ejabberd: added Movim

2022-01-19 13:14:45 +01:00 · 2022-01-19 13:14:45 +01:00 · 42fb3dd3d9
parent 2ada81cc65
commit 42fb3dd3d9
25 changed files with 419 additions and 5 deletions
--- a/ejabberd/Makefile
+++ b/ejabberd/Makefile
@ -1,8 +1,13 @@
 02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
 cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
-nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.orig
+nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.applorig
 example_com_conf = $(CHROOT)/etc/nginx/conf.d/example.com.conf
 ejabberd_example_com_conf = $(CHROOT)/etc/nginx/conf.d/ejabberd.example.com.conf
+install_movim = /usr/share/movim
+
+MOVIM_VER ?= 0.19.1rc7
+MOVIM_TARBALL = movim-$(MOVIM_VER).tar.gz
+MOVIM_URL = https://github.com/movim/movim/archive/refs/tags/v$(MOVIM_VER).tar.gz

 systemd-units: appliance/PostgreSQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
 	mkdir -p $(CHROOT)/usr/local/bin
@ -19,6 +24,10 @@ $(cert-renew.sh): appliance/cert-renew.sh
 	cp $< $@

 $(nginx_conf): nginx/nginx.conf
+	cp nginx/proxy_params $(CHROOT)/etc/nginx/
+	sed -i 's#^listen = .*#listen = /run/php-fpm/www.socket#' $(CHROOT)/etc/php/fpm-php7.4/fpm.d/www.conf
+	sed -i 's#^;listen.owner = .*#listen.owner = nginx#' $(CHROOT)/etc/php/fpm-php7.4/fpm.d/www.conf
+	sed -i 's#^;listen.group = .*#listen.group = nginx#' $(CHROOT)/etc/php/fpm-php7.4/fpm.d/www.conf
 	mv $(CHROOT)/etc/nginx/nginx.conf $@
 	cp $< $(CHROOT)/etc/nginx/nginx.conf

@ -30,12 +39,19 @@ $(ejabberd_example_com_conf): nginx/conf.d/ejabberd.example.com.conf
 	mkdir -p $(CHROOT)/etc/nginx/conf.d
 	cp $< $@

+$(install_movim):
+	RUN test -f /var/cache/distfiles/$(MOVIM_TARBALL) || \
+		RUN wget $(MOVIM_URL) -O /var/cache/distfiles/$(MOVIM_TARBALL)
+	RUN sh -c 'tar xf /var/cache/distfiles/$(MOVIM_TARBALL) -C /usr/share && mv $(install_movim)-$(MOVIM_VER) $(install_movim) && cd $(install_movim) && echo yes | composer install'
+	cp $(CHROOT)/$(install_movim)/etc/systemd/system/movim.service $(CHROOT)/etc/systemd/system/
+	sed -i 's#include fastcgi_params;#include fastcgi_params;\n\t\tfastcgi_param SCRIPT_FILENAME $$request_filename;\n\t\tfastcgi_pass unix:/run/php-fpm/www.socket;#' $(CHROOT)/$(install_movim)/etc/nginx/conf.d/movim.conf
+
 preinstall:
 	# workaround for https://bugs.gentoo.org/716968
 	mkdir -p $(CHROOT)/etc/ssl/ejabberd
 	touch $(CHROOT)/etc/ssl/ejabberd/server.pem

-postinstall: systemd-units $(nginx_conf) $(example_com_conf) $(ejabberd_example_com_conf) $(02firstboot) $(cert-renew.sh)
+postinstall: systemd-units $(nginx_conf) $(example_com_conf) $(ejabberd_example_com_conf) $(02firstboot) $(cert-renew.sh) $(install_movim)
 	# workaround for https://bugs.gentoo.org/716968
 	rm -rf $(CHROOT)/etc/ssl/ejabberd
 	# configure postgresql
--- a/ejabberd/appliance/02firstboot.start
+++ b/ejabberd/appliance/02firstboot.start
@ -15,6 +15,7 @@ PGVER=$(eselect postgresql show)
 [ -e /01firstboot ] && exit 0
 [ -e /02firstboot ] || exit 0

