diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,32 +1,41 @@
-## Quickstart Instructions
-
-Really quick?
-
-```
-$ bin/quickstart.sh
-```
-
-More detailed:
-
-```
-$ bin/regen-certs
-$ docker pull kolab/centos7:latest
-$ docker-compose down
-$ docker-compose up -d
-$ cd src/
-$ composer install
-$ npm install
-$ cp .env.example .env
-$ echo "" >> .env
-$ cat .env.local >> .env
-$ ./artisan key:generate
-$ ./artisan jwt:secret -f
-$ ./artisan clear-compiled
-$ npm run dev
-$ rm -rf database/database.sqlite
-$ touch database/database.sqlite
-$ ./artisan migrate:refresh --seed
-$ ./artisan serve
-```
-
-NOTE: Set `APP_PUBLIC_URL` and `MOLLIE_KEY` and other such private settings in `.env.local`
+## Quickstart Instructions to try it out
+
+* Make sure you have docker and docker-compose available.
+* Run 'make deploy' in the base directory.
+* Add an /etc/hosts entry "127.0.0.1 kolab.local"
+* navigate to https://kolab.local
+* login as "john@kolab.org" with password "simple123"
+
+# Setup env.local
+
+To customize the installation, create a file src/env.local to override setting in src/.env.example.
+
+The setup script with merge these settings into src/.env, which is what is ultimately used by the installation.
+
+Take a look at ansible/env.local for an example of typical modifications required for an installation.
+
+# Use the ansible setup
+
+The ansible/ directory contains setup scripts to setup a fresh Fedora system with a kolab deployment.
+Modify the Makefile with the required variables and then execute `make setup`.
+
+This will configure the remote system and execute bin/deploy.sh
+
+### Update
+
+* git pull
+* Run "bin/update.sh"
+
+### Backup / Restore
+
+The "bin/backup.sh" script will stop all containers, snapshot the volumes to the backup/ directory, and restart the containers.
+
+"bin/restore.sh" will stop all containers, restore the volumes from tarballs in the backup/ directory, and restart the containers.
+ + +### Requirements +* docker +* openssl + +## TODO +* Only seed admin user, but not all the development stuff? diff --git a/ansible/env.local b/ansible/env.local --- a/ansible/env.local +++ b/ansible/env.local @@ -1,4 +1,3 @@ -MFA_DSN=mysql://root:Welcome2KolabSystems@127.0.0.1/roundcube APP_DOMAIN={{ host }} APP_WEBSITE_DOMAIN={{ host }} APP_KEY=base64:FG6ECzyAMSmyX+eYwO/FW3bwnarbKkBhqtO65vlMb1E= @@ -9,10 +8,14 @@ MEET_WEBRTC_LISTEN_IP='{{ public_ip }}' MEET_PUBLIC_DOMAIN={{ host }} MEET_SERVER_URLS=https://{{ host }}/meetmedia/api/ -WEBMAIL_URL=/roundcubemail APP_URL=https://{{ host }} ASSET_URL=https://{{ host }} +DB_HOST=mariadb +REDIS_HOST=redis +IMAP_URI=ssl://kolab:11993 +LDAP_HOSTS=kolab + MOLLIE_KEY= STRIPE_KEY= STRIPE_PUBLIC_KEY= @@ -30,23 +33,11 @@ PASSPORT_COMPANIONAPP_OAUTH_CLIENT_ID=9566e018-f05d-425c-9915-420cdb9258bb PASSPORT_COMPANIONAPP_OAUTH_CLIENT_SECRET=XjgV6SU9shO0QFKaU6pQPRC5rJpyRezDJTSoGLgz -APP_TENANT_ID=42 APP_PASSPHRASE=simple123 -MAIL_DRIVER=log - KOLAB_SSL_CERTIFICATE=/etc/letsencrypt/live/{{ host }}/cert.pem KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/letsencrypt/live/{{ host }}/fullchain.pem KOLAB_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/{{ host }}/privkey.pem PROXY_SSL_CERTIFICATE=/etc/letsencrypt/live/{{ host }}/fullchain.pem PROXY_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/{{ host }}/privkey.pem - -NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/{{ host }}/fullchain.pem -NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/{{ host }}/privkey.pem - -PGP_ENABLE=true -PGP_BINARY=/usr/bin/gpg -PGP_AGENT=/usr/bin/gpg-agent -PGP_GPGCONF=/usr/bin/gpgconf - diff --git a/bin/backup.sh b/bin/backup.sh new file mode 100755 --- /dev/null +++ b/bin/backup.sh 
@@ -0,0 +1,25 @@
+#!/bin/bash
+mkdir -p backup
+
+backup_path="$(pwd)/backup/"
+
+function backup_volume {
+ volume_name=$1
+ backup_destination=$2
+
+ echo "Backing up $volume_name to $backup_destination"
+ docker run --rm -v $volume_name:/data -v $backup_destination:/backup quay.io/centos/centos:stream8 tar -zcvf /backup/$volume_name.tar /data
+}
+
+echo "Stopping containers"
+docker-compose stop
+
+echo "Backing up volumes"
+volumes=($(docker volume ls -f name=kolab | awk '{if (NR > 1) print $2}'))
+for v in "${volumes[@]}"
+do
+ backup_volume $v $backup_path
+done
+
+echo "Restarting containers"
+docker-compose start
diff --git a/bin/quickstart.sh b/bin/quickstart.sh
--- a/bin/quickstart.sh
+++ b/bin/quickstart.sh
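Review bot: `mkdir -p backup` creates the backup directory with the default umask, yet the tarballs the root-running container writes into it contain the full MariaDB, IMAP and LDAP volumes, including whatever credentials those services persist, so the directory should be created as `mkdir -p -m 700 backup`. The `docker volume ls -f name=kolab` filter is a substring match and will also pick up unrelated volumes whose name merely contains `kolab`, which `restore.sh` then overwrites; matching the compose prefix `kolab_` instead narrows it. `$volume_name` and `$backup_destination` are unquoted in the `docker run` line; `-v "$volume_name:/data" -v "$backup_destination:/backup"` keeps a checkout path containing spaces from splitting the argument.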
@@ -27,16 +27,30 @@ export DOCKER_BUILDKIT=0 +COMPOSE_ARGS= +if [ "$1" != "--nodev" ]; then + COMPOSE_ARGS="-f docker-compose.yml -f docker-compose.local.yml" +fi docker-compose down --remove-orphans -src/artisan octane:stop >/dev/null 2>&1 || : -src/artisan horizon:terminate >/dev/null 2>&1 || : - -docker-compose build coturn kolab mariadb meet pdns proxy redis haproxy +docker volume rm kolab_mariadb || : +docker volume rm kolab_imap || : +docker volume rm kolab_ldap || : + +if [ "$1" != "--nodev" ]; then + src/artisan octane:stop >/dev/null 2>&1 || : + src/artisan horizon:terminate >/dev/null 2>&1 || : +else + # If we switch from an existing development setup to a compose deployment, + # we don't have a nice way to terminate octane/horizon. + # We can't use the artisan command because it will just block if redis is, + # no longer available, so we just kill all artisan processes running. + pkill -9 -f artisan || : +fi bin/regen-certs - -docker-compose up -d coturn kolab mariadb meet pdns proxy redis haproxy +docker-compose build coturn kolab mariadb meet pdns proxy redis haproxy +docker-compose ${COMPOSE_ARGS} up -d coturn kolab mariadb meet pdns redis # Workaround until we have docker-compose --wait (https://github.com/docker/compose/pull/8777) function wait_for_container { @@ -60,15 +74,11 @@ done; } -# Ensure the containers we depend on are fully started -wait_for_container 'kolab' -wait_for_container 'kolab-redis' - if [ "$1" == "--nodev" ]; then echo "starting everything in containers" - docker-compose build swoole + docker-compose -f docker-compose.build.yml build swoole docker-compose build webapp - docker-compose up -d webapp proxy + docker-compose up -d webapp proxy haproxy wait_for_container 'kolab-webapp' exit 0 fi 
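Review bot: `pkill -9 -f artisan || :` in the `--nodev` branch matches the full command line of every process on the host that contains the string `artisan`, not only the octane and horizon workers this script started, so when it runs as root it can kill another user's or another checkout's processes. The comment explains why `artisan` itself cannot be used to stop them, but the pattern can still be narrowed to the two workers, e.g. `pkill -9 -f 'artisan (octane:start|horizon)' || :`. The three unconditional `docker volume rm kolab_*` lines also make every run destroy the persisted MariaDB, IMAP and LDAP data without confirmation; that is reasonable for a throwaway environment, but since `ci/Makefile` calls this script with `--nodev`, a header comment stating that the script wipes data would prevent it being reused as an update path (`bin/update.sh` exists for that).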
@@ -97,6 +107,10 @@ test ! -z "$(php --modules | grep swoole)" || \ die "Is swoole installed?" +# Ensure the containers we depend on are fully started +wait_for_container 'kolab' +wait_for_container 'kolab-redis' + pushd ${base_dir}/src/ rm -rf vendor/ composer.lock @@ -137,4 +151,7 @@ ./artisan data:import || : nohup ./artisan octane:start --host=$(grep OCTANE_HTTP_HOST .env | tail -n1 | sed "s/OCTANE_HTTP_HOST=//") > octane.out & nohup ./artisan horizon > horizon.out & + popd + +docker-compose ${COMPOSE_ARGS} up --no-deps -d proxy haproxy diff --git a/bin/restore.sh b/bin/restore.sh new file mode 100755 --- /dev/null +++ b/bin/restore.sh @@ -0,0 +1,29 @@ +#!/bin/bash +backup_path="$(pwd)/backup/" + +function restore_volume { + volume_name=$1 + backup_destination=$2 + + echo "Restoring $volume_name from $backup_destination" + docker run --rm -v $volume_name:/data -v $backup_destination:/backup quay.io/centos/centos:stream8 bash -c "rm -rf /data/* && tar xvf /backup/$volume_name.tar -C /data --strip 1" +} + +echo "Stopping containers" +docker-compose stop + +# We currently expect the volumes to exist. +# We could alternatively create volumes form existing tar files +# for f in backup/*.tar; do +# echo "$(basename $f .tar)" ; +# done + +echo "Restoring volumes" +volumes=($(docker volume ls -f name=kolab | awk '{if (NR > 1) print $2}')) +for v in "${volumes[@]}" +do + restore_volume $v $backup_path +done +echo "Restarting containers" +docker-compose start + diff --git a/bin/update.sh b/bin/update.sh new file mode 100755 --- /dev/null +++ b/bin/update.sh @@ -0,0 +1,5 @@ +#!/bin/bash +docker-compose down --remove-orphans +docker-compose build coturn kolab mariadb meet pdns proxy redis haproxy webapp +bin/regen-certs +docker-compose up -d coturn kolab mariadb meet pdns proxy redis haproxy webapp diff --git a/ci/Makefile b/ci/Makefile --- a/ci/Makefile +++ b/ci/Makefile 
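Review bot: `restore_volume` runs `rm -rf /data/*` before `tar xvf` has established that `/backup/$volume_name.tar` exists, so a volume with no matching tarball in `backup/` is emptied and left empty. Testing for the file first, `[ -f "$backup_destination/$volume_name.tar" ] || { echo "no backup for $volume_name, skipping"; return 1; }`, keeps an incomplete backup directory from wiping live data. As in `backup.sh`, the volume list comes from a substring filter on `kolab` and the `docker run` arguments are unquoted, so both scripts should be fixed together.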
@@ -17,13 +17,13 @@ cd .. && bin/quickstart.sh --nodev build: - cd .. && DOCKER_BUILDKIT=0 docker compose build swoole && DOCKER_BUILDKIT=0 docker compose build tests && cd ci + cd .. && DOCKER_BUILDKIT=0 docker compose -f docker-compose.yml -f docker-compose.build.yml build swoole && DOCKER_BUILDKIT=0 docker compose -f docker-compose.yml -f docker-compose.build.yml build tests && cd ci lint: docker run -v ${PWD}/../:/src/kolab.orig -t kolab-tests /lint.sh test: - docker run --network=host -v ${PWD}/../src:/src/kolabsrc.orig -t kolab-tests /init.sh + docker run --network=kolab_kolab -v ${PWD}/../src:/src/kolabsrc.orig -t kolab-tests /init.sh all: configure setup build lint test diff --git a/ci/env.local b/ci/env.local --- a/ci/env.local +++ b/ci/env.local @@ -1,4 +1,4 @@ -MFA_DSN=mysql://root:Welcome2KolabSystems@127.0.0.1/roundcube +MFA_DSN=mysql://root:Welcome2KolabSystems@mariadb/roundcube APP_DOMAIN={{ host }} APP_WEBSITE_DOMAIN={{ host }} APP_KEY=base64:FG6ECzyAMSmyX+eYwO/FW3bwnarbKkBhqtO65vlMb1E= @@ -9,10 +9,16 @@ MEET_WEBRTC_LISTEN_IP='{{ public_ip }}' MEET_PUBLIC_DOMAIN={{ host }} MEET_SERVER_URLS=https://{{ host }}/meetmedia/api/ +MEET_LISTENING_HOST=172.18.0.1 WEBMAIL_URL=/roundcubemail APP_URL=https://{{ host }} ASSET_URL=https://{{ host }} +DB_HOST=mariadb +REDIS_HOST=redis +IMAP_URI=ssl://kolab:11993 +LDAP_HOSTS=kolab + MOLLIE_KEY= STRIPE_KEY= STRIPE_PUBLIC_KEY= @@ -39,8 +45,5 @@ KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/pki/tls/certs/kolab.hosted.com.chain.pem KOLAB_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/kolab.hosted.com.key -PROXY_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert -PROXY_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key - -NGINX_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert -NGINX_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key +PROXY_SSL_CERTIFICATE=/etc/certs/imap.hosted.com.cert +PROXY_SSL_CERTIFICATE_KEY=/etc/certs/imap.hosted.com.key 
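Review bot: `--network=kolab_kolab` hard-codes the compose project prefix, but compose derives the project name from the checkout directory, so a clone under any other directory name yields `<dir>_kolab` and the test container fails to attach. The same assumption sits in `bin/quickstart.sh` (`docker volume rm kolab_mariadb`) and in the `name=kolab` filter of `bin/backup.sh`. Pinning it once, for example by exporting `COMPOSE_PROJECT_NAME=kolab` in this Makefile and in `bin/quickstart.sh`, would make those names reliable everywhere.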
diff --git a/docker-compose.build.yml b/docker-compose.build.yml new file mode 100644 --- /dev/null +++ b/docker-compose.build.yml @@ -0,0 +1,12 @@ +version: '3' +services: + swoole: + build: + context: ./docker/swoole/ + container_name: kolab-swoole + image: apheleia/swoole:4.8.x + tests: + build: + context: ./docker/tests/ + container_name: kolab-tests + image: kolab-tests diff --git a/docker-compose.local.yml b/docker-compose.local.yml new file mode 100644 --- /dev/null +++ b/docker-compose.local.yml @@ -0,0 +1,21 @@ +version: '3' +services: + kolab: + ports: + - "389:389" + - "8880:8880" + - "8443:8443" + - "10143:10143" + - "10587:10587" + - "11143:11143" + - "11993:11993" + - "12143:12143" + mariadb: + ports: + - "3306:3306" + redis: + ports: + - "6379:6379" + proxy: + extra_hosts: + - "webapp:127.0.0.1" diff --git a/docker-compose.yml b/docker-compose.yml --- a/docker-compose.yml +++ b/docker-compose.yml @@ -26,10 +26,15 @@ depends_on: mariadb: condition: service_healthy + pdns: + condition: service_healthy extra_hosts: - "kolab.mgmt.com:127.0.0.1" environment: - - DB_HOST=${DB_HOST} + - LDAP_HOST=127.0.0.1 + - LDAP_ADMIN_BIND_DN="cn=Directory Manager" + - LDAP_ADMIN_BIND_PW=Welcome2KolabSystems + - DB_HOST=mariadb - DB_ROOT_PASSWORD=Welcome2KolabSystems - DB_HKCCP_DATABASE=${DB_DATABASE} - DB_HKCCP_USERNAME=${DB_USERNAME} @@ -48,12 +53,20 @@ - MAIL_PORT=10587 healthcheck: interval: 10s - test: test -f /tmp/kolab-init.done + test: "systemctl is-active kolab-init || exit 1" timeout: 5s retries: 30 + start_period: 5m + # This makes docker's dns, resolve via pdns for this container. + # Please note it does not affect /etc/resolv.conf + dns: 172.18.0.11 hostname: kolab.mgmt.com image: kolab - network_mode: host + networks: + kolab: + ipv4_address: 172.18.0.5 + ports: + - "12143:12143" tmpfs: - /run - /tmp 
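Review bot: The port mappings in `docker-compose.local.yml` (`389:389`, `3306:3306`, `6379:6379` and the kolab IMAP/SMTP ports) give no host address, so they bind on every host interface and expose the LDAP server whose Directory Manager password is written in `docker-compose.yml`, the MariaDB root account and Redis to anything that can reach the developer's machine. Since this override only exists so that a locally running `artisan` can reach the containers, prefixing each mapping with the loopback address, e.g. `- "127.0.0.1:389:389"`, keeps them local without changing the dev workflow.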
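Review bot: `- LDAP_ADMIN_BIND_DN="cn=Directory Manager"` uses the list form of `environment`, where the value after `=` is not shell-parsed, so the container most likely receives the double quotes as part of the DN; the map form (`LDAP_ADMIN_BIND_DN: "cn=Directory Manager"`) lets YAML strip them. The same applies to `- TZ="+02:00"` in the mariadb hunk below, which previously was the map entry `TZ: "+02:00"`. `LDAP_ADMIN_BIND_PW=Welcome2KolabSystems` also becomes a second literal copy of a credential that `docker/kolab/kolab.conf` and `imapd.conf` bake into the image; sourcing it as `${LDAP_ADMIN_BIND_PW:?err}` like the other secrets in this file would leave one place to change it.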
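Review bot: `ports: - "12143:12143"` on the kolab service publishes the cyrus `nginx` listener on every host interface from the main compose file, not just the local override, and `docker/kolab/imapd.conf` in this commit sets `nginx_allowplaintext: yes` for exactly that service, so a `--nodev` deployment offers plaintext IMAP logins on the host beside the TLS-terminating `proxy` that already publishes 143/993. If the mapping is needed for the dev setup only, it already exists in `docker-compose.local.yml` and can be dropped here; otherwise `- "127.0.0.1:12143:12143"` limits it to the host. The `start_period: 5m` on the healthcheck is worth a short comment saying it covers `kolab-init` running `setup-kolab` on first boot.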
@@ -65,24 +78,36 @@ - /etc/letsencrypt/:/etc/letsencrypt/:ro - ./docker/certs/ca.cert:/etc/pki/tls/certs/ca.cert:ro - ./docker/certs/ca.cert:/etc/pki/ca-trust/source/anchors/ca.cert:ro - - ./docker/certs/kolab.hosted.com.cert:/etc/pki/tls/certs/kolab.hosted.com.cert - - ./docker/certs/kolab.hosted.com.chain.pem:/etc/pki/tls/certs/kolab.hosted.com.chain.pem - - ./docker/certs/kolab.hosted.com.key:/etc/pki/tls/certs/kolab.hosted.com.key + - ./docker/certs/kolab.hosted.com.cert:${KOLAB_SSL_CERTIFICATE:?err} + - ./docker/certs/kolab.hosted.com.chain.pem:${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?err} + - ./docker/certs/kolab.hosted.com.key:${KOLAB_SSL_CERTIFICATE_KEY:?err} - ./docker/kolab/utils:/root/utils:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro + - imap:/imapdata + - ldap:/ldapdata mariadb: container_name: kolab-mariadb environment: - MYSQL_ROOT_PASSWORD: Welcome2KolabSystems - TZ: "+02:00" + - MARIADB_ROOT_PASSWORD=Welcome2KolabSystems + - TZ="+02:00" + - DB_HKCCP_DATABASE=${DB_DATABASE} + - DB_HKCCP_USERNAME=${DB_USERNAME} + - DB_HKCCP_PASSWORD=${DB_PASSWORD} healthcheck: interval: 10s test: test -e /var/run/mysqld/mysqld.sock timeout: 5s retries: 30 - image: mariadb - network_mode: host + image: mariadb:latest + networks: + - kolab + volumes: + - ./docker/mariadb/mysql-init/:/docker-entrypoint-initdb.d/ + - mariadb:/var/lib/mysql haproxy: + depends_on: + proxy: + condition: service_healthy build: context: ./docker/haproxy/ healthcheck: @@ -93,7 +118,8 @@ container_name: kolab-haproxy hostname: haproxy.hosted.com image: kolab-haproxy - network_mode: host + networks: + - kolab tmpfs: - /run - /tmp @@ -107,6 +133,7 @@ build: context: ./docker/pdns/ container_name: kolab-pdns + hostname: pdns depends_on: mariadb: condition: service_healthy @@ -115,9 +142,10 @@ test: "systemctl status pdns || exit 1" timeout: 5s retries: 30 - hostname: pdns - image: apheleia/kolab-pdns - network_mode: host + image: kolab-pdns + networks: + kolab: + ipv4_address: 172.18.0.11 tmpfs: - /run - /tmp 
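Review bot: `./docker/certs/kolab.hosted.com.cert:${KOLAB_SSL_CERTIFICATE:?err}` mounts the self-signed development certificate at whatever path the environment names, and `ansible/env.local` in this same commit sets that path to `/etc/letsencrypt/live/{{ host }}/cert.pem`; on such a deployment the dev certificate, chain and key from `./docker/certs` would be bind-mounted over the Let's Encrypt files that the `/etc/letsencrypt/:/etc/letsencrypt/:ro` line above already provides. If the variable is meant to select which certificate the container uses, the host side of these three mounts needs to come from the environment too, or the mounts belong in `docker-compose.local.yml`; worth confirming before this reaches a host with real certificates. The kolab service definition that these volumes belong to starts outside the hunk.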
@@ -127,6 +155,11 @@ volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro proxy: + depends_on: + kolab: + condition: service_healthy + webapp: + condition: service_healthy build: context: ./docker/proxy/ args: @@ -139,9 +172,13 @@ timeout: 5s retries: 30 container_name: kolab-proxy - hostname: ${APP_WEBSITE_DOMAIN:?err} + hostname: proxy image: kolab-proxy - network_mode: host + extra_hosts: + - "meet:${MEET_LISTENING_HOST}" + networks: + kolab: + ipv4_address: 172.18.0.7 tmpfs: - /run - /tmp @@ -151,6 +188,13 @@ volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro + ports: + # - "80:80" + - "443:443" + - "465:465" + - "587:587" + - "143:143" + - "993:993" redis: build: context: ./docker/redis/ @@ -162,14 +206,12 @@ container_name: kolab-redis hostname: redis image: redis - network_mode: host + networks: + - kolab volumes: - ./docker/redis/redis.conf:/usr/local/etc/redis/redis.conf:ro - swoole: - build: - context: ./docker/swoole/ - container_name: kolab-swoole - image: apheleia/swoole:4.8.x + # ports: + # - "6379:6379" webapp: build: context: ./docker/webapp/ 
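Review bot: `- "meet:${MEET_LISTENING_HOST}"` in the proxy's `extra_hosts` uses the variable without the `:?err` guard that `${MEET_WEBRTC_LISTEN_IP:?err}` and the meet service's own `LISTENING_HOST=${MEET_LISTENING_HOST:?err}` carry, so an `.env` that predates this change (the `ansible/env.local` hunks in this commit do not add it; only `ci/env.local` does) renders `meet:` and the proxy starts with a broken host entry instead of failing at `up`. Using `${MEET_LISTENING_HOST:?err}` here keeps the failure mode consistent. `ci/env.local` sets it to `172.18.0.1`, the gateway of the fixed subnet declared at the end of this file, and that coupling deserves a comment next to the entry.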
@@ -180,35 +222,31 @@ test: "/src/kolabsrc/artisan octane:status || exit 1" timeout: 5s retries: 30 + start_period: 5m depends_on: kolab: condition: service_healthy - network_mode: host - volumes: - - ./src:/src/kolabsrc.orig:ro - tests: - build: - context: ./docker/tests/ - container_name: kolab-tests - image: kolab-tests - depends_on: - kolab: + redis: condition: service_healthy - network_mode: host + networks: + - kolab volumes: - ./src:/src/kolabsrc.orig:ro + ports: + - "8000:8000" meet: build: context: ./docker/meet/ healthcheck: interval: 10s - test: "curl --insecure -H 'X-AUTH-TOKEN: ${MEET_SERVER_TOKEN}' --fail https://localhost:12443/meetmedia/api/health || exit 1" + test: "curl --insecure -H 'X-AUTH-TOKEN: ${MEET_SERVER_TOKEN}' --fail https://${MEET_LISTENING_HOST}:12443/meetmedia/api/health || exit 1" timeout: 5s retries: 30 + start_period: 5m environment: - WEBRTC_LISTEN_IP=${MEET_WEBRTC_LISTEN_IP:?err} - PUBLIC_DOMAIN=${MEET_PUBLIC_DOMAIN:?err} - - LISTENING_HOST=0.0.0.0 + - LISTENING_HOST=${MEET_LISTENING_HOST:?err} - LISTENING_PORT=12443 - TURN_SERVER=${MEET_TURN_SERVER} - TURN_STATIC_SECRET=${COTURN_STATIC_SECRET} @@ -224,3 +262,13 @@ - ./meet/server:/src/meet/:ro - ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.cert:/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN}.cert - ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.key:/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN}.key +networks: + kolab: + driver: bridge + ipam: + config: + - subnet: "172.18.0.0/24" +volumes: + mariadb: + imap: + ldap: diff --git a/docker/haproxy/haproxy.cfg b/docker/haproxy/haproxy.cfg --- a/docker/haproxy/haproxy.cfg +++ b/docker/haproxy/haproxy.cfg @@ -73,4 +73,4 @@ stick store-request src stick-table type ip size 200k expire 30m # NGINX imap with proxy protocol enabled - server s1 127.0.0.1:144 check send-proxy-v2 + server s1 proxy:144 check send-proxy-v2 diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile --- a/docker/kolab/Dockerfile +++ b/docker/kolab/Dockerfile 
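Review bot: The `kolab` network pins `subnet: "172.18.0.0/24"` while kolab, proxy and pdns pin addresses inside it (`172.18.0.5`, `172.18.0.7`, `172.18.0.11`, echoed by `dns: 172.18.0.11` on the kolab service and `172.18.0.1` in `ci/env.local`); `172.18.0.0/16` lies inside Docker's default address pool, so on a host that already has another bridge network in that range `docker-compose up` can fail with an overlapping-pool error, and that may be the case on the CI runner depending on what else it hosts. If the static addresses exist only so the kolab container can use pdns as its resolver, a comment on the `networks:` block should say so and list the places that must be changed together when the subnet moves. The meet healthcheck now curls `https://${MEET_LISTENING_HOST}:12443`, which with the CI value is the bridge gateway rather than the container itself; presumably intentional, but worth a comment.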
@@ -15,6 +15,7 @@
 epel-release epel-next-release && \
 dnf -y module enable 389-directory-server:stable/default && \
 dnf -y module enable mariadb:10.3 && \
+ dnf -y install iputils vim-enhanced bind-utils && \
 dnf clean all
 
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
@@ -28,28 +29,44 @@ COPY kolab-init.service /etc/systemd/system/kolab-init.service COPY kolab-setenv.service /etc/systemd/system/kolab-setenv.service -COPY kolab-vlv.service /etc/systemd/system/kolab-vlv.service COPY utils /root/utils RUN rm -rf /etc/systemd/system/multi-user.target.wants/{avahi-daemon,sshd}.* && \ ln -s /etc/systemd/system/kolab-init.service \ /etc/systemd/system/multi-user.target.wants/kolab-init.service && \ ln -s /etc/systemd/system/kolab-setenv.service \ - /etc/systemd/system/multi-user.target.wants/kolab-setenv.service && \ - ln -s /etc/systemd/system/kolab-vlv.service \ - /etc/systemd/system/multi-user.target.wants/kolab-vlv.service + /etc/systemd/system/multi-user.target.wants/kolab-setenv.service -RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || : +RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || : RUN sed -i -r -e 's/^Listen 80$/Listen 9080/g' /etc/httpd/conf/httpd.conf #RUN sed -i -r -e 's/^Listen 443$/Listen 9443/g' /etc/httpd/conf/httpd.conf COPY kolab-init.sh /usr/local/sbin/ RUN chmod 750 /usr/local/sbin/kolab-init.sh -COPY kolab-vlv.sh /usr/local/sbin/ -RUN chmod 750 /usr/local/sbin/kolab-vlv.sh + +COPY kolab.conf /etc/kolab/kolab.conf +COPY cyrus.conf /etc/cyrus.conf +COPY imapd.conf /etc/imapd.conf +COPY imapd.annotations.conf /etc/imapd.annotations.conf +COPY guam.conf /etc/guam/sys.config + + +RUN mkdir -p /imapdata/{spool,lib} && \ + rm -rf /var/spool/imap && ln -s /imapdata/spool /var/spool/imap && \ + mv /var/lib/imap /var/lib/imap-bak && ln -s /imapdata/lib /var/lib/imap && \ + chmod -R 777 /imapdata && \ + chown cyrus:mail /var/spool/imap /var/lib/imap + +RUN mkdir -p /ldapdata/{config,ssca,run} /var/run/dirsrv && \ + ln -s /ldapdata/config /etc/dirsrv/slapd-kolab && \ + ln -s /ldapdata/ssca /etc/dirsrv/ssca && \ + ln -s /ldapdata/run /var/run/dirsrv && \ + chmod -R 777 /ldapdata /etc/dirsrv VOLUME [ "/sys/fs/cgroup" ] +VOLUME [ "/imapdata" ] 
+VOLUME [ "/ldapdata" ] WORKDIR /root/ diff --git a/docker/kolab/cyrus.conf b/docker/kolab/cyrus.conf new file mode 100644 --- /dev/null +++ b/docker/kolab/cyrus.conf @@ -0,0 +1,46 @@ +# standard standalone server implementation + +START { + # do not delete this entry! + recover cmd="ctl_cyrusdb -r" + + idled cmd="idled" +} + +# UNIX sockets start with a slash and are put into /var/lib/imap/sockets +SERVICES { + nginx cmd="imapd" listen=0.0.0.0:12143 prefork=1 + guam cmd="imapd" listen=0.0.0.0:13143 prefork=1 + imap cmd="imapd" listen=0.0.0.0:11143 prefork=1 + imaps cmd="imapd -s" listen=0.0.0.0:11993 prefork=5 + + sieve cmd="timsieved" listen="sieve" prefork=0 + + ptloader cmd="ptloader" listen="/var/lib/imap/socket/ptsock" prefork=0 + + lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 + + notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1 +} + +EVENTS { + # this is required + checkpoint cmd="ctl_cyrusdb -c" period=30 + + # this is only necessary if using duplicate delivery suppression, + # Sieve or NNTP + duplicateprune cmd="cyr_expire -E 3" at=0400 + + # Expire data older then 69 days. Two full months of 31 days + # each includes two full backup cycles, plus 1 week margin + # because we run our full backups on the first sat/sun night + # of each month. + deleteprune cmd="cyr_expire -E 4 -D 69" at=0430 + expungeprune cmd="cyr_expire -E 4 -X 69" at=0445 + + # this is only necessary if caching TLS sessions + tlsprune cmd="tls_prune" at=0400 + + # Create search indexes regularly (remove -s for cyrus 3+) + #squatter cmd="squatter -s -i" at=0530 +} diff --git a/docker/kolab/utils/10-change-port-numbers.sh b/docker/kolab/guam.conf old mode 100755 new mode 100644 rename from docker/kolab/utils/10-change-port-numbers.sh rename to docker/kolab/guam.conf --- a/docker/kolab/utils/10-change-port-numbers.sh +++ b/docker/kolab/guam.conf 
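Review bot: `chmod -R 777 /imapdata` and `chmod -R 777 /ldapdata /etc/dirsrv` make the IMAP spool, the 389-ds instance configuration (which holds the Directory Manager password hash and the LDAP database) and its PKI directory world-writable inside the image, so any process in the container, including the unprivileged service accounts, can alter the other service's data. The `chown cyrus:mail` on the following line already gives cyrus what it needs, so `chmod -R 777 /imapdata` can be dropped; the LDAP side needs the equivalent ownership change to the account the 389-ds package runs as (`dirsrv` on this base image, to be confirmed) with `chmod -R 750`, not 777. `mv /var/lib/imap /var/lib/imap-bak` also leaves the packaged `/var/lib/imap` contents out of the new volume-backed path; if cyrus recreates them on first start that is fine, but a comment should say so.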
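Review bot: The four imapd listeners now bind `0.0.0.0` where the deleted `10-change-port-numbers.sh` bound `127.0.0.1`, and `imapd.conf` in this commit sets `nginx_allowplaintext: yes` and `guam_allowplaintext: yes`, so the `nginx` service on 12143 and the `guam` service on 13143 accept plaintext logins from anything on the `kolab` bridge network, and 12143 is additionally published to the host by `docker-compose.yml`. Guam runs inside this same container (its config is copied in by the Dockerfile), so `guam cmd="imapd" listen=127.0.0.1:13143 prefork=1` can stay local; only the `nginx` service needs to be reachable from the `proxy` container. A comment on each `listen=` line naming the intended peer would make the difference between the two plaintext ports and the TLS `imaps` one explicit.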
@@ -1,75 +1,3 @@ -#!/bin/bash - -cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem -chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem - -cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem -chown postfix:mail /etc/pki/tls/private/postfix.pem -chmod 655 /etc/pki/tls/private/postfix.pem - -sed -i "s/tls_server_cert:.*/tls_server_cert: \/etc\/pki\/cyrus-imapd\/cyrus-imapd.bundle.pem/" /etc/imapd.conf -sed -i "s/tls_server_key:.*/tls_server_key: \/etc\/pki\/cyrus-imapd\/cyrus-imapd.bundle.pem/" /etc/imapd.conf -sed -i "s/tls_server_ca_file:.*/tls_server_ca_file: \/etc\/pki\/cyrus-imapd\/cyrus-imapd.bundle.pem/" /etc/imapd.conf - -sed -i "s/smtpd_tls_key_file =.*/smtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf -sed -i "s/smtpd_tls_cert_file =.*/smtpd_tls_cert_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf - -sed -i -r \ - -e '/allowplaintext/ a\ -guam_allowplaintext: yes' \ - -e '/allowplaintext/ a\ -nginx_allowplaintext: yes' \ - /etc/imapd.conf - -sed -i \ - -e '/SERVICES/ a\ - nginx cmd="imapd" listen=127.0.0.1:12143 prefork=1' \ - -e '/SERVICES/ a\ - guam cmd="imapd" listen=127.0.0.1:13143 prefork=1' \ - -e '/SERVICES/ a\ - imap cmd="imapd" listen=127.0.0.1:11143 prefork=1' \ - -e 's/listen="127.0.0.1:9993"/listen=127.0.0.1:11993/g' \ - /etc/cyrus.conf - -systemctl restart cyrus-imapd - -# Remove the submission block, by matching from submission until the next empty line -sed -i -e '/submission inet/,/^$/d' /etc/postfix/master.cf - -# Insert a new submission block with a modified port -cat >> /etc/postfix/master.cf << EOF -127.0.0.1:10587 inet n - n - - smtpd - -o cleanup_service_name=cleanup_submission - -o syslog_name=postfix/submission - #-o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o smtpd_sasl_authenticated_header=yes - -o 
smtpd_client_restrictions=permit_sasl_authenticated,reject - -o smtpd_data_restrictions=\$submission_data_restrictions - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions - -o smtpd_sender_restrictions=\$submission_sender_restrictions - -127.0.0.1:10465 inet n - n - - smtpd - -o cleanup_service_name=cleanup_submission - -o rewrite_service_name=rewrite_submission - -o syslog_name=postfix/smtps - -o mydestination= - -o local_recipient_maps= - -o relay_domains= - -o relay_recipient_maps= - #-o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes - -o smtpd_sasl_authenticated_header=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject - -o smtpd_sender_restrictions=\$submission_sender_restrictions - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions - -o smtpd_data_restrictions=\$submission_data_restrictions -EOF - -systemctl restart postfix - -cat > /etc/guam/sys.config << EOF -%% Example configuration for Guam. [ { kolab_guam, [ @@ -158,6 +86,3 @@ ] } ]. -EOF - -systemctl restart guam diff --git a/docker/kolab/imapd.annotations.conf b/docker/kolab/imapd.annotations.conf new file mode 100644 --- /dev/null +++ b/docker/kolab/imapd.annotations.conf 
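Review bot: The script that this rename turns into `guam.conf` also assembled `/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem` from the `SSL_CERTIFICATE*` variables, copied it to `/etc/pki/tls/private/postfix.pem`, and rewrote the postfix `submission` and `smtps` listeners onto 10587/10465, and none of that is re-created in this diff; `docker-compose.yml` still passes `MAIL_PORT=10587` and the new `imapd.conf` still points `tls_server_cert`/`tls_server_key` at the bundle. Presumably the new `05-adjust-configs.sh` invoked from `kolab-init.sh` takes this over, but it is not part of the change, so either include it or say so in the commit description. The hunk starts at the top of the old file and the remainder of the Erlang config continues past this hunk.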
@@ -0,0 +1,11 @@
+/vendor/kolab/activesync,mailbox,string,backend,value.priv,r
+/vendor/kolab/color,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/displayname,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/folder-test,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/folder-type,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/incidences-for,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/pxfb-readable-for,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/uniqueid,mailbox,string,backend,value.shared value.priv,a
+/vendor/kolab/h-share-attr-desc,mailbox,string,backend,value.shared value.priv,a
+/vendor/horde/share-params,mailbox,string,backend,value.shared value.priv,a
+/vendor/x-toltec/test,mailbox,string,backend,value.shared value.priv,a
diff --git a/docker/kolab/imapd.conf b/docker/kolab/imapd.conf
new file mode 100644
--- /dev/null
+++ b/docker/kolab/imapd.conf
@@ -0,0 +1,58 @@
+defaultpartition: default
+configdirectory: /var/lib/imap/
+partition-default: /var/spool/imap/
+admins: cyrus-admin
+sievedir: /var/lib/imap/sieve/
+sendmail: /usr/sbin/sendmail
+sasl_pwcheck_method: saslauthd
+sasl_mech_list: PLAIN LOGIN
+allowplaintext: no
+guam_allowplaintext: yes
+nginx_allowplaintext: yes
+tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
+# uncomment this if you're operating in a DSCP environment (RFC-4594)
+# qosmarking: af13
+auth_mech: pts
+pts_module: ldap
+ptloader_sock: /var/lib/imap/socket/ptsock
+ldap_uri: ldap://127.0.0.1:389
+ldap_sasl: 0
+ldap_base: dc=hosted,dc=com
+ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+ldap_password: Welcome2KolabSystems
+ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
+ldap_user_attribute: mail
+ldap_group_base: dc=mgmt,dc=com
+ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
+ldap_group_scope: one
+ldap_member_base: dc=mgmt,dc=com
+ldap_member_method: attribute
+ldap_member_attribute: nsrole
+ldap_restart: 1
+ldap_timeout: 10
+ldap_time_limit: 10
+unixhierarchysep: 1
+virtdomains: userid
+annotation_definitions: /etc/imapd.annotations.conf
+sieve_extensions: fileinto reject envelope body vacation imapflags notify include regex subaddress relational copy date index
+allowallsubscribe: 0
+allowusermoves: 1
+altnamespace: 1
+hashimapspool: 1
+anysievefolder: 1
+fulldirhash: 0
+sieveusehomedir: 0
+sieve_allowreferrals: 0
+lmtp_downcase_rcpt: 1
+lmtp_fuzzy_mailbox_match: 1
+username_tolower: 1
+deletedprefix: DELETED
+delete_mode: delayed
+expunge_mode: delayed
+postuser: shared
+# on systems with cyrus 3+ specify search engine
+# search_engine: squat
+ldap_domain_base_dn: ou=Domains,dc=mgmt,dc=com
+chatty: 1
+debug: 1
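Review bot: `ldap_password: Welcome2KolabSystems` is baked into every image by the `COPY imapd.conf /etc/imapd.conf` line in the Dockerfile, while `kolab-init.sh` still runs `10-reset-kolab-service-password.sh` and `11-reset-cyrus-admin-password.sh` at container start; unless one of those rewrites this file (not visible in the diff), the bind password in the image and the one set at init time will diverge, and a leaked image reveals a working default. `debug: 1` and `chatty: 1` at the end turn on verbose per-command syslog output for every connection, which belongs in a dev override rather than the file shipped in the image. `tls_server_cert`/`tls_server_key` still point at `/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem`, which the deleted `10-change-port-numbers.sh` used to assemble; the step that now produces it should be named in a comment on these lines.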
diff --git a/docker/kolab/kolab-init.service b/docker/kolab/kolab-init.service --- a/docker/kolab/kolab-init.service +++ b/docker/kolab/kolab-init.service @@ -1,12 +1,13 @@ [Unit] Description=Kolab Setup Service Requires=kolab-setenv.service -After=kolab-setenv.service +After=kolab-setenv.service ldapdata.mount imapdata.mount [Service] Type=oneshot EnvironmentFile=/etc/openshift-environment ExecStart=/usr/local/sbin/kolab-init.sh +RemainAfterExit=yes [Install] WantedBy=multi-user.target diff --git a/docker/kolab/kolab-init.sh b/docker/kolab/kolab-init.sh --- a/docker/kolab/kolab-init.sh +++ b/docker/kolab/kolab-init.sh 
@@ -1,38 +1,15 @@ #!/bin/bash -if [ -d "/etc/dirsrv/slapd-kolab/" ]; then - exit 0 -fi - -cp -av /bin/true /usr/sbin/ds_systemd_ask_password_acl - pushd /root/utils/ ./01-reverse-etc-hosts.sh && echo "01 done" ./02-write-my.cnf.sh && echo "02 done" -./03-setup-kolab.sh && echo "03 done" +./03-setup-ldap.sh && echo "03 ldap done" +./03-setup-kolab.sh && echo "03 kolab done" ./04-reset-mysql-kolab-password.sh && echo "04 done" -./05-replace-localhost.sh && echo "05 done" -./06-mysql-for-kolabdev.sh && echo "06 done" -./07-adjust-base-dns.sh && echo "07 done" -./08-disable-amavisd.sh && echo "08 done" -./09-enable-debugging.sh && echo "09 done" -./10-change-port-numbers.sh && echo "10 done" +./05-adjust-configs.sh && echo "05 done" ./10-reset-kolab-service-password.sh && echo "10 done" ./11-reset-cyrus-admin-password.sh && echo "11 done" -./12-create-hosted-kolab-service.sh && echo "12 done" -./13-create-ou-domains.sh && echo "13 done" -./14-create-management-domain.sh && echo "14 done" -./15-create-hosted-domain.sh && echo "15 done" -./16-remove-cn-kolab-cn-config.sh && echo "16 done" -./17-remove-hosted-service-access-from-mgmt-domain.sh && echo "17 done" -./18-adjust-kolab-conf.sh && echo "18 done" -./19-turn-on-vlv-in-roundcube.sh && echo "19 done" -./20-add-alias-attribute-index.sh && echo "20 done" -./21-adjust-postfix-config.sh && echo "21 done" -# FIXME we can only create the resource once the owner exists -#./22-create-resource.sh && echo "22 done" ./23-patch-system.sh && echo "23 done" -./24-roundcubeconfig.sh && echo "24 done" touch /tmp/kolab-init.done diff --git a/docker/kolab/kolab-vlv.service b/docker/kolab/kolab-vlv.service deleted file mode 100644 --- a/docker/kolab/kolab-vlv.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Kolab VLV and SSS Service - -[Service] -Type=oneshot -ExecStart=/usr/local/sbin/kolab-vlv.sh - -[Install] -WantedBy=multi-user.target 
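Review bot: The script has no `set -e`, so a failing step only skips its `echo` and execution continues to `touch /tmp/kolab-init.done`, and because the exit status is that of the final `touch`, the `kolab-init` unit (now `RemainAfterExit=yes`) reports active and the compose healthcheck `systemctl is-active kolab-init` passes even when `setup-kolab` failed. Adding `set -e` after the shebang, or `|| exit 1` on each step, makes the healthcheck meaningful. Removing the `if [ -d "/etc/dirsrv/slapd-kolab/" ]; then exit 0` guard while `/ldapdata` becomes a persistent volume also means every container restart re-runs `03-setup-ldap.sh`, `03-setup-kolab.sh` and the password resets against an already-initialised directory; if those scripts carry their own guards (not shown here) a comment at the top saying so would help, otherwise the guard should come back keyed on the volume.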
diff --git a/docker/kolab/kolab-vlv.sh b/docker/kolab/kolab-vlv.sh
deleted file mode 100755
--- a/docker/kolab/kolab-vlv.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-pushd /root/utils/
-
-while [ ! -f /tmp/kolab-init.done ]; do
- sleep 5
-done
-
-./50-add-vlv-searches.sh
-./51-add-vlv-indexes.sh
-./52-run-vlv-index-tasks.sh
diff --git a/docker/kolab/kolab.conf b/docker/kolab/kolab.conf
new file mode 100644
--- /dev/null
+++ b/docker/kolab/kolab.conf
@@ -0,0 +1,83 @@
+[kolab]
+primary_domain = mgmt.com
+auth_mechanism = ldap
+imap_backend = cyrus-imap
+default_locale = en_US
+sync_interval = 300
+domain_sync_interval = 600
+policy_uid = %(surname)s.lower()
+daemon_rcpt_policy = False
+[imap]
+virtual_domains = userid
+
+[ldap]
+ldap_uri = ldap://127.0.0.1:389
+timeout = 10
+supported_controls = 0,2,3
+base_dn = dc=mgmt,dc=com
+bind_dn = cn=Directory Manager
+bind_pw = Welcome2KolabSystems
+service_bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+service_bind_pw = Welcome2KolabSystems
+user_base_dn = dc=hosted,dc=com
+user_scope = sub
+user_filter = (objectclass=inetorgperson)
+kolab_user_base_dn = dc=hosted,dc=com
+kolab_user_filter = (objectclass=kolabinetorgperson)
+group_base_dn = dc=hosted,dc=com
+group_filter = (|(objectclass=groupofuniquenames)(objectclass=groupofurls))
+group_scope = sub
+kolab_group_filter = (|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))
+sharedfolder_base_dn = dc=hosted,dc=com
+sharedfolder_filter = (objectclass=kolabsharedfolder)
+sharedfolder_acl_entry_attribute = acl
+resource_base_dn = dc=hosted,dc=com
+resource_filter = (|%(group_filter)s(objectclass=kolabsharedfolder))
+domain_base_dn = ou=Domains,dc=mgmt,dc=com
+domain_filter = (&(associatedDomain=*))
+domain_name_attribute = associateddomain
+domain_rootdn_attribute = inetdomainbasedn
+quota_attribute = mailquota
+modifytimestamp_format = %Y%m%d%H%M%SZ
+unique_attribute = nsuniqueid
+mail_attributes = mail, alias
+mailserver_attribute = mailhost
+auth_attributes = mail, uid
+
+[kolab_smtp_access_policy]
+cache_uri = mysql://kolab:Welcome2KolabSystems@mariadb/kolab
+cache_retention = 86400
+address_search_attrs = mail, alias
+delegate_sender_header = True
+alias_sender_header = True
+sender_header = True
+xsender_header = True
+empty_sender_hosts = 3.2.1.0/24, 6.6.6.0/24
+
+[kolab_wap]
+mgmt_root_dn = dc=mgmt,dc=com
+hosted_root_dn = dc=hosted,dc=com
+api_url = 
http://127.0.0.1:9080/kolab-webadmin/api +skin = default +sql_uri = mysql://kolab:Welcome2KolabSystems@mariadb/kolab +ssl_verify_peer = false +ssl_verify_host = false + +[cyrus-imap] +uri = imaps://127.0.0.1:11993 +admin_login = cyrus-admin +admin_password = Welcome2KolabSystems + +[cyrus-sasl] +result_attribute = mail + +[wallace] +webmail_url = https://%(domain)s/roundcubemail +modules = resources, invitationpolicy +kolab_invitation_policy = ACT_ACCEPT_IF_NO_CONFLICT:example.org, ACT_MANUAL +invitationpolicy_autoupdate_other_attendees_on_reply = false +resource_calendar_expire_days = 100 + +[mgmt.com] +default_quota = 1048576 +daemon_rcpt_policy = False diff --git a/docker/kolab/utils/02-write-my.cnf.sh b/docker/kolab/utils/02-write-my.cnf.sh --- a/docker/kolab/utils/02-write-my.cnf.sh +++ b/docker/kolab/utils/02-write-my.cnf.sh @@ -2,7 +2,7 @@ cat > /root/.my.cnf << EOF [client] -host=${DB_HOST:-127.0.0.1} +host=${DB_HOST} user=root password=${DB_ROOT_PASSWORD} EOF diff --git a/docker/kolab/utils/03-setup-kolab.sh b/docker/kolab/utils/03-setup-kolab.sh --- a/docker/kolab/utils/03-setup-kolab.sh +++ b/docker/kolab/utils/03-setup-kolab.sh @@ -2,20 +2,6 @@ . ./settings.sh -if [ -f /root/kolab.conf.template ]; then - eval "echo \"$(cat /root/kolab.conf.template)\"" > /root/kolab.conf.ref - KOLAB_CONFIG_REF="--config=/root/kolab.conf.ref" - cp -f ${KOLAB_CONFIG_REF#--config=} /etc/kolab/kolab.conf -fi - -CMD="$(which setup-kolab) \ - --default ${LDAP_HOST+--without-ldap} ${KOLAB_CONFIG_REF} \ - --fqdn=kolab.${domain} \ - --timezone=Europe/Zurich \ - --mysqlhost=${DB_HOST:-127.0.0.1} \ - --mysqlserver=existing \ - --mysqlrootpw=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ - --directory-manager-pwd=${LDAP_ADMIN_BIND_PW:-Welcome2KolabSystems}" echo ${CMD} | tee -a /root/setup-kolab.log echo -n "Wait for MariaDB container: " | tee -a /root/setup-kolab.log 
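Review bot: This kolab.conf commits the Directory Manager password (`bind_pw`), the kolab-service password (`service_bind_pw`), the cyrus-admin password (`admin_password`) and the MySQL credentials in `cache_uri`/`sql_uri` to the repository as the literal `Welcome2KolabSystems`, while the surrounding scripts take those secrets from `LDAP_ADMIN_BIND_PW`, `DB_ROOT_PASSWORD` and `settings.sh`. The deleted 05-replace-localhost.sh used to rewrite `ldap_uri`, `cache_uri`, `sql_uri` and `uri` in /etc/kolab/kolab.conf from the environment and the new 05-adjust-configs.sh does not touch that file, so if this file is installed as /etc/kolab/kolab.conf (presumably by the image build, not visible here) the static values are what runs, and any non-default `DB_KOLAB_PASSWORD` or `LDAP_ADMIN_BIND_PW` will simply break authentication. Either keep it as a template rendered from the environment, as the removed `kolab.conf.template` eval in 03-setup-kolab.sh did, or add `sed -i` rewrites of `bind_pw`, `service_bind_pw`, `admin_password`, `cache_uri` and `sql_uri` to 05-adjust-configs.sh and replace the literals here with placeholders. `ssl_verify_peer = false` / `ssl_verify_host = false` under `[kolab_wap]` disable certificate checks for the webadmin API; that is harmless for the loopback `http://127.0.0.1:9080` URL but should carry a comment such as `; API is plain HTTP on loopback; re-enable verification if api_url becomes https` so it is not carried over to a TLS deployment.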
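Review bot: `echo ${CMD} | tee -a /root/setup-kolab.log` survives the removal of the `CMD=...` assignment directly above it, so at this point it logs an empty line, or whatever `CMD` happens to be in the caller's environment. Drop the line, or move it next to the first `CMD="$(which setup-kolab) mta ..."` assignment that follows. Note that the removed assignment also stopped `--mysqlrootpw` and `--directory-manager-pwd` from being echoed into setup-kolab.log, so if the per-component commands are logged again later, keep secrets out of the logged string.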
@@ -25,14 +11,76 @@ done | tee -a /root/setup-kolab.log echo "OK!" | tee -a /root/setup-kolab.log -if [ ! -z "${LDAP_HOST}" ]; then - echo -n "Wait for DS389 container: " | tee -a /root/setup-kolab.log - while ! ldapsearch -h ${LDAP_HOST} -D "${LDAP_ADMIN_BIND_DN}" -w "${LDAP_ADMIN_BIND_PW}" -b "" -s base > /dev/null 2>&1 ; do - echo -n '.' - sleep 3 - done | tee -a /root/setup-kolab.log - echo "OK!" | tee -a /root/setup-kolab.log +echo -n "Wait for DS389 container: " | tee -a /root/setup-kolab.log +while ! ldapsearch -h ${LDAP_HOST} -D "${LDAP_ADMIN_BIND_DN}" -w "${LDAP_ADMIN_BIND_PW}" -b "" -s base > /dev/null 2>&1 ; do + echo -n '.' + sleep 3 +done | tee -a /root/setup-kolab.log +echo "OK!" | tee -a /root/setup-kolab.log + + +cat > /tmp/kolab-setup-my.cnf << EOF +[client] +host=${DB_HOST} +user=root +password=${DB_ROOT_PASSWORD} +EOF + + +CMD="$(which setup-kolab) mta \ + --default" +${CMD} 2>&1 | tee -a /root/setup-kolab.log + + + +CMD="$(which setup-kolab) php \ + --default \ + --timezone=Europe/Zurich" +${CMD} 2>&1 | tee -a /root/setup-kolab.log + +# setup imap +if [ -f "/var/lib/imap/db" ]; then + echo "IMAP directory exists, nothing to do" +else + echo "Initializing IMAP volume" + cp -ar /var/lib/imap-bak/* /var/lib/imap/ + systemctl start cyrus-imapd fi +systemctl stop saslauthd +systemctl start kolab-saslauthd +systemctl enable kolab-saslauthd +#Setup guam +systemctl start guam +systemctl enable guam + + +#TODO just add /etc/kolab-freebusy/ +# CMD="$(which setup-kolab) freebusy \ +# --default" +# ${CMD} 2>&1 | tee -a /root/setup-kolab.log + +cat > /tmp/kolab-setup-my.cnf << EOF +[client] +host=${DB_HOST} +user=root +password=${DB_ROOT_PASSWORD} +EOF + +# Configure roundcube and setup db +# The db setup will just fail if the db already exists, +# but no harm done +CMD="$(which setup-kolab) roundcube \ + --default" +${CMD} 2>&1 | tee -a /root/setup-kolab.log + +cat > /tmp/kolab-setup-my.cnf << EOF +[client] +host=${DB_HOST} +user=root 
+password=${DB_ROOT_PASSWORD} +EOF +CMD="$(which setup-kolab) syncroton \ + --default" ${CMD} 2>&1 | tee -a /root/setup-kolab.log diff --git a/docker/kolab/utils/03-setup-ldap.sh b/docker/kolab/utils/03-setup-ldap.sh new file mode 100755 --- /dev/null +++ b/docker/kolab/utils/03-setup-ldap.sh 
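Review bot: `/tmp/kolab-setup-my.cnf` is written three times with the MariaDB root password via a plain `cat >`, which creates it with the process umask (typically 0644, world-readable) in a shared directory, and nothing removes it after the last `setup-kolab syncroton` call, so the root password stays on disk in /tmp for the life of the container. Write it once under a restrictive umask and clean it up on exit, e.g. `umask 077` before the heredoc and `trap 'rm -f /tmp/kolab-setup-my.cnf' EXIT` near the top of the script; the three identical heredocs can then collapse into one. The DS389 wait loop passes the Directory Manager password on the `ldapsearch` command line with `-w "${LDAP_ADMIN_BIND_PW}"`, which exposes it in the process list of every process in the container; `-y <passfile>` avoids that. Also, `systemctl start cyrus-imapd` only runs in the "Initializing IMAP volume" branch, so on a restart with an existing /var/lib/imap/db the service is never started here; presumably something else starts it, but a comment would make that explicit.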
@@ -0,0 +1,259 @@ +#!/bin/bash + +. ./settings.sh + +cp -av /bin/true /usr/sbin/ds_systemd_ask_password_acl + +if [ -f "/etc/dirsrv/slapd-kolab/dse.ldif" ]; then + echo "LDAP directory exists, nothing to do" + + mkdir -p /var/log/dirsrv/slapd-kolab/ + chmod 777 /var/log/dirsrv/slapd-kolab/ + systemctl start dirsrv@kolab + mkdir /run/dirsrv + chmod 777 /run/dirsrv + mkdir -p /run/lock/dirsrv/slapd-kolab/ + chmod 777 /run/lock/dirsrv/slapd-kolab/ + mkdir -p /var/lib/dirsrv/slapd-kolab + chown dirsrv:dirsrv /var/lib/dirsrv/slapd-kolab + + systemctl start dirsrv@kolab +else + sed -i -e 's/sys.exit/print("exit") #sys.exit/' /usr/lib/python3.6/site-packages/pykolab/setup/setup_ldap.py + + echo "LDAP directory does not exist, setting it up." + CMD="$(which setup-kolab) ldap \ + --default ${LDAP_HOST} \ + --fqdn=kolab.${domain} \ + --directory-manager-pwd=${LDAP_ADMIN_BIND_PW}" + ${CMD} 2>&1 | tee -a /root/setup-kolab.log + + + # Create hosted kolab service + ( + echo "dn: uid=hosted-kolab-service,ou=Special Users,${rootdn}" + echo "objectclass: top" + echo "objectclass: inetorgperson" + echo "objectclass: person" + echo "uid: hosted-kolab-service" + echo "cn: Hosted Kolab Service Account" + echo "sn: Service Account" + echo "givenname: Hosted Kolab" + echo "userpassword: ${hosted_kolab_service_pw}" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + # Create ou domain + ( + echo "dn: ou=Domains,${rootdn}" + echo "ou: Domains" + echo "objectClass: top" + echo "objectClass: organizationalunit" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + # Create management domain + ( + echo "dn: associateddomain=${domain},${domain_base_dn}" + echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)" + echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn 
= \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" + echo "inetDomainStatus: active" + echo "objectClass: top" + echo "objectClass: domainrelatedobject" + echo "objectClass: inetdomain" + echo "associatedDomain: ${domain}" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + + # Create hosted domains + ( + echo "dn: associateddomain=${hosted_domain},${domain_base_dn}" + echo "objectclass: top" + echo "objectclass: domainrelatedobject" + echo "objectclass: inetdomain" + echo "inetdomainstatus: active" + echo "associateddomain: ${hosted_domain}" + echo "inetdomainbasedn: ${hosted_domain_rootdn}" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + ( + echo "dn: cn=$(echo ${hosted_domain} | sed -e 's/\./_/g'),cn=ldbm database,cn=plugins,cn=config" + echo "objectClass: top" + echo "objectClass: extensibleobject" + echo "objectClass: nsbackendinstance" + echo "cn: $(echo ${hosted_domain} | sed -e 's/\./_/g')" + echo "nsslapd-suffix: ${hosted_domain_rootdn}" + echo "nsslapd-cachesize: -1" + echo "nsslapd-cachememsize: 10485760" + echo "nsslapd-readonly: off" + echo "nsslapd-require-index: off" + echo "nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')" + echo "nsslapd-dncachememsize: 10485760" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + ( + #On centos7 + #echo "dn: cn=$(echo ${hosted_domain_rootdn} | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g'),cn=mapping tree,cn=config" + #On centos8 + echo "dn: cn=\"${hosted_domain_rootdn}\",cn=mapping tree,cn=config" + echo "objectClass: top" + echo "objectClass: extensibleObject" + echo "objectClass: nsMappingTree" + echo "nsslapd-state: backend" + echo "cn: ${hosted_domain_rootdn}" + echo "nsslapd-backend: $(echo ${hosted_domain} | sed -e 's/\./_/g')" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + ( + 
echo "dn: ${hosted_domain_rootdn}" + echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)" + echo "aci: (targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${hosted_domain_rootdn}\" or roledn=\"ldap:///cn=kolab-admin,${hosted_domain_rootdn}\");)" + echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)" + echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)" + echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)" + echo "objectClass: top" + echo "objectClass: domain" + echo "dc: $(echo ${hosted_domain} | cut -d'.' 
-f 1)" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + ( + for role in "2fa-user" "activesync-user" "imap-user"; do + echo "dn: cn=${role},${hosted_domain_rootdn}" + echo "cn: ${role}" + echo "description: ${role} role" + echo "objectclass: top" + echo "objectclass: ldapsubentry" + echo "objectclass: nsmanagedroledefinition" + echo "objectclass: nsroledefinition" + echo "objectclass: nssimpleroledefinition" + echo "" + done + + echo "dn: ou=Groups,${hosted_domain_rootdn}" + echo "ou: Groups" + echo "objectClass: top" + echo "objectClass: organizationalunit" + echo "" + + echo "dn: ou=People,${hosted_domain_rootdn}" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" + echo "ou: People" + echo "objectClass: top" + echo "objectClass: organizationalunit" + echo "" + + echo "dn: ou=Special Users,${hosted_domain_rootdn}" + echo "ou: Special Users" + echo "objectClass: top" + echo "objectClass: organizationalunit" + echo "" + + echo "dn: ou=Resources,${hosted_domain_rootdn}" + echo "ou: Resources" + echo "objectClass: top" + echo "objectClass: organizationalunit" + echo "" + + echo "dn: ou=Shared Folders,${hosted_domain_rootdn}" + echo "ou: Shared Folders" + echo "objectClass: top" + echo "objectClass: organizationalunit" + echo "" + + echo "dn: uid=cyrus-admin,ou=Special Users,${hosted_domain_rootdn}" + echo "sn: Administrator" + echo "uid: cyrus-admin" + echo "objectClass: top" + echo "objectClass: person" + echo "objectClass: inetorgperson" + echo "objectClass: organizationalperson" + echo "givenName: Cyrus" + echo "cn: Cyrus Administrator" + echo "" + + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + + # Remove cn kolab cn config + ( + echo "associateddomain=${domain},cn=kolab,cn=config" + echo "cn=kolab,cn=config" + ) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" 
-c + + + # Remove hosted service access from mgmt domain + ( + echo "dn: associateddomain=${domain},ou=Domains,${rootdn}" + echo "changetype: modify" + echo "replace: aci" + echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)" + echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" + echo "" + ) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" + + + # Add alias attribute index + # + export index_attr=alias + + ( + echo "dn: cn=${index_attr},cn=index,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config" + echo "objectclass: top" + echo "objectclass: nsindex" + echo "cn: ${index_attr}" + echo "nsSystemIndex: false" + echo "nsindextype: pres" + echo "nsindextype: eq" + echo "nsindextype: sub" + + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c + + + ( + echo "dn: cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" + echo "objectclass: top" + echo "objectclass: extensibleObject" + echo "cn: ${hosted_domain_db} ${index_attr} index" + echo "nsinstance: ${hosted_domain_db}" + echo "nsIndexAttribute: ${index_attr}:pres" + echo "nsIndexAttribute: ${index_attr}:eq" + echo "nsIndexAttribute: ${index_attr}:sub" + echo "" + ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c + + ldap_complete=0 + + while [ ${ldap_complete} -ne 1 ]; do + result=$( + ldapsearch \ + -x \ + -h "${ldap_host}" \ + -D "${ldap_binddn}" \ + -w "${ldap_bindpw}" \ + -c \ + -LLL \ + -b "cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" \ + '(!(nstaskexitcode=0))' \ + -s base 2>/dev/null + ) + if [ -z "$result" ]; then + ldap_complete=1 + echo "" + else + echo -n "." 
+ sleep 1 + fi + done + + ./50-add-vlv-searches.sh + ./51-add-vlv-indexes.sh + ./52-run-vlv-index-tasks.sh +fi + diff --git a/docker/kolab/utils/04-reset-mysql-kolab-password.sh b/docker/kolab/utils/04-reset-mysql-kolab-password.sh --- a/docker/kolab/utils/04-reset-mysql-kolab-password.sh +++ b/docker/kolab/utils/04-reset-mysql-kolab-password.sh @@ -18,3 +18,5 @@ mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \ -e "SET PASSWORD FOR '${DB_RC_USERNAME}'@'%' = PASSWORD('${DB_RC_PASSWORD}');" +mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \ + -e "GRANT ALL PRIVILEGES ON roundcube.* TO '${DB_RC_USERNAME}'@'%' IDENTIFIED BY '${DB_RC_PASSWORD}';" diff --git a/docker/kolab/utils/05-adjust-configs.sh b/docker/kolab/utils/05-adjust-configs.sh new file mode 100755 --- /dev/null +++ b/docker/kolab/utils/05-adjust-configs.sh 
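Review bot: In the "LDAP directory exists" branch, `chmod 777` is applied to `/var/log/dirsrv/slapd-kolab/`, `/run/dirsrv` and `/run/lock/dirsrv/slapd-kolab/`, making the log, pid and lock directories world-writable, whereas the data directory two lines later is correctly handed to the service with `chown dirsrv:dirsrv`; the same `chown dirsrv:dirsrv` with a `chmod 750` (or `755` for /run/dirsrv) is what the directory server needs, and world-writable log and pid directories let any local user replace the pid file or logs. The `sed -i -e 's/sys.exit/print("exit") #sys.exit/' .../pykolab/setup/setup_ldap.py` patch neutralizes every exit in that module, including the failure exits, so a failed `setup-kolab ldap` falls straight through into the ldapadd sequence with no non-zero status to stop on; narrow the patch to the one check being worked around, and at least add a comment explaining which exit it is meant to bypass. Every `ldapadd`/`ldapmodify`/`ldapdelete`/`ldapsearch` here passes the Directory Manager password with `-w "${ldap_bindpw}"`, visible in the process list; a file written under `umask 077` and passed with `-y` fixes all of them. `--default ${LDAP_HOST}` in the `setup-kolab ldap` command hands the hostname to setup-kolab as a bare positional argument, which looks unintended; confirm it is not meant to be a `--ldap-host=`-style option.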
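Review bot: The added `GRANT ALL PRIVILEGES ON roundcube.* TO '${DB_RC_USERNAME}'@'%' IDENTIFIED BY '${DB_RC_PASSWORD}';` splices the password into the SQL string unescaped, so a `'` or `\` in `DB_RC_PASSWORD` breaks the statement or changes it; the `SET PASSWORD ... PASSWORD('${DB_RC_PASSWORD}')` line above has the same shape, and this hunk now asserts the secret twice. Since the password has just been set, `GRANT ALL PRIVILEGES ON roundcube.* TO '${DB_RC_USERNAME}'@'%';` without the `IDENTIFIED BY` clause is enough and keeps the secret in one statement. The `'%'` host wildcard is presumably required because the database is reached over the docker network; a comment stating that would save the next reader from tightening it.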
@@ -0,0 +1,166 @@ +#!/bin/bash + +# Replace localhost +sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/iRony/dav.inc.php +sed -i -e "/host/s/localhost/${LDAP_HOST}/g" \ + -e "/fbsource/s/localhost/${IMAP_HOST}/g" /etc/kolab-freebusy/config.ini +#sed -i -e "s/server_host.*/server_host = ${LDAP_HOST}/g" /etc/postfix/ldap/* +sed -i -e "/password_ldap_host/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/password.inc.php +sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/kolab_auth.inc.php +sed -i -e "s#.*db_dsnw.*# \$config['db_dsnw'] = 'mysql://${DB_RC_USERNAME}:${DB_RC_PASSWORD}@${DB_HOST}/roundcube';#" \ + -e "/default_host/s|= .*$|= 'ssl://${IMAP_HOST}';|" \ + -e "/default_port/s|= .*$|= ${IMAP_PORT};|" \ + -e "/smtp_server/s|= .*$|= 'tls://${MAIL_HOST}';|" \ + -e "/smtp_port/s/= .*$/= ${MAIL_PORT};/" \ + -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/config.inc.php +sed -i -e "/hosts/s/localhost/${LDAP_HOST}/" /etc/roundcubemail/calendar.inc.php + + +. ./settings.sh + +#Adjust basedn +sed -i -r \ + -e "s/(\s+)base => '.*',$/\1base => '${hosted_domain_rootdn}',/g" \ + -e "/\\\$mydomain = / a\ +\$myhostname = '${HOSTNAME:-kolab}.${DOMAIN:-mgmt.com}';" \ + -e "s/^base_dn = .*$/base_dn = ${hosted_domain_rootdn}/g" \ + -e "s/^search_base = .*$/search_base = ${hosted_domain_rootdn}/g" \ + -e "s/(\s+)'base_dn'(\s+)=> '.*',/\1'base_dn'\2=> '${hosted_domain_rootdn}',/g" \ + -e "s/(\s+)'search_base_dn'(\s+)=> '.*',/\1'search_base_dn'\2=> '${hosted_domain_rootdn}',/g" \ + -e "s/(\s+)'user_specific'(\s+)=> false,/\1'user_specific'\2=> true,/g" \ + /etc/amavisd/amavisd.conf \ + /etc/kolab-freebusy/config.ini \ + /etc/postfix/ldap/*.cf \ + /etc/roundcubemail/config.inc.php \ + /etc/roundcubemail/calendar.inc.php \ + /etc/roundcubemail/kolab_auth.inc.php + +sed -i -r \ + -e "s/^search_base = .*$/search_base = ${domain_base_dn}/g" \ + /etc/postfix/ldap/mydestination.cf + + +#Disable amavisd +postconf -e content_filter='smtp-wallace:[127.0.0.1]:10026' + 
+systemctl stop amavisd +systemctl disable amavisd + +systemctl stop clamd@amavisd +systemctl disable clamd@amavisd + + +# Change port numbers +cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem +chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem + +cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem +chown postfix:mail /etc/pki/tls/private/postfix.pem +chmod 655 /etc/pki/tls/private/postfix.pem + +sed -i "s/smtpd_tls_key_file =.*/smtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf +sed -i "s/smtpd_tls_cert_file =.*/smtpd_tls_cert_file = \/etc\/pki\/tls\/private\/postfix.pem/" /etc/postfix/main.cf + +# Remove the submission block, by matching from submission until the next empty line +sed -i -e '/submission inet/,/^$/d' /etc/postfix/master.cf + +# Insert a new submission block with a modified port +cat >> /etc/postfix/master.cf << EOF +127.0.0.1:10587 inet n - n - - smtpd + -o cleanup_service_name=cleanup_submission + -o syslog_name=postfix/submission + #-o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_authenticated_header=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_data_restrictions=\$submission_data_restrictions + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions + -o smtpd_sender_restrictions=\$submission_sender_restrictions + +127.0.0.1:10465 inet n - n - - smtpd + -o cleanup_service_name=cleanup_submission + -o rewrite_service_name=rewrite_submission + -o syslog_name=postfix/smtps + -o mydestination= + -o local_recipient_maps= + -o relay_domains= + -o relay_recipient_maps= + #-o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_authenticated_header=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_sender_restrictions=\$submission_sender_restrictions + -o 
smtpd_recipient_restrictions=\$submission_recipient_restrictions + -o smtpd_data_restrictions=\$submission_data_restrictions +EOF + + +sed -i -r \ + -e "s/'vlv'(\s+)=> false,/'vlv'\1=> true,/g" \ + -e "s/'vlv_search'(\s+)=> false,/'vlv_search'\1=> true,/g" \ + -e "s/inetOrgPerson/inetorgperson/g" \ + -e "s/kolabInetOrgPerson/inetorgperson/g" \ + /etc/roundcubemail/*.inc.php + + +# Adjust postfix + +# new: (inetdomainstatus:1.2.840.113556.1.4.803:=1) +# active: (inetdomainstatus:1.2.840.113556.1.4.803:=2) +# suspended: (inetdomainstatus:1.2.840.113556.1.4.803:=4) +# deleted: (inetdomainstatus:1.2.840.113556.1.4.803:=8) +# confirmed: (inetdomainstatus:1.2.840.113556.1.4.803:=16) +# verified: (inetdomainstatus:1.2.840.113556.1.4.803:=32) +# ready: (inetdomainstatus:1.2.840.113556.1.4.803:=64) + +sed -i -r \ + -e 's/^query_filter.*$/query_filter = (\&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4)))/g' \ + /etc/postfix/ldap/mydestination.cf + +# new: (inetuserstatus:1.2.840.113556.1.4.803:=1) +# active: (inetuserstatus:1.2.840.113556.1.4.803:=2) +# suspended: (inetuserstatus:1.2.840.113556.1.4.803:=4) +# deleted: (inetuserstatus:1.2.840.113556.1.4.803:=8) +# ldapready: (inetuserstatus:1.2.840.113556.1.4.803:=16) +# imapready: (inetuserstatus:1.2.840.113556.1.4.803:=32) + +sed -i -r \ + -e 's/^query_filter.*$/query_filter = (\&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4)))/g' \ + /etc/postfix/ldap/local_recipient_maps.cf + +systemctl restart postfix + + + +sed -i -r -e "s|$config\['kolab_files_url'\] = .*$|$config['kolab_files_url'] = 'https://' \. \$_SERVER['HTTP_HOST'] . 
'/chwala/';|g" /etc/roundcubemail/kolab_files.inc.php + +sed -i -r -e "s|$config\['kolab_invitation_calendars'\] = .*$|$config['kolab_invitation_calendars'] = true;|g" /etc/roundcubemail/calendar.inc.php + +sed -i -r -e "/^.*'contextmenu',$/a 'enigma'," /etc/roundcubemail/config.inc.php + +sed -i -r -e "s|$config\['enigma_passwordless'\] = .*$|$config['enigma_passwordless'] = true;|g" /etc/roundcubemail/enigma.inc.php +sed -i -r -e "s|$config\['enigma_multihost'\] = .*$|$config['enigma_multihost'] = true;|g" /etc/roundcubemail/enigma.inc.php + +echo "\$config['enigma_woat'] = true;" >> /etc/roundcubemail/enigma.inc.php + +# Run it over haproxy then nginx for 2fa. We need to use startls because otherwise the proxy protocol doesn't work. +sed -i -r -e "s|$config\['default_host'\] = .*$|$config['default_host'] = 'tls://haproxy';|g" /etc/roundcubemail/config.inc.php +sed -i -r -e "s|$config\['default_port'\] = .*$|$config['default_port'] = 145;|g" /etc/roundcubemail/config.inc.php + +# So we can just append +sed -i "s/?>//g" /etc/roundcubemail/config.inc.php + +# Enable the PROXY protocol +cat << EOF >> /etc/roundcubemail/config.inc.php + \$config['imap_conn_options'] = Array( + 'ssl' => Array( + 'verify_peer_name' => false, + 'verify_peer' => false, + 'allow_self_signed' => true + ), + 'proxy_protocol' => 2 + ); + \$config['proxy_whitelist'] = array('127.0.0.1', '172.18.0.7'); +EOF + +echo "?>" >> /etc/roundcubemail/config.inc.php diff --git a/docker/kolab/utils/05-replace-localhost.sh b/docker/kolab/utils/05-replace-localhost.sh deleted file mode 100755 --- a/docker/kolab/utils/05-replace-localhost.sh +++ /dev/null 
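Review bot: `cat ${SSL_CERTIFICATE} ${SSL_CERTIFICATE_FULLCHAIN} ${SSL_CERTIFICATE_KEY} > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem` puts the private key into the bundle, yet the file only gets a `chown cyrus:mail` and keeps the umask-derived mode (typically 0644), and its copy at /etc/pki/tls/private/postfix.pem is then explicitly set to `chmod 655`, i.e. readable by every account in the container; use `chmod 640 /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem` and `chmod 640 /etc/pki/tls/private/postfix.pem` (the owning service reads through the group, nobody else needs the key). The `proxy_whitelist` appended to config.inc.php trusts PROXY-protocol headers from a hard-coded `172.18.0.7`, which looks like a docker-assigned address for the haproxy container; if the network is renumbered the trust either silently breaks or lands on whichever container gets that address, which can then spoof client IPs, so derive it from a variable or the service name. `verify_peer => false` / `allow_self_signed => true` on the IMAP connection disable certificate checks towards haproxy; acceptable for container-local traffic but worth a comment stating that assumption. Separately, the sed expressions such as `"s|$config\['kolab_files_url'\] = .*$|$config['kolab_files_url'] = ...|g"` leave `$config` unescaped inside double quotes, so the shell expands it to an empty string and the match succeeds only because `['kolab_files_url'] = ...` is a substring; escape it as `\$config` to make the pattern mean what it reads.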
@@ -1,30 +0,0 @@ -#!/bin/bash - -if [[ ${DB_HOST} == "localhost" || ${DB_HOST} == "127.0.0.1" ]]; then - mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD} \ - -e "UPDATE mysql.db SET Host = '127.0.0.1' WHERE Host = 'localhost';" - - mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD} \ - -e "FLUSH PRIVILEGES;" -fi - -sed -i -e "s#^ldap_servers:.*#ldap_servers: ldap://${LDAP_HOST:-127.0.0.1}:389#" /etc/imapd.conf -sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/iRony/dav.inc.php -sed -i -e "s#^ldap_uri.*#ldap_uri = ldap://${LDAP_HOST:-127.0.0.1}:389#" \ - -e "s#^cache_uri.*mysql://\(.*\):\(.*\)@\(.*\)\/\(.*\)#cache_uri = mysql://${DB_KOLAB_USERNAME}:${DB_KOLAB_PASSWORD}@${DB_HOST}/${DB_KOLAB_DATABASE}#" \ - -e "s#^sql_uri.*mysql://\(.*\):\(.*\)@\(.*\)\/\(.*\)#sql_uri = mysql://${DB_KOLAB_USERNAME}:${DB_KOLAB_PASSWORD}@${DB_HOST}/${DB_KOLAB_DATABASE}#" \ - -e "s#^uri.*#uri = imaps://${IMAP_HOST:-127.0.0.1}:11993#" /etc/kolab/kolab.conf -sed -i -e "/host/s/localhost/${LDAP_HOST:-127.0.0.1}/g" \ - -e "/fbsource/s/localhost/${IMAP_HOST:-127.0.0.1}/g" /etc/kolab-freebusy/config.ini -#sed -i -e "s/server_host.*/server_host = ${LDAP_HOST:-127.0.0.1}/g" /etc/postfix/ldap/* -sed -i -e "/password_ldap_host/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/password.inc.php -sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/kolab_auth.inc.php -sed -i -e "s#.*db_dsnw.*# \$config['db_dsnw'] = 'mysql://${DB_RC_USERNAME}:${DB_RC_PASSWORD}@${DB_HOST}/roundcube';#" \ - -e "/default_host/s|= .*$|= 'ssl://${IMAP_HOST:-127.0.0.1}';|" \ - -e "/default_port/s|= .*$|= ${IMAP_PORT:-11993};|" \ - -e "/smtp_server/s|= .*$|= 'tls://${MAIL_HOST:-127.0.0.1}';|" \ - -e "/smtp_port/s/= .*$/= ${MAIL_PORT:-10587};/" \ - -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/config.inc.php -sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/calendar.inc.php - -systemctl restart cyrus-imapd postfix 
diff --git a/docker/kolab/utils/06-mysql-for-kolabdev.sh b/docker/kolab/utils/06-mysql-for-kolabdev.sh deleted file mode 100755 --- a/docker/kolab/utils/06-mysql-for-kolabdev.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \ - -e "CREATE DATABASE IF NOT EXISTS ${DB_HKCCP_DATABASE};" - -mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \ - -e "GRANT ALL PRIVILEGES ON ${DB_HKCCP_DATABASE}.* TO '${DB_HKCCP_USERNAME}'@'%' IDENTIFIED BY '${DB_HKCCP_PASSWORD}';" - -mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD} \ - -e "FLUSH PRIVILEGES;" - diff --git a/docker/kolab/utils/07-adjust-base-dns.sh b/docker/kolab/utils/07-adjust-base-dns.sh deleted file mode 100755 --- a/docker/kolab/utils/07-adjust-base-dns.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -. ./settings.sh - -echo "ldap_domain_base_dn: ${domain_base_dn}" >> /etc/imapd.conf - -sed -i -r \ - -e "s/^ldap_base: .*$/ldap_base: ${hosted_domain_rootdn}/g" \ - /etc/imapd.conf - -sed -i -r \ - -e "s/(\s+)base => '.*',$/\1base => '${hosted_domain_rootdn}',/g" \ - -e "/\\\$mydomain = / a\ -\$myhostname = '${HOSTNAME:-kolab}.${DOMAIN:-mgmt.com}';" \ - -e "s/^base_dn = .*$/base_dn = ${hosted_domain_rootdn}/g" \ - -e "s/^search_base = .*$/search_base = ${hosted_domain_rootdn}/g" \ - -e "s/(\s+)'base_dn'(\s+)=> '.*',/\1'base_dn'\2=> '${hosted_domain_rootdn}',/g" \ - -e "s/(\s+)'search_base_dn'(\s+)=> '.*',/\1'search_base_dn'\2=> '${hosted_domain_rootdn}',/g" \ - -e "s/(\s+)'user_specific'(\s+)=> false,/\1'user_specific'\2=> true,/g" \ - /etc/amavisd/amavisd.conf \ - /etc/kolab-freebusy/config.ini \ - /etc/postfix/ldap/*.cf \ - /etc/roundcubemail/config.inc.php \ - /etc/roundcubemail/calendar.inc.php \ - /etc/roundcubemail/kolab_auth.inc.php - -sed -i -r \ - -e "s/^search_base = .*$/search_base = ${domain_base_dn}/g" \ - /etc/postfix/ldap/mydestination.cf - -systemctl restart cyrus-imapd postfix 
diff --git a/docker/kolab/utils/08-disable-amavisd.sh b/docker/kolab/utils/08-disable-amavisd.sh deleted file mode 100755 --- a/docker/kolab/utils/08-disable-amavisd.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -postconf -e content_filter='smtp-wallace:[127.0.0.1]:10026' - -systemctl restart postfix - -systemctl stop amavisd -systemctl disable amavisd - -systemctl stop clamd@amavisd -systemctl disable clamd@amavisd diff --git a/docker/kolab/utils/12-create-hosted-kolab-service.sh b/docker/kolab/utils/12-create-hosted-kolab-service.sh deleted file mode 100755 --- a/docker/kolab/utils/12-create-hosted-kolab-service.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -. ./settings.sh - -( - echo "dn: uid=hosted-kolab-service,ou=Special Users,${rootdn}" - echo "objectclass: top" - echo "objectclass: inetorgperson" - echo "objectclass: person" - echo "uid: hosted-kolab-service" - echo "cn: Hosted Kolab Service Account" - echo "sn: Service Account" - echo "givenname: Hosted Kolab" - echo "userpassword: ${hosted_kolab_service_pw}" - echo "" -) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" - diff --git a/docker/kolab/utils/13-create-ou-domains.sh b/docker/kolab/utils/13-create-ou-domains.sh deleted file mode 100755 --- a/docker/kolab/utils/13-create-ou-domains.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - - . ./settings.sh - -( - echo "dn: ou=Domains,${rootdn}" - echo "ou: Domains" - echo "objectClass: top" - echo "objectClass: organizationalunit" - echo "" -) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/docker/kolab/utils/14-create-management-domain.sh b/docker/kolab/utils/14-create-management-domain.sh deleted file mode 100755 --- a/docker/kolab/utils/14-create-management-domain.sh +++ /dev/null 
@@ -1,15 +0,0 @@ -#!/bin/bash - -. ./settings.sh - -( - echo "dn: associateddomain=${domain},${domain_base_dn}" - echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)" - echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" - echo "inetDomainStatus: active" - echo "objectClass: top" - echo "objectClass: domainrelatedobject" - echo "objectClass: inetdomain" - echo "associatedDomain: ${domain}" - echo "" -) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/docker/kolab/utils/15-create-hosted-domain.sh b/docker/kolab/utils/15-create-hosted-domain.sh deleted file mode 100755 --- a/docker/kolab/utils/15-create-hosted-domain.sh +++ /dev/null 
@@ -1,116 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
- (
- echo "dn: associateddomain=${hosted_domain},${domain_base_dn}"
- echo "objectclass: top"
- echo "objectclass: domainrelatedobject"
- echo "objectclass: inetdomain"
- echo "inetdomainstatus: active"
- echo "associateddomain: ${hosted_domain}"
- echo "inetdomainbasedn: ${hosted_domain_rootdn}"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- (
- echo "dn: cn=$(echo ${hosted_domain} | sed -e 's/\./_/g'),cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: extensibleobject"
- echo "objectClass: nsbackendinstance"
- echo "cn: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo "nsslapd-suffix: ${hosted_domain_rootdn}"
- echo "nsslapd-cachesize: -1"
- echo "nsslapd-cachememsize: 10485760"
- echo "nsslapd-readonly: off"
- echo "nsslapd-require-index: off"
- echo "nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo "nsslapd-dncachememsize: 10485760"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-(
- #On centos7
- #echo "dn: cn=$(echo ${hosted_domain_rootdn} | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g'),cn=mapping tree,cn=config"
- #On centos8
- echo "dn: cn=\"${hosted_domain_rootdn}\",cn=mapping tree,cn=config"
- echo "objectClass: top"
- echo "objectClass: extensibleObject"
- echo "objectClass: nsMappingTree"
- echo "nsslapd-state: backend"
- echo "cn: ${hosted_domain_rootdn}"
- echo "nsslapd-backend: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-(
- echo "dn: ${hosted_domain_rootdn}"
- echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
- echo "aci: (targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${hosted_domain_rootdn}\" or roledn=\"ldap:///cn=kolab-admin,${hosted_domain_rootdn}\");)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
- echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
- echo "objectClass: top"
- echo "objectClass: domain"
- echo "dc: $(echo ${hosted_domain} | cut -d'.' -f 1)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-(
- for role in "2fa-user" "activesync-user" "imap-user"; do
- echo "dn: cn=${role},${hosted_domain_rootdn}"
- echo "cn: ${role}"
- echo "description: ${role} role"
- echo "objectclass: top"
- echo "objectclass: ldapsubentry"
- echo "objectclass: nsmanagedroledefinition"
- echo "objectclass: nsroledefinition"
- echo "objectclass: nssimpleroledefinition"
- echo ""
- done
-
- echo "dn: ou=Groups,${hosted_domain_rootdn}"
- echo "ou: Groups"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=People,${hosted_domain_rootdn}"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo "ou: People"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Special Users,${hosted_domain_rootdn}"
- echo "ou: Special Users"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Resources,${hosted_domain_rootdn}"
- echo "ou: Resources"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Shared Folders,${hosted_domain_rootdn}"
- echo "ou: Shared Folders"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: uid=cyrus-admin,ou=Special Users,${hosted_domain_rootdn}"
- echo "sn: Administrator"
- echo "uid: cyrus-admin"
- echo "objectClass: top"
- echo "objectClass: person"
- echo "objectClass: inetorgperson"
- echo "objectClass: organizationalperson"
- echo "givenName: Cyrus"
- echo "cn: Cyrus Administrator"
- echo ""
-
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/16-remove-cn-kolab-cn-config.sh b/docker/kolab/utils/16-remove-cn-kolab-cn-config.sh
deleted file mode 100755
--- a/docker/kolab/utils/16-remove-cn-kolab-cn-config.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "associateddomain=${domain},cn=kolab,cn=config"
- echo "cn=kolab,cn=config"
-) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
diff --git a/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh b/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh
deleted file mode 100755
--- a/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "dn: associateddomain=${domain},ou=Domains,${rootdn}"
- echo "changetype: modify"
- echo "replace: aci"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo ""
-) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/18-adjust-kolab-conf.sh b/docker/kolab/utils/18-adjust-kolab-conf.sh
deleted file mode 100755
--- a/docker/kolab/utils/18-adjust-kolab-conf.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-sed -r -i \
- -e "s/^base_dn.*$/base_dn = ${rootdn}/g" \
- -e "s/^domain_base_dn.*$/domain_base_dn = ${domain_base_dn}/g" \
- -e "s/^user_base_dn.*$/user_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^kolab_user_base_dn.*$/kolab_user_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^group_base_dn.*$/group_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^sharedfolder_base_dn.*$/sharedfolder_base_dn = ${hosted_domain_rootdn}/g" \
- -e "s/^resource_base_dn.*$/resource_base_dn = ${hosted_domain_rootdn}/g" \
- -e '/^primary_mail/ a\
-daemon_rcpt_policy = False' \
- -e '/^primary_mail/d' \
- -e '/secondary_mail/,+10d' \
- -e '/autocreate_folders/,+77d' \
- -e "/^\[kolab_wap\]/ a\
-mgmt_root_dn = ${rootdn}" \
- -e "/^\[kolab_wap\]/ a\
-hosted_root_dn = ${hosted_domain_rootdn}" \
- -e "/^\[kolab_wap\]/ a\
-api_url = http://127.0.0.1:9080/kolab-webadmin/api" \
- -e 's/^auth_attributes.*$/auth_attributes = mail, uid/g' \
- -e 's|^uri = imaps.*$|uri = imaps://127.0.0.1:11993|g' \
- -e "/^\[wallace\]/ a\
-webmail_url = https://%(domain)s/roundcubemail" \
- /etc/kolab/kolab.conf
-
-systemctl restart kolabd
-systemctl restart kolab-saslauthd
diff --git a/docker/kolab/utils/19-turn-on-vlv-in-roundcube.sh b/docker/kolab/utils/19-turn-on-vlv-in-roundcube.sh
deleted file mode 100755
--- a/docker/kolab/utils/19-turn-on-vlv-in-roundcube.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-sed -i -r \
- -e "s/'vlv'(\s+)=> false,/'vlv'\1=> true,/g" \
- -e "s/'vlv_search'(\s+)=> false,/'vlv_search'\1=> true,/g" \
- -e "s/inetOrgPerson/inetorgperson/g" \
- -e "s/kolabInetOrgPerson/inetorgperson/g" \
- /etc/roundcubemail/*.inc.php
diff --git a/docker/kolab/utils/20-add-alias-attribute-index.sh b/docker/kolab/utils/20-add-alias-attribute-index.sh
deleted file mode 100755
--- a/docker/kolab/utils/20-add-alias-attribute-index.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-export index_attr=alias
-
-(
- echo "dn: cn=${index_attr},cn=index,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectclass: top"
- echo "objectclass: nsindex"
- echo "cn: ${index_attr}"
- echo "nsSystemIndex: false"
- echo "nsindextype: pres"
- echo "nsindextype: eq"
- echo "nsindextype: sub"
-
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-
-(
- echo "dn: cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config"
- echo "objectclass: top"
- echo "objectclass: extensibleObject"
- echo "cn: ${hosted_domain_db} ${index_attr} index"
- echo "nsinstance: ${hosted_domain_db}"
- echo "nsIndexAttribute: ${index_attr}:pres"
- echo "nsIndexAttribute: ${index_attr}:eq"
- echo "nsIndexAttribute: ${index_attr}:sub"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-ldap_complete=0
-
-while [ ${ldap_complete} -ne 1 ]; do
- result=$(
- ldapsearch \
- -x \
- -h ${ldap_host} \
- -D "${ldap_binddn}" \
- -w "${ldap_bindpw}" \
- -c \
- -LLL \
- -b "cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" \
- '(!(nstaskexitcode=0))' \
- -s base 2>/dev/null
- )
- if [ -z "$result" ]; then
- ldap_complete=1
- echo ""
- else
- echo -n "."
- sleep 1
- fi
-done
-
diff --git a/docker/kolab/utils/21-adjust-postfix-config.sh b/docker/kolab/utils/21-adjust-postfix-config.sh
deleted file mode 100755
--- a/docker/kolab/utils/21-adjust-postfix-config.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-# new: (inetdomainstatus:1.2.840.113556.1.4.803:=1)
-# active: (inetdomainstatus:1.2.840.113556.1.4.803:=2)
-# suspended: (inetdomainstatus:1.2.840.113556.1.4.803:=4)
-# deleted: (inetdomainstatus:1.2.840.113556.1.4.803:=8)
-# confirmed: (inetdomainstatus:1.2.840.113556.1.4.803:=16)
-# verified: (inetdomainstatus:1.2.840.113556.1.4.803:=32)
-# ready: (inetdomainstatus:1.2.840.113556.1.4.803:=64)
-
-sed -i -r \
- -e 's/^query_filter.*$/query_filter = (\&(associatedDomain=%s)(inetdomainstatus:1.2.840.113556.1.4.803:=18)(!(inetdomainstatus:1.2.840.113556.1.4.803:=4)))/g' \
- /etc/postfix/ldap/mydestination.cf
-
-# new: (inetuserstatus:1.2.840.113556.1.4.803:=1)
-# active: (inetuserstatus:1.2.840.113556.1.4.803:=2)
-# suspended: (inetuserstatus:1.2.840.113556.1.4.803:=4)
-# deleted: (inetuserstatus:1.2.840.113556.1.4.803:=8)
-# ldapready: (inetuserstatus:1.2.840.113556.1.4.803:=16)
-# imapready: (inetuserstatus:1.2.840.113556.1.4.803:=32)
-
-sed -i -r \
- -e 's/^query_filter.*$/query_filter = (\&(|(mail=%s)(alias=%s))(|(objectclass=kolabinetorgperson)(|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))(|(|(objectclass=groupofuniquenames)(objectclass=groupofurls))(objectclass=kolabsharedfolder))(objectclass=kolabsharedfolder))(!(inetuserstatus:1.2.840.113556.1.4.803:=4)))/g' \
- /etc/postfix/ldap/local_recipient_maps.cf
-
-systemctl restart postfix
diff --git a/docker/kolab/utils/22-create-resource.sh b/docker/kolab/utils/22-create-resource.sh
deleted file mode 100755
--- a/docker/kolab/utils/22-create-resource.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-
-(
- echo "dn: cn=TestResource,ou=Resources,ou=kolab.org,${hosted_domain_rootdn}"
- echo "cn: TestResource"
- echo "owner: uid=jack@kolab.org,ou=People,ou=kolab.org,${hosted_domain_rootdn}"
- echo "kolabTargetFolder: shared/Resources/TestResource@kolab.org"
- echo "mail: resource-confroom-testresource@kolab.org"
- echo "objectClass: top"
- echo "objectClass: kolabsharedfolder"
- echo "objectClass: kolabresource"
- echo "objectClass: mailrecipient"
- echo "kolabFolderType: event"
- echo "kolabInvitationPolicy: ACT_STORE_AND_NOTIFY"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/docker/kolab/utils/24-roundcubeconfig.sh b/docker/kolab/utils/24-roundcubeconfig.sh
deleted file mode 100755
--- a/docker/kolab/utils/24-roundcubeconfig.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-
-sed -i -r -e "s|$config\['kolab_files_url'\] = .*$|$config['kolab_files_url'] = 'https://' \. \$_SERVER['HTTP_HOST'] . '/chwala/';|g" /etc/roundcubemail/kolab_files.inc.php
-
-sed -i -r -e "s|$config\['kolab_invitation_calendars'\] = .*$|$config['kolab_invitation_calendars'] = true;|g" /etc/roundcubemail/calendar.inc.php
-
-sed -i -r -e "/^.*'contextmenu',$/a 'enigma'," /etc/roundcubemail/config.inc.php
-
-sed -i -r -e "s|$config\['enigma_passwordless'\] = .*$|$config['enigma_passwordless'] = true;|g" /etc/roundcubemail/enigma.inc.php
-sed -i -r -e "s|$config\['enigma_multihost'\] = .*$|$config['enigma_multihost'] = true;|g" /etc/roundcubemail/enigma.inc.php
-
-echo "\$config['enigma_woat'] = true;" >> /etc/roundcubemail/enigma.inc.php
-
-# Run it over haproxy then nginx for 2fa. We need to use startls because otherwise the proxy protocol doesn't work.
-sed -i -r -e "s|$config\['default_host'\] = .*$|$config['default_host'] = 'tls://127.0.0.1';|g" /etc/roundcubemail/config.inc.php
-sed -i -r -e "s|$config\['default_port'\] = .*$|$config['default_port'] = 145;|g" /etc/roundcubemail/config.inc.php
-
-# So we can just append
-sed -i "s/?>//g" /etc/roundcubemail/config.inc.php
-
-# Enable the PROXY protocol
-cat << EOF >> /etc/roundcubemail/config.inc.php
- \$config['imap_conn_options'] = Array(
- 'ssl' => Array(
- 'verify_peer_name' => false,
- 'verify_peer' => false,
- 'allow_self_signed' => true
- ),
- 'proxy_protocol' => 2
- );
- \$config['proxy_whitelist'] = array('127.0.0.1');
-EOF
-
-echo "?>" >> /etc/roundcubemail/config.inc.php
-
-
-# Send dns queries over powerdns
-rm -f /etc/resolv.conf
-echo "nameserver 127.0.0.1:9953" > /etc/resolv.conf
diff --git a/docker/kolab/utils/settings.sh b/docker/kolab/utils/settings.sh
--- a/docker/kolab/utils/settings.sh
+++ b/docker/kolab/utils/settings.sh
@@ -3,13 +3,13 @@ export rootdn=${LDAP_ADMIN_ROOT_DN:-"dc=mgmt,dc=com"} export domain=${DOMAIN:-"mgmt.com"} export domain_db=${DOMAIN_DB:-"mgmt_com"} -export ldap_host=${LDAP_HOST:-"127.0.0.1"} +export ldap_host=${LDAP_HOST} export ldap_binddn=${LDAP_ADMIN_BIND_DN:-"cn=Directory Manager"} export ldap_bindpw=${LDAP_ADMIN_BIND_PW:-"Welcome2KolabSystems"} export cyrus_admin=${IMAP_ADMIN_LOGIN:-"cyrus-admin"} -export imap_host=${IMAP_HOST:-"127.0.0.1"} +export imap_host=${IMAP_HOST} export cyrus_admin_pw=${IMAP_ADMIN_PASSWORD:-"Welcome2KolabSystems"} export kolab_service_pw=${LDAP_SERVICE_BIND_PW:-"Welcome2KolabSystems"} diff --git a/docker/mariadb/mysql-init/80-add-users.sh b/docker/mariadb/mysql-init/80-add-users.sh deleted file mode 100644 --- a/docker/mariadb/mysql-init/80-add-users.sh +++ /dev/null @@ -1,29 +0,0 @@ -create_arbitrary_users() { - - # Do not care what option is compulsory here, just create what is specified - log_info "Creating user specified by (${2}) ..." -mysql $mysql_flags </dev/null; then - chver=$(rpmquery --queryformat="%{VERSION}" chromium | awk -F'.' '{print $1}') - ./artisan dusk:chrome-driver ${chver} -fi - if [ ! -f 'resources/countries.php' ]; then ./artisan data:countries fi diff --git a/src/.env.example b/src/.env.example --- a/src/.env.example +++ b/src/.env.example @@ -2,11 +2,11 @@ APP_ENV=local APP_KEY= APP_DEBUG=true -APP_URL=http://127.0.0.1:8000 +APP_URL=https://kolab.local #APP_PASSPHRASE= -APP_PUBLIC_URL= -APP_DOMAIN=kolabnow.com -APP_WEBSITE_DOMAIN=kolabnow.com +APP_PUBLIC_URL=https://kolab.local +APP_DOMAIN=kolab.local +APP_WEBSITE_DOMAIN=kolab.local APP_THEME=default APP_TENANT_ID=5 APP_LOCALE=en @@ -23,9 +23,9 @@ SIGNUP_LIMIT_EMAIL=0 SIGNUP_LIMIT_IP=0 -ASSET_URL=http://127.0.0.1:8000 +ASSET_URL=https://kolab.local -WEBMAIL_URL=/apps +WEBMAIL_URL=/roundcubemail/ SUPPORT_URL=/support SUPPORT_EMAIL= 
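Review bot: Dropping the `127.0.0.1` fallbacks leaves `ldap_host` and `imap_host` empty whenever `LDAP_HOST` or `IMAP_HOST` is not exported, and nothing in this file checks for that; the utils scripts this commit deletes passed the value unquoted as `-h ${ldap_host}`, where an empty value does not fail but shifts the next argument into the host position, and any surviving caller of the same shape (none are visible here) inherits that. If the intent is that these values must now come from the environment, make the shell enforce it: `export ldap_host=${LDAP_HOST:?LDAP_HOST is not set}` and `export imap_host=${IMAP_HOST:?IMAP_HOST is not set}`. The surrounding context lines still fall back to a literal bind password when `LDAP_ADMIN_BIND_PW`, `IMAP_ADMIN_PASSWORD` or `LDAP_SERVICE_BIND_PW` is unset; applying the same `:?` form there would keep a deployment from silently running with the sample credential.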
@@ -36,7 +36,7 @@ DB_CONNECTION=mysql DB_DATABASE=kolabdev -DB_HOST=127.0.0.1 +DB_HOST=mariadb DB_PASSWORD=kolab DB_PORT=3306 DB_USERNAME=kolabdev @@ -51,12 +51,13 @@ OPENEXCHANGERATES_API_KEY="from openexchangerates.org" -MFA_DSN=mysql://roundcube:Welcome2KolabSystems@127.0.0.1/roundcube +MFA_DSN=mysql://roundcube:Welcome2KolabSystems@mariadb/roundcube MFA_TOTP_DIGITS=6 MFA_TOTP_INTERVAL=30 MFA_TOTP_DIGEST=sha1 -IMAP_URI=ssl://127.0.0.1:11993 +IMAP_URI=ssl://kolab:11993 +IMAP_HOST=172.18.0.5 IMAP_ADMIN_LOGIN=cyrus-admin IMAP_ADMIN_PASSWORD=Welcome2KolabSystems IMAP_VERIFY_HOST=false @@ -64,7 +65,7 @@ LDAP_BASE_DN="dc=mgmt,dc=com" LDAP_DOMAIN_BASE_DN="ou=Domains,dc=mgmt,dc=com" -LDAP_HOSTS=127.0.0.1 +LDAP_HOSTS=kolab LDAP_PORT=389 LDAP_SERVICE_BIND_DN="uid=kolab-service,ou=Special Users,dc=mgmt,dc=com" LDAP_SERVICE_BIND_PW="Welcome2KolabSystems" @@ -81,22 +82,24 @@ LDAP_HOSTED_BIND_PW="Welcome2KolabSystems" LDAP_HOSTED_ROOT_DN="dc=hosted,dc=com" -COTURN_PUBLIC_IP=127.0.0.1 +COTURN_PUBLIC_IP='172.18.0.1' COTURN_STATIC_SECRET="Welcome2KolabSystems" MEET_WEBHOOK_TOKEN=Welcome2KolabSystems MEET_SERVER_TOKEN=Welcome2KolabSystems -MEET_SERVER_URLS=https://localhost:12443/meetmedia/api/ -MEET_SERVER_VERIFY_TLS=true +MEET_SERVER_URLS=https://kolab.local/meetmedia/api/ +MEET_SERVER_VERIFY_TLS=false -MEET_WEBRTC_LISTEN_IP= -MEET_PUBLIC_DOMAIN=127.0.0.1:12443 -MEET_TURN_SERVER='turn:127.0.0.1:3478?transport=tcp' +MEET_WEBRTC_LISTEN_IP='172.18.0.1' +MEET_PUBLIC_DOMAIN=kolab.local +MEET_TURN_SERVER='turn:172.18.0.1:3478' +MEET_LISTENING_HOST=172.18.0.1 -PGP_ENABLED= -PGP_BINARY= -PGP_AGENT= -PGP_GPGCONF= + +PGP_ENABLE=true +PGP_BINARY=/usr/bin/gpg +PGP_AGENT=/usr/bin/gpg-agent +PGP_GPGCONF=/usr/bin/gpgconf PGP_LENGTH= # Set these to IP addresses you serve WOAT with. @@ -104,7 +107,7 @@ WOAT_NS1=ns01.domain.tld WOAT_NS2=ns02.domain.tld -REDIS_HOST=127.0.0.1 +REDIS_HOST=redis REDIS_PASSWORD=null REDIS_PORT=6379 
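Review bot: `IMAP_HOST=172.18.0.5` in the `@@ -51,12 +51,13 @@` hunk pins an address from the Docker bridge subnet, which compose assigns dynamically unless the compose file pins it (not visible here), while `IMAP_URI`, `DB_HOST`, `LDAP_HOSTS` and `REDIS_HOST` in the same file now use compose service names; the first time the `kolab` container comes up on a different address this setting presumably points at nothing, and nothing on the page says why the two mechanisms are mixed. The same literal pattern reappears as `172.18.0.1` in `COTURN_PUBLIC_IP`, `MEET_WEBRTC_LISTEN_IP`, `MEET_TURN_SERVER` and `MEET_LISTENING_HOST` in the `@@ -81,22 +82,24 @@` hunk, and as the new code defaults in `src/config/imap.php` and `src/config/smtp.php`; a service name (`IMAP_HOST=kolab`) or a clearly labelled placeholder would be more robust, and a default baked into `config/*.php` should at least carry a comment stating that it is only meaningful inside the compose network. The `@@ -81` hunk also flips `MEET_SERVER_VERIFY_TLS` to `false` in the template every install starts from; a one-line comment above it such as `# local self-signed certificate only; set to true behind a real certificate` would keep it from being copied into a production .env unchanged.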
@@ -117,6 +120,7 @@ STRIPE_PUBLIC_KEY= STRIPE_WEBHOOK_SECRET= +MAIL_DRIVER=log MAIL_MAILER=smtp MAIL_HOST=smtp.mailtrap.io MAIL_PORT=2525 @@ -179,13 +183,5 @@ KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/pki/tls/certs/kolab.hosted.com.chain.pem KOLAB_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/kolab.hosted.com.key -PROXY_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert -PROXY_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key - -NGINX_SSL_CERTIFICATE=/etc/pki/tls/certs/imap.hosted.com.cert -NGINX_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/imap.hosted.com.key - -PGP_ENABLE=true -PGP_BINARY=/usr/bin/gpg -PGP_AGENT=/usr/bin/gpg-agent -PGP_GPGCONF=/usr/bin/gpgconf +PROXY_SSL_CERTIFICATE=/etc/certs/imap.hosted.com.cert +PROXY_SSL_CERTIFICATE_KEY=/etc/certs/imap.hosted.com.key diff --git a/src/config/imap.php b/src/config/imap.php --- a/src/config/imap.php +++ b/src/config/imap.php @@ -1,12 +1,12 @@ env('IMAP_URI', '127.0.0.1'), + 'uri' => env('IMAP_URI', 'ssl://kolab:11993'), 'admin_login' => env('IMAP_ADMIN_LOGIN', 'cyrus-admin'), 'admin_password' => env('IMAP_ADMIN_PASSWORD', null), 'verify_peer' => env('IMAP_VERIFY_PEER', true), 'verify_host' => env('IMAP_VERIFY_HOST', true), - 'host' => env('IMAP_HOST', '127.0.0.1'), + 'host' => env('IMAP_HOST', '172.18.0.5'), 'imap_port' => env('IMAP_PORT', 12143), 'guam_port' => env('IMAP_GUAM_PORT', 9143), ]; diff --git a/src/config/smtp.php b/src/config/smtp.php --- a/src/config/smtp.php +++ b/src/config/smtp.php @@ -1,6 +1,6 @@ env('SMTP_HOST', '127.0.0.1'), + 'host' => env('SMTP_HOST', '172.18.0.5'), 'port' => env('SMTP_PORT', 10465), ]; diff --git a/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php b/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php --- a/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php +++ b/src/database/migrations/2020_06_04_115409_create_powerdns_tables.php 
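Review bot: `MAIL_DRIVER=log` is added directly above `MAIL_MAILER=smtp`, and those are the pre-7.x and current Laravel names for the same setting; if `config/mail.php` in this project reads `MAIL_MAILER` (it is not visible here), the new line is dead and mail still goes out over SMTP to the mailtrap host below it, which is the opposite of what a `log` driver suggests. Keep the key the config actually reads and drop the other, or annotate the pair so the next reader does not have to check, e.g. `# MAIL_DRIVER is the key read by config/mail.php; MAIL_MAILER is ignored` (or the reverse, whichever holds).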
@@ -14,6 +14,15 @@
 */
 public function up()
 {
+ //Drop the tables from the mysql initialization
+ Schema::dropIfExists('powerdns_domains');
+ Schema::dropIfExists('powerdns_records');
+ Schema::dropIfExists('powerdns_masters');
+ Schema::dropIfExists('powerdns_comments');
+ Schema::dropIfExists('powerdns_domain_settings');
+ Schema::dropIfExists('powerdns_cryptokeys');
+ Schema::dropIfExists('powerdns_tsigkeys');
+
 Schema::create(
 'powerdns_domains',
 function (Blueprint $table) {
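Review bot: The seven `Schema::dropIfExists()` calls added at the top of `up()` are destructive and run unconditionally, so on any database where the mysql init pre-created these tables and PowerDNS has already written zones into them, the migration discards that data before the `create()` below rebuilds the schema; the comment `//Drop the tables from the mysql initialization` says what is dropped but not why, and nothing records that this is a one-way loss. Say both in the comment, e.g. `// The mariadb init scripts pre-create the powerdns_* tables (presumably with a different layout); drop them so create() below succeeds. Any rows PowerDNS has already written are lost.`, and consider guarding the drops so they only fire when a pre-created table lacks the expected columns rather than on every fresh run. Minor: a space after `//` would match the usual PHP comment style, and `down()` is outside the hunk, so I cannot tell whether it needs a matching change.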