From 42fb3dd3d9d0dad818faa1bd23026cf1c60d887c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Deckert?= Date: Wed, 19 Jan 2022 13:14:45 +0100 Subject: [PATCH] ejabberd: added Movim --- ejabberd/Makefile | 20 +++++- ejabberd/appliance/02firstboot.start | 47 ++++++++++++++ ejabberd/nginx/proxy_params | 4 ++ ejabberd/package.accept_keywords | 3 +- ejabberd/package.use | 2 +- ejabberd/world | 1 + lamp/Makefile | 49 +++++++++++++++ lamp/appliance/02firstboot.start | 81 +++++++++++++++++++++++++ lamp/appliance/MySQL-Backup.sh | 32 ++++++++++ lamp/appliance/backup.service | 8 +++ lamp/appliance/backup.timer | 12 ++++ lamp/appliance/cert-renew.service | 8 +++ lamp/appliance/cert-renew.sh | 52 ++++++++++++++++ lamp/appliance/cert-renew.timer | 12 ++++ lamp/make.conf | 1 + lamp/mariadb/my.cnf.root | 11 ++++ lamp/package.accept_keywords | 2 + lamp/package.use | 8 +++ lamp/php/php.ini-opcache.diff | 44 ++++++++++++++ lamp/world | 15 +++++ privacyidea/Makefile | 2 +- privacyidea/appliance/02firstboot.start | 7 +++ privacyidea/package.accept_keywords | 1 + privacyidea/package.use | 1 + zabbix/package.use | 1 + 25 files changed, 419 insertions(+), 5 deletions(-) create mode 100644 ejabberd/nginx/proxy_params create mode 100644 lamp/Makefile create mode 100755 lamp/appliance/02firstboot.start create mode 100755 lamp/appliance/MySQL-Backup.sh create mode 100644 lamp/appliance/backup.service create mode 100644 lamp/appliance/backup.timer create mode 100644 lamp/appliance/cert-renew.service create mode 100755 lamp/appliance/cert-renew.sh create mode 100644 lamp/appliance/cert-renew.timer create mode 100644 lamp/make.conf create mode 100644 lamp/mariadb/my.cnf.root create mode 100644 lamp/package.accept_keywords create mode 100644 lamp/package.use create mode 100644 lamp/php/php.ini-opcache.diff create mode 100644 lamp/world diff --git a/ejabberd/Makefile b/ejabberd/Makefile index 34354c8..10759dd 100644 --- a/ejabberd/Makefile +++ b/ejabberd/Makefile 
@@ -1,8 +1,13 @@ 02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh -nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.orig +nginx_conf = $(CHROOT)/etc/nginx/nginx.conf.applorig example_com_conf = $(CHROOT)/etc/nginx/conf.d/example.com.conf ejabberd_example_com_conf = $(CHROOT)/etc/nginx/conf.d/ejabberd.example.com.conf +install_movim = /usr/share/movim + +MOVIM_VER ?= 0.19.1rc7 +MOVIM_TARBALL = movim-$(MOVIM_VER).tar.gz +MOVIM_URL = https://github.com/movim/movim/archive/refs/tags/v$(MOVIM_VER).tar.gz systemd-units: appliance/PostgreSQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer mkdir -p $(CHROOT)/usr/local/bin @@ -19,6 +24,10 @@ $(cert-renew.sh): appliance/cert-renew.sh cp $< $@ $(nginx_conf): nginx/nginx.conf + cp nginx/proxy_params $(CHROOT)/etc/nginx/ + sed -i 's#^listen = .*#listen = /run/php-fpm/www.socket#' $(CHROOT)/etc/php/fpm-php7.4/fpm.d/www.conf + sed -i 's#^;listen.owner = .*#listen.owner = nginx#' $(CHROOT)/etc/php/fpm-php7.4/fpm.d/www.conf + sed -i 's#^;listen.group = .*#listen.group = nginx#' $(CHROOT)/etc/php/fpm-php7.4/fpm.d/www.conf mv $(CHROOT)/etc/nginx/nginx.conf $@ cp $< $(CHROOT)/etc/nginx/nginx.conf 
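Review bot: The three `sed -i` edits are pinned to `$(CHROOT)/etc/php/fpm-php7.4/fpm.d/www.conf`, and sed exits 0 when the `^listen =` / `^;listen.owner` / `^;listen.group` patterns find nothing, so after a PHP slot change or a pre-edited file the build succeeds while php-fpm keeps its default listener and the Movim vhost is pointed at a `/run/php-fpm/www.socket` that nobody opens. The lamp Makefile in this same commit globs the slot (`apache2-*`); the same approach fits here, e.g. `for f in $(CHROOT)/etc/php/fpm-php*/fpm.d/www.conf; do sed -i ... "$$f"; done`, followed by `grep -q '^listen = /run/php-fpm/www.socket' $(CHROOT)/etc/php/fpm-php*/fpm.d/www.conf` so a silent no-op fails the recipe. Setting `listen.mode = 0660` explicitly alongside owner/group would also document the intended socket permission rather than relying on the distribution default.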
@@ -30,12 +39,19 @@ $(ejabberd_example_com_conf): nginx/conf.d/ejabberd.example.com.conf mkdir -p $(CHROOT)/etc/nginx/conf.d cp $< $@ +$(install_movim): + RUN test -f /var/cache/distfiles/$(MOVIM_TARBALL) || \ + RUN wget $(MOVIM_URL) -O /var/cache/distfiles/$(MOVIM_TARBALL) + RUN sh -c 'tar xf /var/cache/distfiles/$(MOVIM_TARBALL) -C /usr/share && mv $(install_movim)-$(MOVIM_VER) $(install_movim) && cd $(install_movim) && echo yes | composer install' + cp $(CHROOT)/$(install_movim)/etc/systemd/system/movim.service $(CHROOT)/etc/systemd/system/ + sed -i 's#include fastcgi_params;#include fastcgi_params;\n\t\tfastcgi_param SCRIPT_FILENAME $$request_filename;\n\t\tfastcgi_pass unix:/run/php-fpm/www.socket;#' $(CHROOT)/$(install_movim)/etc/nginx/conf.d/movim.conf + preinstall: # workaround for https://bugs.gentoo.org/716968 mkdir -p $(CHROOT)/etc/ssl/ejabberd touch $(CHROOT)/etc/ssl/ejabberd/server.pem -postinstall: systemd-units $(nginx_conf) $(example_com_conf) $(ejabberd_example_com_conf) $(02firstboot) $(cert-renew.sh) +postinstall: systemd-units $(nginx_conf) $(example_com_conf) $(ejabberd_example_com_conf) $(02firstboot) $(cert-renew.sh) $(install_movim) # workaround for https://bugs.gentoo.org/716968 rm -rf $(CHROOT)/etc/ssl/ejabberd # configure postgresql diff --git a/ejabberd/appliance/02firstboot.start b/ejabberd/appliance/02firstboot.start index daa280e..cf476ae 100755 --- a/ejabberd/appliance/02firstboot.start +++ b/ejabberd/appliance/02firstboot.start @@ -15,6 +15,7 @@ PGVER=$(eselect postgresql show) [ -e /01firstboot ] && exit 0 [ -e /02firstboot ] || exit 0 +# ejabberd configuration if [ ! -L "/etc/jabber/ejabberd.yml" ]; then if [ ! -f "/$LABEL/etc/jabber/ejabberd.yml" ]; then echo 'Create ejabberd configuration' 
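Review bot: The tarball fetched by `wget $(MOVIM_URL)` is extracted and built with no integrity check, and the `test -f /var/cache/distfiles/$(MOVIM_TARBALL) ||` shortcut trusts whatever is already in the cache unconditionally; a pinned digest next to `MOVIM_VER`, e.g. `MOVIM_SHA256 ?= <digest>` and `echo "$(MOVIM_SHA256)  /var/cache/distfiles/$(MOVIM_TARBALL)" | sha256sum -c -` before the `tar xf`, closes that gap. The `echo yes | composer install` pipe appears to be answering Composer's run-as-root prompt (presumably `RUN` executes inside the chroot as root), which means every dependency's install scripts and plugins execute as root at image-build time; `COMPOSER_ALLOW_SUPERUSER=1 composer install --no-dev --no-scripts --no-plugins` states that decision explicitly and limits what the fetched code can do during the build. Whether a committed `composer.lock` is honoured depends on the tarball contents, which are not visible here, so a `test -f $(install_movim)/composer.lock` guard is worth adding; note also that the default `MOVIM_VER` is a release candidate.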
@@ -44,6 +45,43 @@ if [ ! -L "/etc/jabber/ejabberd.yml" ]; then fi fi +# Movim configuration +if [ ! -L "/usr/share/movim/config/db.inc.php" ]; then + if [ ! -f "/$LABEL/usr/share/movim/config/db.inc.php" ]; then + echo 'Create Movim configuration' + mkdir -p "/$LABEL/usr/share/movim/config" + chown nginx:nginx "/$LABEL/usr/share/movim/config" + cp "/usr/share/movim/config/db.example.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php" + cp "/usr/share/movim/config/db.example.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php.orig" + sed -i "s/'username' .*/'username' => 'movim',/" "/$LABEL/usr/share/movim/config/db.inc.php" + ln -s "/$LABEL/usr/share/movim/config/db.inc.php" "/usr/share/movim/config/db.inc.php" + else + echo 'Linking Movim configuration' + cp -f "/$LABEL/usr/share/movim/config/db.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php.alt" + mv -f "/$LABEL/usr/share/movim/config/db.inc.php.orig" "/$LABEL/usr/share/movim/config/db.inc.php.orig-alt" + cp "/usr/share/movim/config/db.example.inc.php" "/$LABEL/usr/share/movim/config/db.inc.php.orig" + ln -s "/$LABEL/usr/share/movim/config/db.inc.php" "/usr/share/movim/config/db.inc.php" + fi +fi +if [ ! -L "/usr/share/movim/log" ]; then + echo 'Create Movim log directory' + mkdir -p "/$LABEL/usr/share/movim/log" + chown nginx:nginx "/$LABEL/usr/share/movim/log" + ln -s "/$LABEL/usr/share/movim/log" "/usr/share/movim/log" +fi +if [ ! -L "/usr/share/movim/cache" ]; then + echo 'Create Movim internal cache directory' + mkdir -p "/$LABEL/usr/share/movim/cache" + chown nginx:nginx "/$LABEL/usr/share/movim/cache" + ln -s "/$LABEL/usr/share/movim/cache" "/usr/share/movim/cache" +fi +if [ ! -L "/usr/share/movim/public/cache" ]; then + echo 'Create Movim public cache directory' + mkdir -p "/$LABEL/usr/share/movim/public/cache" + chown nginx:nginx "/$LABEL/usr/share/movim/public/cache" + ln -s "/$LABEL/usr/share/movim/public/cache" "/usr/share/movim/public/cache" +fi + # Database if [ ! 
-L "/var/lib/postgresql" ]; then systemctl stop postgresql-$PGVER @@ -61,6 +99,11 @@ if [ ! -L "/var/lib/postgresql" ]; then psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';" psql -U postgres -d postgres -c "CREATE DATABASE ejabberd WITH OWNER ejabberd;" psql -U ejabberd -d ejabberd < /usr/share/ejabberd/sql/pg.new.sql + + echo 'Create movim database...' + psql -U postgres -d postgres -c "CREATE ROLE movim WITH LOGIN;" + psql -U postgres -d postgres -c "ALTER USER movim WITH PASSWORD '$DATABASE_PASS';" + psql -U postgres -d postgres -c "CREATE DATABASE movim WITH OWNER movim;" else echo 'start PostgreSQL DB...' rm -rf "/$LABEL/var/lib/postgresql.orig" @@ -68,14 +111,18 @@ if [ ! -L "/var/lib/postgresql" ]; then ln -s "/$LABEL/var/lib/postgresql" "/var/lib/postgresql" systemctl start postgresql-$PGVER psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';" + psql -U postgres -d postgres -c "ALTER USER movim WITH PASSWORD '$DATABASE_PASS';" fi else echo 'Set new database password...' systemctl restart postgresql-$PGVER psql -U postgres -d postgres -c "ALTER USER ejabberd WITH PASSWORD '$DATABASE_PASS';" + psql -U postgres -d postgres -c "ALTER USER movim WITH PASSWORD '$DATABASE_PASS';" fi # update config with new database password sed -i "s/sql_password: .*/sql_password: \"$DATABASE_PASS\"/" "/$LABEL/etc/jabber/ejabberd.yml" +sed -i "s/'password' .*/'password' => '$DATABASE_PASS',/" "/$LABEL/usr/share/movim/config/db.inc.php" +cd /usr/share/movim && echo yes | composer movim:migrate # Certificate if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then diff --git a/ejabberd/nginx/proxy_params b/ejabberd/nginx/proxy_params new file mode 100644 index 0000000..df75bc5 --- /dev/null +++ b/ejabberd/nginx/proxy_params @@ -0,0 +1,4 @@ +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; 
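Review bot: `chown nginx:nginx "/$LABEL/usr/share/movim/config"` hands the directory that will hold `db.inc.php` — the database password is written into it later in this script — to the web-server account, so a compromised PHP process can rewrite its own configuration. Unless Movim needs to write its config at runtime (not visible here), keep it root-owned and group-readable: `chown root:nginx "/$LABEL/usr/share/movim/config"`, `chmod 750 "/$LABEL/usr/share/movim/config"`, `chmod 640 "/$LABEL/usr/share/movim/config/db.inc.php"`. `public/cache` is both nginx-writable and, by its path, presumably served directly; the `movim.conf` vhost should not execute PHP from it, which is worth confirming. The enclosing script continues outside the hunk.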
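Review bot: The new `movim` role is given the same `$DATABASE_PASS` as the `ejabberd` role (here and in the two `ALTER USER movim` additions that follow), so the secret that ends up in the nginx-readable `db.inc.php` also opens the ejabberd database, and a compromise of either application becomes a compromise of both. Generate a second secret where `DATABASE_PASS` is produced (outside this hunk), e.g. `MOVIM_DB_PASS=$(openssl rand -base64 24)`, and use it for every `ALTER USER movim` and for the `db.inc.php` substitution. A comment such as `# movim gets its own role and password; never share credentials between apps` would keep the next maintainer from re-merging them.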
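Review bot: `sed -i "s/'password' .*/'password' => '$DATABASE_PASS',/"` splices the secret into a PHP single-quoted string without escaping, so a generated value containing `'`, `\`, `/` or `&` either breaks `db.inc.php` at parse time or is silently mangled by sed (the YAML line above it has the same weakness, but PHP's quoting is less forgiving). Either restrict the generator to `[A-Za-z0-9]` or escape `\`, `'`, `/` and `&` in the value before substituting, and verify the result with `php -l "/$LABEL/usr/share/movim/config/db.inc.php"`. `cd /usr/share/movim && echo yes | composer movim:migrate` runs the migration as root with the same run-as-root override as the Makefile; under `set -e` a failed migration aborts the whole first-boot script, which is presumably intended but deserves a comment (`# abort first boot if the schema migration fails`).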
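Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the client supplied, so an upstream that reads the first address from that header can be fed an attacker-chosen IP; only `X-Real-IP` (set from `$remote_addr`) and the last `X-Forwarded-For` entry are trustworthy behind this file. Add `# X-Forwarded-For is client-appendable: upstreams must use the last hop or X-Real-IP` to the file, or use `proxy_set_header X-Forwarded-For $remote_addr;` if nginx is known to be the edge.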
diff --git a/ejabberd/package.accept_keywords b/ejabberd/package.accept_keywords index 0093bcb..4a695f7 100644 --- a/ejabberd/package.accept_keywords +++ b/ejabberd/package.accept_keywords @@ -1,8 +1,9 @@ # ejabberd net-im/ejabberd dev-erlang/p1_oauth2 -dev-erlang/ezlib dev-erlang/eimp +dev-erlang/eredis +dev-erlang/ezlib dev-erlang/iconv dev-erlang/idna dev-erlang/jiffy diff --git a/ejabberd/package.use b/ejabberd/package.use index 6b5cec6..89d1812 100644 --- a/ejabberd/package.use +++ b/ejabberd/package.use @@ -1,6 +1,6 @@ # Nginx app-eselect/eselect-php fpm -dev-lang/php cli curl fpm gd pdo postgres webp +dev-lang/php cli curl fpm gd pdo postgres webp zip media-gfx/imagemagick jpeg -openmp webp www-servers/nginx nginx_modules_stream_map nginx_modules_stream_ssl_preread diff --git a/ejabberd/world b/ejabberd/world index 2960277..f5f88ae 100644 --- a/ejabberd/world +++ b/ejabberd/world @@ -1,6 +1,7 @@ app-crypt/certbot-nginx dev-db/postgresql dev-lang/php +dev-php/composer dev-php/pecl-imagick media-gfx/gd-captcha media-gfx/imagemagick diff --git a/lamp/Makefile b/lamp/Makefile new file mode 100644 index 0000000..91c706e --- /dev/null +++ b/lamp/Makefile 
@@ -0,0 +1,49 @@ +02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start +cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh +PHPCONFIG = $(CHROOT)/var/tmp/phpconfig + +systemd-units: appliance/MySQL-Backup.sh appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer + cp appliance/MySQL-Backup.sh $(CHROOT)/usr/local/bin/ + cp appliance/backup.service appliance/backup.timer appliance/cert-renew.service appliance/cert-renew.timer $(CHROOT)/etc/systemd/system/ + +$(02firstboot): appliance/02firstboot.start + mkdir -p $(CHROOT)/etc/local.d + cp $< $@ + touch $(CHROOT)/02firstboot + +$(cert-renew.sh): appliance/cert-renew.sh + mkdir -p $(CHROOT)/etc/ssl + cp $< $@ + +$(PHPCONFIG): + # Apache-/PHP-Konfiguration + patch $(CHROOT)/etc/php/apache2-*/php.ini < php/php.ini-opcache.diff + find $(CHROOT)/etc/php/apache2-*/ -iname php.ini -print | xargs \sed -i \ + -e 's:.*date.timezone =.*:date.timezone = Europe/Berlin:' \ + -e 's:.*max_execution_time =.*:max_execution_time = 3600:' \ + -e 's:.*max_input_time =.*:max_input_time = 3600:' \ + -e 's:.*memory_limit =.*:memory_limit = 512M:' \ + -e 's:.*post_max_size =.*:post_max_size = 8G:' \ + -e 's:.*upload_max_filesize =*.:upload_max_filesize = 8G:' \ + -e 's:.*always_populate_raw_post_data =.*:always_populate_raw_post_data = -1:' + touch $(PHPCONFIG) + +$(CHROOT)/var/lib/mysql: mariadb/my.cnf.root + # MariaDB-Konfiguration ($$, weil make ein $ entfernt) + sed -i "s/^character-set-server.*$$/character-set-server = utf8mb4/" $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + sed -iE 's/^\(log-bin\)/#\1/' $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "collation-server = utf8mb4_general_ci" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "transaction_isolation = READ-COMMITTED" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "binlog_format = ROW" >> 
$(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "expire_logs_days = 3" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "innodb_file_per_table = 1" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + echo "innodb_large_prefix = on" >> $(CHROOT)/etc/mysql/mariadb.d/50-distro-server.cnf + cp mariadb/my.cnf.root $(CHROOT)/root/.my.cnf + chmod 0600 $(CHROOT)/root/.my.cnf + rm -rf $(CHROOT)/var/lib/mysql/* + RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb' + +preinstall: + +postinstall: systemd-units $(PHPCONFIG) $(02firstboot) $(cert-renew.sh) $(CHROOT)/var/lib/mysql diff --git a/lamp/appliance/02firstboot.start b/lamp/appliance/02firstboot.start new file mode 100755 index 0000000..77c462f --- /dev/null +++ b/lamp/appliance/02firstboot.start 
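Review bot: `RUN bash -c 'yes gentoo | emerge --config dev-db/mariadb'` sets the MariaDB root password to the fixed string `gentoo`, the same value baked into `/root/.my.cnf` from `mariadb/my.cnf.root`, and nothing in the new `lamp/appliance/02firstboot.start` rotates it, so every appliance built from this image ships with a known database root credential (the ejabberd first-boot script, by contrast, resets its DB password to `$DATABASE_PASS`). Generate the password at first boot and rewrite `/root/.my.cnf` there, or at least take it from `MARIADB_ROOT_PASS ?=` with `$(if $(MARIADB_ROOT_PASS),,$(error MARIADB_ROOT_PASS is unset))` so a build cannot silently keep the default. Separately, `'s:.*upload_max_filesize =*.:upload_max_filesize = 8G:'` has `=*.` where `=.*` was meant, so the tail of the original value survives (from the usual `2M` you get `upload_max_filesize = 8G2M`, whose interpretation depends on the PHP version), and `sed -iE` is in-place with backup suffix `E`, leaving a stray `50-distro-server.cnfE` next to the real config — `sed -i -E` was presumably intended.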
@@ -0,0 +1,81 @@ +#!/bin/bash + +# variables +LABEL="DATA" +TLD="example.com" +HOST="lamp" +ORGNAME="lamp example" + +# start +set -e + +[ -e /01firstboot ] && exit 0 +[ -e /02firstboot ] || exit 0 + +# Database +systemctl stop mariadb +if [ ! -d "/$LABEL/var/lib/mysql/mysql" ]; then + echo 'Initialize MariaDB...' + mkdir -p "/$LABEL/var/lib" + rm -rf "/$LABEL/var/lib/mysql" + if [ ! -L /var/lib/mysql ]; then + rm -rf "/$LABEL/var/lib/mysql.orig" + cp -a "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig" + mv "/var/lib/mysql" "/$LABEL/var/lib/mysql" + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + elif [ -d "/$LABEL/var/lib/mysql.orig" ]; then + cp -a "/$LABEL/var/lib/mysql.orig" "/$LABEL/var/lib/mysql" + rm -rf "/var/lib/mysql" + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" + else + echo '### ERROR initialize database !!! ###' + exit 1 + fi +else + echo 'Use existing MariaDB...' + if [ ! -L /var/lib/mysql ]; then + rm -rf "/$LABEL/var/lib/mysql.orig" + mv "/var/lib/mysql" "/$LABEL/var/lib/mysql.orig" + else + rm -f "/var/lib/mysql" + fi + ln -s "/$LABEL/var/lib/mysql" "/var/lib/mysql" +fi + +if [ -x "/$LABEL/etc/ssl/cert-renew.sh" ]; then + # angepaßtes Zertifikat vorhanden (kein example) + if [ ! -L /etc/ssl/cert-renew.sh ]; then + rm -f "/$LABEL/etc/ssl/cert-renew.sh.orig" + mv "/etc/ssl/cert-renew.sh" "/$LABEL/etc/ssl/cert-renew.sh.orig" + else + rm -f "/etc/ssl/cert-renew.sh" + fi + ln -s "/$LABEL/etc/ssl/cert-renew.sh" "/etc/ssl/cert-renew.sh" +else + echo 'Create example certificate...' 
+ mkdir -p "/$LABEL/CERTS/KEYS/" + mkdir -p "/$LABEL/CERTS/$HOST.$TLD" + echo "FQDN = $HOST.$TLD" > "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ORGNAME = $ORGNAME" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo "ALTNAMES = DNS:$HOST.$TLD , DNS:$TLD" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\nencrypt_key = no\ndistinguished_name = dn\nreq_extensions = req_ext\ndefault_keyfile = ../KEYS/\$FQDN-key.pem\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ dn ]\nC = DE\nO = \$ORGNAME\nCN = \$FQDN\n" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + echo -e "\n[ req_ext ]\nsubjectAltName = \$ALTNAMES" >> "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" + openssl req -x509 -new -config "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD.cnf" -out "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem" + cp "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-cert.pem" "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-fullchain.pem" + touch "/$LABEL/CERTS/$HOST.$TLD/$HOST.$TLD-chain.pem" +fi + +rm -rf /etc/ssl/apache2 +mkdir -p /etc/ssl +ln -sf "/$LABEL/etc/ssl/apache2" "/etc/ssl/apache2" + +/etc/ssl/cert-renew.sh + +echo +echo "Success!" +echo "Do not forget to upgrade the MySQL database:" +echo " # mysql_upgrade" +echo + +rm /02firstboot diff --git a/lamp/appliance/MySQL-Backup.sh b/lamp/appliance/MySQL-Backup.sh new file mode 100755 index 0000000..19ccfc9 --- /dev/null +++ b/lamp/appliance/MySQL-Backup.sh 
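Review bot: The example private key written by `openssl req ... -keyout "/$LABEL/CERTS/KEYS/$HOST.$TLD-key.pem"` lands in a directory created under the boot-time umask, and nothing in the hunk restricts either `KEYS/` or the key file, so its mode depends on what this openssl version and the environment happen to do; since cert-renew.sh later copies this key to `/etc/ssl/apache2/server.key`, an explicit `umask 077` before the `openssl req` call and `chmod 700 "/$LABEL/CERTS/KEYS"` make the intent unambiguous. `systemctl stop mariadb` at the top has no matching start in this script; unless a later unit starts it (not visible here), first boot ends with the database down, so a `systemctl start mariadb` after the `/var/lib/mysql` symlink is in place would mirror what the ejabberd script does with PostgreSQL. The `mysql_upgrade` reminder is only printed; with `/root/.my.cnf` in place it could simply be run here.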
@@ -0,0 +1,32 @@ +#!/bin/bash +PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" + +DIR="/DATA/Backup/MySQL" + +if [ -z $1 ]; then + echo "database name missing! use --all for all db's" + exit 1; +elif [ $1 = '--all' ]; then + echo "full backup" + for i in `mysqlshow --defaults-file=/root/.my.cnf | awk '{print $2}' | grep -v Databases`; do + if [ "$i" != "information_schema" ] && [ "$i" != "performance_schema" ]; then + if test -f ${DIR}/${i}.sql; then + echo "Move ${DIR}/${i}.sql to ${DIR}/${i}.sql.1" + mv ${DIR}/${i}.sql ${DIR}/${i}.sql.1 + fi + echo "dump ${i} to ${DIR}/${i}.sgl" + mysqldump --defaults-file=/root/.my.cnf --single-transaction --events --opt -QF -r${DIR}/${i}.sql $i + chmod 600 ${DIR}/${i}.sql + fi + done; +elif [ -n $1 ]; then + echo "Starting backup of $1" + if test -f $DIR/$1.sql; then + echo "Move $DIR/$1.sql to $DIR/$1.sql.1" + mv ${DIR}/${1}.sql ${DIR}/${1}.sql.1 + fi + mysqldump --defaults-file=/root/.my.cnf --single-transaction --opt -QF -r${DIR}/${1}.sql $1 + chmod 600 ${DIR}/${1}.sql +fi +echo "Done" +exit 0; diff --git a/lamp/appliance/backup.service b/lamp/appliance/backup.service new file mode 100644 index 0000000..13ca921 --- /dev/null +++ b/lamp/appliance/backup.service @@ -0,0 +1,8 @@ +[Unit] +Description=execute backup tasks +RefuseManualStart=no +RefuseManualStop=yes + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/MySQL-Backup.sh --all diff --git a/lamp/appliance/backup.timer b/lamp/appliance/backup.timer new file mode 100644 index 0000000..ec59929 --- /dev/null +++ b/lamp/appliance/backup.timer @@ -0,0 +1,12 @@ +[Unit] +Description=execute backup tasks +RefuseManualStart=no +RefuseManualStop=no + +[Timer] +Persistent=false +OnCalendar=Sun *-*-* 02:19:00 +Unit=backup.service + +[Install] +WantedBy=default.target diff --git a/lamp/appliance/cert-renew.service b/lamp/appliance/cert-renew.service new file mode 100644 index 0000000..59ec86d --- /dev/null +++ b/lamp/appliance/cert-renew.service 
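Review bot: `$1` is used unquoted everywhere (`[ -z $1 ]`, `[ $1 = '--all' ]`, `mysqldump ... $1`, `${DIR}/${1}.sql`), so a name with spaces or glob characters breaks the tests, and a value like `../../root/x` is written outside `$DIR` because nothing validates it as a database name; quote each use and reject anything outside the identifier set, e.g. `case "$1" in *[!A-Za-z0-9_-]*) echo "invalid database name"; exit 1;; esac`. `$DIR` (`/DATA/Backup/MySQL`) is never created and its mode is never set, so the first timer run fails on `-r` unless something else made the directory, and the per-file `chmod 600` does not stop a world-listable parent from revealing which databases exist; `mkdir -p "$DIR" && chmod 700 "$DIR"` at the top covers both. Minor: the echo says `.sgl` where the file is `.sql`.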
@@ -0,0 +1,8 @@ +[Unit] +Description=renew certificates from git store +RefuseManualStart=no +RefuseManualStop=yes + +[Service] +Type=oneshot +ExecStart=/etc/ssl/cert-renew.sh diff --git a/lamp/appliance/cert-renew.sh b/lamp/appliance/cert-renew.sh new file mode 100755 index 0000000..ccedc40 --- /dev/null +++ b/lamp/appliance/cert-renew.sh @@ -0,0 +1,52 @@ +#!/bin/bash + +HOST="lamp" +TLD="example.com" +FQDN="$HOST.$TLD" +LABEL="DATA" + +CERT_DIR=/$LABEL/CERTS +CERT_APACHE=/$LABEL/etc/ssl/apache2 +GETREPO="" +GETUSER="" +GETPASS="" + +function getCurrentVersion() { +# Get hash from latest revision + git log --format=format:%H -1 +} + +cd $CERT_DIR + +if [ -z "$GETREPO" ]; then + GIT_REVISION=0 + GIT_NEW_REVISION=1 + cd $FQDN +elif [ ! -d "$FQDN" ]; then + GIT_REVISION=0 + git clone "https://$GETUSER:$GETPASS@$GETREPO" + cd $FQDN + GIT_NEW_REVISION=$(getCurrentVersion) +else + cd $FQDN + GIT_REVISION=$(getCurrentVersion) + git commit -m "CRON: auto commit" + git fetch + git merge origin/master -m "Auto Merge" + GIT_NEW_REVISION=$(getCurrentVersion) +fi + +echo "old: $GIT_REVISION" +echo "new: $GIT_NEW_REVISION" + +if [ $GIT_REVISION != $GIT_NEW_REVISION ] +then + echo "Update Apache certificate..." + mkdir -p $CERT_APACHE + cp $CERT_DIR/$FQDN/$FQDN-fullchain.pem $CERT_APACHE/server.crt + cp $CERT_DIR/KEYS/$FQDN-key.pem $CERT_APACHE/server.key + echo "Restarting Apache..." + systemctl is-active --quiet apache2 && systemctl restart apache2 +fi + +exit 0 diff --git a/lamp/appliance/cert-renew.timer b/lamp/appliance/cert-renew.timer new file mode 100644 index 0000000..fa2ee54 --- /dev/null +++ b/lamp/appliance/cert-renew.timer @@ -0,0 +1,12 @@ +[Unit] +Description=renew certificates from git store +RefuseManualStart=no +RefuseManualStop=no + +[Timer] +Persistent=false +OnCalendar=Sun *-*-* 04:03:00 +Unit=cert-renew.service + +[Install] +WantedBy=default.target diff --git a/lamp/make.conf b/lamp/make.conf new file mode 100644 index 0000000..b2aad95 --- /dev/null 
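Review bot: `git clone "https://$GETUSER:$GETPASS@$GETREPO"` embeds the repository credential in the remote URL, which git persists in `.git/config` under `$CERT_DIR` and which is visible in the process list for the duration of the clone; clone plain `https://$GETREPO` and supply the secret through a credential helper or a root-only `~/.netrc` (`chmod 600`). `cd $CERT_DIR` and `cd $FQDN` are unchecked and the script has no `set -e`, so a missing directory lets `git commit`/`git merge` run wherever the shell happens to be and the `cp` of `server.key` can fail after the certificate was already replaced; `cd "$CERT_DIR/$FQDN" || exit 1` and a quoted `[ "$GIT_REVISION" != "$GIT_NEW_REVISION" ]` (which otherwise errors when `git log` prints nothing) make those failures explicit. `cp ... $CERT_APACHE/server.key` inherits the source file's mode from the checkout; `install -m 600` pins the key's permissions regardless of what was committed.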
+++ b/lamp/make.conf
@@ -0,0 +1 @@
+PHP_TARGETS="php8-0"
diff --git a/lamp/mariadb/my.cnf.root b/lamp/mariadb/my.cnf.root
new file mode 100644
index 0000000..b5ac578
--- /dev/null
+++ b/lamp/mariadb/my.cnf.root
@@ -0,0 +1,11 @@
+[mysqladmin]
+user = root
+password = gentoo
+
+[mysql]
+user = root
+password = gentoo
+
+[client]
+user = root
+password = gentoo
diff --git a/lamp/package.accept_keywords b/lamp/package.accept_keywords
new file mode 100644
index 0000000..8e34d53
--- /dev/null
+++ b/lamp/package.accept_keywords
@@ -0,0 +1,2 @@
+# GeoIP
+dev-php/maxmind-db-reader
diff --git a/lamp/package.use b/lamp/package.use
new file mode 100644
index 0000000..3ac410c
--- /dev/null
+++ b/lamp/package.use
@@ -0,0 +1,8 @@
+# GeoIP
+dev-php/maxmind-db-reader extension
+
+# LAMP
+app-eselect/eselect-php apache2 fpm
+dev-lang/php apache2 bcmath curl exif gd gmp imap intl ldap ldap-sasl mysql mysqli pdo sockets sqlite sysvipc truetype unicode xmlreader xmlrpc xmlwriter zip
+media-gfx/imagemagick -openmp
+www-servers/apache apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_proxy_wstunnel
diff --git a/lamp/php/php.ini-opcache.diff b/lamp/php/php.ini-opcache.diff
new file mode 100644
index 0000000..f8dd134
--- /dev/null
+++ b/lamp/php/php.ini-opcache.diff
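Review bot: This file commits the MariaDB root password (`password = gentoo`, three times) in plaintext and is copied into every image as `/root/.my.cnf` by the lamp Makefile in this commit, so the credential is both in version control and identical across every deployment; the `chmod 0600` applied at build time limits who can read it on the box, not the fact that the value is public. Treat the file as a template: keep the `user = root` sections, but have the first-boot script generate the password, apply it with `ALTER USER`, and write it into `/root/.my.cnf` there, so the committed copy never holds a real secret. A header comment such as `# template only: the password is replaced at first boot` would make that contract visible.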
@@ -0,0 +1,44 @@
+--- php.ini.orig 2020-06-10 17:18:21.946478636 +0200
++++ php.ini 2020-06-10 17:49:47.009780070 +0200
+@@ -1766,20 +1766,20 @@
+ 
+ [opcache]
+ ; Determines if Zend OPCache is enabled
+-;opcache.enable=1
++opcache.enable=1
+ 
+ ; Determines if Zend OPCache is enabled for the CLI version of PHP
+ ;opcache.enable_cli=0
+ 
+ ; The OPcache shared memory storage size.
+-;opcache.memory_consumption=128
++opcache.memory_consumption=128
+ 
+ ; The amount of memory for interned strings in Mbytes.
+-;opcache.interned_strings_buffer=8
++opcache.interned_strings_buffer=8
+ 
+ ; The maximum number of keys (scripts) in the OPcache hash table.
+ ; Only numbers between 200 and 1000000 are allowed.
+-;opcache.max_accelerated_files=10000
++opcache.max_accelerated_files=10000
+ 
+ ; The maximum percentage of "wasted" memory until a restart is scheduled.
+ ;opcache.max_wasted_percentage=5
+@@ -1797,14 +1797,14 @@
+ ; How often (in seconds) to check file timestamps for changes to the shared
+ ; memory storage allocation. ("1" means validate once per second, but only
+ ; once per request. "0" means always validate)
+-;opcache.revalidate_freq=2
++opcache.revalidate_freq=1
+ 
+ ; Enables or disables file search in include_path optimization
+ ;opcache.revalidate_path=0
+ 
+ ; If disabled, all PHPDoc comments are dropped from the code to reduce the
+ ; size of the optimized code.
+-;opcache.save_comments=1
++opcache.save_comments=1
+ 
+ ; Allow file existence override (file_exists, etc.) performance feature.
+ ;opcache.enable_file_override=0
diff --git a/lamp/world b/lamp/world
new file mode 100644
index 0000000..b1e9a71
--- /dev/null
+++ b/lamp/world
@@ -0,0 +1,15 @@
+app-arch/unzip
+app-crypt/certbot-apache
+dev-db/mariadb
+dev-db/phpmyadmin
+dev-db/redis
+dev-libs/libmaxminddb
+dev-php/composer
+dev-php/maxmind-db-reader
+dev-php/pecl-apcu
+dev-php/pecl-imagick
+dev-python/passlib
+dev-python/redis-py
+net-misc/geoipupdate
+www-apache/mod_wsgi
+www-servers/apache
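Review bot: `dev-db/phpmyadmin` goes into the default world set, which puts a full database-administration UI onto an appliance whose MariaDB root password is a fixed default elsewhere in this commit; whether webapp-config activates it automatically, and from where it is reachable, is not visible here. If it is wanted on the image, a comment in `world` and a first-boot step that leaves it disabled or bound to localhost until an operator enables it would be appropriate, e.g. `# dev-db/phpmyadmin: installed only; enable per host after the DB password is rotated`.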
diff --git a/privacyidea/Makefile b/privacyidea/Makefile index 10a7c95..1b40129 100644 --- a/privacyidea/Makefile +++ b/privacyidea/Makefile @@ -1,5 +1,5 @@ PIUSER = $(CHROOT)/var/tmp/piuser -02firstboot = $(CHROOT)/etc/local.d/02firstboot.start +02firstboot = $(CHROOT)/usr/local/bin/02firstboot.start cert-renew.sh = $(CHROOT)/etc/ssl/cert-renew.sh apache_conf = $(CHROOT)/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.orig pi_log = $(CHROOT)/var/log/privacyidea/privacyidea.log diff --git a/privacyidea/appliance/02firstboot.start b/privacyidea/appliance/02firstboot.start index a711bf7..3143cc6 100755 --- a/privacyidea/appliance/02firstboot.start +++ b/privacyidea/appliance/02firstboot.start @@ -145,4 +145,11 @@ systemctl enable apache2 systemctl restart freeradius systemctl restart apache2 +echo +echo "Success!" +echo "Do not forget to upgrade the MySQL database and the privacyIDEA Schema:" +echo " # mysql_upgrade" +echo " # privacyidea-schema-upgrade /usr/lib/privacyidea/migrations" +echo + rm /02firstboot diff --git a/privacyidea/package.accept_keywords b/privacyidea/package.accept_keywords index 1bd0427..db5adfe 100644 --- a/privacyidea/package.accept_keywords +++ b/privacyidea/package.accept_keywords @@ -1,4 +1,5 @@ # privacyIDEA +dev-perl/URI-Encode dev-python/responses dev-python/pyusb dev-python/imagesize diff --git a/privacyidea/package.use b/privacyidea/package.use index 32a62c9..3b631a7 100644 --- a/privacyidea/package.use +++ b/privacyidea/package.use @@ -10,6 +10,7 @@ sci-libs/hdf5 -cxx -fortran -hl # RADIUS (ohne Samba kein rlm_mschap.so) net-dialup/freeradius kerberos ldap mysql -python samba net-fs/samba ads gnutls ldap winbind +sys-libs/ldb ldap # LDAP net-nds/openldap overlays perl sasl diff --git a/zabbix/package.use b/zabbix/package.use index 5cfa4a5..b58763e 100644 --- a/zabbix/package.use +++ b/zabbix/package.use 
@@ -6,6 +6,7 @@ dev-java/openjdk-bin headless-awt dev-lang/php apache2 bcmath curl gd ldap mysql mysqli sockets sysvipc truetype xmlreader xmlwriter media-libs/gd jpeg png net-analyzer/zabbix curl frontend java ldap libxml2 mysql openipmi -postgres proxy server snmp ssh xmpp +net-analyzer/zabbix-headers curl frontend java ldap libxml2 mysql openipmi -postgres proxy server snmp ssh xmpp net-analyzer/net-snmp perl net-analyzer/fping suid net-print/cups-filters -foomatic -postscript