6LWzZjz
COTURN_PUBLIC_IP='{{ public_ip }}'
MEET_TURN_SERVER='turn:{{ public_ip }}:3478'
MEET_WEBRTC_LISTEN_IP='{{ public_ip }}'
MEET_PUBLIC_DOMAIN={{ host }}
MEET_SERVER_URLS=https://{{ host }}/meetmedia/api/
+MEET_LISTENING_HOST=172.18.0.1
WEBMAIL_URL=/roundcubemail
APP_URL=https://{{ host }}
ASSET_URL=https://{{ host }}
+DB_HOST=mariadb
+REDIS_HOST=redis
+IMAP_URI=ssl://kolab:11993
+LDAP_HOSTS=kolab
+
MOLLIE_KEY=
STRIPE_KEY=
STRIPE_PUBLIC_KEY=
STRIPE_WEBHOOK_SECRET=
OCTANE_HTTP_HOST={{ host }}
OPENEXCHANGERATES_API_KEY={{ openexchangerates_api_key }}
FIREBASE_API_KEY={{ firebase_api_key }}
#Generated by php artisan passport:client --password, but can be left hardcoded (the seeder will pick it up)
PASSPORT_PROXY_OAUTH_CLIENT_ID=942edef5-3dbd-4a14-8e3e-d5d59b727bee
PASSPORT_PROXY_OAUTH_CLIENT_SECRET=L6L0n56ecvjjK0cJMjeeV1pPAeffUBO0YSSH63wf
#Generated by php artisan passport:client --password, but can be left hardcoded (the seeder will pick it up)
PASSPORT_COMPANIONAPP_OAUTH_CLIENT_ID=9566e018-f05d-425c-9915-420cdb9258bb
PASSPORT_COMPANIONAPP_OAUTH_CLIENT_SECRET=XjgV6SU9shO0QFKaU6pQPRC5rJpyRezDJTSoGLgz
APP_TENANT_ID=42
APP_PASSPHRASE=simple123
MAIL_DRIVER=log
KOLAB_SSL_CERTIFICATE=/etc/pki/tls/certs/kolab.hosted.com.cert
KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/pki/tls/certs/kolab.hosted.com.chain.pem
KOLAB_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/kolab.hosted.com.key
-PROXY_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert
-PROXY_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key
-
-NGINX_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert
-NGINX_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key
+PROXY_SSL_CERTIFICATE=/etc/certs/imap.hosted.com.cert
+PROXY_SSL_CERTIFICATE_KEY=/etc/certs/imap.hosted.com.key
diff --git a/docker-compose.build.yml b/docker-compose.build.yml
new file mode 100644
index 00000000..3de06dd4
--- /dev/null
+++ b/docker-compose.build.yml
@@ -0,0 +1,12 @@
+version: '3'
+services:
+ swoole:
+ build:
+ context: ./docker/swoole/
+ container_name: kolab-swoole
+ image: apheleia/swoole:4.8.x
+ tests:
+ build:
+ context: ./docker/tests/
+ container_name: kolab-tests
+ image: kolab-tests
diff --git a/docker-compose.local.yml b/docker-compose.local.yml
new file mode 100644
index 00000000..528a53a4
--- /dev/null
+++ b/docker-compose.local.yml
@@ -0,0 +1,21 @@
+version: '3'
+services:
+ kolab:
+ ports:
+ - "389:389"
+ - "8880:8880"
+ - "8443:8443"
+ - "10143:10143"
+ - "10587:10587"
+ - "11143:11143"
+ - "11993:11993"
+ - "12143:12143"
+ mariadb:
+ ports:
+ - "3306:3306"
+ redis:
+ ports:
+ - "6379:6379"
+ proxy:
+ extra_hosts:
+ - "webapp:127.0.0.1"
diff --git a/docker-compose.yml b/docker-compose.yml
index c7638cf8..4dd05111 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,226 +1,274 @@
version: '3'
services:
coturn:
build:
context: ./docker/coturn/
container_name: kolab-coturn
healthcheck:
interval: 10s
test: "kill -0 $$(cat /tmp/turnserver.pid)"
timeout: 5s
retries: 30
environment:
- TURN_PUBLIC_IP=${COTURN_PUBLIC_IP}
- TURN_LISTEN_PORT=3478
- TURN_STATIC_SECRET=${COTURN_STATIC_SECRET}
hostname: sturn.mgmt.com
image: kolab-coturn
network_mode: host
restart: on-failure
tty: true
kolab:
build:
context: ./docker/kolab/
container_name: kolab
privileged: true
depends_on:
mariadb:
condition: service_healthy
+ pdns:
+ condition: service_healthy
extra_hosts:
- "kolab.mgmt.com:127.0.0.1"
environment:
- - DB_HOST=${DB_HOST}
+ - LDAP_HOST=127.0.0.1
+ - LDAP_ADMIN_BIND_DN="cn=Directory Manager"
+ - LDAP_ADMIN_BIND_PW=Welcome2KolabSystems
+ - DB_HOST=mariadb
- DB_ROOT_PASSWORD=Welcome2KolabSystems
- DB_HKCCP_DATABASE=${DB_DATABASE}
- DB_HKCCP_USERNAME=${DB_USERNAME}
- DB_HKCCP_PASSWORD=${DB_PASSWORD}
- DB_KOLAB_DATABASE=kolab
- DB_KOLAB_USERNAME=kolab
- DB_KOLAB_PASSWORD=Welcome2KolabSystems
- DB_RC_USERNAME=roundcube
- DB_RC_PASSWORD=Welcome2KolabSystems
- SSL_CERTIFICATE=${KOLAB_SSL_CERTIFICATE:?err}
- SSL_CERTIFICATE_FULLCHAIN=${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?err}
- SSL_CERTIFICATE_KEY=${KOLAB_SSL_CERTIFICATE_KEY:?err}
- IMAP_HOST=127.0.0.1
- IMAP_PORT=11993
- MAIL_HOST=127.0.0.1
- MAIL_PORT=10587
healthcheck:
interval: 10s
- test: test -f /tmp/kolab-init.done
+ test: "systemctl is-active kolab-init || exit 1"
timeout: 5s
retries: 30
+ start_period: 5m
+ # This makes docker's dns, resolve via pdns for this container.
+ # Please note it does not affect /etc/resolv.conf
+ dns: 172.18.0.11
hostname: kolab.mgmt.com
image: kolab
- network_mode: host
+ networks:
+ kolab:
+ ipv4_address: 172.18.0.5
+ ports:
+ - "12143:12143"
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
tty: true
volumes:
- ./ext/:/src/:ro
- /etc/letsencrypt/:/etc/letsencrypt/:ro
- ./docker/certs/ca.cert:/etc/pki/tls/certs/ca.cert:ro
- ./docker/certs/ca.cert:/etc/pki/ca-trust/source/anchors/ca.cert:ro
- - ./docker/certs/kolab.hosted.com.cert:/etc/pki/tls/certs/kolab.hosted.com.cert
- - ./docker/certs/kolab.hosted.com.chain.pem:/etc/pki/tls/certs/kolab.hosted.com.chain.pem
- - ./docker/certs/kolab.hosted.com.key:/etc/pki/tls/certs/kolab.hosted.com.key
+ - ./docker/certs/kolab.hosted.com.cert:${KOLAB_SSL_CERTIFICATE:?err}
+ - ./docker/certs/kolab.hosted.com.chain.pem:${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?err}
+ - ./docker/certs/kolab.hosted.com.key:${KOLAB_SSL_CERTIFICATE_KEY:?err}
- ./docker/kolab/utils:/root/utils:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro
+ - imap:/imapdata
+ - ldap:/ldapdata
mariadb:
container_name: kolab-mariadb
environment:
- MYSQL_ROOT_PASSWORD: Welcome2KolabSystems
- TZ: "+02:00"
+ - MARIADB_ROOT_PASSWORD=Welcome2KolabSystems
+ - TZ="+02:00"
+ - DB_HKCCP_DATABASE=${DB_DATABASE}
+ - DB_HKCCP_USERNAME=${DB_USERNAME}
+ - DB_HKCCP_PASSWORD=${DB_PASSWORD}
healthcheck:
interval: 10s
test: test -e /var/run/mysqld/mysqld.sock
timeout: 5s
retries: 30
- image: mariadb
- network_mode: host
+ image: mariadb:latest
+ networks:
+ - kolab
+ volumes:
+ - ./docker/mariadb/mysql-init/:/docker-entrypoint-initdb.d/
+ - mariadb:/var/lib/mysql
haproxy:
+ depends_on:
+ proxy:
+ condition: service_healthy
build:
context: ./docker/haproxy/
healthcheck:
interval: 10s
test: "kill -0 $$(cat /var/run/haproxy.pid)"
timeout: 5s
retries: 30
container_name: kolab-haproxy
hostname: haproxy.hosted.com
image: kolab-haproxy
- network_mode: host
+ networks:
+ - kolab
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
tty: true
volumes:
- ./docker/certs/:/etc/certs/:ro
- /etc/letsencrypt/:/etc/letsencrypt/:ro
pdns:
build:
context: ./docker/pdns/
container_name: kolab-pdns
+ hostname: pdns
depends_on:
mariadb:
condition: service_healthy
healthcheck:
interval: 10s
test: "systemctl status pdns || exit 1"
timeout: 5s
retries: 30
- hostname: pdns
- image: apheleia/kolab-pdns
- network_mode: host
+ image: kolab-pdns
+ networks:
+ kolab:
+ ipv4_address: 172.18.0.11
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
tty: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
proxy:
+ depends_on:
+ kolab:
+ condition: service_healthy
+ webapp:
+ condition: service_healthy
build:
context: ./docker/proxy/
args:
APP_WEBSITE_DOMAIN: ${APP_WEBSITE_DOMAIN:?err}
SSL_CERTIFICATE: ${PROXY_SSL_CERTIFICATE:?err}
SSL_CERTIFICATE_KEY: ${PROXY_SSL_CERTIFICATE_KEY:?err}
healthcheck:
interval: 10s
test: "kill -0 $$(cat /run/nginx.pid)"
timeout: 5s
retries: 30
container_name: kolab-proxy
- hostname: ${APP_WEBSITE_DOMAIN:?err}
+ hostname: proxy
image: kolab-proxy
- network_mode: host
+ extra_hosts:
+ - "meet:${MEET_LISTENING_HOST}"
+ networks:
+ kolab:
+ ipv4_address: 172.18.0.7
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
tty: true
volumes:
- ./docker/certs/:/etc/certs/:ro
- /etc/letsencrypt/:/etc/letsencrypt/:ro
+ ports:
+ # - "80:80"
+ - "443:443"
+ - "465:465"
+ - "587:587"
+ - "143:143"
+ - "993:993"
redis:
build:
context: ./docker/redis/
healthcheck:
interval: 10s
test: "redis-cli ping || exit 1"
timeout: 5s
retries: 30
container_name: kolab-redis
hostname: redis
image: redis
- network_mode: host
+ networks:
+ - kolab
volumes:
- ./docker/redis/redis.conf:/usr/local/etc/redis/redis.conf:ro
- swoole:
- build:
- context: ./docker/swoole/
- container_name: kolab-swoole
- image: apheleia/swoole:4.8.x
+ # ports:
+ # - "6379:6379"
webapp:
build:
context: ./docker/webapp/
container_name: kolab-webapp
image: kolab-webapp
healthcheck:
interval: 10s
test: "/src/kolabsrc/artisan octane:status || exit 1"
timeout: 5s
retries: 30
+ start_period: 5m
depends_on:
kolab:
condition: service_healthy
- network_mode: host
- volumes:
- - ./src:/src/kolabsrc.orig:ro
- tests:
- build:
- context: ./docker/tests/
- container_name: kolab-tests
- image: kolab-tests
- depends_on:
- kolab:
+ redis:
condition: service_healthy
- network_mode: host
+ networks:
+ - kolab
volumes:
- ./src:/src/kolabsrc.orig:ro
+ ports:
+ - "8000:8000"
meet:
build:
context: ./docker/meet/
healthcheck:
interval: 10s
- test: "curl --insecure -H 'X-AUTH-TOKEN: ${MEET_SERVER_TOKEN}' --fail https://localhost:12443/meetmedia/api/health || exit 1"
+ test: "curl --insecure -H 'X-AUTH-TOKEN: ${MEET_SERVER_TOKEN}' --fail https://${MEET_LISTENING_HOST}:12443/meetmedia/api/health || exit 1"
timeout: 5s
retries: 30
+ start_period: 5m
environment:
- WEBRTC_LISTEN_IP=${MEET_WEBRTC_LISTEN_IP:?err}
- PUBLIC_DOMAIN=${MEET_PUBLIC_DOMAIN:?err}
- - LISTENING_HOST=0.0.0.0
+ - LISTENING_HOST=${MEET_LISTENING_HOST:?err}
- LISTENING_PORT=12443
- TURN_SERVER=${MEET_TURN_SERVER}
- TURN_STATIC_SECRET=${COTURN_STATIC_SECRET}
- AUTH_TOKEN=${MEET_SERVER_TOKEN:?err}
- WEBHOOK_TOKEN=${MEET_WEBHOOK_TOKEN:?err}
- WEBHOOK_URL=${APP_PUBLIC_URL:?err}/api/webhooks/meet
- SSL_CERT=/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN:?err}.cert
- SSL_KEY=/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN:?err}.key
network_mode: host
container_name: kolab-meet
image: kolab-meet
volumes:
- ./meet/server:/src/meet/:ro
- ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.cert:/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN}.cert
- ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.key:/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN}.key
+networks:
+ kolab:
+ driver: bridge
+ ipam:
+ config:
+ - subnet: "172.18.0.0/24"
+volumes:
+ mariadb:
+ imap:
+ ldap:
diff --git a/docker/haproxy/haproxy.cfg b/docker/haproxy/haproxy.cfg
index 766dcb38..faf42206 100644
--- a/docker/haproxy/haproxy.cfg
+++ b/docker/haproxy/haproxy.cfg
@@ -1,76 +1,76 @@
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 100
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
# mode http
log global
# option httplog
# option dontlognull
# option http-server-close
# option forwardfor except 127.0.0.0/8
# option redispatch
# retries 3
# timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
# timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend ft_imap
# Accept the proxy protocol
bind :145 accept-proxy
mode tcp
default_backend bk_imap
backend bk_imap
mode tcp
# imap connections are usually long
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
# NGINX imap with proxy protocol enabled
- server s1 127.0.0.1:144 check send-proxy-v2
+ server s1 proxy:144 check send-proxy-v2
diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile
index c1e4ad6a..7dbd2fd9 100644
--- a/docker/kolab/Dockerfile
+++ b/docker/kolab/Dockerfile
@@ -1,58 +1,75 @@
FROM quay.io/centos/centos:stream8
LABEL maintainer="contact@apheleia-it.ch"
LABEL dist=centos8
LABEL tier=${TIER}
ENV SYSTEMD_PAGER=''
ENV DISTRO=centos8
ENV LANG=en_US.utf8
ENV LC_ALL=en_US.utf8
# Add EPEL.
RUN dnf config-manager --set-enabled powertools && \
dnf -y install \
epel-release epel-next-release && \
dnf -y module enable 389-directory-server:stable/default && \
dnf -y module enable mariadb:10.3 && \
+ dnf -y install iputils vim-enhanced bind-utils && \
dnf clean all
RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
# Install kolab
RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \
rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el8stream.rpm
RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \
dnf config-manager --enable kolab-16-testing &&\
dnf -y --setopt tsflags= install kolab dnsmasq patch &&\
dnf clean all
COPY kolab-init.service /etc/systemd/system/kolab-init.service
COPY kolab-setenv.service /etc/systemd/system/kolab-setenv.service
-COPY kolab-vlv.service /etc/systemd/system/kolab-vlv.service
COPY utils /root/utils
RUN rm -rf /etc/systemd/system/multi-user.target.wants/{avahi-daemon,sshd}.* && \
ln -s /etc/systemd/system/kolab-init.service \
/etc/systemd/system/multi-user.target.wants/kolab-init.service && \
ln -s /etc/systemd/system/kolab-setenv.service \
- /etc/systemd/system/multi-user.target.wants/kolab-setenv.service && \
- ln -s /etc/systemd/system/kolab-vlv.service \
- /etc/systemd/system/multi-user.target.wants/kolab-vlv.service
+ /etc/systemd/system/multi-user.target.wants/kolab-setenv.service
-RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || :
+RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || :
RUN sed -i -r -e 's/^Listen 80$/Listen 9080/g' /etc/httpd/conf/httpd.conf
#RUN sed -i -r -e 's/^Listen 443$/Listen 9443/g' /etc/httpd/conf/httpd.conf
COPY kolab-init.sh /usr/local/sbin/
RUN chmod 750 /usr/local/sbin/kolab-init.sh
-COPY kolab-vlv.sh /usr/local/sbin/
-RUN chmod 750 /usr/local/sbin/kolab-vlv.sh
+
+COPY kolab.conf /etc/kolab/kolab.conf
+COPY cyrus.conf /etc/cyrus.conf
+COPY imapd.conf /etc/imapd.conf
+COPY imapd.annotations.conf /etc/imapd.annotations.conf
+COPY guam.conf /etc/guam/sys.config
+
+
+RUN mkdir -p /imapdata/{spool,lib} && \
+ rm -rf /var/spool/imap && ln -s /imapdata/spool /var/spool/imap && \
+ mv /var/lib/imap /var/lib/imap-bak && ln -s /imapdata/lib /var/lib/imap && \
+ chmod -R 777 /imapdata && \
+ chown cyrus:mail /var/spool/imap /var/lib/imap
+
+RUN mkdir -p /ldapdata/{config,ssca,run} /var/run/dirsrv && \
+ ln -s /ldapdata/config /etc/dirsrv/slapd-kolab && \
+ ln -s /ldapdata/ssca /etc/dirsrv/ssca && \
+ ln -s /ldapdata/run /var/run/dirsrv && \
+ chmod -R 777 /ldapdata /etc/dirsrv
VOLUME [ "/sys/fs/cgroup" ]
+VOLUME [ "/imapdata" ]
+VOLUME [ "/ldapdata" ]
WORKDIR /root/
CMD ["/lib/systemd/systemd"]
EXPOSE 21/tcp 22/tcp 25/tcp 53/tcp 53/udp 80/tcp 110/tcp 389/tcp 443/tcp 995/tcp 5353/udp 8880/tcp 8443/tcp 8447/tcp 10143/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp
diff --git a/docker/kolab/cyrus.conf b/docker/kolab/cyrus.conf
new file mode 100644
index 00000000..96518409
--- /dev/null
+++ b/docker/kolab/cyrus.conf
@@ -0,0 +1,46 @@
+# standard standalone server implementation
+
+START {
+ # do not delete this entry!
