diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ad06f7cf3eba1dc7a9e6a0f7c140296ef5e5b222..1ed7a2f216a0b33512e459221b3a7dfa8c10eec1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,82 +1,100 @@ image: docker:stable services: - docker:dind - + stages: + - metabuild - build - static_tests - dynamic_tests - deployment + +# build the container that further steps will run in in order to avoid duplicating instructions between steps +metabuild: + stage: metabuild + before_script: + - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin + script: + - docker build -f pica-ci/Dockerfile . -t $REGISTRY/pica-ci + - docker push $REGISTRY/pica-ci:latest + after_script: + - docker logout $REGISTRY + tags: [build] + only: + changes: + - "pica-dokuwiki/*" + - "pica-etherpad/*" + refs: + - master + - dev-ci +# build the container that was modified build: stage: build + image: $REGISTRY/pica-ci:latest before_script: - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - - apk update - - apk add git - - chmod +x ./get-modified-image.sh - - ./get-modified-image.sh - - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) - - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) - - echo -e "Building container $MODIFIED_IMAGE" + - source /etc/profile.d/ci-variables script: - docker build -f $MODIFIED_IMAGE/Dockerfile $MODIFIED_IMAGE -t $REGISTRY/ci-builds/$CI_COMMIT_SHA - docker push $REGISTRY/ci-builds/$CI_COMMIT_SHA after_script: - - docker logout $REGISTRY + - docker logout $REGISTRY tags: [build] only: changes: - - pica-etherpad/* - - pica-dokuwiki/* + - "pica-dokuwiki/*" + - "pica-etherpad/*" + refs: + - master + - dev-ci +# run CoreOS' Clair and make the CI failed if a critical vulnerability isn't in the whitelist clair: stage: static_tests + image: $REGISTRY/pica-ci:latest before_script: - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest - - apk update - - apk add git - - chmod +x get-modified-image.sh - - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) - - export 
MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) - - echo -e "Performing static analysis for container $MODIFIED_IMAGE" + - docker logout $REGISTRY + - source /etc/profile.d/ci-variables script: - docker run -d --name db arminc/clair-db:latest - - docker run -p 6060:6060 -d --link db:postgres --name clair --restart on-failure arminc/clair-local-scan:v2.0.6 + - docker run -p 6060:6060 -d --link db:postgres --name clair --restart on-failure arminc/clair-local-scan:latest - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 - mv clair-scanner_linux_amd64 clair-scanner - chmod +x clair-scanner - - echo "Waiting for Clair daemon to start"wget - - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done - - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-report.json -l clair.log -w $MODIFIED_IMAGE/clair-whitelist.yml --threshold="High" $REGISTRY/ci-builds/$CI_COMMIT_SHA + - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done + - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r clair-report.json -l clair.log -w $MODIFIED_IMAGE/clair-whitelist.yml --threshold="High" $REGISTRY/ci-builds/$CI_COMMIT_SHA artifacts: paths: - clair-report.json - clair.log - after_script: - - docker logout $REGISTRY tags: [build] only: changes: - - pica-etherpad/* - - pica-dokuwiki/* - allow_failure: false + - "pica-dokuwiki/*" + - "pica-etherpad/*" + refs: + - master + - dev-ci +# run docker-bench-security and upload the results docker-bench-security: stage: dynamic_tests + image: $REGISTRY/pica-ci:latest before_script: - - apk update - - apk add wget py-pip git iproute2 - - pip install docker-compose - - chmod +x get-modified-image.sh - - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) - - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) - - sed -i -e "s/$MODIFIED_IMAGE_FULL/$REGISTRY\/ci-builds\/$CI_COMMIT_SHA:latest/g" 
$MODIFIED_IMAGE/docker-compose.yml - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest + - docker logout $REGISTRY + - source /etc/profile.d/ci-variables + - sed -i -e "s/$MODIFIED_IMAGE_FULL/$REGISTRY\/ci-builds\/$CI_COMMIT_SHA:latest/g" $MODIFIED_IMAGE/docker-compose.yml + # if secrets.example files exist, remove the .example extension to be able to start the container + - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/*.example ; do cp $i $(echo $i| cut -d '.' -f1,2); done; fi; + # let docker-compose create the required volumes and networks + - "sed -i -e 's/external: true/external: false/g' $MODIFIED_IMAGE/docker-compose.yml" + - cat $MODIFIED_IMAGE/docker-compose.yml script: - - if [[ -d $MODIFIED_IMAGE/secrets ]]; then for i in $MODIFIED_IMAGE/secrets/* ; do cp $i $(echo $i| cut -d '.' -f1,2); done; fi; - cd $MODIFIED_IMAGE - docker-compose up -d - git clone https://github.com/docker/docker-bench-security.git 
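Review bot: The new `metabuild` job pushes the CI image as `$REGISTRY/pica-ci:latest` and every later job pulls `:latest`, so two pipelines running at the same time (both `master` and `dev-ci` are enabled) can pick up each other's image; if `/etc/profile.d/ci-variables` is baked in at image build time, which the trigger on application changes suggests, that also swaps `MODIFIED_IMAGE` between them, so tag per commit as `ci-builds` already does: `- docker build -f pica-ci/Dockerfile . -t $REGISTRY/pica-ci:$CI_COMMIT_SHA` and `image: $REGISTRY/pica-ci:$CI_COMMIT_SHA`. The job's `only: changes` list omits `pica-ci/*`, so editing the CI Dockerfile itself never rebuilds the image; add `- "pica-ci/*"`. In `clair`, `arminc/clair-local-scan` moves from the pinned `v2.0.6` to `latest`, which makes the static-test stage non-reproducible; keep a pinned tag (the `clair-scanner` binary fetched by `wget` on the unchanged line has no checksum either). The `for i in $MODIFIED_IMAGE/secrets/*.example` loop in `docker-bench-security` hands the literal glob to `cp` when no `.example` file exists; add `[ -e "$i" ] || continue;` at the start of the loop body.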
@@ -86,27 +104,24 @@ docker-bench-security: paths: - report.txt after_script: - - docker logout $REGISTRY + - docker logout $REGISTRY tags: [build] only: changes: - - pica-etherpad/* - - pica-dokuwiki/* + - "pica-dokuwiki/*" + - "pica-etherpad/*" + refs: + - master + - dev-ci -deployment-test: +# automatically deploy the container on pica01-test +deployment-test: stage: deployment + image: $REGISTRY/pica-ci:latest + variables: + PICA_ENVIRONMENT: "TEST" before_script: - - apk update - - apk add wget py-pip git iproute2 - - pip install docker-compose - - chmod +x get-modified-image.sh - - export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) - - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) - - export CURRENT_CONTAINER_ID=$(docker container ls -a | grep pica-dokuwiki| cut -d ' ' -f1) - - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest - - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $REGISTRY/$MODIFIED_IMAGE_FULL - - docker push $REGISTRY/$MODIFIED_IMAGE_FULL + - source /etc/profile.d/ci-variables - export DOCKER_HOST=tcp://pica01-test.picasoft.net:2376 - export DOCKER_TLS_VERIFY=1 - export DOCKER_CERT_PATH=/tmp/certs 
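Review bot: `deployment-test` now hard-codes `tcp://pica01-test.picasoft.net:2376` as the target for every image, while `get-host-by-image.sh` added in this commit maps `pica-dokuwiki` and `pica-etherpad` to different hosts; if the test environment mirrors that split, the host should be derived the same way rather than fixed, otherwise a comment on the job saying there is a single test host would settle it. The job also no longer pushes `$REGISTRY/$MODIFIED_IMAGE_FULL` after a successful test deploy, so the registry's named tag is only refreshed by the manual prod job; if that is intended it deserves a comment on the job header. The `docker logout $REGISTRY` kept in `docker-bench-security`'s `after_script` is redundant with the logout added to its `before_script` in the previous hunk. Both job definitions continue outside this hunk.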
@@ -114,58 +129,67 @@ deployment-test: - echo "$DEV_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem - echo "$DEV_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem - echo "$DEV_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem - script: + - chmod +x decrypt-secrets.sh + - if [[ -d "$MODIFIED_IMAGE/secrets" ]]; then eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh; fi - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - - docker pull $REGISTRY/$MODIFIED_IMAGE_FULL - - docker tag $REGISTRY/$MODIFIED_IMAGE_FULL $MODIFIED_IMAGE_FULL - - cd /docker - - echo $(cat docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1) - - docker-compose up -d --force-recreate --remove-orphans $(cat docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1) + - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest + - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $MODIFIED_IMAGE_FULL + script: + - cd $MODIFIED_IMAGE + - sed -i -e s/picasoft.net/test.picasoft.net/g docker-compose.yml + - for SERVICE in $(docker-compose config --services); do if [[ $(docker container ls --format "{{.Names}}" | grep $SERVICE) ]]; then docker stop $SERVICE | xargs docker rm; fi; done + - docker-compose up -d --force-recreate --remove-orphans $CONTAINER_NAME after_script: - rm -rf $DOCKER_CERT_PATH - docker logout $REGISTRY tags: [build] only: changes: - - pica-etherpad/* - - pica-dokuwiki/* + - "pica-dokuwiki/*" + - "pica-etherpad/*" + refs: + - master + - dev-ci -.deployment-prod: +# automatically deploy the container on the production host associated with the modified image +# this will only happen after manually triggering the deployment +deployment-prod: stage: deployment + image: $REGISTRY/pica-ci:latest + variables: + PICA_ENVIRONMENT: "PRODUCTION" before_script: - - apk update - - apk add wget py-pip git iproute2 - - pip install docker-compose - - chmod +x get-modified-image.sh - - export 
MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) - - export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) - - export CURRENT_CONTAINER_ID=$(docker container ls -a | grep pica-dokuwiki| cut -d ' ' -f1) - - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest - - docker logout $REGISTRY - - echo $REGISTRY_PROD_PASSWORD | docker login $REGISTRY_PROD -u $REGISTRY_PROD_USERNAME --password-stdin - - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $REGISTRY_PROD/$MODIFIED_IMAGE_FULL - - docker push $REGISTRY_PROD/$MODIFIED_IMAGE_FULL - - docker logout $REGISTRY_PROD - - export REMOTE_HOSTNAME=pica01 - - export DOCKER_HOST=tcp://$REMOTE_HOSTNAME.picasoft.net:2376 + - source /etc/profile.d/ci-variables + - TMP_DOCKER_CA_CERT="${HOST}_DOCKER_CA_CERT" && eval DOCKER_CA_CERT_VARIABLE=\$$TMP_DOCKER_CA_CERT + - TMP_DOCKER_CLIENT_CERT="${HOST}_DOCKER_CLIENT_CERT" && eval DOCKER_CLIENT_CERT_VARIABLE=\$$TMP_DOCKER_CLIENT_CERT + - TMP_DOCKER_CLIENT_KEY="${HOST}_DOCKER_CLIENT_KEY" && eval DOCKER_CLIENT_KEY_VARIABLE=\$$TMP_DOCKER_CLIENT_KEY + - export DOCKER_HOST=tcp://$HOST.picasoft.net:2376 - export DOCKER_TLS_VERIFY=1 - export DOCKER_CERT_PATH=/tmp/certs - mkdir -p $DOCKER_CERT_PATH - - echo "$PROD_DOCKER_CA_CERT" > $DOCKER_CERT_PATH/ca.pem - - echo "$PROD_DOCKER_CLIENT_CERT" > $DOCKER_CERT_PATH/cert.pem - - echo "$PROD_DOCKER_CLIENT_KEY" > $DOCKER_CERT_PATH/key.pem - script: + - echo "$DOCKER_CA_CERT_VARIABLE" > $DOCKER_CERT_PATH/ca.pem + - echo "$DOCKER_CLIENT_CERT_VARIABLE" > $DOCKER_CERT_PATH/cert.pem + - echo "$DOCKER_CLIENT_KEY_VARIABLE" > $DOCKER_CERT_PATH/key.pem + - chmod +x decrypt-secrets.sh + - if [[ -d "$MODIFIED_IMAGE/secrets" ]]; then eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh; fi - echo $REGISTRY_PASSWORD | docker login $REGISTRY -u $REGISTRY_USERNAME --password-stdin - - docker pull $REGISTRY/$MODIFIED_IMAGE_FULL - - docker logout 
$REGISTRY - - cd pica-etherpad - - docker-compose up -d --force-recreate --remove-orphans $(cat docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1) + - docker pull $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest + - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $MODIFIED_IMAGE_FULL + script: + - cd $MODIFIED_IMAGE + - for SERVICE in $(docker-compose config --services); do if [[ $(docker container ls --format "{{.Names}}" | grep $SERVICE) ]]; then docker stop $SERVICE | xargs docker rm; fi; done + - docker-compose up -d --force-recreate --remove-orphans $CONTAINER_NAME after_script: + - docker tag $REGISTRY/ci-builds/$CI_COMMIT_SHA:latest $REGISTRY_PROD/$MODIFIED_IMAGE_FULL + - docker push $REGISTRY_PROD/$MODIFIED_IMAGE_FULL - rm -rf $DOCKER_CERT_PATH + - docker logout $REGISTRY tags: [build] only: changes: - - pica-etherpad/* + - "pica-dokuwiki/*" + - "pica-etherpad/*" + refs: + - master + - dev-ci when: manual - diff --git a/collabora_code_light/Dockerfile b/collabora_code_light/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..503f438b5655400fb5f8a06cdf758a7eeaf6c12a --- /dev/null +++ b/collabora_code_light/Dockerfile @@ -0,0 +1,16 @@ +FROM ubuntu:16.04 + +# Environment variables +ENV domain localhost +ENV LANG fr_FR.utf8 +ENV LC_CTYPE fr_FR.utf8 + +# Setup scripts for LibreOffice Online +ADD /scripts/install-libreoffice.sh / +ADD /scripts/start-libreoffice.sh / +RUN bash install-libreoffice.sh + +EXPOSE 9980 + +# Entry point +CMD bash start-libreoffice.sh diff --git a/collabora_code_light/README.md b/collabora_code_light/README.md new file mode 100644 index 0000000000000000000000000000000000000000..b52328c0f0aacafc91c33fb9eef5139c8546a434 --- /dev/null +++ b/collabora_code_light/README.md @@ -0,0 +1,4 @@ +# Docker-CODE +Dockerfile and scripts to generate CODE Docker image + +Usage and possible settings are documented on the [CODE home page](https://collaboraoffice.com/code/). 
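Review bot: In `deployment-prod` the `after_script` now does the `docker tag`/`docker push` to `$REGISTRY_PROD`, but GitLab runs `after_script` in a fresh shell, so `DOCKER_HOST`, `MODIFIED_IMAGE_FULL` and the other values sourced in `before_script` are not set there unless `/etc/profile.d/ci-variables` is sourced again, the `docker login $REGISTRY_PROD` that used to precede the push is gone, and the push runs even when the `script` step failed. Move those two lines to the end of `script`, behind `- echo $REGISTRY_PROD_PASSWORD | docker login $REGISTRY_PROD -u $REGISTRY_PROD_USERNAME --password-stdin`, so the image is only promoted after `docker-compose up` succeeded. `$HOST` (presumably set by `ci-variables` from `get-host-by-image.sh`) is used unguarded: when it is empty the `eval` lines read `$_DOCKER_CA_CERT` and `DOCKER_HOST` becomes `tcp://.picasoft.net:2376`, so add `- ': "${HOST:?no deployment host for $MODIFIED_IMAGE}"'` before them. `eval $(cat /etc/profile.d/ci-variables) ./decrypt-secrets.sh` (in both deployment jobs) only works for one particular shape of that file; `set -a` before the `source` line followed by a plain `./decrypt-secrets.sh` exports the variables to the child script portably.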
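Review bot: `ADD /scripts/install-libreoffice.sh /` and the `ADD` below it copy plain local files, for which `COPY` is the conventional instruction (`ADD` additionally unpacks archives and fetches URLs, neither wanted here): `COPY scripts/install-libreoffice.sh scripts/start-libreoffice.sh /`. `CMD bash start-libreoffice.sh` is the shell form, so PID 1 is `sh -c` and the SIGTERM from `docker stop` is not delivered to the script; use the exec form `CMD ["bash", "/start-libreoffice.sh"]`. The start script also reads `username`, `password`, `server_name`, `cert_domain` and `dictionaries` from the environment, but only `domain` gets a default here; a comment on the `ENV` block listing the variables the container expects would help.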
diff --git a/collabora_code_light/scripts/install-libreoffice.sh b/collabora_code_light/scripts/install-libreoffice.sh new file mode 100644 index 0000000000000000000000000000000000000000..4bb6339c49ff72c9ef7fd0d0cdf209238c901604 --- /dev/null +++ b/collabora_code_light/scripts/install-libreoffice.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +# Update installed packages +apt-get update && apt-get -y upgrade + +# Install HTTPS transport +apt-get -y install apt-transport-https + +# Install locales +apt-get -y install locales-all + +# Add Collabora repos +echo "deb https://collaboraoffice.com/repos/CollaboraOnline/CODE /" > /etc/apt/sources.list.d/collabora.list +apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6CCEA47B2281732DF5D504D00C54D189F4BA284D +apt-get update + +# Install the Collabora packages +apt-get -y install loolwsd code-brand collaboraoffice6.0-dict-fr collaboraoffice6.0-dict-en collaboraofficebasis6.0-fr collaboraofficebasis6.0-en + +# Install inotifywait and killall to automatic restart loolwsd, if loolwsd.xml changes +apt-get -y install inotify-tools psmisc + +# Cleanup +rm -rf /var/lib/apt/lists/* \ No newline at end of file diff --git a/collabora_code_light/scripts/start-libreoffice.sh b/collabora_code_light/scripts/start-libreoffice.sh new file mode 100644 index 0000000000000000000000000000000000000000..3bb613e81f2ac57862d3e0fe2a76685fb21d8284 --- /dev/null +++ b/collabora_code_light/scripts/start-libreoffice.sh 
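Review bot: The script never sets `set -e`, so a failed `apt-key adv ... --recv-keys` or `apt-get install` on the lines that add the Collabora repository is ignored and the image build completes with the packages missing; add `set -e` after the shebang. The key is fetched over plain `hkp://` on port 80, which is acceptable only because the full fingerprint is given; a comment saying that the fingerprint pins the key would help the next reader. The `#!/bin/sh` shebang does not match the `bash install-libreoffice.sh` invocation in the Dockerfile; pick one.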
@@ -0,0 +1,42 @@ +#!/bin/sh + +# Fix domain name resolution from jails +cp /etc/resolv.conf /etc/hosts /opt/lool/systemplate/etc/ + +if test "${DONT_GEN_SSL_CERT-set}" == set; then +# Generate new SSL certificate instead of using the default +mkdir -p /opt/ssl/ +cd /opt/ssl/ +mkdir -p certs/ca +openssl genrsa -out certs/ca/root.key.pem 2048 +openssl req -x509 -new -nodes -key certs/ca/root.key.pem -days 9131 -out certs/ca/root.crt.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority" +mkdir -p certs/{servers,tmp} +mkdir -p "certs/servers/localhost" +openssl genrsa -out "certs/servers/localhost/privkey.pem" 2048 -key "certs/servers/localhost/privkey.pem" +if test "${cert_domain-set}" == set; then +openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost" +else +openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=${cert_domain}" +fi +openssl x509 -req -in certs/tmp/localhost.csr.pem -CA certs/ca/root.crt.pem -CAkey certs/ca/root.key.pem -CAcreateserial -out certs/servers/localhost/cert.pem -days 9131 +mv certs/servers/localhost/privkey.pem /etc/loolwsd/key.pem +mv certs/servers/localhost/cert.pem /etc/loolwsd/cert.pem +mv certs/ca/root.crt.pem /etc/loolwsd/ca-chain.cert.pem +fi + +# Replace trusted host and set admin username and password +perl -pi -e "s/localhost<\/host>/${domain}<\/host>/g" /etc/loolwsd/loolwsd.xml +perl -pi -e "s/<username (.*)>.*<\/username>/<username \1>${username}<\/username>/" /etc/loolwsd/loolwsd.xml +perl -pi -e "s/<password (.*)>.*<\/password>/<password \1>${password}<\/password>/" /etc/loolwsd/loolwsd.xml +perl -pi -e "s/<server_name (.*)>.*<\/server_name>/<server_name \1>${server_name}<\/server_name>/" /etc/loolwsd/loolwsd.xml +perl -pi -e "s/<allowed_languages (.*)>.*<\/allowed_languages>/<allowed_languages 
\1>${dictionaries:-en_GB en_US fr_FR}<\/allowed_languages>/" /etc/loolwsd/loolwsd.xml + +# Restart when /etc/loolwsd/loolwsd.xml changes +[ -x /usr/bin/inotifywait -a /usr/bin/killall ] && ( + /usr/bin/inotifywait -e modify /etc/loolwsd/loolwsd.xml + echo "$(ls -l /etc/loolwsd/loolwsd.xml) modified --> restarting" + /usr/bin/killall -1 loolwsd +) & + +# Start loolwsd +su -c "/usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:lo_template_path=/opt/collaboraoffice6.0 --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd ${extra_params}" -s /bin/bash lool diff --git a/decrypt-secrets.sh b/decrypt-secrets.sh new file mode 100644 index 0000000000000000000000000000000000000000..eaa4d9a32b2f09a77c65cf2496fc5c22b0f0e561 --- /dev/null +++ b/decrypt-secrets.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# import the PGP key for the right environment +if [ "$PICA_ENVIRONMENT" = "TEST" ]; +then + echo "$PRIVATE_GPG_KEY_TEST" > /tmp/pgp-key +elif [ "$PICA_ENVIRONMENT" = "PRODUCTION" ]; +then + echo "$PRIVATE_GPG_KEY_PRODUCTION" > /tmp/pgp-key +else + exit -1 +fi +cat /tmp/pgp-key | gpg --import + +# decrypt the secrets +SECRETS_PATH=$MODIFIED_IMAGE/secrets/encrypted-variables-$(echo $PICA_ENVIRONMENT | tr '[:upper:]' '[:lower:]') +echo $SECRETS_PATH + +for container_secrets_folder in $SECRETS_PATH/*; +do + CONTAINER_NAME=$(basename $container_secrets_folder) + for encrypted_secret in $container_secrets_folder/*; + do + SECRET_NAME=$(basename $encrypted_secret) + ( echo -n "$SECRET_NAME=" ; gpg --quiet --decrypt $encrypted_secret ) >> $MODIFIED_IMAGE/secrets/$CONTAINER_NAME.secrets + done +done + +ls -al pica-etherpad/secrets/ \ No newline at end of file diff --git a/get-host-by-image.sh b/get-host-by-image.sh new file mode 100644 index 0000000000000000000000000000000000000000..5b6de2883857f94cfb2e68af795a3a7fc753cee2 --- /dev/null +++ b/get-host-by-image.sh 
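Review bot: The `perl -pi -e` lines splice `${username}`, `${password}`, `${server_name}` and `${domain}` straight into the regex replacement, so a value containing `/`, `$`, `@` or `\` breaks the substitution or is interpreted by perl, and an unset `username`/`password` silently writes an empty admin credential into `loolwsd.xml`; read them inside perl instead, e.g. `perl -pi -e 's/<password (.*)>.*<\/password>/<password $1>$ENV{password}<\/password>/' /etc/loolwsd/loolwsd.xml` with single quotes, and guard the pair with `[ -n "$username" ] && [ -n "$password" ] || { echo "username/password not set" >&2; exit 1; }`. The certificate block generates a self-signed "Dummy Authority" CA and a 9131-day server certificate whenever `DONT_GEN_SSL_CERT` is unset; a comment above it saying what that certificate is meant for (the default CN is `localhost`) and how to supply a real one belongs there. `test ... == set` and `certs/{servers,tmp}` are bash-only under a `#!/bin/sh` shebang; either change the shebang to `#!/bin/bash` or use `=` and two `mkdir -p` calls.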
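Review bot: The private PGP key is written to `/tmp/pgp-key` and left there for the rest of the job, and `exit -1` is not a valid exit status under `#!/bin/sh` (dash rejects it); select the key into a variable, pipe it straight into gpg with `printf '%s\n' "$PGP_KEY" | gpg --batch --import` and use `exit 1` in the else branch, so nothing lands on disk. The decrypted values are appended with `>>` to `$MODIFIED_IMAGE/secrets/$CONTAINER_NAME.secrets`, so a retried job duplicates every entry; truncate the file before the inner loop (`: > "$MODIFIED_IMAGE/secrets/$CONTAINER_NAME.secrets"`). The final `ls -al pica-etherpad/secrets/` is a hard-coded debugging leftover that prints the secrets directory listing into the job log; remove it.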
@@ -0,0 +1,9 @@ +#!/bin/sh + +# return the host the service is hosted on +case $MODIFIED_IMAGE in + pica-etherpad) RES="PICA01" + ;; + pica-dokuwiki) RES="PICA02" +esac +echo $RES \ No newline at end of file diff --git a/get-modified-image.sh b/get-modified-image.sh old mode 100644 new mode 100755 index 0fe55f193debdd56cae5653b52ae2910c90c5db7..6d13e0446de87b34f4af3f55565052c801504a1a --- a/get-modified-image.sh +++ b/get-modified-image.sh @@ -4,15 +4,25 @@ # this script should become obsolete as soon as a proper way of getting the modified files is added to Gitlab CI RES="" -for i in $(git diff-tree --no-commit-id --name-only $CI_COMMIT_SHA) +for i in $(git log -m -1 --name-only --pretty="format:" --first-parent) do case "$i" in - *pica*) RES=$i ;; + *pica*) RES=$(echo $i | cut -d '/' -f1);; esac done -if [[ "$i" == "" ]] + +if [[ "$RES" == "" ]] then + echo "No image modified" exit 1 fi + RES=$(cat $RES/docker-compose.yml | grep image: | head -n1 | cut -d ':' -f2-) -echo $RES \ No newline at end of file +if [[ "$RES" == "" ]] +then + echo "No image modified" + exit 1 +else + echo $RES +fi + diff --git a/nextcloud-docker/Dockerfile b/nextcloud-docker/13.0/Dockerfile similarity index 100% rename from nextcloud-docker/Dockerfile rename to nextcloud-docker/13.0/Dockerfile diff --git a/nextcloud-docker/config/apache-pretty-urls.config.php b/nextcloud-docker/13.0/config/apache-pretty-urls.config.php similarity index 100% rename from nextcloud-docker/config/apache-pretty-urls.config.php rename to nextcloud-docker/13.0/config/apache-pretty-urls.config.php diff --git a/nextcloud-docker/config/apcu.config.php b/nextcloud-docker/13.0/config/apcu.config.php similarity index 100% rename from nextcloud-docker/config/apcu.config.php rename to nextcloud-docker/13.0/config/apcu.config.php 
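Review bot: The `case` has no default branch, so an image other than `pica-etherpad` or `pica-dokuwiki` makes the script print an empty line and exit 0, and the callers that build `${HOST}_DOCKER_CA_CERT` and `tcp://$HOST.picasoft.net` from the result get an empty host; add `*) echo "no host mapped for image '$MODIFIED_IMAGE'" >&2; exit 1 ;;` and terminate the `pica-dokuwiki` branch with `;;` for consistency.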
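Review bot: `*pica*) RES=$(echo $i | cut -d '/' -f1);;` keeps only the last matching path, so a commit touching both `pica-etherpad/` and `pica-dokuwiki/` builds and deploys just one of them with no warning; collect the directories into a set and fail with a message when more than one is found. The second `"No image modified"` message is misleading, since at that point a directory was found but its `docker-compose.yml` had no `image:` line; keep the directory in its own variable and print `"no image: entry in $DIR/docker-compose.yml"` instead. `for i in $(git log ...)` also word-splits on spaces in file names; a `while read -r` loop is the safer shape. The script header, including its shebang, is outside this hunk.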
diff --git a/nextcloud-docker/config/apps.config.php b/nextcloud-docker/13.0/config/apps.config.php similarity index 100% rename from nextcloud-docker/config/apps.config.php rename to nextcloud-docker/13.0/config/apps.config.php diff --git a/nextcloud-docker/config/autoconfig.php b/nextcloud-docker/13.0/config/autoconfig.php similarity index 100% rename from nextcloud-docker/config/autoconfig.php rename to nextcloud-docker/13.0/config/autoconfig.php diff --git a/nextcloud-docker/cron.sh b/nextcloud-docker/13.0/cron.sh similarity index 100% rename from nextcloud-docker/cron.sh rename to nextcloud-docker/13.0/cron.sh diff --git a/nextcloud-docker/entrypoint.sh b/nextcloud-docker/13.0/entrypoint.sh similarity index 100% rename from nextcloud-docker/entrypoint.sh rename to nextcloud-docker/13.0/entrypoint.sh diff --git a/nextcloud-docker/15.0/Dockerfile b/nextcloud-docker/15.0/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..4c2c5decb6e9f2febfa89ab06cbfbf92f03d0d1d --- /dev/null +++ b/nextcloud-docker/15.0/Dockerfile 
@@ -0,0 +1,146 @@ +# DO NOT EDIT: created by update.sh from Dockerfile-debian.template +FROM php:7.2-apache-stretch + +# entrypoint.sh and cron.sh dependencies +RUN set -ex; \ + \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + rsync \ + bzip2 \ + busybox-static \ + ; \ + rm -rf /var/lib/apt/lists/*; \ + \ + mkdir -p /var/spool/cron/crontabs; \ + echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data + +# install the PHP extensions we need +# see https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html +RUN set -ex; \ + \ + savedAptMark="$(apt-mark showmanual)"; \ + \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + libcurl4-openssl-dev \ + libevent-dev \ + libfreetype6-dev \ + libicu-dev \ + libjpeg-dev \ + libldap2-dev \ + libmcrypt-dev \ + libmemcached-dev \ + libpng-dev \ + libpq-dev \ + libxml2-dev \ + libmagickwand-dev \ + ; \ + \ + debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \ + docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr; \ + docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \ + docker-php-ext-install \ + exif \ + gd \ + intl \ + ldap \ + opcache \ + pcntl \ + pdo_mysql \ + pdo_pgsql \ + zip \ + ; \ + \ +# pecl will claim success even if one install fails, so we need to perform each install separately + pecl install APCu-5.1.17; \ + pecl install memcached-3.1.3; \ + pecl install redis-4.3.0; \ + pecl install imagick-3.4.3; \ + \ + docker-php-ext-enable \ + apcu \ + memcached \ + redis \ + imagick \ + ; \ + \ +# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark; \ + ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \ + | awk '/=>/ { print $3 }' \ + | sort -u \ + | xargs -r dpkg-query -S \ + | cut -d: -f1 \ + | sort -u \ + | xargs -rt apt-mark manual; \ + \ 
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + rm -rf /var/lib/apt/lists/* + +# set recommended PHP.ini settings +# see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache +RUN { \ + echo 'opcache.enable=1'; \ + echo 'opcache.enable_cli=1'; \ + echo 'opcache.interned_strings_buffer=8'; \ + echo 'opcache.max_accelerated_files=10000'; \ + echo 'opcache.memory_consumption=128'; \ + echo 'opcache.save_comments=1'; \ + echo 'opcache.revalidate_freq=1'; \ + } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \ + \ + echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \ + \ + echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \ + \ + mkdir /var/www/data; \ + chown -R www-data:root /var/www; \ + chmod -R g=u /var/www + +VOLUME /var/www/html + +RUN a2enmod rewrite remoteip ;\ + {\ + echo RemoteIPHeader X-Real-IP ;\ + echo RemoteIPTrustedProxy 10.0.0.0/8 ;\ + echo RemoteIPTrustedProxy 172.16.0.0/12 ;\ + echo RemoteIPTrustedProxy 192.168.0.0/16 ;\ + } > /etc/apache2/conf-available/remoteip.conf;\ + a2enconf remoteip + +ENV NEXTCLOUD_VERSION 15.0.5 + +RUN set -ex; \ + fetchDeps=" \ + gnupg \ + dirmngr \ + "; \ + apt-get update; \ + apt-get install -y --no-install-recommends $fetchDeps; \ + \ + curl -fsSL -o nextcloud.tar.bz2 \ + "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \ + curl -fsSL -o nextcloud.tar.bz2.asc \ + "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \ + export GNUPGHOME="$(mktemp -d)"; \ +# gpg key from https://nextcloud.com/nextcloud.asc + gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \ + gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \ + tar -xjf nextcloud.tar.bz2 -C /usr/src/; \ + gpgconf --kill all; \ + rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc 
nextcloud.tar.bz2; \ + rm -rf /usr/src/nextcloud/updater; \ + mkdir -p /usr/src/nextcloud/data; \ + mkdir -p /usr/src/nextcloud/custom_apps; \ + chmod +x /usr/src/nextcloud/occ; \ + \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \ + rm -rf /var/lib/apt/lists/* + +COPY *.sh upgrade.exclude / +COPY config/* /usr/src/nextcloud/config/ + +ENTRYPOINT ["/entrypoint.sh"] +CMD ["apache2-foreground"] diff --git a/nextcloud-docker/15.0/config/apache-pretty-urls.config.php b/nextcloud-docker/15.0/config/apache-pretty-urls.config.php new file mode 100644 index 0000000000000000000000000000000000000000..72da1d8c00cc3a6f5c1de3922ff955afd5f6333e --- /dev/null +++ b/nextcloud-docker/15.0/config/apache-pretty-urls.config.php @@ -0,0 +1,4 @@ +<?php +$CONFIG = array ( + 'htaccess.RewriteBase' => '/', +); diff --git a/nextcloud-docker/15.0/config/apcu.config.php b/nextcloud-docker/15.0/config/apcu.config.php new file mode 100644 index 0000000000000000000000000000000000000000..69fed876a37564b238262bb854a37a9c7e576279 --- /dev/null +++ b/nextcloud-docker/15.0/config/apcu.config.php @@ -0,0 +1,4 @@ +<?php +$CONFIG = array ( + 'memcache.local' => '\OC\Memcache\APCu', +); diff --git a/nextcloud-docker/15.0/config/apps.config.php b/nextcloud-docker/15.0/config/apps.config.php new file mode 100644 index 0000000000000000000000000000000000000000..a4bed8336e2a706a8e87d5f459b116802da8da3f --- /dev/null +++ b/nextcloud-docker/15.0/config/apps.config.php @@ -0,0 +1,15 @@ +<?php +$CONFIG = array ( + "apps_paths" => array ( + 0 => array ( + "path" => OC::$SERVERROOT."/apps", + "url" => "/apps", + "writable" => false, + ), + 1 => array ( + "path" => OC::$SERVERROOT."/custom_apps", + "url" => "/custom_apps", + "writable" => true, + ), + ), +); diff --git a/nextcloud-docker/15.0/config/autoconfig.php b/nextcloud-docker/15.0/config/autoconfig.php new file mode 100644 index 0000000000000000000000000000000000000000..85e02212c4941185c25aa7df72572409ead55d72 
--- /dev/null +++ b/nextcloud-docker/15.0/config/autoconfig.php @@ -0,0 +1,29 @@ +<?php + +$autoconfig_enabled = false; + +if (getenv('SQLITE_DATABASE')) { + $AUTOCONFIG["dbtype"] = "sqlite"; + $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE'); + $autoconfig_enabled = true; +} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) { + $AUTOCONFIG["dbtype"] = "mysql"; + $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE'); + $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER'); + $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD'); + $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST'); + $autoconfig_enabled = true; +} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) { + $AUTOCONFIG["dbtype"] = "pgsql"; + $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB'); + $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER'); + $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD'); + $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST'); + $autoconfig_enabled = true; +} + +if ($autoconfig_enabled) { + $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX') ?: ""; + + $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data"; +} diff --git a/nextcloud-docker/15.0/config/redis.config.php b/nextcloud-docker/15.0/config/redis.config.php new file mode 100644 index 0000000000000000000000000000000000000000..5df799f2752ea19020f3171fd05941bbc747a3c5 --- /dev/null +++ b/nextcloud-docker/15.0/config/redis.config.php @@ -0,0 +1,12 @@ +<?php +if (getenv('REDIS_HOST')) { + $CONFIG = array ( + 'memcache.distributed' => '\OC\Memcache\Redis', + 'memcache.locking' => '\OC\Memcache\Redis', + 'redis' => array( + 'host' => getenv('REDIS_HOST'), + 'port' => getenv('REDIS_HOST_PORT') ?: 6379, + ), + ); +} + diff --git a/nextcloud-docker/15.0/cron.sh b/nextcloud-docker/15.0/cron.sh new file mode 100755 index 0000000000000000000000000000000000000000..4dfa4118170e25f029c60a9fbd8fa9a81dde14e7 
--- /dev/null
+++ b/nextcloud-docker/15.0/cron.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -eu
+
+exec busybox crond -f -l 0 -L /dev/stdout
diff --git a/nextcloud-docker/15.0/entrypoint.sh b/nextcloud-docker/15.0/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..6ef2540ebe55fba7466ab2ae933cb847a20c74e2
--- /dev/null
+++ b/nextcloud-docker/15.0/entrypoint.sh
@@ -0,0 +1,133 @@ +#!/bin/sh +set -eu + +# version_greater A B returns whether A > B +version_greater() { + [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ] +} + +# return true if specified directory is empty +directory_empty() { + [ -z "$(ls -A "$1/")" ] +} + +run_as() { + if [ "$(id -u)" = 0 ]; then + su -p www-data -s /bin/sh -c "$1" + else + sh -c "$1" + fi +} + +if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then + installed_version="0.0.0.0" + if [ -f /var/www/html/version.php ]; then + # shellcheck disable=SC2016 + installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')" + fi + # shellcheck disable=SC2016 + image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')" + + if version_greater "$installed_version" "$image_version"; then + echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?" + exit 1 + fi + + if version_greater "$image_version" "$installed_version"; then + echo "Initializing nextcloud $image_version ..." + if [ "$installed_version" != "0.0.0.0" ]; then + echo "Upgrading nextcloud from $installed_version ..." + run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before + fi + if [ "$(id -u)" = 0 ]; then + rsync_options="-rlDog --chown www-data:root" + else + rsync_options="-rlD" + fi + rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/ + + for dir in config data custom_apps themes; do + if [ ! 
-d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then + rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ + fi + done + rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/ + echo "Initializing finished" + + #install + if [ "$installed_version" = "0.0.0.0" ]; then + echo "New nextcloud instance" + + if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then + # shellcheck disable=SC2016 + install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' + if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then + # shellcheck disable=SC2016 + install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"' + else + install_options=$install_options' --database-table-prefix ""' + fi + if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then + # shellcheck disable=SC2016 + install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' + fi + + install=false + if [ -n "${SQLITE_DATABASE+x}" ]; then + echo "Installing with SQLite database" + # shellcheck disable=SC2016 + install_options=$install_options' --database-name "$SQLITE_DATABASE"' + install=true + elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then + echo "Installing with MySQL database" + # shellcheck disable=SC2016 + install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"' + install=true + elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then + echo "Installing with PostgreSQL database" + # shellcheck disable=SC2016 + install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" 
--database-host "$POSTGRES_HOST"' + install=true + fi + + if [ "$install" = true ]; then + echo "starting nextcloud installation" + max_retries=10 + try=0 + until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ] + do + echo "retrying install..." + try=$((try+1)) + sleep 3s + done + if [ "$try" -gt "$max_retries" ]; then + echo "installing of nextcloud failed!" + exit 1 + fi + if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then + echo "setting trusted domains…" + NC_TRUSTED_DOMAIN_IDX=1 + for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do + DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') + run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN" + NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1)) + done + fi + else + echo "running web-based installer on first connect!" + fi + fi + #upgrade + else + run_as 'php /var/www/html/occ upgrade' + + run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after + echo "The following apps have been disabled:" + diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1 + rm -f /tmp/list_before /tmp/list_after + + fi + fi +fi + +exec "$@" diff --git a/nextcloud-docker/15.0/upgrade.exclude b/nextcloud-docker/15.0/upgrade.exclude new file mode 100644 index 0000000000000000000000000000000000000000..354864da8800b213a020c66bb2b284cf4aca4176 --- /dev/null +++ b/nextcloud-docker/15.0/upgrade.exclude @@ -0,0 +1,5 @@ +/config/ +/data/ +/custom_apps/ +/themes/ +/version.php diff --git a/checkmk/Dockerfile b/old/checkmk/Dockerfile similarity index 100% rename from checkmk/Dockerfile rename to old/checkmk/Dockerfile diff --git a/checkmk/README.md b/old/checkmk/README.md similarity index 100% rename from checkmk/README.md rename to old/checkmk/README.md 
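Review bot: In the trusted-domains loop, `$DOMAIN` is expanded by the outer shell into the command string that `run_as` hands to `sh -c`, so a value containing shell metacharacters is re-parsed and executed by the inner shell, whereas the install options deliberately keep `"$NEXTCLOUD_ADMIN_USER"` inside single quotes and let the inner shell expand them. The same technique works here because `su -p` and the plain `sh -c` path both inherit the environment: add `export DOMAIN` after the `sed` trim, then call `run_as 'php /var/www/html/occ config:system:set trusted_domains '"$NC_TRUSTED_DOMAIN_IDX"' --value="$DOMAIN"'`, with a `# shellcheck disable=SC2016` above it as the other call sites do. `--value` is then passed as one argument regardless of its content, and the same holds for `$install_options`, whose embedded `"$VAR"` references already follow that rule.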
diff --git a/checkmk/entrypoint.sh b/old/checkmk/entrypoint.sh similarity index 100% rename from checkmk/entrypoint.sh rename to old/checkmk/entrypoint.sh diff --git a/database/Mongo/Dockerfile b/old/database/Mongo/Dockerfile similarity index 100% rename from database/Mongo/Dockerfile rename to old/database/Mongo/Dockerfile diff --git a/database/Mongo/README b/old/database/Mongo/README similarity index 100% rename from database/Mongo/README rename to old/database/Mongo/README diff --git a/database/Mongo/run.sh b/old/database/Mongo/run.sh similarity index 100% rename from database/Mongo/run.sh rename to old/database/Mongo/run.sh diff --git a/database/Mongo/runScript.sh b/old/database/Mongo/runScript.sh similarity index 100% rename from database/Mongo/runScript.sh rename to old/database/Mongo/runScript.sh diff --git a/database/Mongo/set_mongodb_password.sh b/old/database/Mongo/set_mongodb_password.sh similarity index 100% rename from database/Mongo/set_mongodb_password.sh rename to old/database/Mongo/set_mongodb_password.sh diff --git a/database/Redis/Dockerfile b/old/database/Redis/Dockerfile similarity index 100% rename from database/Redis/Dockerfile rename to old/database/Redis/Dockerfile diff --git a/database/Redis/README b/old/database/Redis/README similarity index 100% rename from database/Redis/README rename to old/database/Redis/README diff --git a/database/Redis/runScript.sh b/old/database/Redis/runScript.sh similarity index 100% rename from database/Redis/runScript.sh rename to old/database/Redis/runScript.sh diff --git a/framadate/Dockerfile b/old/framadate/Dockerfile similarity index 100% rename from framadate/Dockerfile rename to old/framadate/Dockerfile diff --git a/framadate/README.md b/old/framadate/README.md similarity index 100% rename from framadate/README.md rename to old/framadate/README.md 
diff --git a/framadate/apache-framadate.conf b/old/framadate/apache-framadate.conf similarity index 100% rename from framadate/apache-framadate.conf rename to old/framadate/apache-framadate.conf diff --git a/framadate/entrypoint.sh b/old/framadate/entrypoint.sh similarity index 100% rename from framadate/entrypoint.sh rename to old/framadate/entrypoint.sh diff --git a/galette/Dockerfile b/old/galette/Dockerfile similarity index 100% rename from galette/Dockerfile rename to old/galette/Dockerfile diff --git a/influxdb/Dockerfile b/old/influxdb/Dockerfile similarity index 100% rename from influxdb/Dockerfile rename to old/influxdb/Dockerfile diff --git a/influxdb/README.md b/old/influxdb/README.md similarity index 100% rename from influxdb/README.md rename to old/influxdb/README.md diff --git a/mattermost-integration-giphy/.gitignore b/old/mattermost-integration-giphy/.gitignore similarity index 100% rename from mattermost-integration-giphy/.gitignore rename to old/mattermost-integration-giphy/.gitignore diff --git a/mattermost-integration-giphy/DOCKER.md b/old/mattermost-integration-giphy/DOCKER.md similarity index 100% rename from mattermost-integration-giphy/DOCKER.md rename to old/mattermost-integration-giphy/DOCKER.md diff --git a/mattermost-integration-giphy/Dockerfile b/old/mattermost-integration-giphy/Dockerfile similarity index 100% rename from mattermost-integration-giphy/Dockerfile rename to old/mattermost-integration-giphy/Dockerfile diff --git a/mattermost-integration-giphy/HEROKU.md b/old/mattermost-integration-giphy/HEROKU.md similarity index 100% rename from mattermost-integration-giphy/HEROKU.md rename to old/mattermost-integration-giphy/HEROKU.md diff --git a/mattermost-integration-giphy/LICENSE.txt b/old/mattermost-integration-giphy/LICENSE.txt similarity index 100% rename from mattermost-integration-giphy/LICENSE.txt rename to old/mattermost-integration-giphy/LICENSE.txt 
diff --git a/mattermost-integration-giphy/LINUX.md b/old/mattermost-integration-giphy/LINUX.md similarity index 100% rename from mattermost-integration-giphy/LINUX.md rename to old/mattermost-integration-giphy/LINUX.md diff --git a/mattermost-integration-giphy/Procfile b/old/mattermost-integration-giphy/Procfile similarity index 100% rename from mattermost-integration-giphy/Procfile rename to old/mattermost-integration-giphy/Procfile diff --git a/mattermost-integration-giphy/README.md b/old/mattermost-integration-giphy/README.md similarity index 100% rename from mattermost-integration-giphy/README.md rename to old/mattermost-integration-giphy/README.md diff --git a/mattermost-integration-giphy/mattermost_giphy/__init__.py b/old/mattermost-integration-giphy/mattermost_giphy/__init__.py similarity index 100% rename from mattermost-integration-giphy/mattermost_giphy/__init__.py rename to old/mattermost-integration-giphy/mattermost_giphy/__init__.py diff --git a/mattermost-integration-giphy/mattermost_giphy/app.py b/old/mattermost-integration-giphy/mattermost_giphy/app.py similarity index 100% rename from mattermost-integration-giphy/mattermost_giphy/app.py rename to old/mattermost-integration-giphy/mattermost_giphy/app.py diff --git a/mattermost-integration-giphy/mattermost_giphy/settings.py b/old/mattermost-integration-giphy/mattermost_giphy/settings.py similarity index 100% rename from mattermost-integration-giphy/mattermost_giphy/settings.py rename to old/mattermost-integration-giphy/mattermost_giphy/settings.py diff --git a/mattermost-integration-giphy/requirements.txt b/old/mattermost-integration-giphy/requirements.txt similarity index 100% rename from mattermost-integration-giphy/requirements.txt rename to old/mattermost-integration-giphy/requirements.txt diff --git a/mattermost-integration-giphy/run.py b/old/mattermost-integration-giphy/run.py similarity index 100% rename from mattermost-integration-giphy/run.py rename to old/mattermost-integration-giphy/run.py 
diff --git a/mattermost-integration-giphy/setup.py b/old/mattermost-integration-giphy/setup.py similarity index 100% rename from mattermost-integration-giphy/setup.py rename to old/mattermost-integration-giphy/setup.py diff --git a/mattermost/.gitignore b/old/mattermost/.gitignore similarity index 100% rename from mattermost/.gitignore rename to old/mattermost/.gitignore diff --git a/mattermost/.travis.yml b/old/mattermost/.travis.yml similarity index 100% rename from mattermost/.travis.yml rename to old/mattermost/.travis.yml diff --git a/mattermost/LICENSE b/old/mattermost/LICENSE similarity index 100% rename from mattermost/LICENSE rename to old/mattermost/LICENSE diff --git a/mattermost/MAINTENANCE.md b/old/mattermost/MAINTENANCE.md similarity index 100% rename from mattermost/MAINTENANCE.md rename to old/mattermost/MAINTENANCE.md diff --git a/mattermost/README.md b/old/mattermost/README.md similarity index 100% rename from mattermost/README.md rename to old/mattermost/README.md diff --git a/mattermost/app/Dockerfile b/old/mattermost/app/Dockerfile similarity index 100% rename from mattermost/app/Dockerfile rename to old/mattermost/app/Dockerfile diff --git a/mattermost/app/entrypoint.sh b/old/mattermost/app/entrypoint.sh similarity index 100% rename from mattermost/app/entrypoint.sh rename to old/mattermost/app/entrypoint.sh diff --git a/mattermost/contrib/aws/Dockerrun.aws.json b/old/mattermost/contrib/aws/Dockerrun.aws.json similarity index 100% rename from mattermost/contrib/aws/Dockerrun.aws.json rename to old/mattermost/contrib/aws/Dockerrun.aws.json diff --git a/mattermost/contrib/aws/README.md b/old/mattermost/contrib/aws/README.md similarity index 100% rename from mattermost/contrib/aws/README.md rename to old/mattermost/contrib/aws/README.md 
diff --git a/mattermost/contrib/kubernetes/README.md b/old/mattermost/contrib/kubernetes/README.md similarity index 100% rename from mattermost/contrib/kubernetes/README.md rename to old/mattermost/contrib/kubernetes/README.md diff --git a/mattermost/contrib/kubernetes/mattermost.deployment.yaml b/old/mattermost/contrib/kubernetes/mattermost.deployment.yaml similarity index 100% rename from mattermost/contrib/kubernetes/mattermost.deployment.yaml rename to old/mattermost/contrib/kubernetes/mattermost.deployment.yaml diff --git a/mattermost/contrib/kubernetes/mattermost.secret.yaml b/old/mattermost/contrib/kubernetes/mattermost.secret.yaml similarity index 100% rename from mattermost/contrib/kubernetes/mattermost.secret.yaml rename to old/mattermost/contrib/kubernetes/mattermost.secret.yaml diff --git a/mattermost/contrib/kubernetes/mattermost.svc.yaml b/old/mattermost/contrib/kubernetes/mattermost.svc.yaml similarity index 100% rename from mattermost/contrib/kubernetes/mattermost.svc.yaml rename to old/mattermost/contrib/kubernetes/mattermost.svc.yaml diff --git a/mattermost/contrib/swarm/docker-stack-traefik.yml b/old/mattermost/contrib/swarm/docker-stack-traefik.yml similarity index 100% rename from mattermost/contrib/swarm/docker-stack-traefik.yml rename to old/mattermost/contrib/swarm/docker-stack-traefik.yml diff --git a/mattermost/contrib/swarm/docker-stack.yml b/old/mattermost/contrib/swarm/docker-stack.yml similarity index 100% rename from mattermost/contrib/swarm/docker-stack.yml rename to old/mattermost/contrib/swarm/docker-stack.yml diff --git a/mattermost/db/Dockerfile b/old/mattermost/db/Dockerfile similarity index 100% rename from mattermost/db/Dockerfile rename to old/mattermost/db/Dockerfile diff --git a/mattermost/db/entrypoint.sh b/old/mattermost/db/entrypoint.sh similarity index 100% rename from mattermost/db/entrypoint.sh rename to old/mattermost/db/entrypoint.sh 
diff --git a/mattermost/db/setup-wale.sh b/old/mattermost/db/setup-wale.sh similarity index 100% rename from mattermost/db/setup-wale.sh rename to old/mattermost/db/setup-wale.sh diff --git a/mattermost/docker-compose.yml b/old/mattermost/docker-compose.yml similarity index 100% rename from mattermost/docker-compose.yml rename to old/mattermost/docker-compose.yml diff --git a/mattermost/web/Dockerfile b/old/mattermost/web/Dockerfile similarity index 100% rename from mattermost/web/Dockerfile rename to old/mattermost/web/Dockerfile diff --git a/mattermost/web/entrypoint.sh b/old/mattermost/web/entrypoint.sh similarity index 100% rename from mattermost/web/entrypoint.sh rename to old/mattermost/web/entrypoint.sh diff --git a/mattermost/web/mattermost b/old/mattermost/web/mattermost similarity index 100% rename from mattermost/web/mattermost rename to old/mattermost/web/mattermost diff --git a/mattermost/web/mattermost-ssl b/old/mattermost/web/mattermost-ssl similarity index 100% rename from mattermost/web/mattermost-ssl rename to old/mattermost/web/mattermost-ssl diff --git a/mattermost/web/security.conf b/old/mattermost/web/security.conf similarity index 100% rename from mattermost/web/security.conf rename to old/mattermost/web/security.conf diff --git a/minetest/Dockerfile b/old/minetest/Dockerfile similarity index 100% rename from minetest/Dockerfile rename to old/minetest/Dockerfile diff --git a/minetest/README.md b/old/minetest/README.md similarity index 100% rename from minetest/README.md rename to old/minetest/README.md diff --git a/minetest/entrypoint.sh b/old/minetest/entrypoint.sh similarity index 100% rename from minetest/entrypoint.sh rename to old/minetest/entrypoint.sh diff --git a/mysql-backup/Dockerfile b/old/mysql-backup/Dockerfile similarity index 100% rename from mysql-backup/Dockerfile rename to old/mysql-backup/Dockerfile 
diff --git a/mysql-backup/LICENSE b/old/mysql-backup/LICENSE similarity index 100% rename from mysql-backup/LICENSE rename to old/mysql-backup/LICENSE diff --git a/mysql-backup/README.md b/old/mysql-backup/README.md similarity index 100% rename from mysql-backup/README.md rename to old/mysql-backup/README.md diff --git a/mysql-backup/run.sh b/old/mysql-backup/run.sh similarity index 100% rename from mysql-backup/run.sh rename to old/mysql-backup/run.sh diff --git a/pica-apache/Dockerfile b/old/pica-apache/Dockerfile similarity index 100% rename from pica-apache/Dockerfile rename to old/pica-apache/Dockerfile diff --git a/pica-apache/run.sh b/old/pica-apache/run.sh similarity index 100% rename from pica-apache/run.sh rename to old/pica-apache/run.sh diff --git a/pica-apache/sample/index.php b/old/pica-apache/sample/index.php similarity index 100% rename from pica-apache/sample/index.php rename to old/pica-apache/sample/index.php diff --git a/pica-kanboard/Dockerfile b/old/pica-kanboard/Dockerfile similarity index 100% rename from pica-kanboard/Dockerfile rename to old/pica-kanboard/Dockerfile diff --git a/postgres-backup/Dockerfile b/old/postgres-backup/Dockerfile similarity index 100% rename from postgres-backup/Dockerfile rename to old/postgres-backup/Dockerfile diff --git a/postgres-backup/README.md b/old/postgres-backup/README.md similarity index 100% rename from postgres-backup/README.md rename to old/postgres-backup/README.md diff --git a/postgres-backup/run.sh b/old/postgres-backup/run.sh similarity index 100% rename from postgres-backup/run.sh rename to old/postgres-backup/run.sh diff --git a/pica-ci/Dockerfile b/pica-ci/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..4514e10052c3d73efbca9f2a7cae6a22178e6cd7 --- /dev/null +++ b/pica-ci/Dockerfile 
@@ -0,0 +1,25 @@
+FROM docker:stable
+WORKDIR /workdir
+COPY . /workdir/
+
+RUN apk update && \
+ apk add build-base \
+ git \
+ gnupg \
+ iproute2 \
+ libffi-dev \
+ openssl-dev \
+ py-pip \
+ python2-dev \
+ sed \
+ wget && \
+ pip install docker-compose && \
+ chmod +x get-modified-image.sh get-host-by-image.sh decrypt-secrets.sh && \
+ export MODIFIED_IMAGE_FULL=$(./get-modified-image.sh) && \
+ export MODIFIED_IMAGE=$(echo $MODIFIED_IMAGE_FULL | cut -d ':' -f1) && \
+ export CONTAINER_NAME=$(cat $MODIFIED_IMAGE/docker-compose.yml | grep $MODIFIED_IMAGE -B1 | head -n1 | cut -d ':' -f1 | xargs) && \
+ export HOST=$(./get-host-by-image.sh) && \
+ echo "MODIFIED_IMAGE=$MODIFIED_IMAGE" >> /etc/profile.d/ci-variables && \
+ echo "MODIFIED_IMAGE_FULL=$MODIFIED_IMAGE_FULL" >> /etc/profile.d/ci-variables && \
+ echo "CONTAINER_NAME=$CONTAINER_NAME" >> /etc/profile.d/ci-variables && \
+ echo "HOST=$HOST" >> /etc/profile.d/ci-variables
diff --git a/pica-dokuwiki/Dockerfile b/pica-dokuwiki/Dockerfile
index c37d0a95439716a96c06883eb454f29397fb0335..14cc4ebe1bd8566056385e736884138e5f482867 100644
--- a/pica-dokuwiki/Dockerfile
+++ b/pica-dokuwiki/Dockerfile
@@ -12,6 +12,7 @@ RUN apt-get update -y && \
 php7.0 \
 php7.0-fpm \
 php7.0-gd \
+ php7.0-ldap \
 php7.0-xml && \
 mkdir -p html /var/run/php && \
 echo "cgi.fix_pathinfo = 0;" >> /etc/php/7.0/fpm/php.ini && \
diff --git a/pica-dokuwiki/clair-whitelist.yml b/pica-dokuwiki/clair-whitelist.yml
index 987c831ef64473a8b259544368755b81967389ec..6c0c6e6e16c9f7759c418b32166917e7cb9c18fb 100644
--- a/pica-dokuwiki/clair-whitelist.yml
+++ b/pica-dokuwiki/clair-whitelist.yml
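Review bot: `COPY . /workdir/` places the whole checkout into the CI image, so every file in the repository at that commit, including the `secrets/` directories (this commit adds an encrypted file under `pica-etherpad/secrets/encrypted-variables-production/`) and any locally decrypted `*.secrets` files, travels with the image wherever it is pushed. A `.dockerignore` excluding `**/secrets` and whatever else the three helper scripts do not need would confine the image to what the pipeline actually uses; whether `get-modified-image.sh` requires `.git` is not visible here, so keep that unless confirmed otherwise. The `export MODIFIED_IMAGE=...` results are also computed at image build time and frozen into `/etc/profile.d/ci-variables`, so any later job that reuses the same image tag inherits a stale `MODIFIED_IMAGE`; computing them when the job starts (an entrypoint or the job's `before_script`) removes that dependency on build order. Finally, `pip install docker-compose` is unpinned, so the CI image changes content between rebuilds with no diff to review; `pip install docker-compose==<pinned-version>` makes it reproducible.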
@@ -1,18 +1,11 @@ generalwhitelist: - CVE-2018-6954: systemd -> Pas de contre mesure CVE-2018-15686: systemd -> Pas de contre mesure - CVE-2017-16997: glibc -> Pas de contre mesure CVE-2018-6551: glibc -> La contre mesure est dans des paquets plus anciens et il est dangereux d'installer une version fixe, ou dans sid -> Pas de conter mesure pour stretch CVE-2018-1000001: glibc -> Pas de contre-mesure - CVE-2017-18269: glibc -> La contre mesure est dans des paquets plus anciens et il est dangereux d'installer une version fixe, ou dans sid -> Pas de conter mesure pour stretch CVE-2019-9169: glibc -> Pas de contre-mesure - CVE-2017-15670: glibc -> Pas de contre-mesure - CVE-2017-15804: glibc -> Pas de contre-mesure - CVE-2017-1000408: glibc -> Pas de contre mesure CVE-2018-6485: glibc -> Pas de contre mesure - CVE-2017-9120: php7.0 -> Il n'y a pas de paquet PHP version 7 non vulnérable -> Pas de contre mesure CVE-2017-8923: php7.0 -> Pas de contre mesure - CVE-2018-1000654: libtasn1-6 -> Pas de contre-mesure CVE-2017-12424: shadow -> Pas de contre-mesure - CVE-2016-2779: util-linux -> Pas de contre-mesure - CVE-2017-14062: libidn11 -> dépendance directe de wget et indirecte de curl, un des 2 est nécessaire pour le HEALTHCHECK et le téléchargement de Dokuwiki -> Pas de contre-mesure \ No newline at end of file + CVE-2016-2779: util-linux -> Pas de contre-mesure + CVE-2017-14062: libidn11 -> dépendance directe de wget et indirecte de curl, un des 2 est nécessaire pour le HEALTHCHECK et le téléchargement de Dokuwiki -> Pas de contre-mesure + CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure \ No newline at end of file diff --git a/pica-dokuwiki/docker-compose.yml b/pica-dokuwiki/docker-compose.yml index e8ffa7b8672ce5304bd065d0c96950289786db3c..410f9e756362f9c1ed74f8d260e112285c42499e 100644 --- a/pica-dokuwiki/docker-compose.yml +++ b/pica-dokuwiki/docker-compose.yml 
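Review bot: The whitelist entries carry a free-text reason but no date or reference for when the waiver was last checked, so a `Pas de contre mesure` line stays in force indefinitely even after stretch ships a fix; the hand-pruned removals in this hunk suggest the cleanup is currently done by memory. Appending the check date and the source consulted, e.g. `CVE-2019-11068: libxslt -> dépendance de PHP, pas de contre-mesure (vérifié <date>, <source>)`, gives the next reviewer a trigger to re-examine each entry. The same applies to pica-etherpad/clair-whitelist.yml further down. Both files also still end without a trailing newline, as the `\ No newline at end of file` markers show.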
@@ -1,10 +1,20 @@ version : "2.4" + +volumes: + dokuwiki-app-volume: + external: + name: "dokuwiki-app" + +networks: + docker_default: + external: true + services: dokuwiki-app: - image: pica-dokuwiki:2018.05 + image: pica-dokuwiki:stable container_name: dokuwiki-app volumes: - - /DATA/docker/wiki/html:/var/www/html + - dokuwiki-app-volume:/var/www/html security_opt: - no-new-privileges mem_limit: "2048m" @@ -15,3 +25,5 @@ services: - "traefik.port=80" - "traefik.enable=true" restart: always + networks: + - docker_default diff --git a/pica-dokuwiki/nginx.conf b/pica-dokuwiki/nginx.conf index cf2e58bf7bf12666b14928b1f82d459876744ed3..f4151b8b6876f4fff4a4930e9f9da8ccff7e18a9 100644 --- a/pica-dokuwiki/nginx.conf +++ b/pica-dokuwiki/nginx.conf @@ -31,7 +31,7 @@ http { try_files $uri $uri/ @dokuwiki; } - location ~ \.php$ { + location ~ \.php$ { try_files $uri =404; fastcgi_pass unix:/run/php/php7.0-fpm.sock; fastcgi_index index.php; diff --git a/pica-etherpad/Dockerfile b/pica-etherpad/Dockerfile index 20e77dfcb17ca813a6495473506fe7e6198987cb..c37ddc6dee25a9899a9fba0bd8aa6e7697225435 100644 --- a/pica-etherpad/Dockerfile +++ b/pica-etherpad/Dockerfile @@ -2,7 +2,7 @@ FROM node:10-slim as base LABEL maintainer="antoine@barbare.me" -ARG ETHERPAD_VERSION_BUILD=1.7.0 +ARG ETHERPAD_VERSION_BUILD=1.7.5 ARG ETHERPAD_LANDING_PAGE_VERSION_BUILD=v0.1 ARG NODE_ENV_BUILD=production 
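Review bot: `image: pica-dokuwiki:stable` replaces the pinned `2018.05` tag with a moving one, so what `docker-compose up` deploys depends on whatever was last pushed under that tag, and neither a rollback nor an audit of which build is running can be done from this file alone; the etherpad compose file in the same commit keeps a pinned `1.7.5`. Pinning here as well (`image: pica-dokuwiki:<version>`) keeps the two files consistent and makes the Clair result for a given tag meaningful. The `volumes:` block also uses the older `external: {name: ...}` spelling while the etherpad file uses the top-level `name:` key; both parse under 2.4, but one form across the repository reads more easily.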
@@ -36,23 +36,32 @@ RUN curl -SL https://github.com/ether/etherpad-lite/archive/${ETHERPAD_VERSION}. npm install \ ep_align \ ep_author_hover \ + ep_chatdate \ + ep_colibris_full_width \ ep_comments_page \ ep_countable \ ep_delete_empty_pads \ ep_font_color \ + ep_font_family \ ep_headings2 \ - ep_markdown \ + ep_hide_referrer \ + ep_markdown \ + ep_pad_activity_nofication_in_title \ ep_pads_stats \ ep_page_view \ - ep_spellcheck \ + ep_prompt_for_name \ + ep_set_title_on_pad \ ep_subscript_and_superscript \ - ep_table_of_contents \ + ep_tables2 \ ep_user_font_size && \ git clone https://framagit.org/DeBugs/picasoft-etherpad-landing-page.git src/templates/picasoft-etherpad-landing-page && \ rm package-lock.json && \ git --git-dir=src/templates/picasoft-etherpad-landing-page/.git checkout ${ETHERPAD_LANDING_PAGE_VERSION} && \ cp src/templates/picasoft-etherpad-landing-page/index.html src/templates/index.html && \ - cp src/templates/picasoft-etherpad-landing-page/static/* src/static/ -r + cp src/templates/picasoft-etherpad-landing-page/static/* src/static/ -r && \ + # Change default hard-coded pad title + sed -i 's|Untitled Pad|Nouveau pad|g' node_modules/ep_set_title_on_pad/templates/title.ejs && \ + sed -i 's|Untitled Pad|Nouveau pad|g' node_modules/ep_set_title_on_pad/static/tests/frontend/specs/atest.js # construction de l'image finale @@ -60,7 +69,7 @@ FROM base COPY entrypoint.sh /opt/etherpad-lite/entrypoint.sh RUN apt-get update && \ - apt-get install -y mysql-client && \ + apt-get install -y mysql-client unoconv libreoffice-writer libreoffice-pdfimport && \ chmod +x /opt/etherpad-lite/entrypoint.sh && \ mkdir -p /opt/etherpad-lite && \ chown -R node /opt/etherpad-lite && \ diff --git a/pica-etherpad/README.md b/pica-etherpad/README.md new file mode 100644 index 0000000000000000000000000000000000000000..68d60967fab980757a4c917eb108c9ecad2db879 --- /dev/null +++ b/pica-etherpad/README.md 
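Review bot: `apt-get install -y mysql-client unoconv libreoffice-writer libreoffice-pdfimport` installs LibreOffice with recommended packages enabled, which pulls in a large dependency set into an image that will convert user-uploaded documents; the etherpad whitelist in this commit now waives a poppler CVE with the note that the package is to be removed, which may be a consequence of exactly that. Using `apt-get install -y --no-install-recommends ...` and finishing the `RUN` with `rm -rf /var/lib/apt/lists/*` limits the surface and the image size; if poppler is still present afterwards, it is a hard dependency and the whitelist note should say so. The `RUN` continues outside the hunk.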
@@ -0,0 +1,68 @@ +# Pica Etherpad + +Ce dossier contient une image d'Etherpad Lite maintenue par l'association. + +Tous les fichiers présents ici suffisent à lancer correctement les deux conteneurs (application et base de données), si un Traefik tourne sur la machine cible. Sinon, il faut simplement adapter l'URL présente dans `entrypoint.sh` et exposer un port du conteneur, mais c'est hors-propos. + +<!-- MarkdownTOC autolink="true" --> + +- [Environnement](#environnement) +- [Configuration](#configuration) + - [Ajouter ou modifier un paramètre](#ajouter-ou-modifier-un-param%C3%A8tre) +- [Mise à jour de l'image](#mise-%C3%A0-jour-de-limage) +- [Ajout d'un plugin](#ajout-dun-plugin) + +<!-- /MarkdownTOC --> + +## Environnement + +Etherpad se configure au lancement du conteneur avec des variables d'environnement. Elles sont présentes à trois endroits : + +* Le fichier `etherpad-app.secrets.example` contient les variables possibles pour créer un administrateur Etherpad, qui pourra par exemple modifier la configuration depuis l'interface graphique. Copiez le fichier en enlevant `.example` et remplacez les valeurs. Ce fichier est importé depuis `docker-compose.yml`. +* Le fichier `etherpad-db.secrets.example` contient les variables nécéssaires pour créer un utilisateur de la base de données. Le reste est similaire à l'autre fichier secret. +* Le reste des variables d'environnement non-confidentielles est affecté directement dans le fichier `docker-compose.yml`, via la directive `environment`. + +Les valeurs par défaut des variables (si elles ne sont pas affectées) se trouve dans `entrypoint.sh`. + +Pour information, les variables que l'on peut affecter directement dans le `docker-compose.yml` sont : + +* `ETHERPAD_MINIFY` +* `ETHERPAD_THEME` +* `ETHERPAD_TITLE` +* `ETHERPAD_PORT` + +Elles ont toutes une valeur par défaut fonctionnelle ; à ne modifier qu'en cas particulier. 
+ +## Configuration + +### Ajouter ou modifier un paramètre + +Le fichier de configuration se trouve, dans le conteneur, à l'emplacement `/opt/etherpad-lite/settings.json`. Il est construit dynamiquement à chaque lancement du conteneur par le script `entrypoint.sh`. + +Pour modifier la configuration, il faudra donc changer la valeur de la variable d'environnement associée et relancer le conteneur. + +Pour ajouter un paramètre de configuration, il faudra : + +1. Créer une nouvelle variable d'environnement que l'on peut affecter dans le `docker-compose.yml` +2. Récupérer cette valeur dans `entrypoint.sh` et lui substituer une valeur par défaut si elle n'existe pas +3. Rajouter le paramètre de configuration lors de la construction du fichier `settings.json` +4. Tester en local que tout fonctionne +5. Reconstruire l'image et la pousser sur le Registry +6. Modifier le `docker-compose.yml` d'exemple **et** de production avec la nouvelle variable d'environnement, puis l'ajouter à ce README. + +## Mise à jour de l'image + +Pour mettre à jour la version d'Etherpad, il faut simplement reconstruire l'image en ayant préalablement modifié la variable `ETHERPAD_VERSION_BUILD` du Dockerfile. + +Ensuite, on construit l'image, on la teste, on la tag et on la pousse sur le registry (procédure classique). +Il faut ensuite mettre à jour le `docker-compose` d'exemple pour refléter la nouvelle version. + +## Ajout d'un plugin + +Etherpad maintient une [liste officielle des plugins](https://static.etherpad.org/plugins.html). + +Pour installer un plugin, on évitera de passer par l'interface administrateur et on préfèrera modifier le [Dockerfile](Dockerfile) directement. + +Il suffit pour ce faire d'ajouter le nom du package npm correspondant à l'endroit où ils sont tous installés (`npm install`...), en respectant l'ordre alphabétique pour la facilité de lecture. + +Il suffit ensuite de mettre à jour l'image. \ No newline at end of file 
diff --git a/pica-etherpad/clair-whitelist.yml b/pica-etherpad/clair-whitelist.yml index a9ef1655750a09236c7ee2506147e24c899c5239..5dbddc2009c856f6b8c914e2e4b960bb39c5de86 100644 --- a/pica-etherpad/clair-whitelist.yml +++ b/pica-etherpad/clair-whitelist.yml 
@@ -1,23 +1,11 @@ generalwhitelist: CVE-2017-14062: libidn11 -> pas de contre mesure disponible pour stretch - CVE-2019-3823: curl -> non affecté, le paquet qui contient la contre mesure est installé à la place de celui qui est vulnérable cf logs - CVE-2019-3822: curl -> idem - CVE-2018-1000654: libtasn1-6 -> Pas de contre mesure disponible - CVE-2016-9841: zlib -> le paquet qui corrige le problème n'est pas backporté -> Pas de contre mesure - CVE-2016-2774: isc-dhcp -> Le paquet qui corrige le problème n'est pas backporté, et DHCP n'est probablement même pas utilisé par le conteneur -> Pas de contre mesure - CVE-2016-9843: zlib -> le paquet qui corrige le problème n'est pas backporté -> Pas de contre mesure CVE-2016-2779: util-linux -> Vulnérabilité Linux CVE-2017-10788: libdbd-mysql-perl -> Bug qui semble nécessiter que la base de données soit accessible par le réseau ce qui n'est pas le cas -> Non affecté CVE-2018-6485: glibc -> Pas de contre mesure - CVE-2017-16997: glibc -> Pas de contre mesure - CVE-2017-18269: glibc -> Pas de contre mesure - CVE-2017-15670: glibc -> Pas de contre mesure CVE-2018-6551: glibc -> Pas de contre mesure CVE-2018-1000001: glibc -> Pas de contre mesure - CVE-2017-1000408: glibc -> Pas de contre mesure - CVE-2017-15804: glibc -> Pas de contre mesure CVE-2019-9169: glibc -> Pas de contre mesure CVE-2017-12424: shadow -> Pas de contre mesure - CVE-2018-6954: systemd -> Pas de contre mesure - CVE-2018-15686: systemd -> Pas de contre mesure - CVE-2018-6797: Perl est une dépendance du client mysql et la version non vulnérable dans stretch n'a pas été backportée -> Pas de contre-mesure \ No newline at end of file + CVE-2019-11068: libxslt -> dépendance d'autres paquets, pas de correctif disponible -> Pas de contre-mesure + CVE-2019-9631: poppler -> à désinstaller \ No newline at end of file 
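Review bot: `CVE-2019-9631: poppler -> à désinstaller` records an intended remediation as a whitelist entry, so the scanner stops failing while the package stays installed; the etherpad Dockerfile in this commit does not remove poppler. Either purge it in the Dockerfile (if `libreoffice-pdfimport` does not hard-depend on it) or leave the CVE out of the whitelist so the `clair` stage keeps failing until the package is gone. A whitelist should only hold accepted risks, not pending work.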
diff --git a/pica-etherpad/docker-compose.yml b/pica-etherpad/docker-compose.yml index fa5b85f0a19203721574caed3a4a028da747b89d..daf375784cb2144c90ce7a98647b4e937c6fbb1d 100755 --- a/pica-etherpad/docker-compose.yml +++ b/pica-etherpad/docker-compose.yml @@ -1,8 +1,21 @@ version : "2.4" + +volumes: + etherpad-db-volume: + external: true + name: "etherpad-db" + +networks: + docker_default: + external: true + name: "docker_default" + services: etherpad-app: - image: pica-etherpad:1.7.0 + image: pica-etherpad:1.7.5 container_name: etherpad-app + depends_on: + - etherpad-db links: - etherpad-db:mysql security_opt: @@ -15,8 +28,12 @@ services: - "traefik.frontend.rule=Host:pad.picasoft.net" - "traefik.port=8080" - "traefik.enable=true" + environment: + - ETHERPAD_THEME=colibris + - ETHERPAD_MINIFY=true restart: always - + networks: + - docker_default etherpad-db: image: mysql:5.7 container_name: etherpad-db @@ -26,12 +43,13 @@ services: cpus: "0.20" pids_limit: 1024 volumes: - - /DATA/docker/etherpad/etherpad-db/data:/var/lib/mysql + - etherpad-db-volume:/var/lib/mysql env_file: ./secrets/etherpad-db.secrets healthcheck: - test: "/usr/bin/mysql --user=root --password=$${MYSQL_ROOT_PASSWORD} --execute \"SHOW DATABASES;\"" - interval: 4s - timeout: 20s - retries: 10 + test: "/usr/bin/mysql --user=root --password=$${MYSQL_ROOT_PASSWORD} --execute \"SHOW DATABASES;\"" + interval: 4s + timeout: 20s + retries: 10 restart: always - + networks: + - docker_default \ No newline at end of file diff --git a/pica-etherpad/entrypoint.sh b/pica-etherpad/entrypoint.sh index a3ca9967e6d834bb82f0886e4d18e97e79f9e1d5..61a0cb57ee24c1f35e45b7bf8ce630c745796599 100644 --- a/pica-etherpad/entrypoint.sh +++ b/pica-etherpad/entrypoint.sh 
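Review bot: `depends_on: - etherpad-db` in its short form only orders container start, so the application's entrypoint, which queries MySQL as soon as it runs, can race the server's startup even though `etherpad-db` now has a healthcheck. Under `version: "2.4"` the long form is available: `depends_on: { etherpad-db: { condition: service_healthy } }` makes compose wait until the healthcheck passes. The re-indented healthcheck still passes `--password=$${MYSQL_ROOT_PASSWORD}` on the command line, where it is readable in the container's process list; `mysqladmin ping -h localhost` (which reports the server alive without credentials) or supplying the password through `MYSQL_PWD` in the test command's environment avoids that.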
@@ -23,9 +23,41 @@ if [ -z "$ETHERPAD_DB_PASSWORD" ]; then exit 1 fi -: ${ETHERPAD_TITLE:=Etherpad} +# Title of the instance +: ${ETHERPAD_TITLE:=Picapad} : ${ETHERPAD_PORT:=8080} +# Skin of the instance ; for now only no-skin and colibris exist +: ${ETHERPAD_THEME:=no-skin} + +# If true, minify all CSS and JS but prevent debugging client-side +: ${ETHERPAD_MINIFY:=false} + +# Default text when creating a new pad +: ${ETHERPAD_DEFAULT_TEXT:="Bienvenue sur Picapad, une instance d'Etherpad, un éditeur de texte collaboratif libre.\n\ +-----------------------------------------------------------\n\ +Le texte que vous saisissez est automatiquement synchronisé avec toutes les personnes naviguant sur ce pad.\n\n\ +Prenez des notes et rédigez des documents librement !\n\n\ +→ Pour bien commencer :\n\ +• Renseignez votre nom ou pseudo, en cliquant sur l’icône « utilisateur » en haut à droite.\n\ +• Choisissez votre couleur d'écriture au même endroit.\n\ +• Les contributions de chacun se synchronisent « en temps réel » sous leur propre couleur.\n\ +• Un chat vous permet de discuter avec les autres personnes présentes sur le pad.\n\n\ +→ Fonctionnalités :\n\ +• Couleur du texte, tableau, choix et taille de police, alignement, pleine page...\n\ +• Sauvegarde automatique du pad.\n\ +• Historique complet du pad (bouton en forme d'horloge)\n\ +• Sauvegarde de versions clés (bouton en forme d'étoile).\n\ +• Commentaires avec suggestion de remplacement (bouton en forme de bulle).\n\ +• Les réglages vous permettent de désactiver les couleurs, de changer la langue, d'activer les sauts de pages...\n\n\ +→ Partage :\n\ +• Import et export dans divers formats (bouton avec les flèches).\n\ +• Partage en lecture seule, pour éviter les modifications non voulues (bouton </>).\n\n\ +Pensez à garder l'URL de votre pad pour le retrouver.\nAttention, celui-ci est public, c'est-à -dire que toute personne qui en possède l'URL pourra y accéder : \ +n'y stockez pas d'informations confidentielles 
!\n\ +-----------------------------------------------------------\n\ +Une question ? Un problème ? Envoyez-nous un mail à picasoft@assos.utc.fr !"} + # Check if database already exists RESULT=`mysql -u${ETHERPAD_DB_USER} -p${ETHERPAD_DB_PASSWORD} \ -h${MYSQL_PORT_3306_TCP_ADDR} --skip-column-names \ @@ -43,15 +75,26 @@ cat <<- EOF > /opt/etherpad-lite/settings.json { "title": "${ETHERPAD_TITLE}", "ip": "0.0.0.0", - "port" :${ETHERPAD_PORT}, - "dbType" : "mysql", - "dbSettings" : { - "user" : "${ETHERPAD_DB_USER}", - "host" : "${MYSQL_PORT_3306_TCP_ADDR}", - "password": "${ETHERPAD_DB_PASSWORD}", - "database": "${ETHERPAD_DB_NAME}", - "charset" : "utf8mb4" - }, + "port": "${ETHERPAD_PORT}", + "dbType": "mysql", + "dbSettings": { + "user" : "${ETHERPAD_DB_USER}", + "host" : "${MYSQL_PORT_3306_TCP_ADDR}", + "password": "${ETHERPAD_DB_PASSWORD}", + "database": "${ETHERPAD_DB_NAME}", + "charset" : "utf8mb4" + }, + "minify": "${ETHERPAD_MINIFY}", + "skinName": "${ETHERPAD_THEME}", + "defaultPadText": "${ETHERPAD_DEFAULT_TEXT}", + "padOptions": { + "lang": "fr", + "userName": "Anonyme", + "alwaysShowChat": false, + "chatAndUsers": false + }, + "allowUnknownFileEnds": false, + "soffice": "/usr/bin/soffice", EOF if [ $ETHERPAD_ADMIN_PASSWORD ]; then @@ -64,7 +107,7 @@ if [ $ETHERPAD_ADMIN_PASSWORD ]; then "password": "${ETHERPAD_ADMIN_PASSWORD}", "is_admin": true } - }, + } EOF fi @@ -72,5 +115,4 @@ cat <<- EOF >> /opt/etherpad-lite/settings.json } EOF - exec "$@" diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_ADMIN_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_ADMIN_PASSWORD new file mode 100644 index 0000000000000000000000000000000000000000..b9613c461816fe5d18dab37ca2d03cc21db743b7 Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_ADMIN_PASSWORD differ 
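Review bot: `ETHERPAD_DEFAULT_TEXT` is an operator-settable variable that the settings.json heredoc in the next hunk interpolates verbatim into a JSON string (`"defaultPadText": "${ETHERPAD_DEFAULT_TEXT}",`); the built-in default is carefully written with `\n` escapes and no double quotes, but an override containing `"`, a backslash or a raw newline yields invalid JSON and Etherpad fails to start with no obvious cause. Either state the constraint in the comment, e.g. `# Default text when creating a new pad (must be JSON-string safe: escape " and \, use \n for line breaks)`, or escape the value before it is written. Separately, `c'est-à -dire` in the default text looks like an encoding artefact (a stray character after `à`) and probably should read `c'est-à-dire`.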
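Review bot: `"minify": "${ETHERPAD_MINIFY}",` writes the setting as a JSON string, but Etherpad documents `minify` as a boolean; a non-empty string such as `"false"` is most likely truthy in the JavaScript that reads it, so the default `ETHERPAD_MINIFY=false` set above would not actually disable minification. Emit the value unquoted, `"minify": ${ETHERPAD_MINIFY},`, which the `true`/`false` default in the previous hunk already presupposes (the compose file passes `ETHERPAD_MINIFY=true`). `"port": "${ETHERPAD_PORT}",` was likewise changed from a number to a string; that is probably tolerated by the listener, but reverting to the unquoted form avoids a type change with no benefit.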
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_NAME b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_NAME
new file mode 100644
index 0000000000000000000000000000000000000000..0fa4709e749342699d9ef9ef4bf2cc62ab72d775
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_NAME differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..88744f475dbc370be4c5783112b8692616383095
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_USER b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_USER
new file mode 100644
index 0000000000000000000000000000000000000000..9e2d3fbfe24197eae7644b3c48f875cb2855d88c
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/ETHERPAD_DB_USER differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/MYSQL_PORT_3306_TCP_ADDR b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/MYSQL_PORT_3306_TCP_ADDR
new file mode 100644
index 0000000000000000000000000000000000000000..bb074d3dbea2ff7fdbae86dafd3ec2f653b6e97f
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-app/MYSQL_PORT_3306_TCP_ADDR differ
diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_DATABASE b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_DATABASE
new file mode 100644
index 0000000000000000000000000000000000000000..f28d17007de9d44fb330efc1cc3ee95510ef663b
--- /dev/null
+++ b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_DATABASE @@ -0,0 +1,3 @@ +…kö¿ÛoÒkÿ}<¢Øßû=“›5JÞo[Õ"ƒ×\iïw‹¯ÐÝåˆoA¿ø-# n´áK:ŽÑ…SÛÎèp¦;òˆòßi€Ž¾qÈ9Õ˜7rêåËÇ—È|¨G_Óó#uVFÞrm–ü·Ý€•eÕӃ£›â„oÞþ‹lžæÀÌ%ëXóÁ‡„Ä)WY×x›{ݾYÍS5¦;„Lp XÀ¾&Zÿ'»ü¦MSê?xÀ8’þ‡í$ý°qÞMm·ê~i¹$‘ºpGÎwa67ƒë6ú•ÍèäðQ„.¼œw[˜YH1ž¤(LçûŒ•Ä&D€¯„ÚF#Ÿ×΢ËÕþ®W0†ÏÊ D‹.k)ý<D|‚X®éá(‚Þ#½ã~" **-?‹±‚rIûŒ˜æ¯\é…šg=.ê—fhñŒ€àT2Å™îV `½rkü•ð‹O¼Ž_sÿòs4öâ9«ŒcŒâ,sú»=]ù##»g|@˜2õ³¼ö×3®_ÈM¯y$QܤŠâz‘ç7@ |JªÔPŒ 6ažjÃq¸ÜöS}dŽÀgƒ“ê-Ýž9Ô•‡v" +õJƒ [È® ¤˜ßGæ +EÝfÁÖ&»eµ ™$ÿà [Ûfý\”õ%è&ƒ‚ôØ$ÒWZ1Gš“P>ÜGãçëHéîäm„úŒ¡²…Jíþ%¢È~žyÎî›ÂÁã#Ô'ä7/fãƒ|ݵPBÉœˆ ž¦ˆ´tšç>éñJ(J \ No newline at end of file diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_PASSWORD new file mode 100644 index 0000000000000000000000000000000000000000..9c3c24921fec8711c6648b06081156fd9f49e34d Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_PASSWORD differ diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_ROOT_PASSWORD b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_ROOT_PASSWORD new file mode 100644 index 0000000000000000000000000000000000000000..cd21bebf837e1596b2029c728dbacaa2763f666b Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_ROOT_PASSWORD differ diff --git a/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_USER b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_USER new file mode 100644 index 0000000000000000000000000000000000000000..8ea5c5d730e9b41dc494c0f74bcf7ab85543cade Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-production/etherpad-db/MYSQL_USER differ 
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_ADMIN_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_ADMIN_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..6de315d7269275a3446cc0a6576c5cca1467cd9b
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_ADMIN_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_NAME b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_NAME
new file mode 100644
index 0000000000000000000000000000000000000000..f9f3d6dcd6011ef2c99251441d2002c2526f3227
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_NAME differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..3e8a3e2c8c510098a0a4de4b03a4e1edc54c876c
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_USER b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_USER
new file mode 100644
index 0000000000000000000000000000000000000000..7a2ab42fadeefa82c834405eaf31ac72b38a0323
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/ETHERPAD_DB_USER differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/MYSQL_PORT_3306_TCP_ADDR b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/MYSQL_PORT_3306_TCP_ADDR new file mode 100644 index 0000000000000000000000000000000000000000..8cdda0d812be49e09323eacd3614434799ffd46d Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-app/MYSQL_PORT_3306_TCP_ADDR differ diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_DATABASE b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_DATABASE new file mode 100644 index 0000000000000000000000000000000000000000..75e409e910e38ece0967157a554d8ebe39d220a0 --- /dev/null +++ b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_DATABASE @@ -0,0 +1,6 @@ +…Ãö™=H¯zú£§,¿‚áÂzöó¨Dã¹Jp¤'ÅׯWä”Q•À§¡ÉÎ×)y5r3qI ”qrZÿ#ªcBôïËÈ×qsqÊI@à'uÄ~í¨¸§üëÃäY&|[t_ &;ƒO#¡ícÆiA£Ì€H—Ax‚ÕJx¨Á„iþµÔ¤§¢B¸?þv)ä ç‡3ÕôŸáGcð\yRyJ±Çu^ +{<…h×ÿc“E#J€Áß+‡ps—hqfÈ'$•šøÒµ÷^F']÷®£·ÖÜD–\/K!£ÓeA ¹F¿FáHt;(.Ï¿…§¢2…¸”æöp‹UÛ¯^½&¡¼tºKë¢dØí±<[œS›{y@ÆÐ âE/"ëBÒŸ{g;]s"t‚•/Ķ´\Eš(zÐXe›Ži:õªÎ¢zˉcŽQ$îJá°}6൹4±mÓ§ˆyMרsZ:ÌNaá»@^Âü}v}a|×lÙOHŸæ +ͱ¡ †ì¥‚ +‹æOÉáByX qL”XÊˆÒ +¶t¡cùãHx“õ +ò·õ; ôrÏ×x*óìU!~ºÃ9>#wàld Ü#¯~·…¨\¹›_³mࢧoW¯å•®£JŽœ¡ïD,ÜMjÁ„XÄÛQvì°Ø›–>¡U];,{ÒW%,ì¥æoéušÊh=IšÛéÁæÕe;^‘°V´(àpi£Ú>ã°OÉ©§L«T–ÞÃñÏm«a—ó ¦ª:éÁµ†= fhÛiñ¸öA–^Qx \ No newline at end of file diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_PASSWORD new file mode 100644 index 0000000000000000000000000000000000000000..f579f7ad7cf840feef9af17e40eb1d35afe9a5ad Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_PASSWORD differ 
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_ROOT_PASSWORD b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_ROOT_PASSWORD
new file mode 100644
index 0000000000000000000000000000000000000000..87fce66983d6576c4863cb937a438f94c37b23d0
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_ROOT_PASSWORD differ
diff --git a/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_USER b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_USER
new file mode 100644
index 0000000000000000000000000000000000000000..6ce2fe00f4c8cab717771ecb85546e4d657bfdfc
Binary files /dev/null and b/pica-etherpad/secrets/encrypted-variables-test/etherpad-db/MYSQL_USER differ
diff --git a/pica-gchange/Dockerfile b/pica-gchange/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..8358a03308e11233d8645ac67b18a80257da156d
--- /dev/null
+++ b/pica-gchange/Dockerfile
@@ -0,0 +1,9 @@
+FROM registry.picasoft.net/pica-nginx
+LABEL maintainer jeremy.maille@etu.utc.fr
+RUN apt-get update && \
+ apt-get install -y zip && \
+ wget --quiet https://github.com/duniter-gchange/gchange-client/releases/download/v0.9.2/gchange-v0.9.2-web.zip -O gchange.zip && \
+ unzip gchange.zip -d /var/www/html && \
+ rm gchange.zip && \
+ apt-get remove -y zip && \
+ rm -r /var/lib/apt/lists/*
diff --git a/pica-mail-copy-certs/update-certs-pica-mail.sh b/pica-mail-copy-certs/update-certs-pica-mail.sh
index 2e51094a81fb2b11f9ae8e5eb03272e55e31bf82..2a13f2b54cf45ecd39a3424ddb2eaebc11d4804e 100755
--- a/pica-mail-copy-certs/update-certs-pica-mail.sh
+++ b/pica-mail-copy-certs/update-certs-pica-mail.sh
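Review bot: The `RUN` installs `zip` but the following line calls `unzip`, which on Debian-based images is a separate package that `zip` does not pull in; unless the `pica-nginx` base image already ships it, the build fails at `unzip gchange.zip -d /var/www/html`, and if the base image does ship it the later `apt-get remove -y zip` removes a package that was never needed. Change the two lines to `apt-get install -y unzip && \` and `apt-get remove -y unzip && \`. Independently, the release archive is fetched from a third-party GitHub release with no integrity check, so the image content is whatever that URL serves at build time; adding `echo "<EXPECTED_SHA256>  gchange.zip" | sha256sum -c - && \` right after the `wget` line pins the artifact and makes a replaced or tampered asset fail the build instead of being served.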
@@ -1,4 +1,4 @@
 #!/bin/sh
 echo pica-copying certs for ${DOMAIN} from /DATA/docker/traefik/certs/acme.json to /DATA/docker/mail/ssl
-cat /DATA/docker/traefik/certs/acme.json | jq -r --arg domain ${DOMAIN} '.DomainsCertificate[][] | if .Domains.Main == $domain then . else empty end | .Certificate.Certificate' | base64 -d > /DATA/docker/mail/ssl/cert
-cat /DATA/docker/traefik/certs/acme.json | jq -r --arg domain ${DOMAIN} '.DomainsCertificate[][] | if .Domains.Main == $domain then . else empty end | .Certificate.PrivateKey' | base64 -d > /DATA/docker/mail/ssl/key
+cat /DATA/docker/traefik/certs/acme.json | jq -r --arg domain ${DOMAIN} '.Certificates[] | if .Domain.Main == $domain then . else empty end | .Certificate' | base64 -d > /DATA/docker/mail/ssl/cert
+cat /DATA/docker/traefik/certs/acme.json | jq -r --arg domain ${DOMAIN} '.Certificates[] | if .Domain.Main == $domain then . else empty end | .Key' | base64 -d > /DATA/docker/mail/ssl/key
diff --git a/pica-mail-mta/config.sh b/pica-mail-mta/config.sh
index 92cc11234dbe61511c0fd7816f0e94535c09eefe..39305cbab1d261cd67adb06f86456d2670e5e4a0 100755
--- a/pica-mail-mta/config.sh
+++ b/pica-mail-mta/config.sh
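Review bot: Both rewritten pipelines redirect straight into `/DATA/docker/mail/ssl/cert` and `/DATA/docker/mail/ssl/key`, so when the `jq` filter matches nothing (a wrong or unset `DOMAIN`, or the acme.json layout changing again as it just did here) `base64 -d` of an empty string silently truncates the live certificate and key and the mail service comes up with broken TLS. Write each result to a temporary file and move it into place only when it is non-empty, and quote the variable as `"${DOMAIN}"` so an unset value fails visibly rather than producing an empty argument. The private key is also written with the caller's default umask; a leading `umask 077` (or `chmod 600 /DATA/docker/mail/ssl/key` afterwards) keeps it from being readable by other users on the host.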
@@ -28,17 +28,6 @@ EOF postconf -e "virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps" postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-virtual-mailbox-maps" -#Tests aliases : -cat <<EOF >>/etc/postfix/ldap-virtual-alias-maps -server_host = ${LDAP_PROTOCOL}://${LDAP_SERVER_HOSTNAME}:${LDAP_PORT} -search_base = ${LDAP_SEARCH_BASE} -query_filter = ${LDAP_VIRTUAL_ALIASES_FILTER} -bind = yes -bind_dn = ${LDAP_BIND_DN} -bind_pw = ${LDAP_BIND_PW} -result_attribute = mail -EOF -postconf -e "virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-alias-maps" #en dessous de ce degré de "vérité", les boîtes non trouvées en table sont rejetées. (100 correspond à un "vrai" simple, mais il est possible de définir différents degrés d'appartenance à la table des utilisateurs dans des configurations plus complexes: une boîte pourrait par exemple avoir le bon nom de domaine mais pas le bon nom d'utilisateur, mais ne pas être rejetée;) postconf -e "virtual_minimum_uid = 100" @@ -107,10 +96,12 @@ EOF service saslauthd restart service postfix restart -#DMARC: ajout de mon nom d'hôte cat <<EOF >> /etc/opendmarc.conf +#ajout de mon nom d'hôte TrustedAuthservIDs ${MY_HOSTNAME} AuthservID ${MY_HOSTNAME} +#si le mail vient de quelqu'un (de chez picasoft) qui s'est connecté avec un client SMTP (un humain ou mattermost) alors son mail n'aura pas de headers spf/dkim, ce qui fait qu'il est invalide au vu de notre propre politique dmarc. On trust donc tous les gens qui se sont connectés en sasl et on les force à pass le dmarc. +IgnoreAuthenticatedClients true EOF #configuration DKIM
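Review bot: `IgnoreAuthenticatedClients true` exempts every SASL-authenticated session from the DMARC check, which addresses the symptom the new comment describes, but it moves the whole sender-spoofing control onto Postfix: an authenticated account can then submit mail with any From header unless `smtpd_sender_login_maps` (set a few lines above through `ldap-virtual-mailbox-maps`) is actually enforced with `reject_sender_login_mismatch` in the submission restrictions, which this hunk does not show. It is worth confirming that restriction is present and recording the dependency next to the new option, e.g. `# relies on reject_sender_login_mismatch in Postfix to stop authenticated accounts from spoofing other senders`. The `cat <<EOF >> /etc/opendmarc.conf` block continues past the hunk, so the remaining options appended there could not be checked.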