bero/test
1
0
Fork 0
Code Issues 52 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

First commit

Browse Source
This commit is contained in:
Derek Crudgington 2022-09-14 12:03:30 +00:00
parent f95bf165a6
commit f0d0bc1503
7 changed files with 1008 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
fstack/lib/checks.sh Normal file
View File

@ -0,0 +1,105 @@
#!/bin/bash
#
# Federated Stack Checks
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
check_docker() {
OSRELEASE=`lsb_release -a 2>/dev/null | grep ID | awk -F: '{ print $2 }' | xargs`
if ! command -v docker &> /dev/null; then
echo -ne "\n* Couldn't find docker, installing.."
spin &
SPINPID=$!
# Install Docker on Ubuntu
if [ $OSRELEASE == "Ubuntu" ]; then
# Update list of packages
sudo apt-get update -y &> /dev/null
[ $? -ne 0 ] && failcheck "Couldn't run sudo apt-get update"
# Install packages which let apt use packages over HTTPS
sudo apt install apt-transport-https ca-certificates curl software-properties-common -y &> /dev/null
[ $? -ne 0 ] && failcheck "Couldn't run sudo apt install for https packages"
# Add GPG key for the official Docker repository to this system
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - &> /dev/null
[ $? -ne 0 ] && failcheck "Couldn't run curl to add Docker GPG key"
# Add the docker repository to our APT sources list
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable" -y &> /dev/null
[ $? -ne 0 ] && failcheck "Couldn't run sudo add-apt-repository"
# Install docker packages
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-compose -y &> /dev/null
[ $? -ne 0 ] && failcheck "Couldn't run sudo apt install docker packages"
fi
kill -9 $SPINPID &> /dev/null
echo -ne "done."
fi
if ! command -v docker-compose &> /dev/null; then
echo -ne "\n* Couldn't find docker-compose, installing.."
spin &
SPINPID=$!
# Install Docker compose on Ubuntu
if [ $OSRELEASE == "Ubuntu" ]; then
sudo apt-get install docker-compose -y &> /dev/null
fi
kill -9 $SPINPID &> /dev/null
echo -ne "done."
fi
}
check_ports() {
EXTERNALIP=`dig @resolver4.opendns.com myip.opendns.com +short 2> /dev/null`
[ $? -ne 0 ] && failcheck "Couldn't run dig, dns is not working"
# Check if ss command exists
if command -v ss &> /dev/null; then
# Check every port we need if it's in use
for i in 25 53 80 143 389 587 993 8000; do
SS=`ss -tulwn | grep LISTEN | awk '{ print $5 }' | awk -F: '{ print $NF }' | grep "^$i$" | head -1`
# If port 53 (dns) in use by system-resolvd (Ubuntu) then auto fix
if [ "$SS" == 53 ]; then
if [ $OSRELEASE == "Ubuntu" ]; then
grep "127\.0" /etc/resolv.conf &> /dev/null
if [ $? -eq 0 ]; then
echo -ne "\n* Port 53 in use by systemd-resolved, fixing.."
spin &
SPINPID=$!
# Install resolvconf to fix
sudo apt install resolvconf -y &> /dev/null
[ $? -eq 0 ] && echo -ne "." || failcheck "Failed running sudo apt install resolvconf"
# Shut down systemd-resolved
systemctl stop systemd-resolved
[ $? -ne 0 ] && failcheck "Failed running systemctl stop systemd-resolved"
# Put nameserver entries so will exist on reboot
echo "nameserver 8.8.8.8" > /etc/resolvconf/resolv.conf.d/tail
echo "nameserver 8.8.8.8" > /run/resolvconf/resolv.conf
kill -9 $SPINPID &> /dev/null
echo -ne "done."
else
echo -ne "\nFAILED - Port 53 (dns) is already in use\n\n" && exit 2
fi
fi
elif [ "$SS" == "$i" ]; then
failcheck "FAILED - Port $i is already in use"
fi
done
fi
# Check Port 53 (dns) with nc
# elif command -v nc &> /dev/null; then
# nc -z $EXTERNALIP 53 &> /dev/null
# [ $? -eq 0 ] && failcheck "Port 53 (dns) is already in use."
#
# nc -z 127.0.0.1 53 &> /dev/null
# [ $? -eq 0 ] && failcheck "Port 53 (dns) is already in use."
# fi
}