+ recover cmd="ctl_cyrusdb -r"
+
+ idled cmd="idled"
+}
+
+# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
+SERVICES {
+ nginx cmd="imapd" listen=0.0.0.0:12143 prefork=1
+ guam cmd="imapd" listen=0.0.0.0:13143 prefork=1
+ imap cmd="imapd" listen=0.0.0.0:11143 prefork=1
+ imaps cmd="imapd -s" listen=0.0.0.0:11993 prefork=5
+
+ sieve cmd="timsieved" listen="sieve" prefork=0
+
+ ptloader cmd="ptloader" listen="/var/lib/imap/socket/ptsock" prefork=0
+
+ lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
+
+ notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
+}
+
+EVENTS {
+ # this is required
+ checkpoint cmd="ctl_cyrusdb -c" period=30
+
+ # this is only necessary if using duplicate delivery suppression,
+ # Sieve or NNTP
+ duplicateprune cmd="cyr_expire -E 3" at=0400
+
+ # Expire data older then 69 days. Two full months of 31 days
+ # each includes two full backup cycles, plus 1 week margin
+ # because we run our full backups on the first sat/sun night
+ # of each month.
+ deleteprune cmd="cyr_expire -E 4 -D 69" at=0430
+ expungeprune cmd="cyr_expire -E 4 -X 69" at=0445
+
+ # this is only necessary if caching TLS sessions
+ tlsprune cmd="tls_prune" at=0400
+
+ # Create search indexes regularly (remove -s for cyrus 3+)
+ #squatter cmd="squatter -s -i" at=0530
+}
diff --git a/docker/kolab/utils/10-change-port-numbers.sh b/docker/kolab/guam.conf
old mode 100755
new mode 100644
similarity index 50%
rename from docker/kolab/utils/10-change-port-numbers.sh
rename to docker/kolab/guam.conf
index e69bdf58..fa99364d
--- a/docker/kolab/utils/10-change-port-numbers.sh
+++ b/docker/kolab/guam.conf
@@ -1,163 +1,88 @@
-#!/bin/bash
-
-cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
-chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
-
-cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
-chown postfix:mail /etc/pki/tls/private/postfix.pem
-chmod 655 /etc/pki/tls/private/postfix.pem
-
-sed -i "s/tls_server_cert:.*/tls_server_cert: \/etc\/pki\/cyrus-imapd\/cyrus-imapd.bundle.pem/" /etc/imapd.conf
-sed -i "s/tls_server_key:.*/tls_server_key: \/etc\/pki\/cyrus-imapd\/cyrus-imapd.bundle.pem/" /etc/imapd.conf
-sed -i "s/tls_server_ca_file:.*/tls_server_ca_file: \/etc\/pki\/cyrus-imapd\/cyrus-imapd.bundle.pem/" /etc/imapd.conf
-
-sed -i "s/smtpd_tls_key_file =.*/smtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
-sed -i "s/smtpd_tls_cert_file =.*/smtpd_tls_cert_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
-
-sed -i -r \
- -e '/allowplaintext/ a\
-guam_allowplaintext: yes' \
- -e '/allowplaintext/ a\
-nginx_allowplaintext: yes' \
- /etc/imapd.conf
-
-sed -i \
- -e '/SERVICES/ a\
- nginx cmd="imapd" listen=127.0.0.1:12143 prefork=1' \
- -e '/SERVICES/ a\
- guam cmd="imapd" listen=127.0.0.1:13143 prefork=1' \
- -e '/SERVICES/ a\
- imap cmd="imapd" listen=127.0.0.1:11143 prefork=1' \
- -e 's/listen="127.0.0.1:9993"/listen=127.0.0.1:11993/g' \
- /etc/cyrus.conf
-
-systemctl restart cyrus-imapd
-
-# Remove the submission block, by matching from submission until the next empty line
-sed -i -e '/submission inet/,/^$/d' /etc/postfix/master.cf
-
-# Insert a new submission block with a modified port
-cat >> /etc/postfix/master.cf << EOF
-127.0.0.1:10587 inet n - n - - smtpd
- -o cleanup_service_name=cleanup_submission
- -o syslog_name=postfix/submission
- #-o smtpd_tls_security_level=encrypt
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_sasl_authenticated_header=yes
- -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- -o smtpd_data_restrictions=\$submission_data_restrictions
- -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
- -o smtpd_sender_restrictions=\$submission_sender_restrictions
-
-127.0.0.1:10465 inet n - n - - smtpd
- -o cleanup_service_name=cleanup_submission
- -o rewrite_service_name=rewrite_submission
- -o syslog_name=postfix/smtps
- -o mydestination=
- -o local_recipient_maps=
- -o relay_domains=
- -o relay_recipient_maps=
- #-o smtpd_tls_wrappermode=yes
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_sasl_authenticated_header=yes
- -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- -o smtpd_sender_restrictions=\$submission_sender_restrictions
- -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
- -o smtpd_data_restrictions=\$submission_data_restrictions
-EOF
-
-systemctl restart postfix
-
-cat > /etc/guam/sys.config << EOF
-%% Example configuration for Guam.
[
{
kolab_guam, [
{
imap_servers, [
{
imap, [
{ host, "127.0.0.1" },
{ port, 13143 },
{ tls, no }
]
},
{
imaps, [
{ host, "127.0.0.1" },
{ port, 11993 },
{ tls, true }
]
}
]
},
{
listeners, [
{
imap, [
{ port, 9143 },
{ imap_server, imap },
{
rules, [
{ filter_groupware, [] }
]
},
{
tls_config, [
{ certfile, "/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem" },
{ keyfile, "/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem" },
{ cacertfile, "/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem" }
]
}
]
},
{
imaps, [
{ port, 9993 },
{ implicit_tls, true },
{ imap_server, imaps },
{
rules, [
{ filter_groupware, [] }
]
},
{
tls_config, [
{ certfile, "/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem" },
{ keyfile, "/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem" },
{ cacertfile, "/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem" }
]
}
]
}
]
}
]
},
{
lager, [
{
handlers, [
{ lager_console_backend, warning },
{ lager_file_backend, [ { file, "log/error.log"}, { level, error } ] },
{ lager_file_backend, [ { file, "log/console.log"}, { level, info } ] }
]
}
]
},
%% SASL config
{
sasl, [
{ sasl_error_logger, { file, "log/sasl-error.log" } },
{ errlog_type, error },
{ error_logger_mf_dir, "log/sasl" }, % Log directory
{ error_logger_mf_maxbytes, 10485760 }, % 10 MB max file size
{ error_logger_mf_maxfiles, 5 } % 5 files max
]
}
].
-EOF
-
-systemctl restart guam
diff --git a/docker/kolab/imapd.annotations.conf b/docker/kolab/imapd.annotations.conf
new file mode 100644
index 00000000..3b03bfad
--- /dev/null
+++ b/docker/kolab/imapd.annotations.conf
@@ -0,0 +1,11 @@
+/vendor/kolab/activesync,mailbox,string,backend,value.priv,r
+/vendor/kolab/color,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/displayname,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/folder-test,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/folder-type,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/incidences-for,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/pxfb-readable-for,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/uniqueid,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/h-share-attr-desc,mailbox,string,backend,value.shared value.priv,a
+/vendor/horde/share-params,mailbox,string,backend,value.shared value.priv,a
+/vendor/x-toltec/test,mailbox,string,backend,value.shared value.priv,a
diff --git a/docker/kolab/imapd.conf b/docker/kolab/imapd.conf
new file mode 100644
index 00000000..637aff77
--- /dev/null
+++ b/docker/kolab/imapd.conf
@@ -0,0 +1,58 @@
+defaultpartition: default
+configdirectory: /var/lib/imap/
+partition-default: /var/spool/imap/
+admins: cyrus-admin
+sievedir: /var/lib/imap/sieve/
+sendmail: /usr/sbin/sendmail
+sasl_pwcheck_method: saslauthd
+sasl_mech_list: PLAIN LOGIN
+allowplaintext: no
+guam_allowplaintext: yes
+nginx_allowplaintext: yes
+tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+# uncomment this if you're operating in a DSCP environment (RFC-4594)
+# qosmarking: af13
+auth_mech: pts
+pts_module: ldap
+ptloader_sock: /var/lib/imap/socket/ptsock
+ldap_uri: ldap://127.0.0.1:389
+ldap_sasl: 0
+ldap_base: dc=hosted,dc=com
+ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+ldap_password: Welcome2KolabSystems
+ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
+ldap_user_attribute: mail
+ldap_group_base: dc=mgmt,dc=com
+ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
+ldap_group_scope: one
+ldap_member_base: dc=mgmt,dc=com
+ldap_member_method: attribute
+ldap_member_attribute: nsrole
+ldap_restart: 1
+ldap_timeout: 10
+ldap_time_limit: 10
+unixhierarchysep: 1
+virtdomains: userid
+annotation_definitions: /etc/imapd.annotations.conf
+sieve_extensions: fileinto reject envelope body vacation imapflags notify include regex subaddress relational copy date index
+allowallsubscribe: 0
+allowusermoves: 1
+altnamespace: 1
+hashimapspool: 1
+anysievefolder: 1
+fulldirhash: 0
+sieveusehomedir: 0
+sieve_allowreferrals: 0
+lmtp_downcase_rcpt: 1
+lmtp_fuzzy_mailbox_match: 1
+username_tolower: 1
+deletedprefix: DELETED
+delete_mode: delayed
+expunge_mode: delayed
+postuser: shared
+# on systems with cyrus 3+ specify search engine
+# search_engine: squat
+ldap_domain_base_dn: ou=Domains,dc=mgmt,dc=com
+chatty: 1
+debug: 1
diff --git a/docker/kolab/kolab-init.service b/docker/kolab/kolab-init.service
index b293055d..91777dab 100644
--- a/docker/kolab/kolab-init.service
+++ b/docker/kolab/kolab-init.service
@@ -1,12 +1,13 @@
[Unit]
Description=Kolab Setup Service
Requires=kolab-setenv.service
-After=kolab-setenv.service
+After=kolab-setenv.service ldapdata.mount imapdata.mount
[Service]
Type=oneshot
EnvironmentFile=/etc/openshift-environment
ExecStart=/usr/local/sbin/kolab-init.sh
+RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
diff --git a/docker/kolab/kolab-init.sh b/docker/kolab/kolab-init.sh
index c9963115..8587e294 100755
--- a/docker/kolab/kolab-init.sh
+++ b/docker/kolab/kolab-init.sh
@@ -1,38 +1,15 @@
#!/bin/bash
-if [ -d "/etc/dirsrv/slapd-kolab/" ]; then
- exit 0
-fi
-
-cp -av /bin/true /usr/sbin/ds_systemd_ask_password_acl
-
pushd /root/utils/
./01-reverse-etc-hosts.sh && echo "01 done"
./02-write-my.cnf.sh && echo "02 done"
-./03-setup-kolab.sh && echo "03 done"
+./03-setup-ldap.sh && echo "03 ldap done"
+./03-setup-kolab.sh && echo "03 kolab done"
./04-reset-mysql-kolab-password.sh && echo "04 done"
-./05-replace-localhost.sh && echo "05 done"
-./06-mysql-for-kolabdev.sh && echo "06 done"
-./07-adjust-base-dns.sh && echo "07 done"
-./08-disable-amavisd.sh && echo "08 done"
-./09-enable-debugging.sh && echo "09 done"
-./10-change-port-numbers.sh && echo "10 done"
+./05-adjust-configs.sh && echo "05 done"
./10-reset-kolab-service-password.sh && echo "10 done"
./11-reset-cyrus-admin-password.sh && echo "11 done"
-./12-create-hosted-kolab-service.sh && echo "12 done"
-./13-create-ou-domains.sh && echo "13 done"
-./14-create-management-domain.sh && echo "14 done"
-./15-create-hosted-domain.sh && echo "15 done"
-./16-remove-cn-kolab-cn-config.sh && echo "16 done"
-./17-remove-hosted-service-access-from-mgmt-domain.sh && echo "17 done"
-./18-adjust-kolab-conf.sh && echo "18 done"
-./19-turn-on-vlv-in-roundcube.sh && echo "19 done"
-./20-add-alias-attribute-index.sh && echo "20 done"
-./21-adjust-postfix-config.sh && echo "21 done"
-# FIXME we can only create the resource once the owner exists
-#./22-create-resource.sh && echo "22 done"
./23-patch-system.sh && echo "23 done"
-./24-roundcubeconfig.sh && echo "24 done"
touch /tmp/kolab-init.done
diff --git a/docker/kolab/kolab-vlv.service b/docker/kolab/kolab-vlv.service
deleted file mode 100644
index 5bbef562..00000000
--- a/docker/kolab/kolab-vlv.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Kolab VLV and SSS Service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/sbin/kolab-vlv.sh
-
-[Install]
-WantedBy=multi-user.target
diff --git a/docker/kolab/kolab-vlv.sh b/docker/kolab/kolab-vlv.sh
deleted file mode 100755
index 49642b4b..00000000
--- a/docker/kolab/kolab-vlv.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-pushd /root/utils/
-
-while [ ! -f /tmp/kolab-init.done ]; do
- sleep 5
-done
-
-./50-add-vlv-searches.sh
-./51-add-vlv-indexes.sh
-./52-run-vlv-index-tasks.sh
diff --git a/docker/kolab/kolab.conf b/docker/kolab/kolab.conf
new file mode 100644
index 00000000..b320e19e
--- /dev/null
+++ b/docker/kolab/kolab.conf
@@ -0,0 +1,83 @@
+[kolab]
+primary_domain = mgmt.com
+auth_mechanism = ldap
+imap_backend = cyrus-imap
+default_locale = en_US
+sync_interval = 300
+domain_sync_interval = 600
+policy_uid = %(surname)s.lower()
+daemon_rcpt_policy = False
+[imap]
+virtual_domains = userid
+
+[ldap]
+ldap_uri = ldap://127.0.0.1:389
+timeout = 10
+supported_controls = 0,2,3
+base_dn = dc=mgmt,dc=com
+bind_dn = cn=Directory Manager
+bind_pw = Welcome2KolabSystems
+service_bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+service_bind_pw = Welcome2KolabSystems
+user_base_dn = dc=hosted,dc=com
+user_scope = sub
+user_filter = (objectclass=inetorgperson)
+kolab_user_base_dn = dc=hosted,dc=com
+kolab_user_filter = (objectclass=kolabinetorgperson)
+group_base_dn = dc=hosted,dc=com
+group_filter = (|(objectclass=groupofuniquenames)(objectclass=groupofurls))
+group_scope = sub
+kolab_group_filter = (|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))
+sharedfolder_base_dn = dc=hosted,dc=com
+sharedfolder_filter = (objectclass=kolabsharedfolder)
+sharedfolder_acl_entry_attribute = acl
+resource_base_dn = dc=hosted,dc=com
+resource_filter = (|%(group_filter)s(objectclass=kolabsharedfolder))
+domain_base_dn = ou=Domains,dc=mgmt,dc=com
+domain_filter = (&(associatedDomain=*))
+domain_name_attribute = associateddomain
+domain_rootdn_attribute = inetdomainbasedn
+quota_attribute = mailquota
+modifytimestamp_format = %Y%m%d%H%M%SZ
+unique_attribute = nsuniqueid
+mail_attributes = mail, alias
+mailserver_attribute = mailhost
+auth_attributes = mail, uid
+
+[kolab_smtp_access_policy]
+cache_uri = mysql://kolab:Welcome2KolabSystems@mariadb/kolab
+cache_retention = 86400
+address_search_attrs = mail, alias
+delegate_sender_header = True
+alias_sender_header = True
+sender_header = True
+xsender_header = True
+empty_sender_hosts = 3.2.1.0/24, 6.6.6.0/24
+
+[kolab_wap]
+mgmt_root_dn = dc=mgmt,dc=com
+hosted_root_dn = dc=hosted,dc=com
+api_url = http://127.0.0.1:9080/kolab-webadmin/api
+skin = default
+sql_uri = mysql://kolab:Welcome2KolabSystems@mariadb/kolab
+ssl_verify_peer = false
+ssl_verify_host = false
+
+[cyrus-imap]
+uri = imaps://127.0.0.1:11993
+admin_login = cyrus-admin
+admin_password = Welcome2KolabSystems
+
+[cyrus-sasl]
+result_attribute = mail
+
+[wallace]
+webmail_url = https://%(domain)s/roundcubemail
+modules = resources, invitationpolicy
+kolab_invitation_policy = ACT_ACCEPT_IF_NO_CONFLICT:example.org, ACT_MANUAL
+invitationpolicy_autoupdate_other_attendees_on_reply = false
+resource_calendar_expire_days = 100
+
+[mgmt.com]
+default_quota = 1048576
+daemon_rcpt_policy = False
diff --git a/docker/kolab/utils/02-write-my.cnf.sh b/docker/kolab/utils/02-write-my.cnf.sh
index b2d71b7d..5d116443 100755
--- a/docker/kolab/utils/02-write-my.cnf.sh
+++ b/docker/kolab/utils/02-write-my.cnf.sh
@@ -1,8 +1,8 @@
#!/bin/bash
cat > /root/.my.cnf << EOF
[client]
-host=${DB_HOST:-127.0.0.1}
+host=${DB_HOST}
user=root
password=${DB_ROOT_PASSWORD}
EOF
diff --git a/docker/kolab/utils/03-setup-kolab.sh b/docker/kolab/utils/03-setup-kolab.sh
index 6f85cf57..d9e65378 100755
--- a/docker/kolab/utils/03-setup-kolab.sh
+++ b/docker/kolab/utils/03-setup-kolab.sh
@@ -1,38 +1,86 @@
#!/bin/bash
. ./settings.sh
-if [ -f /root/kolab.conf.template ]; then
- eval "echo \"$(cat /root/kolab.conf.template)\"" > /root/kolab.conf.ref
- KOLAB_CONFIG_REF="--config=/root/kolab.conf.ref"
- cp -f ${KOLAB_CONFIG_REF#--config=} /etc/kolab/kolab.conf
-fi
-
-CMD="$(which setup-kolab) \
- --default ${LDAP_HOST+--without-ldap} ${KOLAB_CONFIG_REF} \
- --fqdn=kolab.${domain} \
- --timezone=Europe/Zurich \
- --mysqlhost=${DB_HOST:-127.0.0.1} \
- --mysqlserver=existing \
- --mysqlrootpw=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \
- --directory-manager-pwd=${LDAP_ADMIN_BIND_PW:-Welcome2KolabSystems}"
echo ${CMD} | tee -a /root/setup-kolab.log
echo -n "Wait for MariaDB container: " | tee -a /root/setup-kolab.log
while ! mysqladmin -u root ping > /dev/null 2>&1 ; do
echo -n '.'
sleep 3
done | tee -a /root/setup-kolab.log
echo "OK!" | tee -a /root/setup-kolab.log
-if [ ! -z "${LDAP_HOST}" ]; then
- echo -n "Wait for DS389 container: " | tee -a /root/setup-kolab.log
- while ! ldapsearch -h ${LDAP_HOST} -D "${LDAP_ADMIN_BIND_DN}" -w "${LDAP_ADMIN_BIND_PW}" -b "" -s base > /dev/null 2>&1 ; do
- echo -n '.'
