Compare commits


No commits in common. "master" and "master" have entirely different histories.

43 changed files with 673 additions and 2000 deletions


@ -195,15 +195,6 @@ upstream jvb1 {
keepalive 2;
}
EOF
require="__directory${NGINX_ETC}/conf.d" __file "${NGINX_ETC}/conf.d/jicofo.conf" \
--mode 644 \
--source - << EOF
upstream jicofo {
zone upstreams 64K;
server 127.0.0.1:8888;
keepalive 2;
}
EOF
if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present'
@ -254,9 +245,6 @@ videobridge {
enabled = true
}
}
cc {
trust-bwe = false
}
}
EOFJVB
@ -276,7 +264,7 @@ if [ -f "${__object}/parameter/disable-prometheus-exporter" ]; then
else
EXPORTER_STATE="present"
fi
__single_binary_service prometheus-jitsi-meet-exporter \
__evilham_single_binary_service prometheus-jitsi-meet-exporter \
--state "${EXPORTER_STATE}" \
--do-not-manage-user \
--user "nobody" \
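Review bot: The exporter is started as the shared `nobody` account (`--user "nobody"` together with `--do-not-manage-user`), so its process and anything it writes share a UID with every other service on the host that also falls back to `nobody`; a dedicated unprivileged account for the exporter would keep it isolated and make its activity attributable in logs. The type it now invokes, `__evilham_single_binary_service`, is namespaced to a contributor rather than to the project, so the manifest presumably depends on that contributor's type collection being installed alongside it; a one-line comment such as `# provided by the evilham cdist type collection` naming its origin would help the next maintainer. The `if`/`else` that sets `EXPORTER_STATE` starts before the hunk.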


@ -7,7 +7,7 @@
# We could automate this, but are using it as an indicator for the
# latest branch with which we conciliated changes.
BRANCH="jitsi-meet_10655"
BRANCH="jitsi-meet_8319"
REPO="https://github.com/jitsi/jitsi-meet"
get_url() {




@ -52,6 +52,14 @@ var interfaceConfig = {
*/
DISABLE_PRESENCE_STATUS: false,
/**
* Whether the ringing sound in the call/ring overlay is disabled. If
* {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_RINGING: false,
/**
* Whether the speech to text transcription subtitles panel is disabled.
* If {@code undefined}, defaults to {@code false}.
@ -73,6 +81,8 @@ var interfaceConfig = {
ENABLE_DIAL_OUT: true,
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
@ -107,8 +117,8 @@ var interfaceConfig = {
// Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are:
// chrome, chromium, electron, firefox , safari, webkit
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi',
@ -203,6 +213,17 @@ var interfaceConfig = {
// NATIVE_APP_NAME: 'Jitsi Meet',
/**
* Specify Firebase dynamic link properties for the mobile apps.
*/
// MOBILE_DYNAMIC_LINK: {
// APN: 'org.jitsi.meet',
// APP_CODE: 'w2atb',
// CUSTOM_DOMAIN: undefined,
// IBI: 'com.atlassian.JitsiMeet.ios',
// ISI: '1165103905'
// },
/**
* Hide the logo on the deep linking pages.
*/
@ -216,7 +237,7 @@ var interfaceConfig = {
/**
* Specify custom URL for downloading f droid app.
*/
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/packages/org.jitsi.meet/',
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
// Connection indicators (
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,


@ -41,6 +41,14 @@ var interfaceConfig = {
*/
DISABLE_PRESENCE_STATUS: false,
/**
* Whether the ringing sound in the call/ring overlay is disabled. If
* {@code undefined}, defaults to {@code false}.
*
* @type {boolean}
*/
DISABLE_RINGING: false,
/**
* Whether the speech to text transcription subtitles panel is disabled.
* If {@code undefined}, defaults to {@code false}.
@ -62,6 +70,8 @@ var interfaceConfig = {
ENABLE_DIAL_OUT: true,
ENABLE_FEEDBACK_ANIMATION: false, // Enables feedback star animation.
FILM_STRIP_MAX_HEIGHT: 120,
GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
@ -96,8 +106,8 @@ var interfaceConfig = {
// Names of browsers which should show a warning stating the current browser
// has a suboptimal experience. Browsers which are not listed as optimal or
// unsupported are considered suboptimal. Valid values are:
// chrome, chromium, electron, firefox , safari, webkit
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'electron', 'safari', 'webkit' ],
// chrome, chromium, edge, electron, firefox, nwjs, opera, safari
OPTIMAL_BROWSERS: [ 'chrome', 'chromium', 'firefox', 'nwjs', 'electron', 'safari' ],
POLICY_LOGO: null,
PROVIDER_NAME: 'Jitsi',
@ -192,6 +202,17 @@ var interfaceConfig = {
// NATIVE_APP_NAME: 'Jitsi Meet',
/**
* Specify Firebase dynamic link properties for the mobile apps.
*/
// MOBILE_DYNAMIC_LINK: {
// APN: 'org.jitsi.meet',
// APP_CODE: 'w2atb',
// CUSTOM_DOMAIN: undefined,
// IBI: 'com.atlassian.JitsiMeet.ios',
// ISI: '1165103905'
// },
/**
* Hide the logo on the deep linking pages.
*/
@ -205,7 +226,7 @@ var interfaceConfig = {
/**
* Specify custom URL for downloading f droid app.
*/
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/packages/org.jitsi.meet/',
// MOBILE_DOWNLOAD_LINK_F_DROID: 'https://f-droid.org/en/packages/org.jitsi.meet/',
// Connection indicators (
// CONNECTION_INDICATOR_AUTO_HIDE_ENABLED,


@ -1 +1 @@
2.0.10655-1
2.0.8319-1


@ -12,11 +12,6 @@ JITSI_NGINX_CONFIG="$(cat <<EOF
# audio/wav wav;
#}
# These upstreams are managed by __jitsi_meet
#upstream jicofo {
# zone upstreams 64K;
# server 127.0.0.1:8888;
# keepalive 2;
#}
#upstream prosody {
# zone upstreams 64K;
# server 127.0.0.1:5280;
@ -50,8 +45,8 @@ server {
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
server_name ${DOMAIN};
include snippets/acme-challenge.conf;
@ -67,10 +62,6 @@ server {
add_header Strict-Transport-Security "max-age=63072000" always;
set \$prefix "";
# Try the custom page for this domain, fallback to default page
set \$custom_index "index-${DOMAIN}.html";
# We expect this domain to be properly configured, the file should exist
set \$config_js_location "/etc/jitsi/meet/${DOMAIN}-config.js";
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
@ -82,7 +73,7 @@ server {
ssi_types application/x-javascript application/javascript;
# Try the custom page for this domain, fallback to default page
index \$custom_index index.html index.htm;
index index-${DOMAIN}.html index.html index.htm;
error_page 404 /static/404.html;
gzip on;
@ -91,10 +82,9 @@ server {
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
# include /etc/jitsi/meet/jaas/*.conf;
# We expect this domain to be properly configured, the file should exist
location = /config.js {
alias \$config_js_location;
alias /etc/jitsi/meet/${DOMAIN}-config.js;
}
# We expect this domain to be properly configured, the file should exist
location = /interface_config.js {
@ -120,13 +110,8 @@ server {
proxy_set_header Host \$http_host;
}
location ~ ^/_api/public/(.*)\$ {
autoindex off;
alias /etc/jitsi/meet/public/\$1;
}
# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)\$
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)\$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/\$1/\$2;
@ -194,30 +179,11 @@ server {
# alias /usr/share/jitsi-meet/load-test/libs/\$1;
#}
location = /_unlock {
add_header 'Access-Control-Allow-Origin' '*';
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
add_header "Cache-Control" "no-cache, no-store";
}
location ~ ^/conference-request/v1([/].*)?\$ {
proxy_pass http://jicofo/conference-request/v1\$1;
add_header "Cache-Control" "no-cache, no-store";
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Content-Type';
}
location ~ ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ {
rewrite ^/([^/?&:'"]+)/conference-request/v1([/].*)?\$ /conference-request/v1\$2;
}
location ~ ^/([^/?&:'"]+)\$ {
set \$roomname "\$1";
try_files \$uri @root_path;
}
location @root_path {
# rewrite ^/(.*)\$ /\$custom_index break;
rewrite ^/(.*)\$ / break;
}
@ -226,16 +192,9 @@ server {
set \$subdomain "\$1.";
set \$subdir "\$1/";
alias \$config_js_location;
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
## Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
#location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ {
# set \$subdomain "\$1.";
# set \$subdir "\$1/";
# rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)\$ /\$2;
#}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set \$subdomain "\$1.";
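Review bot: The per-tenant `config.js` location hard-codes `alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;` inside a template that otherwise derives that path from the domain (the `location = /config.js` block of the same file uses `alias /etc/jitsi/meet/${DOMAIN}-config.js;`), so any deployment whose domain is not the example one serves a missing or foreign configuration to tenant URLs; the line should read `alias /etc/jitsi/meet/${DOMAIN}-config.js;`. The enclosing tenant `config.js` location block starts before the hunk. Separately, nginx's `add_header` inside a location replaces the whole server-level `add_header` set, so the `Strict-Transport-Security` header configured at server level is not sent on responses from the locations that add their own `Access-Control-Allow-Origin` header unless it is repeated there; the same applies to the example configuration in the next file section.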


@ -43,8 +43,8 @@ server {
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
server_name jitsi-meet.example.com;
# Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
@ -58,8 +58,6 @@ server {
add_header Strict-Transport-Security "max-age=63072000" always;
set $prefix "";
set $custom_index "";
set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
@ -79,10 +77,8 @@ server {
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 512;
include /etc/jitsi/meet/jaas/*.conf;
location = /config.js {
alias $config_js_location;
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
location = /external_api.js {
@ -96,13 +92,8 @@ server {
proxy_set_header Host $http_host;
}
location ~ ^/_api/public/(.*)$ {
autoindex off;
alias /etc/jitsi/meet/public/$1;
}
# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/$1/$2;
@ -150,30 +141,12 @@ server {
# alias /usr/share/jitsi-meet/load-test/libs/$1;
#}
location = /_unlock {
add_header 'Access-Control-Allow-Origin' '*';
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains';
add_header "Cache-Control" "no-cache, no-store";
}
location ~ ^/conference-request/v1(\/.*)?$ {
proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
add_header "Cache-Control" "no-cache, no-store";
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Content-Type';
}
location ~ ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ {
rewrite ^/([^/?&:'"]+)/conference-request/v1(\/.*)?$ /conference-request/v1$2;
}
location ~ ^/([^/?&:'"]+)$ {
set $roomname "$1";
try_files $uri @root_path;
}
location @root_path {
rewrite ^/(.*)$ /$custom_index break;
rewrite ^/(.*)$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js$
@ -181,14 +154,7 @@ server {
set $subdomain "$1.";
set $subdir "$1/";
alias $config_js_location;
}
# Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
alias /etc/jitsi/meet/jitsi-meet.example.com-config.js;
}
# BOSH for subdomains


@ -30,10 +30,6 @@ PROSODY_CONFIG="$(cat <<EOFPROSODY
-- Managed remotely, changes will be lost
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
-- We need this for prosody 13.0
component_admins_as_room_owners = true
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
@ -74,11 +70,6 @@ unlimited_jids = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}",
"jvb@auth.${JITSI_HOST:?}"
}
-- https://prosody.im/doc/modules/mod_smacks
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_old_sessions = 1;
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
@ -97,17 +88,23 @@ VirtualHost "${JITSI_DOMAIN:?}"
key = "/etc/prosody/certs/${JITSI_DOMAIN:?}.key";
certificate = "/etc/prosody/certs/${JITSI_DOMAIN:?}.crt";
}
av_moderation_component = "avmoderation.${JITSI_DOMAIN:?}"
speakerstats_component = "speakerstats.${JITSI_DOMAIN:?}"
conference_duration_component = "conferenceduration.${JITSI_DOMAIN:?}"
end_conference_component = "endconference.${JITSI_DOMAIN:?}"
-- we need bosh
modules_enabled = {
"bosh";
"websocket";
"smacks";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"features_identity";
"conference_duration";
"end_conference";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
"room_metadata";
${PROSODY_WEBSOCKET} "websocket";
${PROSODY_WEBSOCKET} "smacks";
}
@ -118,6 +115,7 @@ ${PROSODY_WEBSOCKET} "smacks";
c2s_require_encryption = false
lobby_muc = "lobby.${JITSI_DOMAIN:?}"
breakout_rooms_muc = "breakout.${JITSI_DOMAIN:?}"
room_metadata_component = "metadata.${JITSI_DOMAIN:?}"
main_muc = "conference.${JITSI_DOMAIN:?}"
-- muc_lobby_whitelist = { "recorder.${JITSI_DOMAIN:?}" } -- Here we can whitelist jibri to enter lobby enabled rooms
@ -125,18 +123,13 @@ Component "conference.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
"muc_password_whitelist";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}" }
muc_password_whitelist = {
"${FOCUS_USER:?}@auth.${JITSI_HOST:?}"
}
muc_room_locking = false
muc_room_default_public_jids = true
@ -144,7 +137,6 @@ Component "breakout.${JITSI_DOMAIN:?}" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"muc_rate_limit";
@ -158,12 +150,13 @@ Component "breakout.${JITSI_DOMAIN:?}" "muc"
Component "internal.auth.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
modules_enabled = {
"muc_hide_all";
"ping";
}
admins = { "${FOCUS_USER:?}@auth.${JITSI_HOST:?}", "jvb@auth.${JITSI_HOST:?}" }
muc_room_locking = false
muc_room_default_public_jids = true
-- https://prosody.im/doc/modules/mod_muc
muc_room_cache_size = 1000
${PROSODY_DOMAIN_END}
${PROSODY_MAIN_START}
-- This will be managed by __jitsi_meet
@ -176,17 +169,8 @@ VirtualHost "auth.${JITSI_DOMAIN:?}"
modules_enabled = {
"limits_exception";
"smacks";
}
authentication = "internal_hashed"
smacks_hibernation_time = 15;
VirtualHost "recorder.${JITSI_DOMAIN:?}"
modules_enabled = {
"smacks";
}
authentication = "internal_hashed"
smacks_max_old_sessions = 2000;
${PROSODY_MAIN_END}
${PROSODY_DOMAIN_START}
-- This will be managed by __jitsi_meet_domain
@ -199,30 +183,28 @@ Component "focus.${JITSI_DOMAIN:?}" "client_proxy"
Component "speakerstats.${JITSI_DOMAIN:?}" "speakerstats_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "conferenceduration.${JITSI_DOMAIN:?}" "conference_duration_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "endconference.${JITSI_DOMAIN:?}" "end_conference"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "avmoderation.${JITSI_DOMAIN:?}" "av_moderation_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "filesharing.${JITSI_DOMAIN:?}" "filesharing_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
Component "lobby.${JITSI_DOMAIN:?}" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_hide_all";
"muc_rate_limit";
"polls";
}
Component "metadata.${JITSI_DOMAIN:?}" "room_metadata_component"
muc_component = "conference.${JITSI_DOMAIN:?}"
breakout_rooms_component = "breakout.${JITSI_DOMAIN:?}"
Component "polls.${JITSI_DOMAIN:?}" "polls_component"
${PROSODY_DOMAIN_END}
${PROSODY_SECUREDOMAIN_START}


@ -1,6 +1,3 @@
-- We need this for prosody 13.0
component_admins_as_room_owners = true
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
@ -15,7 +12,6 @@ external_services = {
cross_domain_bosh = false;
consider_bosh_secure = true;
consider_websocket_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
@ -39,11 +35,6 @@ unlimited_jids = {
"jvb@auth.jitmeet.example.com"
}
-- https://prosody.im/doc/modules/mod_smacks
smacks_max_unacked_stanzas = 5;
smacks_hibernation_time = 60;
smacks_max_old_sessions = 1;
VirtualHost "jitmeet.example.com"
authentication = "jitsi-anonymous" -- do not delete me
-- Properties below are modified by jitsi-meet-tokens package config
@ -58,21 +49,28 @@ VirtualHost "jitmeet.example.com"
key = "/etc/prosody/certs/jitmeet.example.com.key";
certificate = "/etc/prosody/certs/jitmeet.example.com.crt";
}
av_moderation_component = "avmoderation.jitmeet.example.com"
speakerstats_component = "speakerstats.jitmeet.example.com"
conference_duration_component = "conferenceduration.jitmeet.example.com"
end_conference_component = "endconference.jitmeet.example.com"
-- we need bosh
modules_enabled = {
"bosh";
"websocket";
"smacks";
"pubsub";
"ping"; -- Enable mod_ping
"speakerstats";
"external_services";
"features_identity";
"conference_duration";
"end_conference";
"muc_lobby_rooms";
"muc_breakout_rooms";
"av_moderation";
"room_metadata";
}
c2s_require_encryption = false
lobby_muc = "lobby.jitmeet.example.com"
breakout_rooms_muc = "breakout.jitmeet.example.com"
room_metadata_component = "metadata.jitmeet.example.com"
main_muc = "conference.jitmeet.example.com"
-- muc_lobby_whitelist = { "recorder.jitmeet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
@ -80,17 +78,13 @@ Component "conference.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"polls";
--"token_verification";
"muc_rate_limit";
"muc_password_whitelist";
}
admins = { "focusUser@auth.jitmeet.example.com" }
muc_password_whitelist = {
"focusUser@auth.jitmeet.example.com"
}
muc_room_locking = false
muc_room_default_public_jids = true
@ -98,7 +92,6 @@ Component "breakout.jitmeet.example.com" "muc"
restrict_room_creation = true
storage = "memory"
modules_enabled = {
"muc_hide_all";
"muc_meeting_id";
"muc_domain_mapper";
"muc_rate_limit";
@ -112,7 +105,6 @@ Component "breakout.jitmeet.example.com" "muc"
Component "internal.auth.jitmeet.example.com" "muc"
storage = "memory"
modules_enabled = {
"muc_hide_all";
"ping";
}
admins = { "focusUser@auth.jitmeet.example.com", "jvb@auth.jitmeet.example.com" }
@ -122,17 +114,8 @@ Component "internal.auth.jitmeet.example.com" "muc"
VirtualHost "auth.jitmeet.example.com"
modules_enabled = {
"limits_exception";
"smacks";
}
authentication = "internal_hashed"
smacks_hibernation_time = 15;
VirtualHost "recorder.jitmeet.example.com"
modules_enabled = {
"smacks";
}
authentication = "internal_hashed"
smacks_max_old_sessions = 2000;
-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.jitmeet.example.com" "client_proxy"
@ -141,27 +124,25 @@ Component "focus.jitmeet.example.com" "client_proxy"
Component "speakerstats.jitmeet.example.com" "speakerstats_component"
muc_component = "conference.jitmeet.example.com"
Component "conferenceduration.jitmeet.example.com" "conference_duration_component"
muc_component = "conference.jitmeet.example.com"
Component "endconference.jitmeet.example.com" "end_conference"
muc_component = "conference.jitmeet.example.com"
Component "avmoderation.jitmeet.example.com" "av_moderation_component"
muc_component = "conference.jitmeet.example.com"
Component "filesharing.jitmeet.example.com" "filesharing_component"
muc_component = "conference.jitmeet.example.com"
Component "lobby.jitmeet.example.com" "muc"
storage = "memory"
restrict_room_creation = true
muc_room_locking = false
muc_room_default_public_jids = true
modules_enabled = {
"muc_hide_all";
"muc_rate_limit";
"polls";
}
Component "metadata.jitmeet.example.com" "room_metadata_component"
muc_component = "conference.jitmeet.example.com"
breakout_rooms_component = "breakout.jitmeet.example.com"
Component "polls.jitmeet.example.com" "polls_component"


@ -41,25 +41,21 @@ subdomains
umask
Set the umask for the socket and PID file.
userid
Change the user the opendkim program is to run as.
By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
command-line and FreeBSD's rc will set it to `mailnull`.
custom-config
The string following this parameter is appended as-is in the configuration, to
enable more complex configurations.
BOOLEAN PARAMETERS
------------------
syslog
Log to syslog.
DEPRECATED PARAMETERS
---------------------
userid
Change the user the opendkim program is to run as.
By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
command-line and FreeBSD's rc will set it to `mailnull`.
EXAMPLES
--------


@ -29,7 +29,6 @@ case "$os" in
'freebsd')
CFG_DIR="/usr/local/etc/mail"
service="milter-opendkim"
start_service="milteropendkim"
;;
*)
printf "__opendkim does not yet support %s.\n" "$os" >&2
@ -91,11 +90,7 @@ fi
require="__package/opendkim" __file "$target_file" \
--source "$source_file" --mode 0644
# Due to the way rc.conf works on *BSD, we find ourselves in the awkward
# situation, where a service's name can contain a '-' symbol, but the
# rc.conf setting to enable a service at boot cannot.
# Unless start_service has been defined before, these two match.
require="__package/opendkim" __start_on_boot "${start_service:-${service}}"
require="__package/opendkim" __start_on_boot "${service}"
# Ensure Key and Signing tables exist and have proper permissions
key_table="${CFG_DIR}/KeyTable"
@ -110,7 +105,7 @@ require="__package/opendkim" \
--mode 444
require="__file${target_file} __file${key_table}
__file${signing_table} __start_on_boot/${start_service:-${service}}" \
__file${signing_table} __start_on_boot/${service}" \
__check_messages opendkim \
--pattern "^__file${target_file}" \
--execute "service ${service} restart"
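Review bot: On FreeBSD the new code calls `__start_on_boot "${service}"` with `service="milter-opendkim"`, while the comment dropped in the same hunk states that an rc.conf enable setting cannot contain the `-` that this service name contains, which is what the removed `start_service="milteropendkim"` override compensated for; unless `__start_on_boot` now maps the name itself, boot enablement on FreeBSD is presumably broken by this simplification. Keeping the override, `__start_on_boot "${start_service:-${service}}"`, together with the matching `__start_on_boot/${start_service:-${service}}` entry in the `require` list of the `__check_messages` call, or documenting why it is no longer needed, would settle it. The `case "$os"` statement starts before the first hunk.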


@ -1,2 +0,0 @@
This can cause inconsistencies with permissions and will stop being supported.
If you still need this, you can use --custom-config 'UserId $USERID'.


@ -1,32 +0,0 @@
#!/bin/sh -e
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ];
then
# Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi
KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')"
DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private"
if [ -s "${DEFAULT_PATH}" ]; then
# This is the main location for the key
FOUND_PATH="${DEFAULT_PATH}"
else
# This is a backwards-compatible location for the key
# Keys generated post March 2022 should not land here
if [ -f "${__object:?}/parameter/selector" ]; then
SELECTOR="$(cat "${__object:?}/parameter/selector")"
if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then
FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private"
fi
fi
fi
if [ -n "${FOUND_PATH}" ]; then
printf "present\t%s" "${FOUND_PATH}"
else
# We didn't find the key
# We pass the default path here, to easen logic in the rest of the type
printf "absent\t%s" "${DEFAULT_PATH}"
fi


@ -19,8 +19,8 @@
#
# Required parameters
DOMAIN="$(cat "${__object:?}/domain")"
SELECTOR="$(cat "${__object:?}/selector")"
DOMAIN="$(cat "${__object:?}/parameter/domain")"
SELECTOR="$(cat "${__object:?}/parameter/selector")"
# Optional parameters
BITS=
@ -28,6 +28,12 @@ if [ -f "${__object:?}/parameter/bits" ]; then
BITS="-b $(cat "${__object:?}/parameter/bits")"
fi
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; then
# Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi
# Boolean parameters
SUBDOMAINS=
if [ -f "${__object:?}/parameter/no-subdomains" ]; then
@ -42,24 +48,9 @@ fi
user="$(cat "${__object:?}/user")"
group="$(cat "${__object:?}/group")"
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
if [ "${KEY_STATE:?}" = "absent" ]; then
# opendkim-genkey(8) does not allow specifying the file name.
# To err on the safe side (and avoid potentially killing other keys)
# we operate on a temporary directory first, then move the resulting key
cat <<-EOF
tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"
opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS
# Relocate and ensure permissions
mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}'
chown ${user}:${group} '${KEY_LOCATION}'
chmod 0600 '${KEY_LOCATION}'
if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
# This is usually generated, if it weren't we do not want to fail
mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true
chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true
# Cleanup after ourselves
rmdir "\${tmp_dir:?}" || true
EOF
echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
fi
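Review bot: The guard `if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then` runs where gencode-remote itself executes, not on the target host, so it tests the wrong filesystem: the key is regenerated on every run when that path does not exist locally, or never generated when it happens to exist locally. The existence test has to happen on the target, either through an explorer (the `explorer/key-state` script removed in this comparison did that) or by emitting the check as part of the generated remote code, as sketched below. The key file is also named by selector alone, so two objects with the same selector in one directory would silently share or overwrite one key across domains; including the domain in the file name, or documenting that selectors must be unique per directory, would avoid that. The emitted commands additionally leave `$DOMAIN`, `$DIRECTORY` and `$SELECTOR` unquoted.
```shell
# … unchanged: reading DOMAIN, SELECTOR, BITS, DIRECTORY, SUBDOMAINS, user and group …
cat <<EOF
if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
    opendkim-genkey $BITS --domain="${DOMAIN}" --directory="${DIRECTORY}" $RESTRICTED --selector="${SELECTOR}" $SUBDOMAINS
    chown "${user}:${group}" "${DIRECTORY}${SELECTOR}.private"
    chown "${user}:${group}" "${DIRECTORY}${SELECTOR}.txt" || true
fi
EOF
```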


@ -10,27 +10,23 @@ DESCRIPTION
-----------
This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
usage by `opendkim(8)` to sign outgoing emails.
It also manages the key, identified by its `$__object_id` in OpenDKIM's
KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and
`--sigdomain` respectively).
This type will also manage the entries in the OpenDKIM's SigningTable by
associating any given `sigkey` values to this key.
Take into account that if you use this type without the `--domain` and
`--selector` parameters, the `$__object_id` must be in form `$domain/$selector`.
usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain,
selector and keyname in the `$selector._domainkey.$domain` format will be added
to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
will be added to the OpenDKIM signing table, using either the domain or the
provided key for the `domain:selector:keyfile` value in the table. An existing
key will not be overwritten.
Currently, this type is only implemented for Alpine Linux and FreeBSD.
Please contribute an implementation if you can.
NOTE: the name of the key file under `--directory` will default to
`$__object_id.private`, but if that fails and `--selector` is used,
`SELECTOR.private` will be considered.
Take care when using unrelated keys that might collide this way.
For more information see:
https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20
REQUIRED PARAMETERS
-------------------
domain
The domain to generate the key for.
selector
The DKIM selector to generate the key for.
OPTIONAL PARAMETERS
@ -42,36 +38,10 @@ bits
directory
The directory in which to generate the key, `/var/db/dkim/` by default.
domain
The domain to generate the key for.
If omitted, `--selector` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
selector
The DKIM selector to generate the key for.
If omitted, `--domain` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
sigdomain
Specified in the KeyTable, the domain to use in the signature's "d=" value.
Defaults to the specified domain. If `%`, it will be replaced by the apparent
domain of the sender when generating a signature.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
See `KeyTable` in `opendkim.conf(5)` for more information.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
sigkey
The key used in the `SigningTable` for this signing key. Defaults to the
The key used in the SigningTable for this signing key. Defaults to the
specified domain. If `%`, OpenDKIM will replace it with the domain found
in the `From:` header. See `opendkim.conf(5)` for more options.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
This can be passed multiple times, resulting in multiple lines in the
SigningTable, which can be used to support signing of subdomains or multiple
domains with the same key; in that case, you probably want to set
`--sigdomain` to `%`, else the domains will not be aligned.
BOOLEAN PARAMETERS
------------------
@ -87,7 +57,6 @@ EXAMPLES
.. code-block:: sh
# Setup the OpenDKIM service
__opendkim \
--socket inet:8891@localhost \
--basedir /var/lib/opendkim \
@ -96,24 +65,14 @@ EXAMPLES
--umask 002 \
--syslog
# Continue only after the service has been set up
export require="__opendkim"
require='__opendkim' \
__opendkim_genkey default \
--domain example.com \
--selector default
# Generate a key for 'example.com' with selector 'default'
__opendkim_genkey default \
--domain example.com \
--selector default
# Generate a key for 'foo.com' with selector 'backup'
__opendkim_genkey 'foo.com/backup'
# Generate a key for 'example.org' with selector 'main'
# that can also sign 'cdi.st' and subdomains of 'example.org'
__opendkim_genkey 'example.org/main' \
--sigdomain '%' \
--sigkey 'example.org' \
--sigkey '.example.org' \
--sigkey 'cdi.st'
__opendkim_genkey myfoo \
--domain foo.com \
--selector backup
SEE ALSO


@ -35,48 +35,17 @@ case "$os" in
;;
*)
cat <<- EOF >&2
__opendkim_genkey currently only supports Alpine Linux and FreeBSD.
Please contribute an implementation for $os if you can.
__opendkim_genkey currently only supports Alpine Linux. Please
contribute an implementation for $os if you can.
EOF
exit 1
;;
esac
# Persist user and group for gencode-remote
printf '%s' "${user}" > "${__object:?}/user"
printf '%s' "${group}" > "${__object:?}/group"
# Logic to simplify the type as documented in
# https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711
DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)"
SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)"
if [ -z "${DOMAIN}${SELECTOR}" ]; then
# Neither SELECTOR nor DOMAIN were passed, try to use __object_id
if echo "${__object_id:?}" | \
grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then
# __object_id matches, let's get the data
DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)"
SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)"
else
# It doesn't match the pattern, this is sad
cat <<- EOF >&2
The arguments --domain and --selector were not used.
So __object_id must match DOMAIN/SELECTOR.
But instead the type got: ${__object_id:?}
EOF
exit 1
fi
elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then
# Only one was passed, this is sad :-(
cat <<- EOF >&2
You must pass either both --selector and --domain or none of them.
If these arguments are absent, __object_id must match: DOMAIN/SELECTOR.
EOF
exit 1
# else: both were passed
fi
# Persist data for gencode-remote
printf '%s' "${user:?}" > "${__object:?}/user"
printf '%s' "${group:?}" > "${__object:?}/group"
printf '%s' "${DOMAIN:?}" > "${__object:?}/domain"
printf '%s' "${SELECTOR:?}" > "${__object:?}/selector"
SELECTOR="$(cat "${__object:?}/parameter/selector")"
DOMAIN="$(cat "${__object:?}/parameter/domain")"
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ];
@ -90,11 +59,6 @@ if [ -f "${__object:?}/parameter/sigkey" ];
then
SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
fi
SIGDOMAIN="${DOMAIN:?}"
if [ -f "${__object:?}/parameter/sigdomain" ];
then
SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")"
fi
# Ensure the key-container directory exists with the proper permissions
__directory "${DIRECTORY}" \
@ -112,28 +76,10 @@ esac
key_table="${CFG_DIR}/KeyTable"
signing_table="${CFG_DIR}/SigningTable"
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")"
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
__line "__opendkim_genkey/${__object_id:?}" \
__line "line-key-${__object_id:?}" \
--file "${key_table}" \
--line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \
--regex "^${__object_id:?}[[:space:]]" \
--state 'replace'
--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
sigtable_block() {
for sigkey in ${SIGKEY:?}; do
echo "${sigkey:?} ${__object_id:?}"
done
}
__block "__opendkim_genkey/${__object_id:?}" \
__line "line-sig-${__object_id:?}" \
--file "${signing_table}" \
--text "$(sigtable_block)"
if [ "${KEY_STATE:?}" = "present" ]; then
# Ensure proper permissions for the key file
__file "${KEY_LOCATION}" \
--owner "${user}" \
--group "${group}" \
--mode 0600
fi
--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"


@ -1,6 +1,4 @@
bits
directory
domain
unrestricted
selector
sigdomain
sigkey

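--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1 +0,0 @@
-sigkey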

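--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,2 @@
+domain
+selector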

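--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-cat <<EOF
-; This file is managed by cdist, and has been shortened for readability.
-; The fine manual is at http://php.net/configuration.file.
-[PHP]
-; Production recommended defaults
-display_errors = Off
-display_startup_errors = Off
-enable_dl = Off
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-log_errors = On
-output_buffering = 4096
-register_argc_argv = Off
-request_order = "GP"
-short_open_tag = Off
-variables_order = "GPCS"
-zend.assertions = -1
-; Local custom variations
-include_path = ".:${PHP_INCLUDEDIR}"
-memory_limit = ${MEMORY_LIMIT:?}
-post_max_size = ${UPLOAD_MAX_FILESIZE:?}
-upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
-EOF
-if [ -f "${__object:?}/parameter/enable-opcache" ]; then
-cat <<-EOF
-; opcache enabled by type flag
-opcache.enable=1
-opcache.enable_cli=1
-EOF
-fi
-if [ -f "${__object:?}/parameter/enable-apcu" ]; then
-cat <<-EOF
-; acpu enabled by type flag
-apc.enabled=1
-apc.enable_cli=1
-apc.shm_size=512M
-EOF
-fi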

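--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,74 +0,0 @@
-cdist-type__php_fpm(7)
-======================
-NAME
-----
-cdist-type__php_fpm - Setup and configure PHP-FPM
-DESCRIPTION
------------
-This type installs and configures PHP-FPM for a given version of PHP. It is
-expected to be used in combination with cdist-type__php_fpm_pool, which
-configures specific pools.
-This type supports Debian, Ubuntu and Alpine Linux.
-REQUIRED PARAMETERS
--------------------
-php-version
-The PHP version for which the type is working. Will impact installed
-packages, configuration files, &c
-OPTIONAL PARAMETERS
--------------------
-memory-limit
-The system-wide memory limit for PHP-FPM. Can be overriden per-pool.
-Default is 512M.
-upload-max-filesize
-The maximum filesize accepted by PHP-FPM for file uploads. Default is
-2M.
-BOOLEAN PARAMETERS
-------------------
-enable-opcache
-Enable PHP opcache.
-enable-apcu
-Enable PHP APCu.
-EXAMPLES
---------
-.. code-block:: sh
-# Dead simple setup
-__php_fpm --php-version 8.1
-# Custom setup
-__php_fpm \
---php-version 8.1 \
---memory-limit 768M \
---upload-max-filesize 200M \
---enable-opcache \
---enable-apcu
-SEE ALSO
---------
-cdist-type__php_fpm_pool(7)
-AUTHORS
--------
-Joachim Desroches <joachim.desroches@epfl.ch>
-COPYING
--------
-Copyright \(C) 2022 Joachim Desroches. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.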

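--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/sh
-os=$(cat "${__global:?}/explorer/os")
-PHPVER=$(cat "${__object:?}/parameter/php-version")
-export PHPVER
-case "$os" in
-'alpine')
-# Alpine packages looks like php81-fpm - we make sure to remove dots from user
-# input.
-PHPVER=$(echo "$PHPVER" | tr -d '.')
-package="php${PHPVER}-fpm"
-opcache_package="php${PHPVER}-opcache"
-apcu_package="php${PHPVER}-pecl-apcu"
-service="php-fpm${PHPVER}"
-php_confdir="/etc/php${PHPVER}"
-php_ini="${php_confdir:?}/php.ini"
-PHP_INCLUDEDIR="/usr/share/php${PHPVER:?}"
-export PHP_INCLUDEDIR
-;;
-'debian'|'ubuntu')
-package="php${PHPVER}-fpm"
-opcache_package="php${PHPVER}-opcache"
-apcu_package="php${PHPVER}-apcu"
-service="php${PHPVER}-fpm"
-php_confdir="/etc/php/${PHPVER}"
-php_ini="${php_confdir:?}/fpm/php.ini"
-PHP_INCLUDEDIR="/usr/share/php/${PHPVER:?}"
-export PHP_INCLUDEDIR
-;;
-*)
-printf "Your operating system is currently not supported by this type\n" >&2
-printf "Please contribute an implementation for it if you can.\n" >&2
-exit 1
-;;
-esac
-__package "$package"
-require="__package/$package" __start_on_boot "$service"
-if [ -f "${__object:?}/parameter/enable-opcache" ]; then
-__package "$opcache_package"
-fi
-if [ -f "${__object:?}/parameter/enable-apcu" ]; then
-__package "$apcu_package"
-fi
-MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit")
-export MEMORY_LIMIT
-UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize")
-export UPLOAD_MAX_FILESIZE
-mkdir -p "${__object:?}/files"
-"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
-require="__package/$package" __file "${php_ini:?}" \
---mode 644 --source "${__object:?}/files/php.ini" \
---onchange "service $service restart"
-require="__file/${php_ini:?}" __service "$service" --action start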

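--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-enable-opcache
-enable-apcu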

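--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1 +0,0 @@
-512M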

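--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-upload-max-filesize
-memory-limit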

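--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1 +0,0 @@
-php-version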

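--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-cat <<EOF
-; PHP-FPM configuration file for $POOL_NAME, PHP version $PHPVER.
-; This file is managed by cdist, do not edit by hand!
-[$POOL_NAME]
-; Local non-default configuration
-user = $POOL_USER
-group = $POOL_GROUP
-listen = $POOL_LISTEN_ADDR
-listen.owner = $POOL_LISTEN_OWNER
-; Mandatory configuration options with default production values
-pm = dynamic
-pm.max_children = 10
-pm.min_spare_servers = 1
-pm.max_spare_servers = 3
-env[HOSTNAME] = \$HOSTNAME
-env[PATH] = /usr/local/bin:/usr/bin:/bin
-env[TMP] = /tmp
-env[TMPDIR] = /tmp
-env[TEMP] = /tmp
-EOF
-if [ -f "${__object:?}/parameter/memory-limit" ]; then
-echo "php_admin_value[memory_limit] = $(cat "$__object/parameter/memory-limit")"
-fi
-if [ -f "${__object:?}/parameter/open-basedir" ]; then
-echo "php_admin_value[open_basedir] = $(cat "${__object:?}/parameter/open-basedir")"
-fi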

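--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,79 +0,0 @@
-cdist-type__php_fpm_pool(7)
-===========================
-NAME
-----
-cdist-type__php_fpm_pool - Setup and configure a PHP-FPM pool
-DESCRIPTION
------------
-This type configures a pool named after the `__object_id` for a specified PHP
-version. Note that this types expects a same-version cdist-type__php_fpm type
-to have been run first: the user is responsible for doing so.
-This type supports Debian, Ubuntu and Alpine Linux.
-REQUIRED PARAMETERS
--------------------
-php-version
-The PHP version for which the type is working. Will impact installed
-packages, configuration files, &c
-pool-user
-The local user under which the pool processes should run.
-pool-group
-The local group under which the pool processes should run.
-pool-listen-addr
-The socket or address to which the pool should bind for listening.
-pool-listen-owner
-The owner of the socket if a socket is used.
-OPTIONAL PARAMETERS
--------------------
-memory-limit
-The pool memory limit for PHP-FPM. Will default to the setting in the
-system-wide php.ini file.
-openbasedir
-Limit the files that can be accessed by PHP to the specified
-directory-tree, including the file itself.
-EXAMPLES
---------
-.. code-block:: sh
-# Setup PHP-FPM
-__php_fpm --php-version 8
-# Setup the pool
-__php_fpm_pool www \
---php-version 8 \
---pool-user nextcloud \
---pool-group www-data \
---pool-listen-addr "/run/php8/php-fpm.sock" \
---pool-listen-owner nginx \
---memory-limit 1G
-SEE ALSO
---------
-cdist-type__php_fpm(7)
-AUTHORS
--------
-Joachim Desroches <joachim.desroches@epfl.ch>
-COPYING
--------
-Copyright \(C) 2022 Joachim Desroches. You can redistribute it
-and/or modify it under the terms of the GNU General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.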

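--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-os=$(cat "${__global:?}/explorer/os")
-name=${__object_id:?}
-PHPVER=$(cat "${__object:?}/parameter/php-version")
-export PHPVER
-case "$os" in
-'alpine')
-PHPVER=$(echo "$PHP_VERSION" | tr -d '.')
-service="php-fpm${PHPVER}"
-php_confdir="/etc/php${PHPVER}"
-php_pooldir="${php_confdir:?}/php-fpm.d"
-;;
-'debian'|'ubuntu')
-service="php${PHPVER}-fpm"
-php_confdir="/etc/php/${PHPVER}"
-php_pooldir="${php_confdir:?}/fpm/pool.d"
-;;
-*)
-printf "Your operating system is currently not supported by this type\n" >&2
-printf "Please contribute an implementation for it if you can.\n" >&2
-exit 1
-;;
-esac
-POOL_NAME="$name"
-POOL_USER=$(cat "${__object:?}/parameter/pool-user")
-POOL_GROUP=$(cat "${__object:?}/parameter/pool-group")
-POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr")
-POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner")
-export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
-mkdir -p "${__object:?}/files"
-"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
-__file "${php_pooldir:?}/${name}.conf" \
---mode 644 --source "${__object:?}/files/www.conf" \
---onchange "service $service reload"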

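--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-memory-limit
-open-basedir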

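--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,5 +0,0 @@
-php-version
-pool-user
-pool-group
-pool-listen-addr
-pool-listen-owner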


@ -27,6 +27,22 @@ This type supports services managed by `__runit(7)` when `systemd` is not
the init system being used.
REQUIRED PARAMETERS
-------------------
checksum
This will be passed verbatim to `__download(7)`.
Use something like `sha256:...`.
url
This will be passed verbatim to `__download(7)`.
version
This type will use a thumbstone file with a "version" number to track
whether or not a service must be updated.
This thumbstone file is placed under
`/usr/local/bin/.${__object_id}.cdist.version`.
BOOLEAN PARAMETERS
------------------
unpack
@ -43,36 +59,12 @@ do-not-manage-user
OPTIONAL PARAMETERS
-------------------
version
Required when installing a service.
This type will use a thumbstone file with a "version" number to track
whether or not a service must be updated.
This thumbstone file is placed under
`/usr/local/bin/.${__object_id}.cdist.version`.
checksum
This will be passed verbatim to `__download(7)`.
Use something like `sha256:...`.
Required if using `--url`.
config-file-destination
The remote path in which to locate the service's configuration.
Defaults to `ETC_DIR/${__object_id}.conf`.
config-file-source
If present, this file's contents will be placed under
`/etc/${__object_id}.conf` with permissions `0440` and ownership assigned to
`--user` and `--group`.
If `-` is passed, this type's `stdin` will be used.
local-source
A file on the cdist controller that will be used instead of downloading
the binary.
url
This will be passed verbatim to `__download(7)`.
When used, you must specify `--checksum` as well.
user
The user under which the service will run. Defaults to `root`.
If this user is not `root` and `--do-not-manage-user` is not present,
@ -138,10 +130,6 @@ unpack-extension
working-directory
If set, the working directory with which the service will be started.
working-directory-permissions
The permissions that will be set for the working directory.
Defaults to `0750`.
OPTIONAL MULTIPLE PARAMETERS
----------------------------


@ -1,4 +1,4 @@
#!/bin/sh -eu
#!/bin/sh -e
SERVICE_NAME="${__object_id}"
OS="$(cat "${__global}/explorer/os")"
@ -32,7 +32,7 @@ case "${INIT}" in
service_command="sv %s ${SERVICE_NAME}"
;;
*)
echo "Init system '${INIT}' is currently not supported." >&2
echo "Init system ${INIT}' is currently not supported." >&2
exit 1
;;
esac
@ -44,7 +44,7 @@ BIN_DIR="/usr/local/bin"
__directory "${BIN_DIR}" \
--state "exists" \
--mode 0755
export require="${require:-} __directory${BIN_DIR}"
export require="${require} __directory${BIN_DIR}"
STATE="$(cat "${__object}/parameter/state")"
USER="$(cat "${__object}/parameter/user")"
@ -86,36 +86,18 @@ fi
SERVICE_DEFINITION="$(cat "${__object}/parameter/service-definition" 2>/dev/null || true)"
CHECKSUM="$(cat "${__object}/parameter/checksum")"
SHOULD_VERSION="$(cat "${__object}/parameter/version" 2>/dev/null || true)"
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
fi
DOWNLOAD_URL="$(cat "${__object}/parameter/url")"
LOCAL_SOURCE="$(cat "${__object}/parameter/local-source")"
if [ "${STATE}" = "present" ] && [ -z "${SHOULD_VERSION}" ]; then
cat >&1 <<-EOM
When installing a service, --version must be specified.
EOM
exit 1
fi
if [ "${STATE}" = "present" ] && [ -z "${DOWNLOAD_URL}${LOCAL_SOURCE}" ]; then
cat >&1 <<-EOM
Exactly one of --url or --local-source must be specified.
EOM
exit 1
fi
if [ -n "${DOWNLOAD_URL}" ] && [ -z "${CHECKSUM}" ]; then
cat >&1 <<-EOM
You must specify --checksum when using --url.
EOM
exit 1
fi
if [ "${LOCAL_SOURCE}" = "-" ]; then
LOCAL_SOURCE="${__object}/stdin"
fi
CHECKSUM="$(cat "${__object}/parameter/checksum")"
SHOULD_VERSION="$(cat "${__object}/parameter/version")"
# Create a user for the service if it is not root
USER_HOME_DIR="/root"
require_user_created=""
service_require=""
if [ "${USER}" != "root" ] && \
[ ! -f "${__object}/parameter/do-not-manage-user" ]; then
if [ "${STATE}" = "absent" ]; then
@ -126,45 +108,24 @@ if [ "${USER}" != "root" ] && \
if [ "${USER_HOME_DIR}" != "/nonexistent" ]; then
USER_CREATE_HOME="--create-home"
fi
require="${require} ${user_require:-}" __user "${USER}" \
require="${require} ${user_require}" __user "${USER}" \
--system \
--state "${STATE}" \
--home "${USER_HOME_DIR}" \
--comment "cdist-managed service user" \
${USER_CREATE_HOME}
require_user_created="__user/${USER}"
# Track dependencies
service_require="${service_require} ${require_user_created}"
fi
# Adapt directory permissions when necessary
WORKING_DIRECTORY_PERMISSIONS="$(cat "${__object}/parameter/working-directory-permissions")"
WORKING_DIRECTORY_PATH="$(cat "${__object}/parameter/working-directory" 2>/dev/null || true)"
if [ -n "${WORKING_DIRECTORY_PATH}" ]; then
WORKING_DIRECTORY_SYSTEMD="WorkingDirectory=${WORKING_DIRECTORY_PATH}"
WORKING_DIRECTORY_RUNIT="cd '${WORKING_DIRECTORY_PATH}'"
require="${require_user_created}" __directory \
"${WORKING_DIRECTORY_PATH}" --state present \
--mode "${WORKING_DIRECTORY_PERMISSIONS}" \
--owner "${USER}" --group "${GROUP}"
service_require="${service_require} __user/${USER}"
fi
# Place config file if necessary
CONFIG_FILE_DEST="$(cat "${__object}/parameter/config-file-destination" 2>/dev/null || true)"
if [ -z "${CONFIG_FILE_DEST}" ]; then
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
else
require="${require_user_created}" __directory \
"$(dirname "${WORKING_DIRECTORY_PATH}")" --state present \
--mode "${WORKING_DIRECTORY_PERMISSIONS}" \
--owner "${USER}" --group "${GROUP}"
fi
CONFIG_FILE_DEST="${ETC_DIR}/${SERVICE_NAME}.conf"
CONFIG_FILE_SOURCE="$(cat "${__object}/parameter/config-file-source" 2>/dev/null || true)"
if [ "${CONFIG_FILE_SOURCE}" = "-" ]; then
CONFIG_FILE_SOURCE="${__object}/stdin"
fi
if [ -n "${CONFIG_FILE_SOURCE}" ] && [ "${STATE}" = "present" ]; then
require="${require} ${require_user_created}" __file \
require="${require} __user/${USER}" __file \
"${CONFIG_FILE_DEST}" \
--owner "${USER}" \
--group "${GROUP}" \
@ -203,7 +164,7 @@ Group=${GROUP}
ExecStart=${SERVICE_EXEC}
Restart=always
EnvironmentFile=${SYSTEMD_ENV_FILE}
${WORKING_DIRECTORY_SYSTEMD:-}
${WORKING_DIRECTORY_SYSTEMD}
[Install]
WantedBy=multi-user.target
@ -300,23 +261,15 @@ EOF
UNPACK_EXTENSION="$(cat "${__object}/parameter/unpack-extension")"
UNPACK_ARGS="$(cat "${__object}/parameter/unpack-args" \
2>/dev/null || true)"
# Place packed file
if [ -n "${DOWNLOAD_URL}" ]; then
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
require_place_file="__download${TMP_PATH}${UNPACK_EXTENSION}"
else
# TODO: this doesn't use CHECKSUM
__file "${TMP_PATH}${UNPACK_EXTENSION}" \
--source "${LOCAL_SOURCE}"
require_place_file="__file${TMP_PATH}${UNPACK_EXTENSION}"
fi
# Download packed file
__download "${TMP_PATH}${UNPACK_EXTENSION}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
# Unpack file and also perform service upgrade
# shellcheck disable=SC2086
require="${require_place_file}" \
require="__download${TMP_PATH}${UNPACK_EXTENSION}" \
__unpack "${TMP_PATH}${UNPACK_EXTENSION}" \
${UNPACK_ARGS} \
--destination "${TMP_PATH}"
@ -324,20 +277,14 @@ EOF
else
# Create temp directory
__directory "${TMP_PATH}"
# Place in temp directory with the specified binary name
if [ -n "${DOWNLOAD_URL}" ]; then
require="__directory${TMP_PATH}" __download \
"${TMP_PATH}/${BINARY}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
version_bump_require="__download${TMP_PATH}/${BINARY}"
else
require="__directory${TMP_PATH}" __file \
"${TMP_PATH}/${BINARY}" \
--source "${LOCAL_SOURCE}"
version_bump_require="__file${TMP_PATH}/${BINARY}"
fi
# Download binary directoy to the temp directory with the
# specified binary name
require="__directory${TMP_PATH}" __download \
"${TMP_PATH}/${BINARY}" \
--url "${DOWNLOAD_URL}" \
--download remote \
--sum "${CHECKSUM}"
version_bump_require="__download${TMP_PATH}/${BINARY}"
fi
# Perform update of cdist-managed version file
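Review bot: `require="${require} __user/${USER}" __file "${CONFIG_FILE_DEST}"` on the new side names a `__user/${USER}` object that this manifest only emits when `USER` is not `root` and `--do-not-manage-user` is absent (the condition at the head of the user-creation block), so for a root or externally managed service user the config file depends on an object this type never creates and cdist will presumably reject the unresolved requirement. Recording the emitted object in a variable set inside that branch and requiring it here, `require="${require} ${require_user_created}" __file \`, keeps the dependency correct in all three cases. The new-side error message `echo "Init system ${INIT}' is currently not supported." >&2` also has an unmatched quote and should read `echo "Init system '${INIT}' is currently not supported." >&2`. If `__directory "$(dirname "${WORKING_DIRECTORY_PATH}")" --state present --mode "${WORKING_DIRECTORY_PERMISSIONS}" --owner "${USER}"` is indeed the new-side line of the working-directory block (the rendering does not make the side certain), it re-modes and chowns the parent of the working directory to the service user rather than the directory itself, which grants that user control over sibling entries; worth confirming against the raw diff.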


@ -1,20 +1,14 @@
checksum
config-file-source
config-file-destination
env
user
group
state
binary
local-source
service-args
service-exec
service-description
service-definition
unpack-extension
unpack-args
url
user-home-dir
version
working-directory
working-directory-permissions

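--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+url
+checksum
+version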