223
fstack/lib/dns.sh Normal file
View File

@ -0,0 +1,223 @@
#!/bin/bash
#
# Federated Stack DNS
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_dns() {
echo -ne "\n* Configuring fstack/dns container.."
spin &
SPINPID=$!
EXTERNAL_IP_LASTDIGIT=`echo $EXTERNALIP | awk -F . '{ print $4 }'`
EXTERNALIP_INADDR=`echo $EXTERNALIP | awk -F . '{ print $3"."$2"."$1".in-addr.arpa"}'`
EXTERNALIP_INADDR_CAPS=`echo $EXTERNALIP | awk -F . '{ print $3"."$2"."$1".IN-ADDR.ARPA"}'`
mkdir -p fstack/dns/data/root
mkdir -p fstack/dns/data/etc/bind/zones
mkdir -p fstack/dns/data/var/log/letsencrypt
cat > fstack/dns/docker-compose.yml <<'EOF'
version: '3.8'
services:
dns:
image: alpine:latest
container_name: dns
hostname: dns
restart: always
working_dir: /root
networks:
fstack:
ipv4_address: 172.99.0.10
volumes:
- ./data/etc/bind:/etc/bind
- ./data/etc/letsencrypt:/etc/letsencrypt
- ./data/var/log/letsencrypt:/var/log/letsencrypt
- ./data/root:/root
ports:
- "53:53/udp"
- "53:53/tcp"
command: [ "/root/dns-cert.sh" ]
networks:
fstack:
external: true
EOF
cat > fstack/dns/data/root/dns-cert.sh <<'EOF'
#!/bin/sh -x
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
if [ ! -e /etc/bind/.firstdone ]; then
# Install bind and certbot packages
apk add --no-cache bind
apk add --no-cache certbot
# Install ACME DNS script
if [ ! -e /root/acme-dns-auth.py ]; then
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
chmod +x acme-dns-auth.py
fi
[ ! -e /usr/bin/python ] && ln -s /usr/bin/python3 /usr/bin/python
# Run rndc to create bind keys for rndc to run
rndc-confgen -a
cat /etc/bind/rndc.key >> /etc/bind/named.conf
# Run Certbot and insert CNAME record into bind configuration
DOMAIN=`ls /etc/bind/zones | head -1`
echo "Trying to certbot for DOMAIN $DOMAIN"
CNAME_RECORD=`certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n 2>1 | grep acme-dns | awk '{ print $3 }'`
echo "Got CNAME record: $CNAME_RECORD"
echo "$CNAME_RECORD" > /etc/bind/.cnamerecord
echo -e "_acme-challenge\tIN\tCNAME\t$CNAME_RECORD" >> /etc/bind/zones/$DOMAIN
# Reload Bind configuration without restarting the container or process
named -f -g &
crond &
# rndc reload $DOMAIN
# rndc reload
sleep 7
# Run Certbot again to generate the certificate
certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n &> /dev/null
if [ $? -eq 0 ]; then
echo "[fstack]: SUCCESS generating certificates for $DOMAIN!"
echo "[fstack]: Certificates are at /etc/letsencrypt/live/$DOMAIN"
echo -ne "#!/bin/sh\n\n/usr/bin/certbot renew -q" > /etc/periodic/15min/certbot-renew.sh
chmod +x /etc/periodic/15min/certbot-renew.sh
else
touch /etc/bind/.failedcert
touch /etc/bind/.firstdone
echo "[fstack]: FAILED generating certificates for $DOMAIN"
echo "[fstack]: Check that you have DNS setup properly"
exit 2;
fi
touch /etc/bind/.firstdone
wait -n
elif [ -e /etc/bind/.firstdone ] && [ -e /etc/bind/.failedcert ]; then
DOMAIN=`ls /etc/bind/zones | head -1`
named -f -g &
crond &
sleep 7