- sleep 3
- done | tee -a /root/setup-kolab.log
- echo "OK!" | tee -a /root/setup-kolab.log
+echo -n "Wait for DS389 container: " | tee -a /root/setup-kolab.log
+while ! ldapsearch -h ${LDAP_HOST} -D "${LDAP_ADMIN_BIND_DN}" -w "${LDAP_ADMIN_BIND_PW}" -b "" -s base > /dev/null 2>&1 ; do
+ echo -n '.'
+ sleep 3
+done | tee -a /root/setup-kolab.log
+echo "OK!" | tee -a /root/setup-kolab.log
+
+
+cat > /tmp/kolab-setup-my.cnf << EOF
+[client]
+host=${DB_HOST}
+user=root
+password=${DB_ROOT_PASSWORD}
+EOF
+
+
+CMD="$(which setup-kolab) mta \
+ --default"
+${CMD} 2>&1 | tee -a /root/setup-kolab.log
+
+
+
+CMD="$(which setup-kolab) php \
+ --default \
+ --timezone=Europe/Zurich"
+${CMD} 2>&1 | tee -a /root/setup-kolab.log
+
+# setup imap
+if [ -f "/var/lib/imap/db" ]; then
+ echo "IMAP directory exists, nothing to do"
+else
+ echo "Initializing IMAP volume"
+ cp -ar /var/lib/imap-bak/* /var/lib/imap/
+ systemctl start cyrus-imapd
fi
+systemctl stop saslauthd
+systemctl start kolab-saslauthd
+systemctl enable kolab-saslauthd
+#Setup guam
+systemctl start guam
+systemctl enable guam
+
+
+#TODO just add /etc/kolab-freebusy/
+# CMD="$(which setup-kolab) freebusy \
+# --default"
+# ${CMD} 2>&1 | tee -a /root/setup-kolab.log
+
+cat > /tmp/kolab-setup-my.cnf << EOF
+[client]
+host=${DB_HOST}
+user=root
+password=${DB_ROOT_PASSWORD}
+EOF
+
+# Configure roundcube and setup db
+# The db setup will just fail if the db already exists,
+# but no harm done
+CMD="$(which setup-kolab) roundcube \
+ --default"
+${CMD} 2>&1 | tee -a /root/setup-kolab.log
+
+cat > /tmp/kolab-setup-my.cnf << EOF
+[client]
+host=${DB_HOST}
+user=root
+password=${DB_ROOT_PASSWORD}
+EOF
+CMD="$(which setup-kolab) syncroton \
+ --default"
${CMD} 2>&1 | tee -a /root/setup-kolab.log
diff --git a/docker/kolab/utils/03-setup-ldap.sh b/docker/kolab/utils/03-setup-ldap.sh
new file mode 100755
index 00000000..bf6ba104
--- /dev/null
+++ b/docker/kolab/utils/03-setup-ldap.sh
@@ -0,0 +1,259 @@
+#!/bin/bash
+
+. ./settings.sh
+
+cp -av /bin/true /usr/sbin/ds_systemd_ask_password_acl
+
+if [ -f "/etc/dirsrv/slapd-kolab/dse.ldif" ]; then
+ echo "LDAP directory exists, nothing to do"
+
+ mkdir -p /var/log/dirsrv/slapd-kolab/
+ chmod 777 /var/log/dirsrv/slapd-kolab/
+ systemctl start dirsrv@kolab
+ mkdir /run/dirsrv
+ chmod 777 /run/dirsrv
+ mkdir -p /run/lock/dirsrv/slapd-kolab/
+ chmod 777 /run/lock/dirsrv/slapd-kolab/
+ mkdir -p /var/lib/dirsrv/slapd-kolab
+ chown dirsrv:dirsrv /var/lib/dirsrv/slapd-kolab
+
+ systemctl start dirsrv@kolab
+else
+ sed -i -e 's/sys.exit/print("exit") #sys.exit/' /usr/lib/python3.6/site-packages/pykolab/setup/setup_ldap.py
+
+ echo "LDAP directory does not exist, setting it up."
+ CMD="$(which setup-kolab) ldap \
+ --default ${LDAP_HOST} \
+ --fqdn=kolab.${domain} \
+ --directory-manager-pwd=${LDAP_ADMIN_BIND_PW}"
+ ${CMD} 2>&1 | tee -a /root/setup-kolab.log
+
+
+ # Create hosted kolab service
+ (
+ echo "dn: uid=hosted-kolab-service,ou=Special Users,${rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: inetorgperson"
+ echo "objectclass: person"
+ echo "uid: hosted-kolab-service"
+ echo "cn: Hosted Kolab Service Account"
+ echo "sn: Service Account"
+ echo "givenname: Hosted Kolab"
+ echo "userpassword: ${hosted_kolab_service_pw}"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+ # Create ou domain
+ (
+ echo "dn: ou=Domains,${rootdn}"
+ echo "ou: Domains"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+ # Create management domain
+ (
+ echo "dn: associateddomain=${domain},${domain_base_dn}"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "inetDomainStatus: active"
+ echo "objectClass: top"
+ echo "objectClass: domainrelatedobject"
+ echo "objectClass: inetdomain"
+ echo "associatedDomain: ${domain}"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+
+ # Create hosted domains
+ (
+ echo "dn: associateddomain=${hosted_domain},${domain_base_dn}"
+ echo "objectclass: top"
+ echo "objectclass: domainrelatedobject"
+ echo "objectclass: inetdomain"
+ echo "inetdomainstatus: active"
+ echo "associateddomain: ${hosted_domain}"
+ echo "inetdomainbasedn: ${hosted_domain_rootdn}"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+ (
+ echo "dn: cn=$(echo ${hosted_domain} | sed -e 's/\./_/g'),cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: extensibleobject"
+ echo "objectClass: nsbackendinstance"
+ echo "cn: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
+ echo "nsslapd-suffix: ${hosted_domain_rootdn}"
+ echo "nsslapd-cachesize: -1"
+ echo "nsslapd-cachememsize: 10485760"
+ echo "nsslapd-readonly: off"
+ echo "nsslapd-require-index: off"
+ echo "nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')"
+ echo "nsslapd-dncachememsize: 10485760"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+ (
+ #On centos7
+ #echo "dn: cn=$(echo ${hosted_domain_rootdn} | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g'),cn=mapping tree,cn=config"
+ #On centos8
+ echo "dn: cn=\"${hosted_domain_rootdn}\",cn=mapping tree,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: extensibleObject"
+ echo "objectClass: nsMappingTree"
+ echo "nsslapd-state: backend"
+ echo "cn: ${hosted_domain_rootdn}"
+ echo "nsslapd-backend: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+ (
+ echo "dn: ${hosted_domain_rootdn}"
+ echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
+ echo "aci: (targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${hosted_domain_rootdn}\" or roledn=\"ldap:///cn=kolab-admin,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "objectClass: top"
+ echo "objectClass: domain"
+ echo "dc: $(echo ${hosted_domain} | cut -d'.' -f 1)"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+ (
+ for role in "2fa-user" "activesync-user" "imap-user"; do
+ echo "dn: cn=${role},${hosted_domain_rootdn}"
+ echo "cn: ${role}"
+ echo "description: ${role} role"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo ""
+ done
+
+ echo "dn: ou=Groups,${hosted_domain_rootdn}"
+ echo "ou: Groups"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=People,${hosted_domain_rootdn}"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "ou: People"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Special Users,${hosted_domain_rootdn}"
+ echo "ou: Special Users"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Resources,${hosted_domain_rootdn}"
+ echo "ou: Resources"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Shared Folders,${hosted_domain_rootdn}"
+ echo "ou: Shared Folders"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: uid=cyrus-admin,ou=Special Users,${hosted_domain_rootdn}"
+ echo "sn: Administrator"
+ echo "uid: cyrus-admin"
+ echo "objectClass: top"
+ echo "objectClass: person"
+ echo "objectClass: inetorgperson"
+ echo "objectClass: organizationalperson"
+ echo "givenName: Cyrus"
+ echo "cn: Cyrus Administrator"
+ echo ""
+
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+
+ # Remove cn kolab cn config
+ (
+ echo "associateddomain=${domain},cn=kolab,cn=config"
+ echo "cn=kolab,cn=config"
+ ) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+
+ # Remove hosted service access from mgmt domain
+ (
+ echo "dn: associateddomain=${domain},ou=Domains,${rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+ ) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+
+ # Add alias attribute index
+ #
+ export index_attr=alias
+
+ (
+ echo "dn: cn=${index_attr},cn=index,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: nsindex"
+ echo "cn: ${index_attr}"
+ echo "nsSystemIndex: false"
+ echo "nsindextype: pres"
+ echo "nsindextype: eq"
+ echo "nsindextype: sub"
+
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+
+ (
+ echo "dn: cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: extensibleObject"
+ echo "cn: ${hosted_domain_db} ${index_attr} index"
+ echo "nsinstance: ${hosted_domain_db}"
+ echo "nsIndexAttribute: ${index_attr}:pres"
+ echo "nsIndexAttribute: ${index_attr}:eq"
+ echo "nsIndexAttribute: ${index_attr}:sub"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+ ldap_complete=0
+
+ while [ ${ldap_complete} -ne 1 ]; do
+ result=$(
+ ldapsearch \
+ -x \
+ -h "${ldap_host}" \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -c \
+ -LLL \
+ -b "cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" \
+ '(!(nstaskexitcode=0))' \
+ -s base 2>/dev/null
+ )
+ if [ -z "$result" ]; then
+ ldap_complete=1
+ echo ""
+ else
+ echo -n "."
+ sleep 1
+ fi
+ done
+
+ ./50-add-vlv-searches.sh
+ ./51-add-vlv-indexes.sh
+ ./52-run-vlv-index-tasks.sh
+fi
+
diff --git a/docker/kolab/utils/04-reset-mysql-kolab-password.sh b/docker/kolab/utils/04-reset-mysql-kolab-password.sh
index a3646407..7fd942f0 100755
--- a/docker/kolab/utils/04-reset-mysql-kolab-password.sh
+++ b/docker/kolab/utils/04-reset-mysql-kolab-password.sh
@@ -1,20 +1,22 @@
#!/bin/bash
mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
-e "SET PASSWORD FOR '${DB_HKCCP_USERNAME}'@'%' = PASSWORD('${DB_HKCCP_PASSWORD}');"
mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
-e "SET PASSWORD FOR '${DB_KOLAB_USERNAME}'@'localhost' = PASSWORD('${DB_KOLAB_PASSWORD}');"
mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
-e "CREATE USER '${DB_KOLAB_USERNAME}'@'%' IDENTIFIED BY '${DB_KOLAB_PASSWORD}'; FLUSH PRIVILEGES;"
mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
-e "SET PASSWORD FOR '${DB_RC_USERNAME}'@'localhost' = PASSWORD('${DB_RC_PASSWORD}');"
mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
-e "CREATE USER '${DB_RC_USERNAME}'@'%' IDENTIFIED BY '${DB_RC_PASSWORD}'; FLUSH PRIVILEGES;"
mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
-e "SET PASSWORD FOR '${DB_RC_USERNAME}'@'%' = PASSWORD('${DB_RC_PASSWORD}');"
+mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
+ -e "GRANT ALL PRIVILEGES ON roundcube.* TO '${DB_RC_USERNAME}'@'%' IDENTIFIED BY '${DB_RC_PASSWORD}';"
diff --git a/docker/kolab/utils/05-adjust-configs.sh b/docker/kolab/utils/05-adjust-configs.sh
new file mode 100755
index 00000000..088d62eb
--- /dev/null
+++ b/docker/kolab/utils/05-adjust-configs.sh
@@ -0,0 +1,166 @@
+#!/bin/bash
+
+# Replace localhost
+sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/iRony/dav.inc.php
+sed -i -e "/host/s/localhost/${LDAP_HOST}/g" \
+ -e "/fbsource/s/localhost/${IMAP_HOST}/g" /etc/kolab-freebusy/config.ini
+#sed -i -e "s/server_host.*/server_host = ${LDAP_HOST}/g" /etc/postfix/ldap/*
+sed -i -e "/password_ldap_host/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/password.inc.php
+sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/kolab_auth.inc.php
+sed -i -e "s#.*db_dsnw.*# \$config['db_dsnw'] = 'mysql://${DB_RC_USERNAME}:${DB_RC_PASSWORD}@${DB_HOST}/roundcube';#" \
+ -e "/default_host/s|= .*$|= 'ssl://${IMAP_HOST}';|" \
+ -e "/default_port/s|= .*$|= ${IMAP_PORT};|" \
+ -e "/smtp_server/s|= .*$|= 'tls://${MAIL_HOST}';|" \
+ -e "/smtp_port/s/= .*$/= ${MAIL_PORT};/" \
+ -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/config.inc.php
+sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/calendar.inc.php
+
+
+. ./settings.sh
+
+#Adjust basedn
+sed -i -r \
+ -e "s/(\s+)base => '.*',$/\1base => '${hosted_domain_rootdn}',/g" \
+ -e "/\\\$mydomain = / a\
+\$myhostname = '${HOSTNAME:-kolab}.${DOMAIN:-mgmt.com}';" \
+ -e "s/^base_dn = .*$/base_dn = ${hosted_domain_rootdn}/g" \
+ -e "s/^search_base = .*$/search_base = ${hosted_domain_rootdn}/g" \
+ -e "s/(\s+)'base_dn'(\s+)=> '.*',/\1'base_dn'\2=> '${hosted_domain_rootdn}',/g" \
+ -e "s/(\s+)'search_base_dn'(\s+)=> '.*',/\1'search_base_dn'\2=> '${hosted_domain_rootdn}',/g" \
+ -e "s/(\s+)'user_specific'(\s+)=> false,/\1'user_specific'\2=> true,/g" \
+ /etc/amavisd/amavisd.conf \
+ /etc/kolab-freebusy/config.ini \
+ /etc/postfix/ldap/*.cf \
+ /etc/roundcubemail/config.inc.php \
+ /etc/roundcubemail/calendar.inc.php \
+ /etc/roundcubemail/kolab_auth.inc.php
+
+sed -i -r \
+ -e "s/^search_base = .*$/search_base = ${domain_base_dn}/g" \
+ /etc/postfix/ldap/mydestination.cf
+
+
+#Disable amavisd
+postconf -e content_filter='smtp-wallace:[127.0.0.1]:10026'
+
+systemctl stop amavisd
+systemctl disable amavisd
+
+systemctl stop clamd@amavisd
+systemctl disable clamd@amavisd
+
+
+# Change port numbers
+cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+
+cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
+chown postfix:mail /etc/pki/tls/private/postfix.pem
+chmod 655 /etc/pki/tls/private/postfix.pem
+
+sed -i "s/smtpd_tls_key_file =.*/smtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
+sed -i "s/smtpd_tls_cert_file =.*/smtpd_tls_cert_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf
+
+# Remove the submission block, by matching from submission until the next empty line
+sed -i -e '/submission inet/,/^$/d' /etc/postfix/master.cf
+
+# Insert a new submission block with a modified port
+cat >> /etc/postfix/master.cf << EOF
+127.0.0.1:10587 inet n - n - - smtpd
+ -o cleanup_service_name=cleanup_submission
+ -o syslog_name=postfix/submission
+ #-o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_authenticated_header=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_data_restrictions=\$submission_data_restrictions
+ -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
+ -o smtpd_sender_restrictions=\$submission_sender_restrictions
+
+127.0.0.1:10465 inet n - n - - smtpd
+ -o cleanup_service_name=cleanup_submission
+ -o rewrite_service_name=rewrite_submission
+ -o syslog_name=postfix/smtps
+ -o mydestination=
+ -o local_recipient_maps=
+ -o relay_domains=
+ -o relay_recipient_maps=
+ #-o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_sasl_authenticated_header=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sender_restrictions=\$submission_sender_restrictions
+ -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
+ -o smtpd_data_restrictions=\$submission_data_restrictions
+EOF
+
+
+sed -i -r \
+ -e "s/'vlv'(\s+)=> false,/'vlv'\1=> true,/g" \
+ -e "s/'vlv_search'(\s+)=> false,/'vlv_search'\1=> true,/g" \
+ -e "s/inetOrgPerson/inetorgperson/g" \
+ -e "s/kolabInetOrgPerson/inetorgperson/g" \
+ /etc/roundcubemail/*.inc.php
+
+
+# Adjust postfix
+
+# new: (inetdomainstatus:1.2.840.113556.1.4.803:=1)
+# active: (inetdomainstatus:1.2.840.113556.1.4.803:=2)
+# suspended: (inetdomainstatus:1.2.840.113556.1.4.803:=4)
+# deleted: (inetdomainstatus:1.2.840.113556.1.4.803:=8)
+# confirmed: (inetdomainstatus:1.2.840.113556.1.4.803:=16)
+# verified: (inetdomainstatus:1.2.840.113556.1.4.803:=32)
+# ready: (inetdomainstatus:1.2.840.113556.1.4.803:=64)
+
+sed -i -r \
+ -e 's/^query_filter.*$/query_filter = (\&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4)))/g' \
+ /etc/postfix/ldap/mydestination.cf
+
+# new: (inetuserstatus:1.2.840.113556.1.4.803:=1)
+# active: (inetuserstatus:1.2.840.113556.1.4.803:=2)
+# suspended: (inetuserstatus:1.2.840.113556.1.4.803:=4)
+# deleted: (inetuserstatus:1.2.840.113556.1.4.803:=8)
+# ldapready: (inetuserstatus:1.2.840.113556.1.4.803:=16)
+# imapready: (inetuserstatus:1.2.840.113556.1.4.803:=32)
+
+sed -i -r \
+ -e 's/^query_filter.*$/query_filter = (\&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4)))/g' \
+ /etc/postfix/ldap/local_recipient_maps.cf
+
+systemctl restart postfix
+
+
+
+sed -i -r -e "s|$config\['kolab_files_url'\] = .*$|$config['kolab_files_url'] = 'https://' \. \$_SERVER['HTTP_HOST'] . '/chwala/';|g" /etc/roundcubemail/kolab_files.inc.php
+
+sed -i -r -e "s|$config\['kolab_invitation_calendars'\] = .*$|$config['kolab_invitation_calendars'] = true;|g" /etc/roundcubemail/calendar.inc.php
+
+sed -i -r -e "/^.*'contextmenu',$/a 'enigma'," /etc/roundcubemail/config.inc.php
+
+sed -i -r -e "s|$config\['enigma_passwordless'\] = .*$|$config['enigma_passwordless'] = true;|g" /etc/roundcubemail/enigma.inc.php
+sed -i -r -e "s|$config\['enigma_multihost'\] = .*$|$config['enigma_multihost'] = true;|g" /etc/roundcubemail/enigma.inc.php
+
+echo "\$config['enigma_woat'] = true;" >> /etc/roundcubemail/enigma.inc.php
+
+# Run it over haproxy then nginx for 2fa. We need to use startls because otherwise the proxy protocol doesn't work.