+# ejabberd configuration
 if [ ! -L "/etc/jabber/ejabberd.yml" ]; then
    if [ ! -f "/$LABEL/etc/jabber/ejabberd.yml" ]; then
 	echo 'Create ejabberd configuration'
@ -44,6 +45,43 @@ if [ ! -L "/etc/jabber/ejabberd.yml" ]; then
    fi
 fi

+# Movim configuration
+if [ ! -L "/usr/share/movim/config/db.inc.php" ]; then
+    if [ ! -f "/$LABEL/usr/share/movim/config/db.inc.php" ]; then
+	echo 'Create Movim configuration'
+	mkdir -p "/$LABEL/usr/share/movim/config"
+	chown nginx:nginx "/$LABEL/usr/share/movim/config"
+	cp "/usr/share/movim/config/db.example.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php"
+	cp "/usr/share/movim/config/db.example.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php.orig"
+	sed -i "s/'username' .*/'username'    => 'movim',/" "/$LABEL/usr/share/movim/config/db.inc.php"
+	ln -s "/$LABEL/usr/share/movim/config/db.inc.php" "/usr/share/movim/config/db.inc.php"
+    else
+	echo 'Linking Movim configuration'
+	cp -f "/$LABEL/usr/share/movim/config/db.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php.alt"
+	mv -f "/$LABEL/usr/share/movim/config/db.inc.php.orig" "/$LABEL/usr/share/movim/config/db.inc.php.orig-alt"
+	cp "/usr/share/movim/config/db.example.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php.orig"
+	ln -s "/$LABEL/usr/share/movim/config/db.inc.php" "/usr/share/movim/config/db.inc.php"
+    fi
+fi
+if [ ! -L "/usr/share/movim/log" ]; then
+	echo 'Create Movim log directory'
+	mkdir -p "/$LABEL/usr/share/movim/log"
+	chown nginx:nginx "/$LABEL/usr/share/movim/log"
+	ln -s "/$LABEL/usr/share/movim/log" "/usr/share/movim/log"
+fi
+if [ ! -L "/usr/share/movim/cache" ]; then
+	echo 'Create Movim internal cache directory'
+	mkdir -p "/$LABEL/usr/share/movim/cache"
+	chown nginx:nginx "/$LABEL/usr/share/movim/cache"
+	ln -s "/$LABEL/usr/share/movim/cache" "/usr/share/movim/cache"
+fi
+if [ ! -L "/usr/share/movim/public/cache" ]; then
+	echo 'Create Movim public cache directory'
+	mkdir -p "/$LABEL/usr/share/movim/public/cache"
+	chown nginx:nginx "/$LABEL/usr/share/movim/public/cache"
+	ln -s "/$LABEL/usr/share/movim/public/cache" "/usr/share/movim/public/cache"
+fi
+
 # Database
 if [ ! -L "/var/lib/postgresql" ]; then
    systemctl stop postgresql-$PGVER
@ -61,6 +99,11 @@ if [ ! -L "/var/lib/postgresql" ]; then
 	psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';"
 	psql -U postgres -d postgres -c "CREATE DATABASE ejabberd WITH OWNER ejabberd;"
 	psql -U ejabberd -d ejabberd < /usr/share/ejabberd/sql/pg.new.sql
+
+	echo 'Create movim database...'
+	psql -U postgres -d postgres -c "CREATE ROLE movim WITH LOGIN;"
+	psql -U postgres -d postgres -c "ALTER USER movim WITH PASSWORD '$DATABASE_PASS';"
+	psql -U postgres -d postgres -c "CREATE DATABASE movim WITH OWNER movim;"
    else
 	echo 'start PostgreSQL DB...'
 	rm -rf "/$LABEL/var/lib/postgresql.orig"
@ -68,14 +111,18 @@ if [ ! -L "/var/lib/postgresql" ]; then
 	ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql"
 	systemctl start postgresql-$PGVER
 	psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';"
+	psql -U postgres -d postgres -c "ALTER USER movim WITH PASSWORD '$DATABASE_PASS';"
    fi
 else
    echo 'Set new database password...'
    systemctl restart postgresql-$PGVER
    psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';"
+    psql -U postgres -d postgres -c "ALTER USER movim WITH PASSWORD '$DATABASE_PASS';"
 fi
 # update config with new database password
 sed -i "s/sql_password: .*/sql_password: \"$DATABASE_PASS\"/" "/$LABEL/etc/jabber/ejabberd.yml"
+sed -i "s/'password' .*/'password'    => '$DATABASE_PASS',/" "/$LABEL/usr/share/movim/config/db.inc.php"
+cd /usr/share/movim && echo yes | composer movim:migrate