+sed -i -r -e "s|$config\['default_host'\] = .*$|$config['default_host'] = 'tls://haproxy';|g" /etc/roundcubemail/config.inc.php
+sed -i -r -e "s|$config\['default_port'\] = .*$|$config['default_port'] = 145;|g" /etc/roundcubemail/config.inc.php
+
+# So we can just append
+sed -i "s/?>//g" /etc/roundcubemail/config.inc.php
+
+# Enable the PROXY protocol
+cat << EOF >> /etc/roundcubemail/config.inc.php
+ \$config['imap_conn_options'] = Array(
+ 'ssl' => Array(
+ 'verify_peer_name' => false,
+ 'verify_peer' => false,
+ 'allow_self_signed' => true
+ ),
+ 'proxy_protocol' => 2
+ );
+ \$config['proxy_whitelist'] = array('127.0.0.1', '172.18.0.7');
+EOF
+
+echo "?>" >> /etc/roundcubemail/config.inc.php
diff --git a/docker/kolab/utils/05-replace-localhost.sh b/docker/kolab/utils/05-replace-localhost.sh
deleted file mode 100755
index 5ffb7da8..00000000
--- a/docker/kolab/utils/05-replace-localhost.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-if [[ ${DB_HOST} == "localhost" || ${DB_HOST} == "127.0.0.1" ]]; then
- mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD} \
- -e "UPDATE mysql.db SET Host = '127.0.0.1' WHERE Host = 'localhost';"
-
- mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD} \
- -e "FLUSH PRIVILEGES;"
-fi
-
-sed -i -e "s#^ldap_servers:.*#ldap_servers: ldap://${LDAP_HOST:-127.0.0.1}:389#" /etc/imapd.conf
-sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/iRony/dav.inc.php
-sed -i -e "s#^ldap_uri.*#ldap_uri = ldap://${LDAP_HOST:-127.0.0.1}:389#" \
- -e "s#^cache_uri.*mysql://\(.*\):\(.*\)@\(.*\)\/\(.*\)#cache_uri = mysql://${DB_KOLAB_USERNAME}:${DB_KOLAB_PASSWORD}@${DB_HOST}/${DB_KOLAB_DATABASE}#" \
- -e "s#^sql_uri.*mysql://\(.*\):\(.*\)@\(.*\)\/\(.*\)#sql_uri = mysql://${DB_KOLAB_USERNAME}:${DB_KOLAB_PASSWORD}@${DB_HOST}/${DB_KOLAB_DATABASE}#" \
- -e "s#^uri.*#uri = imaps://${IMAP_HOST:-127.0.0.1}:11993#" /etc/kolab/kolab.conf
-sed -i -e "/host/s/localhost/${LDAP_HOST:-127.0.0.1}/g" \
- -e "/fbsource/s/localhost/${IMAP_HOST:-127.0.0.1}/g" /etc/kolab-freebusy/config.ini
-#sed -i -e "s/server_host.*/server_host = ${LDAP_HOST:-127.0.0.1}/g" /etc/postfix/ldap/*
-sed -i -e "/password_ldap_host/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/password.inc.php
-sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/kolab_auth.inc.php
-sed -i -e "s#.*db_dsnw.*# \$config['db_dsnw'] = 'mysql://${DB_RC_USERNAME}:${DB_RC_PASSWORD}@${DB_HOST}/roundcube';#" \
- -e "/default_host/s|= .*$|= 'ssl://${IMAP_HOST:-127.0.0.1}';|" \
- -e "/default_port/s|= .*$|= ${IMAP_PORT:-11993};|" \
- -e "/smtp_server/s|= .*$|= 'tls://${MAIL_HOST:-127.0.0.1}';|" \
- -e "/smtp_port/s/= .*$/= ${MAIL_PORT:-10587};/" \
- -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/config.inc.php
-sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/calendar.inc.php
-
-systemctl restart cyrus-imapd postfix
diff --git a/docker/kolab/utils/06-mysql-for-kolabdev.sh b/docker/kolab/utils/06-mysql-for-kolabdev.sh
deleted file mode 100755
index 7100d89a..00000000
--- a/docker/kolab/utils/06-mysql-for-kolabdev.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
- -e "CREATE DATABASE IF NOT EXISTS ${DB_HKCCP_DATABASE};"
-
-mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
- -e "GRANT ALL PRIVILEGES ON ${DB_HKCCP_DATABASE}.* TO '${DB_HKCCP_USERNAME}'@'%' IDENTIFIED BY '${DB_HKCCP_PASSWORD}';"
-
-mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \
- -e "FLUSH PRIVILEGES;"
-
diff --git a/docker/kolab/utils/07-adjust-base-dns.sh b/docker/kolab/utils/07-adjust-base-dns.sh
deleted file mode 100755
index a633c22b..00000000
--- a/docker/kolab/utils/07-adjust-base-dns.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-echo "ldap_domain_base_dn: ${domain_base_dn}" >> /etc/imapd.conf
-
-sed -i -r \
- -e "s/^ldap_base: .*$/ldap_base: ${hosted_domain_rootdn}/g" \
- /etc/imapd.conf
-
-sed -i -r \
- -e "s/(\s+)base => '.*',$/\1base => '${hosted_domain_rootdn}',/g" \
- -e "/\\\$mydomain = / a\
-\$myhostname = '${HOSTNAME:-kolab}.${DOMAIN:-mgmt.com}';" \
- -e "s/^base_dn = .*$/base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^search_base = .*$/search_base = ${hosted_domain_rootdn}/g" \
- -e "s/(\s+)'base_dn'(\s+)=> '.*',/\1'base_dn'\2=> '${hosted_domain_rootdn}',/g" \
- -e "s/(\s+)'search_base_dn'(\s+)=> '.*',/\1'search_base_dn'\2=> '${hosted_domain_rootdn}',/g" \
- -e "s/(\s+)'user_specific'(\s+)=> false,/\1'user_specific'\2=> true,/g" \
- /etc/amavisd/amavisd.conf \
- /etc/kolab-freebusy/config.ini \
- /etc/postfix/ldap/*.cf \
- /etc/roundcubemail/config.inc.php \
- /etc/roundcubemail/calendar.inc.php \
- /etc/roundcubemail/kolab_auth.inc.php
-
-sed -i -r \
- -e "s/^search_base = .*$/search_base = ${domain_base_dn}/g" \
- /etc/postfix/ldap/mydestination.cf
-
-systemctl restart cyrus-imapd postfix
diff --git a/docker/kolab/utils/08-disable-amavisd.sh b/docker/kolab/utils/08-disable-amavisd.sh
deleted file mode 100755
index 4c93b16f..00000000
--- a/docker/kolab/utils/08-disable-amavisd.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-postconf -e content_filter='smtp-wallace:[127.0.0.1]:10026'
-
-systemctl restart postfix
-
-systemctl stop amavisd
-systemctl disable amavisd
-
-systemctl stop clamd@amavisd
-systemctl disable clamd@amavisd
diff --git a/docker/kolab/utils/12-create-hosted-kolab-service.sh b/docker/kolab/utils/12-create-hosted-kolab-service.sh
deleted file mode 100755
index 9e42381a..00000000
--- a/docker/kolab/utils/12-create-hosted-kolab-service.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "dn: uid=hosted-kolab-service,ou=Special Users,${rootdn}"
- echo "objectclass: top"
- echo "objectclass: inetorgperson"
- echo "objectclass: person"
- echo "uid: hosted-kolab-service"
- echo "cn: Hosted Kolab Service Account"
- echo "sn: Service Account"
- echo "givenname: Hosted Kolab"
- echo "userpassword: ${hosted_kolab_service_pw}"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
diff --git a/docker/kolab/utils/13-create-ou-domains.sh b/docker/kolab/utils/13-create-ou-domains.sh
deleted file mode 100755
index 7ec8d6da..00000000
--- a/docker/kolab/utils/13-create-ou-domains.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-
-(
- echo "dn: ou=Domains,${rootdn}"
- echo "ou: Domains"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/14-create-management-domain.sh b/docker/kolab/utils/14-create-management-domain.sh
deleted file mode 100755
index 973a47af..00000000
--- a/docker/kolab/utils/14-create-management-domain.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "dn: associateddomain=${domain},${domain_base_dn}"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo "inetDomainStatus: active"
- echo "objectClass: top"
- echo "objectClass: domainrelatedobject"
- echo "objectClass: inetdomain"
- echo "associatedDomain: ${domain}"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/15-create-hosted-domain.sh b/docker/kolab/utils/15-create-hosted-domain.sh
deleted file mode 100755
index fe7a142e..00000000
--- a/docker/kolab/utils/15-create-hosted-domain.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
- (
- echo "dn: associateddomain=${hosted_domain},${domain_base_dn}"
- echo "objectclass: top"
- echo "objectclass: domainrelatedobject"
- echo "objectclass: inetdomain"
- echo "inetdomainstatus: active"
- echo "associateddomain: ${hosted_domain}"
- echo "inetdomainbasedn: ${hosted_domain_rootdn}"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- (
- echo "dn: cn=$(echo ${hosted_domain} | sed -e 's/\./_/g'),cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: extensibleobject"
- echo "objectClass: nsbackendinstance"
- echo "cn: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo "nsslapd-suffix: ${hosted_domain_rootdn}"
- echo "nsslapd-cachesize: -1"
- echo "nsslapd-cachememsize: 10485760"
- echo "nsslapd-readonly: off"
- echo "nsslapd-require-index: off"
- echo "nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo "nsslapd-dncachememsize: 10485760"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-(
- #On centos7
- #echo "dn: cn=$(echo ${hosted_domain_rootdn} | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g'),cn=mapping tree,cn=config"
- #On centos8
- echo "dn: cn=\"${hosted_domain_rootdn}\",cn=mapping tree,cn=config"
- echo "objectClass: top"
- echo "objectClass: extensibleObject"
- echo "objectClass: nsMappingTree"
- echo "nsslapd-state: backend"
- echo "cn: ${hosted_domain_rootdn}"
- echo "nsslapd-backend: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-(
- echo "dn: ${hosted_domain_rootdn}"
- echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
- echo "aci: (targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${hosted_domain_rootdn}\" or roledn=\"ldap:///cn=kolab-admin,${hosted_domain_rootdn}\");)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
- echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
- echo "objectClass: top"
- echo "objectClass: domain"
- echo "dc: $(echo ${hosted_domain} | cut -d'.' -f 1)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-(
- for role in "2fa-user" "activesync-user" "imap-user"; do
- echo "dn: cn=${role},${hosted_domain_rootdn}"
- echo "cn: ${role}"
- echo "description: ${role} role"
- echo "objectclass: top"
- echo "objectclass: ldapsubentry"
- echo "objectclass: nsmanagedroledefinition"
- echo "objectclass: nsroledefinition"
- echo "objectclass: nssimpleroledefinition"
- echo ""
- done
-
- echo "dn: ou=Groups,${hosted_domain_rootdn}"
- echo "ou: Groups"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=People,${hosted_domain_rootdn}"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo "ou: People"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Special Users,${hosted_domain_rootdn}"
- echo "ou: Special Users"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Resources,${hosted_domain_rootdn}"
- echo "ou: Resources"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Shared Folders,${hosted_domain_rootdn}"
- echo "ou: Shared Folders"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: uid=cyrus-admin,ou=Special Users,${hosted_domain_rootdn}"
- echo "sn: Administrator"
- echo "uid: cyrus-admin"
- echo "objectClass: top"
- echo "objectClass: person"
- echo "objectClass: inetorgperson"
- echo "objectClass: organizationalperson"
- echo "givenName: Cyrus"
- echo "cn: Cyrus Administrator"
- echo ""
-
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/16-remove-cn-kolab-cn-config.sh b/docker/kolab/utils/16-remove-cn-kolab-cn-config.sh
deleted file mode 100755
index 643cc5b7..00000000
--- a/docker/kolab/utils/16-remove-cn-kolab-cn-config.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "associateddomain=${domain},cn=kolab,cn=config"
- echo "cn=kolab,cn=config"
-) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
diff --git a/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh b/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh
deleted file mode 100755
index 3f930c81..00000000
--- a/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "dn: associateddomain=${domain},ou=Domains,${rootdn}"
- echo "changetype: modify"
- echo "replace: aci"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo ""
-) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/18-adjust-kolab-conf.sh b/docker/kolab/utils/18-adjust-kolab-conf.sh
deleted file mode 100755
index e9ad544b..00000000
--- a/docker/kolab/utils/18-adjust-kolab-conf.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-sed -r -i \
- -e "s/^base_dn.*$/base_dn = ${rootdn}/g" \
- -e "s/^domain_base_dn.*$/domain_base_dn = ${domain_base_dn}/g" \
- -e "s/^user_base_dn.*$/user_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^kolab_user_base_dn.*$/kolab_user_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^group_base_dn.*$/group_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^sharedfolder_base_dn.*$/sharedfolder_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^resource_base_dn.*$/resource_base_dn = ${hosted_domain_rootdn}/g" \
- -e '/^primary_mail/ a\
-daemon_rcpt_policy = False' \
- -e '/^primary_mail/d' \
- -e '/secondary_mail/,+10d' \
- -e '/autocreate_folders/,+77d' \
- -e "/^\[kolab_wap\]/ a\
-mgmt_root_dn = ${rootdn}" \
- -e "/^\[kolab_wap\]/ a\
-hosted_root_dn = ${hosted_domain_rootdn}" \
- -e "/^\[kolab_wap\]/ a\
-api_url = http://127.0.0.1:9080/kolab-webadmin/api" \
- -e 's/^auth_attributes.*$/auth_attributes = mail, uid/g' \
- -e 's|^uri = imaps.*$|uri = imaps://127.0.0.1:11993|g' \
- -e "/^\[wallace\]/ a\
-webmail_url = https://%(domain)s/roundcubemail" \
- /etc/kolab/kolab.conf
-
-systemctl restart kolabd
-systemctl restart kolab-saslauthd
diff --git a/docker/kolab/utils/19-turn-on-vlv-in-roundcube.sh b/docker/kolab/utils/19-turn-on-vlv-in-roundcube.sh
deleted file mode 100755
index 75a1ece1..00000000
--- a/docker/kolab/utils/19-turn-on-vlv-in-roundcube.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-sed -i -r \
- -e "s/'vlv'(\s+)=> false,/'vlv'\1=> true,/g" \
- -e "s/'vlv_search'(\s+)=> false,/'vlv_search'\1=> true,/g" \
- -e "s/inetOrgPerson/inetorgperson/g" \
- -e "s/kolabInetOrgPerson/inetorgperson/g" \
- /etc/roundcubemail/*.inc.php
diff --git a/docker/kolab/utils/20-add-alias-attribute-index.sh b/docker/kolab/utils/20-add-alias-attribute-index.sh
deleted file mode 100755
index a43c582c..00000000
--- a/docker/kolab/utils/20-add-alias-attribute-index.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-export index_attr=alias
-
-(
- echo "dn: cn=${index_attr},cn=index,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectclass: top"
- echo "objectclass: nsindex"
- echo "cn: ${index_attr}"
- echo "nsSystemIndex: false"
- echo "nsindextype: pres"
- echo "nsindextype: eq"
- echo "nsindextype: sub"
-
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-
-(
- echo "dn: cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config"
- echo "objectclass: top"
- echo "objectclass: extensibleObject"
- echo "cn: ${hosted_domain_db} ${index_attr} index"
- echo "nsinstance: ${hosted_domain_db}"
- echo "nsIndexAttribute: ${index_attr}:pres"
- echo "nsIndexAttribute: ${index_attr}:eq"
- echo "nsIndexAttribute: ${index_attr}:sub"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-ldap_complete=0
-
-while [ ${ldap_complete} -ne 1 ]; do
- result=$(
- ldapsearch \
- -x \
- -h ${ldap_host} \
- -D "${ldap_binddn}" \
- -w "${ldap_bindpw}" \
- -c \
- -LLL \
- -b "cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" \
- '(!(nstaskexitcode=0))' \
- -s base 2>/dev/null
- )
- if [ -z "$result" ]; then
- ldap_complete=1
- echo ""
- else
- echo -n "."
- sleep 1
- fi
-done
-
diff --git a/docker/kolab/utils/21-adjust-postfix-config.sh b/docker/kolab/utils/21-adjust-postfix-config.sh
deleted file mode 100755
index e3b4f8a8..00000000
--- a/docker/kolab/utils/21-adjust-postfix-config.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-# new: (inetdomainstatus:1.2.840.113556.1.4.803:=1)
-# active: (inetdomainstatus:1.2.840.113556.1.4.803:=2)
-# suspended: (inetdomainstatus:1.2.840.113556.1.4.803:=4)
-# deleted: (inetdomainstatus:1.2.840.113556.1.4.803:=8)
-# confirmed: (inetdomainstatus:1.2.840.113556.1.4.803:=16)
-# verified: (inetdomainstatus:1.2.840.113556.1.4.803:=32)
-# ready: (inetdomainstatus:1.2.840.113556.1.4.803:=64)
-
-sed -i -r \
- -e 's/^query_filter.*$/query_filter = (\&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4)))/g' \
- /etc/postfix/ldap/mydestination.cf
-
-# new: (inetuserstatus:1.2.840.113556.1.4.803:=1)
-# active: (inetuserstatus:1.2.840.113556.1.4.803:=2)
-# suspended: (inetuserstatus:1.2.840.113556.1.4.803:=4)
-# deleted: (inetuserstatus:1.2.840.113556.1.4.803:=8)
-# ldapready: (inetuserstatus:1.2.840.113556.1.4.803:=16)
-# imapready: (inetuserstatus:1.2.840.113556.1.4.803:=32)
-
-sed -i -r \
- -e 's/^query_filter.*$/query_filter = (\&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4)))/g' \
- /etc/postfix/ldap/local_recipient_maps.cf
-
-systemctl restart postfix
diff --git a/docker/kolab/utils/22-create-resource.sh b/docker/kolab/utils/22-create-resource.sh
deleted file mode 100755
index 77ca37ef..00000000
--- a/docker/kolab/utils/22-create-resource.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-
-(
- echo "dn: cn=TestResource,ou=Resources,ou=kolab.org,${hosted_domain_rootdn}"
- echo "cn: TestResource"
- echo "owner: uid=jack@kolab.org,ou=People,ou=kolab.org,${hosted_domain_rootdn}"
- echo "kolabTargetFolder: shared/Resources/TestResource@kolab.org"
- echo "mail: resource-confroom-testresource@kolab.org"
- echo "objectClass: top"
- echo "objectClass: kolabsharedfolder"
- echo "objectClass: kolabresource"
- echo "objectClass: mailrecipient"
- echo "kolabFolderType: event"
- echo "kolabInvitationPolicy: ACT_STORE_AND_NOTIFY"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/24-roundcubeconfig.sh b/docker/kolab/utils/24-roundcubeconfig.sh
deleted file mode 100755
index 7ce34ca1..00000000
--- a/docker/kolab/utils/24-roundcubeconfig.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-
-sed -i -r -e "s|$config\['kolab_files_url'\] = .*$|$config['kolab_files_url'] = 'https://' \. \$_SERVER['HTTP_HOST'] . '/chwala/';|g" /etc/roundcubemail/kolab_files.inc.php
-
-sed -i -r -e "s|$config\['kolab_invitation_calendars'\] = .*$|$config['kolab_invitation_calendars'] = true;|g" /etc/roundcubemail/calendar.inc.php
-
-sed -i -r -e "/^.*'contextmenu',$/a 'enigma'," /etc/roundcubemail/config.inc.php
-
-sed -i -r -e "s|$config\['enigma_passwordless'\] = .*$|$config['enigma_passwordless'] = true;|g" /etc/roundcubemail/enigma.inc.php
-sed -i -r -e "s|$config\['enigma_multihost'\] = .*$|$config['enigma_multihost'] = true;|g" /etc/roundcubemail/enigma.inc.php
-
-echo "\$config['enigma_woat'] = true;" >> /etc/roundcubemail/enigma.inc.php
-
-# Run it over haproxy then nginx for 2fa. We need to use startls because otherwise the proxy protocol doesn't work.
-sed -i -r -e "s|$config\['default_host'\] = .*$|$config['default_host'] = 'tls://127.0.0.1';|g" /etc/roundcubemail/config.inc.php
-sed -i -r -e "s|$config\['default_port'\] = .*$|$config['default_port'] = 145;|g" /etc/roundcubemail/config.inc.php
-
-# So we can just append
-sed -i "s/?>//g" /etc/roundcubemail/config.inc.php
-
-# Enable the PROXY protocol
-cat << EOF >> /etc/roundcubemail/config.inc.php
- \$config['imap_conn_options'] = Array(
- 'ssl' => Array(
- 'verify_peer_name' => false,
- 'verify_peer' => false,
- 'allow_self_signed' => true
- ),
- 'proxy_protocol' => 2
- );
- \$config['proxy_whitelist'] = array('127.0.0.1');
-EOF
-
-echo "?>" >> /etc/roundcubemail/config.inc.php
-
-
-# Send dns queries over powerdns
-rm -f /etc/resolv.conf
-echo "nameserver 127.0.0.1:9953" > /etc/resolv.conf
diff --git a/docker/kolab/utils/settings.sh b/docker/kolab/utils/settings.sh
index 47a14b10..fbf6f045 100755
--- a/docker/kolab/utils/settings.sh
+++ b/docker/kolab/utils/settings.sh
@@ -1,24 +1,24 @@
#!/bin/bash
export rootdn=${LDAP_ADMIN_ROOT_DN:-"dc=mgmt,dc=com"}
export domain=${DOMAIN:-"mgmt.com"}
export domain_db=${DOMAIN_DB:-"mgmt_com"}
-export ldap_host=${LDAP_HOST:-"127.0.0.1"}
+export ldap_host=${LDAP_HOST}
export ldap_binddn=${LDAP_ADMIN_BIND_DN:-"cn=Directory Manager"}
export ldap_bindpw=${LDAP_ADMIN_BIND_PW:-"Welcome2KolabSystems"}
export cyrus_admin=${IMAP_ADMIN_LOGIN:-"cyrus-admin"}
-export imap_host=${IMAP_HOST:-"127.0.0.1"}
+export imap_host=${IMAP_HOST}
export cyrus_admin_pw=${IMAP_ADMIN_PASSWORD:-"Welcome2KolabSystems"}
export kolab_service_pw=${LDAP_SERVICE_BIND_PW:-"Welcome2KolabSystems"}
export hosted_kolab_service_pw=${LDAP_HOSTED_BIND_PW:-"Welcome2KolabSystems"}
export hosted_domain=${HOSTED_DOMAIN:-"hosted.com"}
export hosted_domain_db=${HOSTED_DOMAIN_DB:-"hosted_com"}
export hosted_domain_rootdn=${LDAP_HOSTED_ROOT_DN:-"dc=hosted,dc=com"}
export domain_base_dn=${LDAP_DOMAIN_BASE_DN:-"ou=Domains,dc=mgmt,dc=com"}
export default_user_password=${DEFAULT_USER_PASSWORD:-"Welcome2KolabSystems"}
diff --git a/docker/mariadb/mysql-init/80-add-users.sh b/docker/mariadb/mysql-init/80-add-users.sh
deleted file mode 100644
index 4b81c9b4..00000000
--- a/docker/mariadb/mysql-init/80-add-users.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-create_arbitrary_users() {
-
- # Do not care what option is compulsory here, just create what is specified
- log_info "Creating user specified by (${2}) ..."
-mysql $mysql_flags <<EOSQL
- CREATE USER '${2}'@'${4}' IDENTIFIED BY '${3}';
-EOSQL
-
- log_info "Granting privileges to user ${2} for ${1} ..."
-mysql $mysql_flags <<EOSQL
- GRANT ALL ON \`${1}\`.* TO '${2}'@'${4}' ;
- FLUSH PRIVILEGES ;
-EOSQL
-}
-
-DB_NO=1
-while [[ ${DB_NO} -ne 0 ]]; do
- DB_CUR="DB_${DB_NO}"
- if [[ -n $(eval echo '${!'${DB_CUR}'*}') ]]; then
- NAME="${DB_CUR}_NAME"
- USER="${DB_CUR}_USER"
- PASS="${DB_CUR}_PASS"
- HOST="${DB_CUR}_HOST"
- create_arbitrary_users ${!NAME} ${!USER} ${!PASS:-Welcome2KolabSystems} ${!HOST:-127.0.0.1} || true
- let "DB_NO+=1"
- else
- DB_NO=0
- fi
-done
diff --git a/docker/mariadb/mysql-init/81-update-root-user.sh b/docker/mariadb/mysql-init/81-update-root-user.sh
deleted file mode 100644
index 1a0df852..00000000
--- a/docker/mariadb/mysql-init/81-update-root-user.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-if [ ! -v ${MYSQL_ROOT_PASSWORD} ]; then
- log_info "Update root user for host 127.0.0.1 ..."
-mysql $mysql_flags <<EOSQL
- UPDATE mysql.user SET Password = PASSWORD('${MYSQL_ROOT_PASSWORD}') WHERE User = 'root' AND Host = '127.0.0.1';
- FLUSH PRIVILEGES;
-EOSQL
-fi
-
diff --git a/docker/mariadb/mysql-init/setup.sh b/docker/mariadb/mysql-init/setup.sh
new file mode 100755
index 00000000..5a89cc8c
--- /dev/null
+++ b/docker/mariadb/mysql-init/setup.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+MYSQL_PWD=$MARIADB_ROOT_PASSWORD mysql --protocol=socket -uroot -hlocalhost --socket="/run/mysqld/mysqld.sock" << EOF
+CREATE DATABASE IF NOT EXISTS ${DB_HKCCP_DATABASE};
+CREATE USER '${DB_HKCCP_USERNAME}'@'%' IDENTIFIED BY '${DB_HKCCP_PASSWORD}';
+GRANT ALL PRIVILEGES ON ${DB_HKCCP_DATABASE}.* TO '${DB_HKCCP_USERNAME}'@'%' IDENTIFIED BY '${DB_HKCCP_PASSWORD}';
+FLUSH PRIVILEGES;
+EOF
+
+# Powerdns setup according to https://github.com/PowerDNS/pdns/blob/master/modules/gmysqlbackend/schema.mysql.sql
+# Required for the first boot, afterwards the laravel migration will take over.
+# This is only required so pdns can start cleanly, indexes etc are handled by the laravel migration.
+MYSQL_PWD=$MARIADB_ROOT_PASSWORD mysql --protocol=socket -uroot -hlocalhost --socket="/run/mysqld/mysqld.sock" ${DB_HKCCP_DATABASE} << EOF
+CREATE TABLE powerdns_domains (
+ id INT AUTO_INCREMENT,
+ name VARCHAR(255) NOT NULL,
+ master VARCHAR(128) DEFAULT NULL,
+ last_check INT DEFAULT NULL,
+ type VARCHAR(8) NOT NULL,
+ notified_serial INT UNSIGNED DEFAULT NULL,
+ account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
+ options VARCHAR(64000) DEFAULT NULL,
+ catalog VARCHAR(255) DEFAULT NULL,
+ PRIMARY KEY (id)
+) Engine=InnoDB CHARACTER SET 'latin1';
+
+CREATE TABLE powerdns_records (
+ id BIGINT AUTO_INCREMENT,
+ domain_id INT DEFAULT NULL,
+ name VARCHAR(255) DEFAULT NULL,
+ type VARCHAR(10) DEFAULT NULL,
+ content VARCHAR(64000) DEFAULT NULL,
+ ttl INT DEFAULT NULL,
+ prio INT DEFAULT NULL,
+ disabled TINYINT(1) DEFAULT 0,
+ ordername VARCHAR(255) BINARY DEFAULT NULL,
+ auth TINYINT(1) DEFAULT 1,
+ PRIMARY KEY (id)
+) Engine=InnoDB CHARACTER SET 'latin1';
+
+CREATE TABLE powerdns_masters (
+ ip VARCHAR(64) NOT NULL,
+ nameserver VARCHAR(255) NOT NULL,
+ account VARCHAR(40) CHARACTER SET 'utf8' NOT NULL,
+ PRIMARY KEY (ip, nameserver)
+) Engine=InnoDB CHARACTER SET 'latin1';
+
+CREATE TABLE powerdns_comments (
+ id INT AUTO_INCREMENT,
+ domain_id INT NOT NULL,
+ name VARCHAR(255) NOT NULL,
+ type VARCHAR(10) NOT NULL,
+ modified_at INT NOT NULL,
+ account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
+ comment TEXT CHARACTER SET 'utf8' NOT NULL,
+ PRIMARY KEY (id)
+) Engine=InnoDB CHARACTER SET 'latin1';
+
+
+CREATE TABLE powerdns_cryptokeys (
+ id INT AUTO_INCREMENT,
+ domain_id INT NOT NULL,
+ flags INT NOT NULL,
+ active BOOL,
+ published BOOL DEFAULT 1,
+ content TEXT,
+ PRIMARY KEY(id)
+) Engine=InnoDB CHARACTER SET 'latin1';
+
+
+CREATE TABLE powerdns_tsigkeys (
+ id INT AUTO_INCREMENT,
+ name VARCHAR(255),
+ algorithm VARCHAR(50),
+ secret VARCHAR(255),
+ PRIMARY KEY (id)
+) Engine=InnoDB CHARACTER SET 'latin1';
+
+EOF
diff --git a/docker/pdns/Dockerfile b/docker/pdns/Dockerfile
index a4920898..a75296c6 100644
--- a/docker/pdns/Dockerfile
+++ b/docker/pdns/Dockerfile
@@ -1,37 +1,37 @@
FROM fedora:35
ENV container docker
ENV SYSTEMD_PAGER=''
RUN dnf -y install \
--setopt 'tsflags=nodocs' \
bind-utils \
- cronie \
iproute \
iptables \
+ iputils \
net-tools \
pdns \
pdns-backend-mysql \
pdns-recursor \
pdns-tools \
procps-ng \
vim-enhanced \
wget \
which && \
dnf clean all
COPY pdns.conf /etc/pdns/pdns.conf
COPY recursor.conf /etc/pdns-recursor/recursor.conf
-RUN systemctl enable pdns && systemctl enable pdns-recursor
+RUN systemctl disable systemd-resolved && systemctl enable pdns && systemctl enable pdns-recursor
# This is how we could run pdns without systemd
# ENV PDNS_guardian=yes \
# PDNS_setuid=pdns \
# PDNS_setgid=pdns \
# PDNS_launch=gmysql
# CMD ["/usr/sbin/pdns_server", "--guardian=no", "--daemon=no", "--disable-syslog", "--log-timestamp=no", "--write-pid=no"]
CMD ["/lib/systemd/systemd", "--system"]
-EXPOSE 9953 9953/udp
+EXPOSE 53 53/udp
diff --git a/docker/pdns/pdns.conf b/docker/pdns/pdns.conf
index acf09c42..07ecf0f0 100644
--- a/docker/pdns/pdns.conf
+++ b/docker/pdns/pdns.conf
@@ -1,69 +1,69 @@
launch=gmysql
log-dns-details
query-logging=yes
-local-address=127.0.0.1:5300, [::1]:5300
+local-address=127.0.0.1:5300
edns-subnet-processing
-gmysql-host=127.0.0.1
+gmysql-host=mariadb
gmysql-dbname=kolabdev
gmysql-password=kolab
gmysql-user=kolabdev
gmysql-activate-domain-key-query=UPDATE powerdns_cryptokeys SET active=1 WHERE domain_id=(SELECT id FROM domains WHERE name=?) AND powerdns_cryptokeys.id=?
gmysql-add-domain-key-query=INSERT INTO powerdns_cryptokeys (domain_id, flags, active, content) SELECT id, ?, ?, ? FROM powerdns_domains WHERE name=?
gmysql-any-id-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM powerdns_records WHERE disabled=0 AND name=? AND domain_id=?
gmysql-any-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM powerdns_records WHERE disabled=0 AND name=?
gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM powerdns_records WHERE disabled=0 AND type=? AND name=?
gmysql-clear-domain-all-keys-query=delete FROM powerdns_cryptokeys WHERE domain_id=(SELECT id FROM powerdns_domains WHERE name=?)
gmysql-clear-domain-all-metadata-query=delete FROM powerdns_domain_settings WHERE domain_id=(SELECT id FROM powerdns_domains WHERE name=?)
gmysql-clear-domain-metadata-query=delete FROM powerdns_domain_settings WHERE domain_id=(SELECT id FROM powerdns_domains WHERE name=?) AND powerdns_domain_settings.kind=?
gmysql-deactivate-domain-key-query=UPDATE powerdns_cryptokeys SET active=0 WHERE domain_id=(SELECT id FROM powerdns_domains WHERE name=?) AND powerdns_cryptokeys.id=?
gmysql-delete-comment-rrset-query=DELETE FROM powerdns_comments WHERE domain_id=? AND name=? AND type=?
gmysql-delete-comments-query=DELETE FROM powerdns_comments WHERE domain_id=?
gmysql-delete-domain-query=delete FROM powerdns_domains WHERE name=?
gmysql-delete-empty-non-terminal-query=delete FROM powerdns_records WHERE domain_id=? AND name=? AND type is null
gmysql-delete-names-query=delete FROM powerdns_records WHERE domain_id=? AND name=?
gmysql-delete-rrset-query=delete FROM powerdns_records WHERE domain_id=? AND name=? AND type=?
gmysql-delete-tsig-key-query=delete FROM powerdns_tsigkeys WHERE name=?
gmysql-delete-zone-query=delete FROM powerdns_records WHERE domain_id=?
gmysql-get-all-domain-metadata-query=SELECT kind,content FROM powerdns_domains, powerdns_domain_settings WHERE powerdns_domain_settings.domain_id=powerdns_domains.id AND name=?