 # Certificate
 if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
--- a/ejabberd/nginx/proxy_params
+++ b/ejabberd/nginx/proxy_params
@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
--- a/ejabberd/package.accept_keywords
+++ b/ejabberd/package.accept_keywords
@ -1,8 +1,9 @@
 # ejabberd
 net-im/ejabberd
 dev-erlang/p1_oauth2
-dev-erlang/ezlib
 dev-erlang/eimp
+dev-erlang/eredis
+dev-erlang/ezlib
 dev-erlang/iconv
 dev-erlang/idna
 dev-erlang/jiffy
--- a/ejabberd/package.use
+++ b/ejabberd/package.use
@ -1,6 +1,6 @@
 # Nginx
 app-eselect/eselect-php fpm
-dev-lang/php cli curl fpm gd pdo postgres webp
+dev-lang/php cli curl fpm gd pdo postgres webp zip
 media-gfx/imagemagick jpeg -openmp webp
 www-servers/nginx nginx_modules_stream_map nginx_modules_stream_ssl_preread

--- a/ejabberd/world
+++ b/ejabberd/world
@ -1,6 +1,7 @@
 app-crypt/certbot-nginx
 dev-db/postgresql
 dev-lang/php
+dev-php/composer
 dev-php/pecl-imagick
 media-gfx/gd-captcha
 media-gfx/imagemagick
--- a/lamp/Makefile
+++ b/lamp/Makefile
@ -0,0 +1,49 @@
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
+cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
+PHPCONFIG = $(CHROOT)/var/tmp/phpconfig
+
+systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer
+	cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/
+	cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/
+
+$(02firstboot): appliance/02firstboot.start
+	mkdir -p $(CHROOT)/etc/local.d
+	cp $< $@
+	touch $(CHROOT)/02firstboot
+
+$(cert-renew.sh): appliance/cert-renew.sh
+	mkdir -p $(CHROOT)/etc/ssl
+	cp $< $@
+
+$(PHPCONFIG):
+	# Apache-/PHP-Konfiguration
+	patch $(CHROOT)/etc/php/apache2-*/php.ini < php/php.ini-opcache.diff
+	find $(CHROOT)/etc/php/apache2-*/ -iname php.ini -print | xargs \sed -i \
+		-e 's:.*date.timezone =.*:date.timezone = Europe/Berlin:' \
+		-e 's:.*max_execution_time =.*:max_execution_time = 3600:' \
+		-e 's:.*max_input_time =.*:max_input_time = 3600:' \
+		-e 's:.*memory_limit =.*:memory_limit = 512M:' \
+		-e 's:.*post_max_size =.*:post_max_size = 8G:' \
+		-e 's:.*upload_max_filesize =*.:upload_max_filesize = 8G:' \
+		-e 's:.*always_populate_raw_post_data =.*:always_populate_raw_post_data = -1:'
+	touch $(PHPCONFIG)
+
+$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root
+	# MariaDB-Konfiguration ($$, weil make ein $ entfernt)
+	sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	sed -iE 's/^\(log-bin\)/#\1/' $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "binlog_format = ROW" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf
+	cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf
+	chmod 0600 $(CHROOT)/root/.my.cnf
+	rm -rf $(CHROOT)/var/lib/mysql/*
+	RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb'
+
+preinstall:
+
+postinstall: systemd-units $(PHPCONFIG) $(02firstboot) $(cert-renew.sh) $(CHROOT)/var/lib/mysql
--- a/lamp/appliance/02firstboot.start
+++ b/lamp/appliance/02firstboot.start
@ -0,0 +1,81 @@
+#!/bin/bash
+
+# variables
+LABEL="DATA"
+TLD="example.com"
+HOST="lamp"
+ORGNAME="lamp example"
+
+# start
+set -e
+
+[ -e /01firstboot ] && exit 0
+[ -e /02firstboot ] || exit 0
+
+# Database
+systemctl stop mariadb
+if [ ! -d "/$LABEL/var/lib/mysql/mysql" ]; then
+    echo 'Initialize MariaDB...'
+    mkdir -p "/$LABEL/var/lib"
+    rm -rf "/$LABEL/var/lib/mysql"
+    if [ ! -L /var/lib/mysql ]; then
+        rm -rf "/$LABEL/var/lib/mysql.orig"
+        cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
+        mv "/var/lib/mysql" "/$LABEL/var/lib/mysql"
+        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then
+        cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql"
+        rm -rf "/var/lib/mysql"
+        ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+    else
+        echo '### ERROR initialize database !!! ###'
+        exit 1
+    fi
+else
+    echo 'Use existing MariaDB...'
+    if [ ! -L /var/lib/mysql ]; then
+        rm -rf "/$LABEL/var/lib/mysql.orig"