gmysql-get-all-domains-query=SELECT powerdns_domains.id, powerdns_domains.name, powerdns_records.content, powerdns_domains.type, powerdns_domains.master, powerdns_domains.notified_serial, powerdns_domains.last_check, powerdns_domains.account FROM powerdns_domains LEFT JOIN powerdns_records ON powerdns_records.domain_id=powerdns_domains.id AND powerdns_records.type='SOA' AND powerdns_records.name=powerdns_domains.name WHERE powerdns_records.disabled=0 OR ?
gmysql-get-domain-metadata-query=SELECT content FROM powerdns_domains, powerdns_domain_settings WHERE powerdns_domain_settings.domain_id=powerdns_domains.id AND name=? AND powerdns_domain_settings.kind=?
gmysql-get-last-inserted-key-id-query=SELECT LAST_INSERT_ID()
gmysql-get-order-after-query=SELECT ordername FROM powerdns_records WHERE ordername > ? AND domain_id=? AND disabled=0 AND ordername IS NOT NULL ORDER BY 1 ASC LIMIT 1
gmysql-get-order-before-query=SELECT ordername, name FROM powerdns_records WHERE ordername <= ? AND domain_id=? AND disabled=0 AND ordername IS NOT NULL ORDER BY 1 desc LIMIT 1
gmysql-get-order-first-query=SELECT ordername FROM powerdns_records WHERE domain_id=? AND disabled=0 AND ordername IS NOT NULL ORDER BY 1 ASC LIMIT 1
gmysql-get-order-last-query=SELECT ordername, name FROM powerdns_records WHERE ordername != '' AND domain_id=? AND disabled=0 AND ordername IS NOT NULL ORDER BY 1 desc LIMIT 1
gmysql-get-tsig-key-query=SELECT algorithm, secret FROM powerdns_tsigkeys WHERE name=?
gmysql-get-tsig-keys-query=SELECT name,algorithm, secret FROM powerdns_tsigkeys
gmysql-id-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM powerdns_records WHERE disabled=0 AND type=? AND name=? AND domain_id=?
gmysql-info-all-master-query=SELECT d.id, d.name, d.notified_serial, r.content FROM powerdns_records r join powerdns_domains d on r.name=d.name WHERE r.type='SOA' AND r.disabled=0 AND d.type='MASTER'
gmysql-info-all-slaves-query=SELECT id,name,master,last_check FROM powerdns_domains WHERE type='SLAVE'
gmysql-info-zone-query=SELECT id,name,master,last_check,notified_serial,type,account FROM powerdns_domains WHERE name=?
gmysql-insert-comment-query=INSERT INTO powerdns_comments (domain_id, name, type, modified_at, account, comment) VALUES (?, ?, ?, ?, ?, ?)
gmysql-insert-empty-non-terminal-order-query=INSERT INTO powerdns_records (type,domain_id,disabled,name,ordername,auth,content,ttl,prio) values (null,?,0,?,?,?,NULL,NULL,NULL)
gmysql-insert-record-query=INSERT INTO powerdns_records (content,ttl,prio,type,domain_id,disabled,name,ordername,auth) values (?,?,?,?,?,?,?,?,?)
gmysql-insert-zone-query=INSERT INTO powerdns_domains (type,name,master,account,last_check,notified_serial) values(?,?,?,?,NULL,NULL)
gmysql-list-comments-query=SELECT domain_id,name,type,modified_at,account,comment FROM powerdns_comments WHERE domain_id=?
gmysql-list-domain-keys-query=SELECT powerdns_cryptokeys.id, flags, active, content FROM powerdns_domains, powerdns_cryptokeys WHERE powerdns_cryptokeys.domain_id=powerdns_domains.id AND name=?
gmysql-list-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM powerdns_records WHERE (disabled=0 OR ?) AND domain_id=? ORDER BY name, type
gmysql-list-subzone-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM powerdns_records WHERE disabled=0 AND (name=? OR name like ?) AND domain_id=?
gmysql-nullify-ordername-and-update-auth-query=UPDATE powerdns_records SET ordername=NULL,auth=? WHERE domain_id=? AND name=? AND disabled=0
gmysql-nullify-ordername-and-update-auth-type-query=UPDATE powerdns_records SET ordername=NULL,auth=? WHERE domain_id=? AND name=? AND type=? AND disabled=0
gmysql-remove-domain-key-query=delete FROM powerdns_cryptokeys WHERE domain_id=(SELECT id FROM powerdns_domains WHERE name=?) AND powerdns_cryptokeys.id=?
gmysql-remove-empty-non-terminals-from-zone-query=delete FROM powerdns_records WHERE domain_id=? AND type is null
gmysql-search-comments-query=SELECT domain_id,name,type,modified_at,account,comment FROM powerdns_comments WHERE name LIKE ? OR comment LIKE ? LIMIT ?
gmysql-search-records-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM powerdns_records WHERE name LIKE ? OR content LIKE ? LIMIT ?
gmysql-set-domain-metadata-query=INSERT INTO powerdns_domain_settings (domain_id, kind, content) SELECT id, ?, ? FROM powerdns_domains WHERE name=?
gmysql-set-tsig-key-query=REPLACE INTO powerdns_tsigkeys (name,algorithm,secret) values(?,?,?)
gmysql-supermaster-query=SELECT account FROM powerdns_masters WHERE ip=? AND nameserver=?
gmysql-update-account-query=UPDATE powerdns_domains SET account=? WHERE name=?
gmysql-update-kind-query=UPDATE powerdns_domains SET type=? WHERE name=?
gmysql-update-lastcheck-query=UPDATE powerdns_domains SET last_check=? WHERE id=?
gmysql-update-master-query=UPDATE powerdns_domains SET master=? WHERE name=?
gmysql-update-ordername-and-auth-query=UPDATE powerdns_records SET ordername=?,auth=? WHERE domain_id=? AND name=? AND disabled=0
gmysql-update-ordername-and-auth-type-query=UPDATE powerdns_records SET ordername=?,auth=? WHERE domain_id=? AND name=? AND type=? AND disabled=0
gmysql-update-serial-query=UPDATE powerdns_domains SET notified_serial=? WHERE id=?
diff --git a/docker/pdns/recursor.conf b/docker/pdns/recursor.conf
index 8b1f7412..82540227 100644
--- a/docker/pdns/recursor.conf
+++ b/docker/pdns/recursor.conf
@@ -1,4 +1,6 @@
-local-address=127.0.0.1
-local-port=9953
+local-address=0.0.0.0
+local-port=53
allow-from=0.0.0.0/0
forward-zones=_woat.kolab.org=127.0.0.1:5300
+# Forward everything else to the docker resolver, so we can still resolve other containers when using pdns
+forward-zones-recurse=.=127.0.0.11
diff --git a/docker/proxy/Dockerfile b/docker/proxy/Dockerfile
index 2a3c8ba9..7e802a70 100644
--- a/docker/proxy/Dockerfile
+++ b/docker/proxy/Dockerfile
@@ -1,29 +1,29 @@
FROM fedora:35
MAINTAINER Jeroen van Meeuwen <vanmeeuwen@kolabsys.com>
ENV container docker
RUN dnf -y install \
--setopt 'tsflags=nodocs' \
nginx \
nginx-mod-mail && \
dnf clean all
COPY rootfs/ /
ARG APP_WEBSITE_DOMAIN
ARG SSL_CERTIFICATE
ARG SSL_CERTIFICATE_KEY
RUN sed -i -r -e "s|APP_WEBSITE_DOMAIN|$APP_WEBSITE_DOMAIN|g" /etc/nginx/nginx.conf
RUN sed -i -r -e "s|SSL_CERTIFICATE_CERT|$SSL_CERTIFICATE|g" /etc/nginx/nginx.conf
RUN sed -i -r -e "s|SSL_CERTIFICATE_KEY|$SSL_CERTIFICATE_KEY|g" /etc/nginx/nginx.conf
# Forward request logs to Docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
STOPSIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"]
-EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 993/tcp 995/tcp
+EXPOSE 80/tcp 443/tcp 465/tcp 587/tcp 143/tcp 144/tcp 993/tcp
diff --git a/docker/proxy/rootfs/etc/nginx/nginx.conf b/docker/proxy/rootfs/etc/nginx/nginx.conf
index c961fd59..5616e99f 100644
--- a/docker/proxy/rootfs/etc/nginx/nginx.conf
+++ b/docker/proxy/rootfs/etc/nginx/nginx.conf
@@ -1,247 +1,247 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate SSL_CERTIFICATE_CERT;
ssl_certificate_key SSL_CERTIFICATE_KEY;
server_name APP_WEBSITE_DOMAIN;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
- proxy_pass http://127.0.0.1:8000;
+ proxy_pass http://webapp:8000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
# Mostly for files, swoole has a 10MB limit
client_max_body_size 11m;
}
location /meetmedia {
- proxy_pass https://127.0.0.1:12443;
+ proxy_pass https://meet:12443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
}
location /meetmedia/api {
- proxy_pass https://127.0.0.1:12443;
+ proxy_pass https://meet:12443;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
}
location /roundcubemail {
- proxy_pass http://127.0.0.1:9080;
+ proxy_pass http://kolab:9080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
}
location /kolab-webadmin {
- proxy_pass http://127.0.0.1:9080;
+ proxy_pass http://kolab:9080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
}
location /Microsoft-Server-ActiveSync {
auth_request /auth;
#auth_request_set $auth_status $upstream_status;
- proxy_pass http://127.0.0.1:9080;
+ proxy_pass http://kolab:9080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_send_timeout 910s;
proxy_read_timeout 910s;
fastcgi_send_timeout 910s;
fastcgi_read_timeout 910s;
}
location ~* ^/\\.well-known/(caldav|carddav) {
- proxy_pass http://127.0.0.1:9080;
+ proxy_pass http://kolab:9080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /iRony {
auth_request /auth;
#auth_request_set $auth_status $upstream_status;
- proxy_pass http://127.0.0.1:9080;
+ proxy_pass http://kolab:9080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location = /auth {
internal;
- proxy_pass http://127.0.0.1:8000/api/webhooks/nginx-httpauth;
+ proxy_pass http://webapp:8000/api/webhooks/nginx-httpauth;
proxy_pass_request_body off;
proxy_set_header Host services.APP_WEBSITE_DOMAIN;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
mail {
server_name imap.hosted.com;
- auth_http 127.0.0.1:8000/api/webhooks/nginx;
+ auth_http webapp:8000/api/webhooks/nginx;
auth_http_header Host services.APP_WEBSITE_DOMAIN;
proxy_pass_error_message on;
server {
listen 143;
protocol imap;
proxy on;
starttls on;
ssl_certificate SSL_CERTIFICATE_CERT;
ssl_certificate_key SSL_CERTIFICATE_KEY;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}
# Roundcube specific imap endpoint with proxy-protocol enabled
server {
listen 144 proxy_protocol;
protocol imap;
- auth_http 127.0.0.1:8000/api/webhooks/nginx-roundcube;
+ auth_http webapp:8000/api/webhooks/nginx-roundcube;
proxy on;
starttls on;
ssl_certificate SSL_CERTIFICATE_CERT;
ssl_certificate_key SSL_CERTIFICATE_KEY;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}
server {
listen 465 ssl;
protocol smtp;
proxy on;
ssl_certificate SSL_CERTIFICATE_CERT;
ssl_certificate_key SSL_CERTIFICATE_KEY;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}
server {
listen 587;
protocol smtp;
proxy on;
starttls on;
ssl_certificate SSL_CERTIFICATE_CERT;
ssl_certificate_key SSL_CERTIFICATE_KEY;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}
server {
listen 993 ssl;
protocol imap;
proxy on;
ssl_certificate SSL_CERTIFICATE_CERT;
ssl_certificate_key SSL_CERTIFICATE_KEY;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}
}
diff --git a/docker/redis/Dockerfile b/docker/redis/Dockerfile
index 36f88183..fd028345 100644
--- a/docker/redis/Dockerfile
+++ b/docker/redis/Dockerfile
@@ -1,27 +1,25 @@
-FROM fedora:34
+FROM fedora:35
ENV container docker
-ENV SYSTEMD_PAGER=''
RUN dnf -y install \
--setopt 'tsflags=nodocs' \
bind-utils \
cronie \
iproute \
iptables \
net-tools \
procps-ng \
redis \
- suricata \
vim-enhanced \
wget \
which && \
dnf clean all
-COPY redis.conf /etc/redis.conf
-
-RUN systemctl enable redis
+COPY redis.conf /etc/redis/redis.conf
WORKDIR /root/
-CMD ["/usr/bin/redis-server"]
+CMD ["/usr/bin/redis-server", "/etc/redis/redis.conf"]
+
+EXPOSE 6379/tcp
diff --git a/docker/redis/redis.conf b/docker/redis/redis.conf
index dd0ef345..dc828ad1 100644
--- a/docker/redis/redis.conf
+++ b/docker/redis/redis.conf
@@ -1,827 +1,830 @@
# Redis configuration file example
# Note on units: when memory size is needed, it is possible to specify
# it in the usual form of 1k 5GB 4M and so forth:
#
# 1k => 1000 bytes
# 1kb => 1024 bytes
# 1m => 1000000 bytes
# 1mb => 1024*1024 bytes
# 1g => 1000000000 bytes
# 1gb => 1024*1024*1024 bytes
#
# units are case insensitive so 1GB 1Gb 1gB are all the same.
################################## INCLUDES ###################################
# Include one or more other config files here. This is useful if you
# have a standard template that goes to all Redis servers but also need
# to customize a few per-server settings. Include files can include
# other files, so use this wisely.
#
# Notice option "include" won't be rewritten by command "CONFIG REWRITE"
# from admin or Redis Sentinel. Since Redis always uses the last processed
# line as value of a configuration directive, you'd better put includes
# at the beginning of this file to avoid overwriting config change at runtime.
#
# If instead you are interested in using includes to override configuration
# options, it is better to use include as the last line.
#
# include /path/to/local.conf
# include /path/to/other.conf
################################ GENERAL #####################################
# By default Redis does not run as a daemon. Use 'yes' if you need it.
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
daemonize no
# When running daemonized, Redis writes a pid file in /var/run/redis.pid by
# default. You can specify a custom pid file location here.
pidfile /var/run/redis/redis.pid
# Accept connections on the specified port, default is 6379.
# If port 0 is specified Redis will not listen on a TCP socket.
port 6379
# TCP listen() backlog.
#
# In high requests-per-second environments you need an high backlog in order
# to avoid slow clients connections issues. Note that the Linux kernel
# will silently truncate it to the value of /proc/sys/net/core/somaxconn so
# make sure to raise both the value of somaxconn and tcp_max_syn_backlog
# in order to get the desired effect.
tcp-backlog 511
# By default Redis listens for connections from all the network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the "bind" configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
-bind 127.0.0.1
+#bind 127.0.0.1
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
# unixsocket /tmp/redis.sock
# unixsocketperm 700
# Close the connection after a client is idle for N seconds (0 to disable)
timeout 0
# TCP keepalive.
#
# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence
# of communication. This is useful for two reasons:
#
# 1) Detect dead peers.
# 2) Take the connection alive from the point of view of network
# equipment in the middle.
#
# On Linux, the specified value (in seconds) is the period used to send ACKs.
# Note that to close the connection the double of the time is needed.
# On other kernels the period depends on the kernel configuration.
#
# A reasonable value for this option is 60 seconds.
tcp-keepalive 0
# Specify the server verbosity level.
# This can be one of:
# debug (a lot of information, useful for development/testing)
# verbose (many rarely useful info, but not a mess like the debug level)
# notice (moderately verbose, what you want in production probably)
# warning (only very important / critical messages are logged)
loglevel notice
# Specify the log file name. Also the empty string can be used to force
# Redis to log on the standard output. Note that if you use standard
# output for logging but daemonize, logs will be sent to /dev/null
logfile /var/log/redis/redis.log
# To enable logging to the system logger, just set 'syslog-enabled' to yes,
# and optionally update the other syslog parameters to suit your needs.
# syslog-enabled no
# Specify the syslog identity.
# syslog-ident redis
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
# syslog-facility local0
# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1
databases 16
################################ SNAPSHOTTING ################################
#
# Save the DB on disk:
#
# save <seconds> <changes>
#
# Will save the DB if both the given number of seconds and the given
# number of write operations against the DB occurred.
#
# In the example below the behaviour will be to save:
# after 900 sec (15 min) if at least 1 key changed
# after 300 sec (5 min) if at least 10 keys changed
# after 60 sec if at least 10000 keys changed
#
# Note: you can disable saving completely by commenting out all "save" lines.
#
# It is also possible to remove all the previously configured save
# points by adding a save directive with a single empty string argument
# like in the following example:
#
# save ""
save 900 1
save 300 10
save 60 10000
# By default Redis will stop accepting writes if RDB snapshots are enabled
# (at least one save point) and the latest background save failed.
# This will make the user aware (in a hard way) that data is not persisting
# on disk properly, otherwise chances are that no one will notice and some
# disaster will happen.
#
# If the background saving process will start working again Redis will
# automatically allow writes again.
#
# However if you have setup your proper monitoring of the Redis server
# and persistence, you may want to disable this feature so that Redis will
# continue to work as usual even if there are problems with disk,
# permissions, and so forth.
stop-writes-on-bgsave-error yes
# Compress string objects using LZF when dump .rdb databases?
# For default that's set to 'yes' as it's almost always a win.
# If you want to save some CPU in the saving child set it to 'no' but
# the dataset will likely be bigger if you have compressible values or keys.
rdbcompression yes
# Since version 5 of RDB a CRC64 checksum is placed at the end of the file.
# This makes the format more resistant to corruption but there is a performance
# hit to pay (around 10%) when saving and loading RDB files, so you can disable it
# for maximum performances.
#
# RDB files created with checksum disabled have a checksum of zero that will
# tell the loading code to skip the check.
rdbchecksum yes
# The filename where to dump the DB
dbfilename dump.rdb
# The working directory.
#
# The DB will be written inside this directory, with the filename specified
# above using the 'dbfilename' configuration directive.
#
# The Append Only File will also be created inside this directory.
#
# Note that you must specify a directory here, not a file name.
dir /var/lib/redis/
################################# REPLICATION #################################
# Master-Slave replication. Use slaveof to make a Redis instance a copy of
# another Redis server. A few things to understand ASAP about Redis replication.
#
# 1) Redis replication is asynchronous, but you can configure a master to
# stop accepting writes if it appears to be not connected with at least
# a given number of slaves.
# 2) Redis slaves are able to perform a partial resynchronization with the
# master if the replication link is lost for a relatively small amount of
# time. You may want to configure the replication backlog size (see the next
# sections of this file) with a sensible value depending on your needs.
# 3) Replication is automatic and does not need user intervention. After a
# network partition slaves automatically try to reconnect to masters
# and resynchronize with them.
#
# slaveof <masterip> <masterport>
# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
#
# masterauth <master-password>
# When a slave loses its connection with the master, or when the replication
# is still in progress, the slave can act in two different ways:
#
# 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will
# still reply to client requests, possibly with out of date data, or the
# data set may just be empty if this is the first synchronization.
#
# 2) if slave-serve-stale-data is set to 'no' the slave will reply with
# an error "SYNC with master in progress" to all the kind of commands
# but to INFO and SLAVEOF.
#
slave-serve-stale-data yes
# You can configure a slave instance to accept writes or not. Writing against
# a slave instance may be useful to store some ephemeral data (because data
# written on a slave will be easily deleted after resync with the master) but
# may also cause problems if clients are writing to it because of a
# misconfiguration.
#
# Since Redis 2.6 by default slaves are read-only.
#
# Note: read only slaves are not designed to be exposed to untrusted clients
# on the internet. It's just a protection layer against misuse of the instance.
# Still a read only slave exports by default all the administrative commands
# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve
# security of read only slaves using 'rename-command' to shadow all the
# administrative / dangerous commands.
slave-read-only yes
# Replication SYNC strategy: disk or socket.
#
# -------------------------------------------------------
# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY
# -------------------------------------------------------
#
# New slaves and reconnecting slaves that are not able to continue the replication
# process just receiving differences, need to do what is called a "full
# synchronization". An RDB file is transmitted from the master to the slaves.
# The transmission can happen in two different ways:
#
# 1) Disk-backed: The Redis master creates a new process that writes the RDB
# file on disk. Later the file is transferred by the parent
# process to the slaves incrementally.
# 2) Diskless: The Redis master creates a new process that directly writes the
# RDB file to slave sockets, without touching the disk at all.
#
# With disk-backed replication, while the RDB file is generated, more slaves
# can be queued and served with the RDB file as soon as the current child producing
# the RDB file finishes its work. With diskless replication instead once
# the transfer starts, new slaves arriving will be queued and a new transfer
# will start when the current one terminates.
#
# When diskless replication is used, the master waits a configurable amount of
# time (in seconds) before starting the transfer in the hope that multiple slaves
# will arrive and the transfer can be parallelized.
#
# With slow disks and fast (large bandwidth) networks, diskless replication
# works better.
repl-diskless-sync no
# When diskless replication is enabled, it is possible to configure the delay
# the server waits in order to spawn the child that trnasfers the RDB via socket
# to the slaves.
#
# This is important since once the transfer starts, it is not possible to serve
# new slaves arriving, that will be queued for the next RDB transfer, so the server
# waits a delay in order to let more slaves arrive.
#
# The delay is specified in seconds, and by default is 5 seconds. To disable
# it entirely just set it to 0 seconds and the transfer will start ASAP.
repl-diskless-sync-delay 5
# Slaves send PINGs to server in a predefined interval. It's possible to change
# this interval with the repl_ping_slave_period option. The default value is 10
# seconds.
#
# repl-ping-slave-period 10
# The following option sets the replication timeout for:
#
# 1) Bulk transfer I/O during SYNC, from the point of view of slave.
# 2) Master timeout from the point of view of slaves (data, pings).
# 3) Slave timeout from the point of view of masters (REPLCONF ACK pings).
#
# It is important to make sure that this value is greater than the value
# specified for repl-ping-slave-period otherwise a timeout will be detected
# every time there is low traffic between the master and the slave.
#
# repl-timeout 60
# Disable TCP_NODELAY on the slave socket after SYNC?
#
# If you select "yes" Redis will use a smaller number of TCP packets and
# less bandwidth to send data to slaves. But this can add a delay for
# the data to appear on the slave side, up to 40 milliseconds with
# Linux kernels using a default configuration.
#
# If you select "no" the delay for data to appear on the slave side will
# be reduced but more bandwidth will be used for replication.
#
# By default we optimize for low latency, but in very high traffic conditions
# or when the master and slaves are many hops away, turning this to "yes" may
# be a good idea.
repl-disable-tcp-nodelay no
# Set the replication backlog size. The backlog is a buffer that accumulates
# slave data when slaves are disconnected for some time, so that when a slave
# wants to reconnect again, often a full resync is not needed, but a partial
# resync is enough, just passing the portion of data the slave missed while
# disconnected.
#
# The bigger the replication backlog, the longer the time the slave can be
# disconnected and later be able to perform a partial resynchronization.
#
# The backlog is only allocated once there is at least a slave connected.
#
# repl-backlog-size 1mb
# After a master has no longer connected slaves for some time, the backlog
# will be freed. The following option configures the amount of seconds that
# need to elapse, starting from the time the last slave disconnected, for
# the backlog buffer to be freed.
#
# A value of 0 means to never release the backlog.
#
# repl-backlog-ttl 3600
# The slave priority is an integer number published by Redis in the INFO output.
# It is used by Redis Sentinel in order to select a slave to promote into a
# master if the master is no longer working correctly.
#
# A slave with a low priority number is considered better for promotion, so
# for instance if there are three slaves with priority 10, 100, 25 Sentinel will
# pick the one with priority 10, that is the lowest.
#
# However a special priority of 0 marks the slave as not able to perform the
# role of master, so a slave with priority of 0 will never be selected by
# Redis Sentinel for promotion.
#
# By default the priority is 100.
slave-priority 100
# It is possible for a master to stop accepting writes if there are less than
# N slaves connected, having a lag less or equal than M seconds.
#
# The N slaves need to be in "online" state.
#
# The lag in seconds, that must be <= the specified value, is calculated from
# the last ping received from the slave, that is usually sent every second.
#
# This option does not GUARANTEE that N replicas will accept the write, but
# will limit the window of exposure for lost writes in case not enough slaves
# are available, to the specified number of seconds.
#
# For example to require at least 3 slaves with a lag <= 10 seconds use:
#
# min-slaves-to-write 3
# min-slaves-max-lag 10
#
# Setting one or the other to 0 disables the feature.
#
# By default min-slaves-to-write is set to 0 (feature disabled) and
# min-slaves-max-lag is set to 10.
################################## SECURITY ###################################
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
# Command renaming.
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to slaves may cause problems.
################################### LIMITS ####################################
# Set the max number of connected clients at the same time. By default
# this limit is set to 10000 clients, however if the Redis server is not
# able to configure the process file limit to allow for the specified limit
# the max number of allowed clients is set to the current file limit
# minus 32 (as Redis reserves a few file descriptors for internal uses).
#
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
# maxclients 10000
# Don't use more memory than the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys
# according to the eviction policy selected (see maxmemory-policy).
#
# If Redis can't remove keys according to the policy, or if the policy is
# set to 'noeviction', Redis will start to reply with errors to commands
# that would use more memory, like SET, LPUSH, and so on, and will continue
# to reply to read-only commands like GET.
#
# This option is usually useful when using Redis as an LRU cache, or to set
# a hard memory limit for an instance (using the 'noeviction' policy).
#
# WARNING: If you have slaves attached to an instance with maxmemory on,
# the size of the output buffers needed to feed the slaves are subtracted
# from the used memory count, so that network problems / resyncs will
# not trigger a loop where keys are evicted, and in turn the output
# buffer of slaves is full with DELs of keys evicted triggering the deletion
# of more keys, and so forth until the database is completely emptied.
#
# In short... if you have slaves attached it is suggested that you set a lower
# limit for maxmemory so that there is some free RAM on the system for slave
# output buffers (but this is not needed if the policy is 'noeviction').
#
# maxmemory <bytes>
# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
# is reached. You can select among five behaviors:
#
# volatile-lru -> remove the key with an expire set using an LRU algorithm
# allkeys-lru -> remove any key according to the LRU algorithm
# volatile-random -> remove a random key with an expire set
# allkeys-random -> remove a random key, any key
# volatile-ttl -> remove the key with the nearest expire time (minor TTL)
# noeviction -> don't expire at all, just return an error on write operations
#
# Note: with any of the above policies, Redis will return an error on write
# operations, when there are no suitable keys for eviction.
#
# At the date of writing these commands are: set setnx setex append
# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
# getset mset msetnx exec sort
#
# The default is:
#
# maxmemory-policy volatile-lru
# LRU and minimal TTL algorithms are not precise algorithms but approximated
# algorithms (in order to save memory), so you can select as well the sample
# size to check. For instance for default Redis will check three keys and
# pick the one that was used less recently, you can change the sample size
# using the following configuration directive.
#
# maxmemory-samples 3
############################## APPEND ONLY MODE ###############################
# By default Redis asynchronously dumps the dataset on disk. This mode is
# good enough in many applications, but an issue with the Redis process or
# a power outage may result into a few minutes of writes lost (depending on
# the configured save points).
#
# The Append Only File is an alternative persistence mode that provides
# much better durability. For instance using the default data fsync policy
# (see later in the config file) Redis can lose just one second of writes in a
# dramatic event like a server power outage, or a single write if something
# wrong with the Redis process itself happens, but the operating system is
# still running correctly.
#
# AOF and RDB persistence can be enabled at the same time without problems.
# If the AOF is enabled on startup Redis will load the AOF, that is the file
# with the better durability guarantees.
#
# Please check http://redis.io/topics/persistence for more information.
appendonly no
# The name of the append only file (default: "appendonly.aof")
appendfilename "appendonly.aof"
# The fsync() call tells the Operating System to actually write data on disk
# instead of waiting for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP.
#
# Redis supports three different modes:
#
# no: don't fsync, just let the OS flush the data when it wants. Faster.
# always: fsync after every write to the append only log. Slow, Safest.
# everysec: fsync only one time every second. Compromise.
#
# The default is "everysec", as that's usually the right compromise between
# speed and data safety. It's up to you to understand if you can relax this to
# "no" that will let the operating system flush the output buffer when
# it wants, for better performances (but if you can live with the idea of
# some data loss consider the default persistence mode that's snapshotting),
# or on the contrary, use "always" that's very slow but a bit safer than
# everysec.
#
# More details please check the following article:
# http://antirez.com/post/redis-persistence-demystified.html
#
# If unsure, use "everysec".
# appendfsync always
appendfsync everysec
# appendfsync no
# When the AOF fsync policy is set to always or everysec, and a background
# saving process (a background save or AOF log background rewriting) is
# performing a lot of I/O against the disk, in some Linux configurations
# Redis may block too long on the fsync() call. Note that there is no fix for
# this currently, as even performing fsync in a different thread will block
# our synchronous write(2) call.
#
# In order to mitigate this problem it's possible to use the following option
# that will prevent fsync() from being called in the main process while a
# BGSAVE or BGREWRITEAOF is in progress.
#
# This means that while another child is saving, the durability of Redis is
# the same as "appendfsync none". In practical terms, this means that it is
# possible to lose up to 30 seconds of log in the worst scenario (with the
# default Linux settings).
#
# If you have latency problems turn this to "yes". Otherwise leave it as
# "no" that is the safest pick from the point of view of durability.
no-appendfsync-on-rewrite no
# Automatic rewrite of the append only file.
# Redis is able to automatically rewrite the log file implicitly calling
# BGREWRITEAOF when the AOF log size grows by the specified percentage.
#
# This is how it works: Redis remembers the size of the AOF file after the
# latest rewrite (if no rewrite has happened since the restart, the size of
# the AOF at startup is used).
#
# This base size is compared to the current size. If the current size is
# bigger than the specified percentage, the rewrite is triggered. Also
# you need to specify a minimal size for the AOF file to be rewritten, this
# is useful to avoid rewriting the AOF file even if the percentage increase
# is reached but it is still pretty small.
#
# Specify a percentage of zero in order to disable the automatic AOF
# rewrite feature.
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
# An AOF file may be found to be truncated at the end during the Redis
# startup process, when the AOF data gets loaded back into memory.
# This may happen when the system where Redis is running
# crashes, especially when an ext4 filesystem is mounted without the
# data=ordered option (however this can't happen when Redis itself
# crashes or aborts but the operating system still works correctly).
#
# Redis can either exit with an error when this happens, or load as much
# data as possible (the default now) and start if the AOF file is found
# to be truncated at the end. The following option controls this behavior.
#
# If aof-load-truncated is set to yes, a truncated AOF file is loaded and
# the Redis server starts emitting a log to inform the user of the event.
# Otherwise if the option is set to no, the server aborts with an error
# and refuses to start. When the option is set to no, the user requires
# to fix the AOF file using the "redis-check-aof" utility before to restart
# the server.
#
# Note that if the AOF file will be found to be corrupted in the middle
# the server will still exit with an error. This option only applies when
# Redis will try to read more data from the AOF file but not enough bytes
# will be found.
aof-load-truncated yes
################################ LUA SCRIPTING ###############################
# Max execution time of a Lua script in milliseconds.
#
# If the maximum execution time is reached Redis will log that a script is
# still in execution after the maximum allowed time and will start to
# reply to queries with an error.
#
# When a long running script exceeds the maximum execution time only the
# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
# used to stop a script that did not yet called write commands. The second
# is the only way to shut down the server in the case a write command was
# already issued by the script but the user doesn't want to wait for the natural
# termination of the script.
#
# Set it to 0 or a negative value for unlimited execution without warnings.
lua-time-limit 5000
################################## SLOW LOG ###################################
# The Redis Slow Log is a system to log queries that exceeded a specified
# execution time. The execution time does not include the I/O operations
# like talking with the client, sending the reply and so forth,
# but just the time needed to actually execute the command (this is the only
# stage of command execution where the thread is blocked and can not serve
# other requests in the meantime).
#
# You can configure the slow log with two parameters: one tells Redis
# what is the execution time, in microseconds, to exceed in order for the
# command to get logged, and the other parameter is the length of the
# slow log. When a new command is logged the oldest one is removed from the
# queue of logged commands.
# The following time is expressed in microseconds, so 1000000 is equivalent
# to one second. Note that a negative number disables the slow log, while
# a value of zero forces the logging of every command.
slowlog-log-slower-than 10000
# There is no limit to this length. Just be aware that it will consume memory.
# You can reclaim memory used by the slow log with SLOWLOG RESET.
slowlog-max-len 128
################################ LATENCY MONITOR ##############################
# The Redis latency monitoring subsystem samples different operations
# at runtime in order to collect data related to possible sources of
# latency of a Redis instance.
#
# Via the LATENCY command this information is available to the user that can
# print graphs and obtain reports.
#
# The system only logs operations that were performed in a time equal or
# greater than the amount of milliseconds specified via the
# latency-monitor-threshold configuration directive. When its value is set
# to zero, the latency monitor is turned off.
#
# By default latency monitoring is disabled since it is mostly not needed
# if you don't have latency issues, and collecting data has a performance
# impact, that while very small, can be measured under big load. Latency
# monitoring can easily be enalbed at runtime using the command
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
latency-monitor-threshold 0
############################# Event notification ##############################
# Redis can notify Pub/Sub clients about events happening in the key space.
# This feature is documented at http://redis.io/topics/notifications
#
# For instance if keyspace events notification is enabled, and a client
# performs a DEL operation on key "foo" stored in the Database 0, two
# messages will be published via Pub/Sub:
#
# PUBLISH __keyspace@0__:foo del
# PUBLISH __keyevent@0__:del foo
#
# It is possible to select the events that Redis will notify among a set
# of classes. Every class is identified by a single character:
#
# K Keyspace events, published with __keyspace@<db>__ prefix.
# E Keyevent events, published with __keyevent@<db>__ prefix.
# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ...