+        mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig"
+    else
+        rm -f "/var/lib/mysql"
+    fi
+    ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql"
+fi
+
+if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then
+    # angepaßtes Zertifikat vorhanden (kein example)
+    if [ ! -L /etc/ssl/cert-renew.sh ]; then
+        rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig"
+        mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig"
+    else
+        rm -f "/etc/ssl/cert-renew.sh"
+    fi
+    ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh"
+else
+    echo 'Create example certificate...'
+    mkdir -p "/$LABEL/CERTS/KEYS/"
+    mkdir -p "/$LABEL/CERTS/$HOST.$TLD"
+    echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf"
+    openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"
+    cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem"
+    touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem"
+fi
+
+rm -rf /etc/ssl/apache2
+mkdir -p /etc/ssl
+ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2"
+
+/etc/ssl/cert-renew.sh
+
+echo
+echo "Success!"
+echo "Do not forget to upgrade the MySQL database:"
+echo "   # mysql_upgrade"
+echo
+
+rm /02firstboot
--- a/lamp/appliance/MySQL-Backup.sh
+++ b/lamp/appliance/MySQL-Backup.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+DIR="/DATA/Backup/MySQL"
+
+if [ -z $1 ]; then
+ echo "database name missing! use --all for all db's"
+ exit 1;
+elif [ $1 = '--all' ]; then
+ echo "full backup"
+ for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do
+  if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then
+   if test -f ${DIR}/${i}.sql; then
+    echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1"
+    mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1
+   fi
+   echo "dump ${i} to ${DIR}/${i}.sgl"
+   mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i
+   chmod 600 ${DIR}/${i}.sql
+  fi
+ done;
+elif [ -n $1 ]; then
+ echo "Starting backup of $1"
+ if test -f $DIR/$1.sql; then
+  echo "Move $DIR/$1.sql to $DIR/$1.sql.1"
+  mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1
+ fi
+ mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1
+ chmod 600 ${DIR}/${1}.sql
+fi
+echo "Done"
+exit 0;
--- a/lamp/appliance/backup.service
+++ b/lamp/appliance/backup.service
@ -0,0 +1,8 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/MySQL-Backup.sh --all
--- a/lamp/appliance/backup.timer
+++ b/lamp/appliance/backup.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=execute backup tasks
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 02:19:00
+Unit=backup.service
+ 
+[Install]
+WantedBy=default.target
--- a/lamp/appliance/cert-renew.service
+++ b/lamp/appliance/cert-renew.service
@ -0,0 +1,8 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=yes
+ 
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl/cert-renew.sh
--- a/lamp/appliance/cert-renew.sh
+++ b/lamp/appliance/cert-renew.sh
@ -0,0 +1,52 @@
+#!/bin/bash
+
+HOST="lamp"
+TLD="example.com"
+FQDN="$HOST.$TLD"
+LABEL="DATA"
+
+CERT_DIR=/$LABEL/CERTS
+CERT_APACHE=/$LABEL/etc/ssl/apache2
+GETREPO=""
+GETUSER=""
+GETPASS=""
+
+function getCurrentVersion() {
+# Get hash from latest revision
+  git log --format=format:%H -1
+}
+
+cd $CERT_DIR
+
+if [ -z "$GETREPO" ]; then
+  GIT_REVISION=0
+  GIT_NEW_REVISION=1
+  cd $FQDN
+elif [ ! -d "$FQDN" ]; then
+  GIT_REVISION=0
+  git clone "https://$GETUSER:$GETPASS@$GETREPO"
+  cd $FQDN
+  GIT_NEW_REVISION=$(getCurrentVersion)
+else
+  cd $FQDN
+  GIT_REVISION=$(getCurrentVersion)
+  git commit -m "CRON: auto commit"
+  git fetch
+  git merge origin/master -m "Auto Merge"
+  GIT_NEW_REVISION=$(getCurrentVersion)
+fi
+
+echo "old: $GIT_REVISION"
+echo "new: $GIT_NEW_REVISION"
+
+if [ $GIT_REVISION != $GIT_NEW_REVISION ]
+then
+  echo "Update Apache certificate..."
+  mkdir -p $CERT_APACHE
+  cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt
+  cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key
+  echo "Restarting Apache..."
+  systemctl is-active --quiet apache2 && systemctl restart apache2
+fi
+
+exit 0
--- a/lamp/appliance/cert-renew.timer
+++ b/lamp/appliance/cert-renew.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=renew certificates from git store
+RefuseManualStart=no
+RefuseManualStop=no
+ 
+[Timer]
+Persistent=false
+OnCalendar=Sun *-*-* 04:03:00
+Unit=cert-renew.service
+ 
+[Install]
+WantedBy=default.target
--- a/lamp/make.conf
+++ b/lamp/make.conf
@ -0,0 +1 @@
+PHP_TARGETS="php8-0"
--- a/lamp/mariadb/my.cnf.root
+++ b/lamp/mariadb/my.cnf.root
@ -0,0 +1,11 @@
+[mysqladmin]
+user        = root
+password    = gentoo
+
+[mysql]
+user        = root
+password    = gentoo
+
+[client]
+user        = root
+password    = gentoo
--- a/lamp/package.accept_keywords
+++ b/lamp/package.accept_keywords
@ -0,0 +1,2 @@
+# GeoIP
+dev-php/maxmind-db-reader
--- a/lamp/package.use
+++ b/lamp/package.use
@ -0,0 +1,8 @@
+# GeoIP
+dev-php/maxmind-db-reader extension
+
+# LAMP
+app-eselect/eselect-php apache2 fpm
+dev-lang/php apache2 bcmath curl exif gd gmp imap intl ldap ldap-sasl mysql mysqli pdo sockets sqlite sysvipc truetype unicode xmlreader xmlrpc xmlwriter zip
+media-gfx/imagemagick -openmp
+www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel
--- a/lamp/php/php.ini-opcache.diff
+++ b/lamp/php/php.ini-opcache.diff
@ -0,0 +1,44 @@
+--- php.ini.orig	2020-06-10 17:18:21.946478636 +0200
+++ php.ini	2020-06-10 17:49:47.009780070 +0200
+@@ -1766,20 +1766,20 @@
+ 
+ [opcache]
+ ; Determines if Zend OPCache is enabled
+-;opcache.enable=1
+opcache.enable=1
+ 
+ ; Determines if Zend OPCache is enabled for the CLI version of PHP
+ ;opcache.enable_cli=0
+ 
+ ; The OPcache shared memory storage size.
+-;opcache.memory_consumption=128
+opcache.memory_consumption=128
+ 
+ ; The amount of memory for interned strings in Mbytes.
+-;opcache.interned_strings_buffer=8
+opcache.interned_strings_buffer=8
+ 
+ ; The maximum number of keys (scripts) in the OPcache hash table.
+ ; Only numbers between 200 and 1000000 are allowed.
+-;opcache.max_accelerated_files=10000
+opcache.max_accelerated_files=10000
+ 
+ ; The maximum percentage of "wasted" memory until a restart is scheduled.
+ ;opcache.max_wasted_percentage=5
+@@ -1797,14 +1797,14 @@
+ ; How often (in seconds) to check file timestamps for changes to the shared
+ ; memory storage allocation. ("1" means validate once per second, but only
+ ; once per request. "0" means always validate)
+-;opcache.revalidate_freq=2
+opcache.revalidate_freq=1
+ 
+ ; Enables or disables file search in include_path optimization
+ ;opcache.revalidate_path=0
+ 
+ ; If disabled, all PHPDoc comments are dropped from the code to reduce the
+ ; size of the optimized code.
+-;opcache.save_comments=1
+opcache.save_comments=1
+ 
+ ; Allow file existence override (file_exists, etc.) performance feature.
+ ;opcache.enable_file_override=0
--- a/lamp/world
+++ b/lamp/world
@ -0,0 +1,15 @@
+app-arch/unzip
+app-crypt/certbot-apache
+dev-db/mariadb
+dev-db/phpmyadmin
+dev-db/redis
+dev-libs/libmaxminddb
+dev-php/composer
+dev-php/maxmind-db-reader
+dev-php/pecl-apcu
+dev-php/pecl-imagick
+dev-python/passlib
+dev-python/redis-py
+net-misc/geoipupdate
+www-apache/mod_wsgi
+www-servers/apache
--- a/privacyidea/Makefile
+++ b/privacyidea/Makefile
@ -1,5 +1,5 @@
 PIUSER = $(CHROOT)/var/tmp/piuser
-02firstboot = $(CHROOT)/etc/local.d/02firstboot.start
+02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start
 cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh
 apache_conf = $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.orig
 pi_log = $(CHROOT)/var/log/privacyidea/privacyidea.log
--- a/privacyidea/appliance/02firstboot.start
+++ b/privacyidea/appliance/02firstboot.start
@ -145,4 +145,11 @@ systemctl enable apache2
 systemctl restart freeradius
 systemctl restart apache2

+echo
+echo "Success!"
+echo "Do not forget to upgrade the MySQL database and the privacyIDEA Schema:"
+echo "   # mysql_upgrade"
+echo "   # privacyidea-schema-upgrade /usr/lib/privacyidea/migrations"
+echo
+
 rm /02firstboot
--- a/privacyidea/package.accept_keywords
+++ b/privacyidea/package.accept_keywords
@ -1,4 +1,5 @@
 # privacyIDEA
+dev-perl/URI-Encode
 dev-python/responses
 dev-python/pyusb
 dev-python/imagesize
--- a/privacyidea/package.use
+++ b/privacyidea/package.use
@ -10,6 +10,7 @@ sci-libs/hdf5 -cxx -fortran -hl
 # RADIUS (ohne Samba kein rlm_mschap.so)
 net-dialup/freeradius kerberos ldap mysql -python samba
 net-fs/samba ads gnutls ldap winbind
+sys-libs/ldb ldap

 # LDAP
 net-nds/openldap overlays perl sasl
--- a/zabbix/package.use
+++ b/zabbix/package.use
@ -6,6 +6,7 @@ dev-java/openjdk-bin headless-awt
 dev-lang/php apache2 bcmath curl gd ldap mysql mysqli sockets sysvipc truetype xmlreader xmlwriter
 media-libs/gd jpeg png
 net-analyzer/zabbix curl frontend java ldap libxml2 mysql openipmi -postgres proxy server snmp ssh xmpp
+net-analyzer/zabbix-headers curl frontend java ldap libxml2 mysql openipmi -postgres proxy server snmp ssh xmpp
 net-analyzer/net-snmp perl
 net-analyzer/fping suid
 net-print/cups-filters -foomatic -postscript