# $ String commands
# l List commands
# s Set commands
# h Hash commands
# z Sorted set commands
# x Expired events (events generated every time a key expires)
# e Evicted events (events generated when a key is evicted for maxmemory)
# A Alias for g$lshzxe, so that the "AKE" string means all the events.
#
# The "notify-keyspace-events" takes as argument a string that is composed
# of zero or multiple characters. The empty string means that notifications
# are disabled.
#
# Example: to enable list and generic events, from the point of view of the
# event name, use:
#
# notify-keyspace-events Elg
#
# Example 2: to get the stream of the expired keys subscribing to channel
# name __keyevent@0__:expired use:
#
# notify-keyspace-events Ex
#
# By default all notifications are disabled because most users don't need
# this feature and the feature has some overhead. Note that if you don't
# specify at least one of K or E, no events will be delivered.
notify-keyspace-events ""
############################### ADVANCED CONFIG ###############################
# Hashes are encoded using a memory efficient data structure when they have a
# small number of entries, and the biggest entry does not exceed a given
# threshold. These thresholds can be configured using the following directives.
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
# Similarly to hashes, small lists are also encoded in a special way in order
# to save a lot of space. The special representation is only used when
# you are under the following limits:
list-max-ziplist-entries 512
list-max-ziplist-value 64
# Sets have a special encoding in just one case: when a set is composed
# of just strings that happen to be integers in radix 10 in the range
# of 64 bit signed integers.
# The following configuration setting sets the limit in the size of the
# set in order to use this special memory saving encoding.
set-max-intset-entries 512
# Similarly to hashes and lists, sorted sets are also specially encoded in
# order to save a lot of space. This encoding is only used when the length and
# elements of a sorted set are below the following limits:
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
# HyperLogLog sparse representation bytes limit. The limit includes the
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
# this limit, it is converted into the dense representation.
#
# A value greater than 16000 is totally useless, since at that point the
# dense representation is more memory efficient.
#
# The suggested value is ~ 3000 in order to have the benefits of
# the space efficient encoding without slowing down too much PFADD,
# which is O(N) with the sparse encoding. The value can be raised to
# ~ 10000 when CPU is not a concern, but space is, and the data set is
# composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
hll-sparse-max-bytes 3000
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
# order to help rehashing the main Redis hash table (the one mapping top-level
# keys to values). The hash table implementation Redis uses (see dict.c)
# performs a lazy rehashing: the more operation you run into a hash table
# that is rehashing, the more rehashing "steps" are performed, so if the
# server is idle the rehashing is never complete and some more memory is used
# by the hash table.
#
# The default is to use this millisecond 10 times every second in order to
# actively rehash the main dictionaries, freeing memory when possible.
#
# If unsure:
# use "activerehashing no" if you have hard latency requirements and it is
# not a good thing in your environment that Redis can reply from time to time
# to queries with 2 milliseconds delay.
#
# use "activerehashing yes" if you don't have such hard requirements but
# want to free memory asap when possible.
activerehashing yes
# The client output buffer limits can be used to force disconnection of clients
# that are not reading data from the server fast enough for some reason (a
# common reason is that a Pub/Sub client can't consume messages as fast as the
# publisher can produce them).
#
# The limit can be set differently for the three different classes of clients:
#
# normal -> normal clients including MONITOR clients
# slave -> slave clients
# pubsub -> clients subscribed to at least one pubsub channel or pattern
#
# The syntax of every client-output-buffer-limit directive is the following:
#
# client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds>
#
# A client is immediately disconnected once the hard limit is reached, or if
# the soft limit is reached and remains reached for the specified number of
# seconds (continuously).
# So for instance if the hard limit is 32 megabytes and the soft limit is
# 16 megabytes / 10 seconds, the client will get disconnected immediately
# if the size of the output buffers reach 32 megabytes, but will also get
# disconnected if the client reaches 16 megabytes and continuously overcomes
# the limit for 10 seconds.
#
# By default normal clients are not limited because they don't receive data
# without asking (in a push way), but just after a request, so only
# asynchronous clients may create a scenario where data is requested faster
# than it can read.
#
# Instead there is a default limit for pubsub and slave clients, since
# subscribers and slaves receive data in a push fashion.
#
# Both the hard or the soft limit can be disabled by setting them to zero.
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
# Redis calls an internal function to perform many background tasks, like
# closing connections of clients in timeout, purging expired keys that are
# never requested, and so forth.
#
# Not all tasks are performed with the same frequency, but Redis checks for
# tasks to perform according to the specified "hz" value.
#
# By default "hz" is set to 10. Raising the value will use more CPU when
# Redis is idle, but at the same time will make Redis more responsive when
# there are many keys expiring at the same time, and timeouts may be
# handled with more precision.
#
# The range is between 1 and 500, however a value over 100 is usually not
# a good idea. Most users should use the default of 10 and raise this up to
# 100 only in environments where very low latency is required.
hz 10
# When a child rewrites the AOF file, if the following option is enabled
# the file will be fsync-ed every 32 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid
# big latency spikes.
aof-rewrite-incremental-fsync yes
+
+# We need to connect over non-localhost
+protected-mode no
diff --git a/docker/webapp/init.sh b/docker/webapp/init.sh
index e2cbd630..466380ee 100755
--- a/docker/webapp/init.sh
+++ b/docker/webapp/init.sh
@@ -1,43 +1,38 @@
#!/bin/bash
set -e
cp -a /src/kolabsrc.orig /src/kolabsrc
cd /src/kolabsrc
rm -rf vendor/ composer.lock .npm storage/framework
mkdir -p storage/framework/{sessions,views,cache}
php -dmemory_limit=-1 $(command -v composer) install
npm install
find bootstrap/cache/ -type f ! -name ".gitignore" -delete
./artisan key:generate
./artisan storage:link
./artisan clear-compiled
./artisan cache:clear
./artisan horizon:install
if [ ! -f storage/oauth-public.key -o ! -f storage/oauth-private.key ]; then
./artisan passport:keys --force
fi
cat >> .env << EOF
PASSPORT_PRIVATE_KEY="$(cat storage/oauth-private.key)"
PASSPORT_PUBLIC_KEY="$(cat storage/oauth-public.key)"
EOF
-if rpm -qv chromium 2>/dev/null; then
- chver=$(rpmquery --queryformat="%{VERSION}" chromium | awk -F'.' '{print $1}')
- ./artisan dusk:chrome-driver ${chver}
-fi
-
if [ ! -f 'resources/countries.php' ]; then
./artisan data:countries
fi
npm run dev
rm -rf database/database.sqlite
./artisan db:ping --wait
php -dmemory_limit=512M ./artisan migrate:refresh --seed
./artisan data:import || :
nohup ./artisan horizon >/dev/null 2>&1 &
./artisan octane:start --host=$(grep OCTANE_HTTP_HOST .env | tail -n1 | sed "s/OCTANE_HTTP_HOST=//")
diff --git a/src/.env.example b/src/.env.example
index 42bea3e7..e1ed5106 100644
--- a/src/.env.example
+++ b/src/.env.example
@@ -1,191 +1,187 @@
APP_NAME=Kolab
APP_ENV=local
APP_KEY=
APP_DEBUG=true
-APP_URL=http://127.0.0.1:8000
+APP_URL=https://kolab.local
#APP_PASSPHRASE=
-APP_PUBLIC_URL=
-APP_DOMAIN=kolabnow.com
-APP_WEBSITE_DOMAIN=kolabnow.com
+APP_PUBLIC_URL=https://kolab.local
+APP_DOMAIN=kolab.local
+APP_WEBSITE_DOMAIN=kolab.local
APP_THEME=default
APP_TENANT_ID=5
APP_LOCALE=en
APP_LOCALES=
APP_WITH_ADMIN=1
APP_WITH_RESELLER=1
APP_WITH_SERVICES=1
APP_WITH_FILES=1
APP_HEADER_CSP="connect-src 'self'; child-src 'self'; font-src 'self'; form-action 'self' data:; frame-ancestors 'self'; img-src blob: data: 'self' *; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; default-src 'self';"
APP_HEADER_XFO=sameorigin
SIGNUP_LIMIT_EMAIL=0
SIGNUP_LIMIT_IP=0
-ASSET_URL=http://127.0.0.1:8000
+ASSET_URL=https://kolab.local
-WEBMAIL_URL=/apps
+WEBMAIL_URL=/roundcubemail/
SUPPORT_URL=/support
SUPPORT_EMAIL=
LOG_CHANNEL=stack
LOG_SLOW_REQUESTS=5
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_DATABASE=kolabdev
-DB_HOST=127.0.0.1
+DB_HOST=mariadb
DB_PASSWORD=kolab
DB_PORT=3306
DB_USERNAME=kolabdev
BROADCAST_DRIVER=redis
CACHE_DRIVER=redis
QUEUE_CONNECTION=redis
SESSION_DRIVER=file
SESSION_LIFETIME=120
OPENEXCHANGERATES_API_KEY="from openexchangerates.org"
-MFA_DSN=mysql://roundcube:Welcome2KolabSystems@127.0.0.1/roundcube
+MFA_DSN=mysql://roundcube:Welcome2KolabSystems@mariadb/roundcube
MFA_TOTP_DIGITS=6
MFA_TOTP_INTERVAL=30
MFA_TOTP_DIGEST=sha1
-IMAP_URI=ssl://127.0.0.1:11993
+IMAP_URI=ssl://kolab:11993
+IMAP_HOST=172.18.0.5
IMAP_ADMIN_LOGIN=cyrus-admin
IMAP_ADMIN_PASSWORD=Welcome2KolabSystems
IMAP_VERIFY_HOST=false
IMAP_VERIFY_PEER=false
LDAP_BASE_DN="dc=mgmt,dc=com"
LDAP_DOMAIN_BASE_DN="ou=Domains,dc=mgmt,dc=com"
-LDAP_HOSTS=127.0.0.1
+LDAP_HOSTS=kolab
LDAP_PORT=389
LDAP_SERVICE_BIND_DN="uid=kolab-service,ou=Special Users,dc=mgmt,dc=com"
LDAP_SERVICE_BIND_PW="Welcome2KolabSystems"
LDAP_USE_SSL=false
LDAP_USE_TLS=false
# Administrative
LDAP_ADMIN_BIND_DN="cn=Directory Manager"
LDAP_ADMIN_BIND_PW="Welcome2KolabSystems"
LDAP_ADMIN_ROOT_DN="dc=mgmt,dc=com"
# Hosted (public registration)
LDAP_HOSTED_BIND_DN="uid=hosted-kolab-service,ou=Special Users,dc=mgmt,dc=com"
LDAP_HOSTED_BIND_PW="Welcome2KolabSystems"
LDAP_HOSTED_ROOT_DN="dc=hosted,dc=com"
-COTURN_PUBLIC_IP=127.0.0.1
+COTURN_PUBLIC_IP='172.18.0.1'
COTURN_STATIC_SECRET="Welcome2KolabSystems"
MEET_WEBHOOK_TOKEN=Welcome2KolabSystems
MEET_SERVER_TOKEN=Welcome2KolabSystems
-MEET_SERVER_URLS=https://localhost:12443/meetmedia/api/
-MEET_SERVER_VERIFY_TLS=true
+MEET_SERVER_URLS=https://kolab.local/meetmedia/api/
+MEET_SERVER_VERIFY_TLS=false
-MEET_WEBRTC_LISTEN_IP=
-MEET_PUBLIC_DOMAIN=127.0.0.1:12443
-MEET_TURN_SERVER='turn:127.0.0.1:3478?transport=tcp'
+MEET_WEBRTC_LISTEN_IP='172.18.0.1'
+MEET_PUBLIC_DOMAIN=kolab.local
+MEET_TURN_SERVER='turn:172.18.0.1:3478'
+MEET_LISTENING_HOST=172.18.0.1
-PGP_ENABLED=
-PGP_BINARY=
-PGP_AGENT=
-PGP_GPGCONF=
+
+PGP_ENABLE=true
+PGP_BINARY=/usr/bin/gpg
+PGP_AGENT=/usr/bin/gpg-agent
+PGP_GPGCONF=/usr/bin/gpgconf
PGP_LENGTH=
# Set these to IP addresses you serve WOAT with.
# Have the domain owner point _woat.<hosted-domain> NS RRs refer to ns0{1,2}.<provider-domain>
WOAT_NS1=ns01.domain.tld
WOAT_NS2=ns02.domain.tld
-REDIS_HOST=127.0.0.1
+REDIS_HOST=redis
REDIS_PASSWORD=null
REDIS_PORT=6379
OCTANE_HTTP_HOST=127.0.0.1
SWOOLE_PACKAGE_MAX_LENGTH=10485760
PAYMENT_PROVIDER=
MOLLIE_KEY=
STRIPE_KEY=
STRIPE_PUBLIC_KEY=
STRIPE_WEBHOOK_SECRET=
+MAIL_DRIVER=log
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="noreply@example.com"
MAIL_FROM_NAME="Example.com"
MAIL_REPLYTO_ADDRESS="replyto@example.com"
MAIL_REPLYTO_NAME=null
DNS_TTL=3600
DNS_SPF="v=spf1 mx -all"
DNS_STATIC="%s. MX 10 ext-mx01.mykolab.com."
DNS_COPY_FROM=null
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
AWS_USE_PATH_STYLE_ENDPOINT=false
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_ASSET_PATH='/'
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
# Generate with ./artisan passport:client --password
#PASSPORT_PROXY_OAUTH_CLIENT_ID=
#PASSPORT_PROXY_OAUTH_CLIENT_SECRET=
# Generate with ./artisan passport:client --password
#PASSPORT_COMPANIONAPP_OAUTH_CLIENT_ID=
#PASSPORT_COMPANIONAPP_OAUTH_CLIENT_SECRET=
PASSPORT_PRIVATE_KEY=
PASSPORT_PUBLIC_KEY=
PASSWORD_POLICY=
COMPANY_NAME=
COMPANY_ADDRESS=
COMPANY_DETAILS=
COMPANY_EMAIL=
COMPANY_LOGO=
COMPANY_FOOTER=
VAT_COUNTRIES=CH,LI
VAT_RATE=7.7
KB_ACCOUNT_DELETE=
KB_ACCOUNT_SUSPENDED=
KB_PAYMENT_SYSTEM=
KOLAB_SSL_CERTIFICATE=/etc/pki/tls/certs/kolab.hosted.com.cert
KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/pki/tls/certs/kolab.hosted.com.chain.pem
KOLAB_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/kolab.hosted.com.key
-PROXY_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert
-PROXY_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key
-
-NGINX_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert
-NGINX_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key
-
-PGP_ENABLE=true
-PGP_BINARY=/usr/bin/gpg
-PGP_AGENT=/usr/bin/gpg-agent
-PGP_GPGCONF=/usr/bin/gpgconf
+PROXY_SSL_CERTIFICATE=/etc/certs/imap.hosted.com.cert
+PROXY_SSL_CERTIFICATE_KEY=/etc/certs/imap.hosted.com.key
diff --git a/src/config/imap.php b/src/config/imap.php
index c0ee8dc0..1c5ba77c 100644
--- a/src/config/imap.php
+++ b/src/config/imap.php
@@ -1,12 +1,12 @@
<?php
return [
- 'uri' => env('IMAP_URI', '127.0.0.1'),
+ 'uri' => env('IMAP_URI', 'ssl://kolab:11993'),
'admin_login' => env('IMAP_ADMIN_LOGIN', 'cyrus-admin'),
'admin_password' => env('IMAP_ADMIN_PASSWORD', null),
'verify_peer' => env('IMAP_VERIFY_PEER', true),
'verify_host' => env('IMAP_VERIFY_HOST', true),
- 'host' => env('IMAP_HOST', '127.0.0.1'),
+ 'host' => env('IMAP_HOST', '172.18.0.5'),
'imap_port' => env('IMAP_PORT', 12143),
'guam_port' => env('IMAP_GUAM_PORT', 9143),
];
diff --git a/src/config/smtp.php b/src/config/smtp.php
index 9c0d98b0..400824ed 100644
--- a/src/config/smtp.php
+++ b/src/config/smtp.php
@@ -1,6 +1,6 @@
<?php
return [
- 'host' => env('SMTP_HOST', '127.0.0.1'),
+ 'host' => env('SMTP_HOST', '172.18.0.5'),
'port' => env('SMTP_PORT', 10465),
];
diff --git a/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php b/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php
index 1f40f025..c9860ece 100644
--- a/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php
+++ b/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php
@@ -1,147 +1,156 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
// phpcs:ignore
class CreatePowerDNSTables extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
+ //Drop the tables from the mysql initialization
+ Schema::dropIfExists('powerdns_domains');
+ Schema::dropIfExists('powerdns_records');
+ Schema::dropIfExists('powerdns_masters');
+ Schema::dropIfExists('powerdns_comments');
+ Schema::dropIfExists('powerdns_domain_settings');
+ Schema::dropIfExists('powerdns_cryptokeys');
+ Schema::dropIfExists('powerdns_tsigkeys');
+
Schema::create(
'powerdns_domains',
function (Blueprint $table) {
$table->bigIncrements('id');
$table->string('name', 255)->unique()->index();
$table->string('master', 128)->nullable();
$table->datetime('last_check')->nullable();
$table->string('type', 6)->default('NATIVE');
$table->integer('notified_serial')->unsigned()->nullable();
$table->string('account', 40)->nullable();
$table->timestamps();
}
);
Schema::create(
'powerdns_records',
function (Blueprint $table) {
$table->bigIncrements('id');
$table->bigInteger('domain_id')->unsigned();
$table->string('name', 255)->nullable();
$table->string('type', 10)->nullable();
$table->longtext('content')->nullable();
$table->integer('ttl')->unsigned()->nullable();
$table->integer('prio')->unsigned()->nullable();
$table->boolean('disabled')->default(false);
$table->binary('ordername')->nullable();
$table->boolean('auth')->default(true);
$table->timestamps();
$table->foreign('domain_id')->references('id')->on('powerdns_domains')
->onDelete('cascade');
$table->index('domain_id');
$table->index(['name', 'type']);
//$table->index('ordername');
}
);
Schema::create(
'powerdns_masters',
function (Blueprint $table) {
$table->string('ip', 64);
$table->string('nameserver', 255);
$table->string('account', 40);
$table->primary(['ip', 'nameserver']);
$table->timestamps();
}
);
Schema::create(
'powerdns_comments',
function (Blueprint $table) {
$table->bigIncrements('id');
$table->bigInteger('domain_id')->unsigned();
$table->string('name', 255);
$table->string('type', 10);
$table->string('account', 40)->nullable();
$table->text('comment');
$table->timestamps();
$table->index(['name', 'type']);
$table->index(['domain_id', 'updated_at']);
$table->foreign('domain_id')->references('id')->on('powerdns_domains')
->onDelete('cascade');
}
);
Schema::create(
'powerdns_domain_settings',
function (Blueprint $table) {
$table->bigIncrements('id');
$table->bigInteger('domain_id')->unsigned();
$table->string('kind', 32);
$table->text('content');
$table->timestamps();
$table->foreign('domain_id')->references('id')->on('powerdns_domains')
->onDelete('cascade');
}
);
Schema::create(
'powerdns_cryptokeys',
function (Blueprint $table) {
$table->bigIncrements('id');
$table->bigInteger('domain_id')->unsigned();
$table->integer('flags');
$table->boolean('active');
$table->text('content');
$table->timestamps();
$table->index('domain_id');
$table->foreign('domain_id')->references('id')->on('powerdns_domains')
->onDelete('cascade');
}
);
Schema::create(
'powerdns_tsigkeys',
function (Blueprint $table) {
$table->bigIncrements('id');
$table->string('name', 255);
$table->string('algorithm', 50);
$table->string('secret', 255);
$table->timestamps();
$table->index(['name', 'algorithm']);
}
);
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::dropIfExists('powerdns_tsigkeys');
Schema::dropIfExists('powerdns_cryptokeys');
Schema::dropIfExists('powerdns_domain_settings');
Schema::dropIfExists('powerdns_comments');
Schema::dropIfExists('powerdns_masters');
Schema::dropIfExists('powerdns_records');
Schema::dropIfExists('powerdns_domains');
}
}

File Metadata

Mime Type
text/x-diff
Expires
Mon, Sep 15, 9:21 AM (1 d, 17 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
287515
Default Alt Text
(170 KB)

Event Timeline