# Run Certbot again to generate the certificate
certbot certonly --manual --manual-auth-hook /root/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.$DOMAIN -d $DOMAIN --agree-tos --email hostmaster@$DOMAIN -n &> /dev/null
if [ $? -eq 0 ]; then
rm /etc/bind/.failedcert
echo "[fstack]: SUCCESS generating certificates for $DOMAIN!"
echo "[fstack]: Certificates are at /etc/letsencrypt/live/$DOMAIN"
else
touch /etc/bind/.failedcert
echo "[fstack]: FAILED generating certificates for $DOMAIN"
echo "[fstack]: Check that you have DNS setup properly"
exit 2;
fi
wait -n
else
[ ! `pgrep -x named` ] && named -f -g && crond
fi
EOF
chmod +x fstack/dns/data/root/dns-cert.sh
cat > fstack/dns/data/etc/bind/named.conf <<EOF
options {
directory "/var/bind";
listen-on { any; };
listen-on-v6 { none; };
allow-transfer { none; };
allow-recursion { none; };
recursion no;
dnssec-validation auto;
};
zone "$DOMAIN" {
type master;
file "/etc/bind/zones/$DOMAIN";
};
zone "$EXTERNALIP_INADDR" {
type master;
file "/etc/bind/zones/$DOMAIN.rev";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
cat > fstack/dns/data/etc/bind/zones/$DOMAIN <<EOF
\$TTL 2d
\$ORIGIN $DOMAIN.
$DOMAIN. IN SOA ns1.$DOMAIN. hostmaster.$DOMAIN. (
18 ; Serial
12h ; Refresh
15m ; Retry
3w ; Expire
3h ; Negative Cache TTL
)
IN NS ns1.$DOMAIN.
IN NS ns2.$DOMAIN.
MX 10 mail.$DOMAIN.
IN TXT "v=spf1 mx a:mail.$DOMAIN ~all"
ns1 IN A $EXTERNALIP
ns2 IN A $EXTERNALIP
mail IN A $EXTERNALIP
www IN A $EXTERNALIP
computer IN A $EXTERNALIP
$DOMAIN. IN A $EXTERNALIP
EOF
cat > fstack/dns/data/etc/bind/zones/$DOMAIN.rev <<EOF
\$TTL 2d
\$ORIGIN $EXTERNALIP_INADDR_CAPS.
@ IN SOA ns1.$DOMAIN. hostmaster.$DOMAIN. (
12 ; Serial
12h ; Refresh
15m ; Retry
3w ; Expire
3h ; Negative Cache TTL
)
IN NS ns1.$DOMAIN.
IN NS ns2.$DOMAIN.
$EXTERNAL_IP_LASTDIGIT IN PTR computer.$DOMAIN.
EOF
echo -ne "done."
kill $SPINPID &> /dev/null
}
start_dns() {
echo -ne "\n* Starting fstack/dns service.."
spin &
SPINPID=$!
if [ $DEBUG ]; then
# Start fstack/dns with output to console for debug
docker-compose -f fstack/dns/docker-compose.yml -p dns up
[ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/dns"
else
# Start fstack/dns with output to /dev/null
docker-compose -f fstack/dns/docker-compose.yml -p dns up -d &> /dev/null
# Keep trying to see that certificates are generated
RETRY="18"
while [ $RETRY -gt 0 ]; do
ls fstack/dns/data/etc/letsencrypt/live/$DOMAIN/*.pem &> /dev/null
if [ $? -eq 0 ]; then
kill -9 $SPINPID &> /dev/null
echo -ne "done."
# echo -ne "* Certificates at fstack/dns/data/etc/letsencrypt/live/$DOMAIN\n"
break
else
if [ "$RETRY" == 1 ]; then
docker-compose -f fstack/dns/docker-compose.yml -p dns down &> /dev/null
fail "There was a problem starting service fstack/dns\nCheck the output of 'docker logs dns' or turn on\ndebug with -d"
fi
((RETRY--))
sleep 9
fi
done
fi
}

216
fstack/lib/ldap.sh Normal file
View File

@ -0,0 +1,216 @@
#!/bin/bash
#
# Federated Stack LDAP
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_ldap() {
echo -ne "\n* Configuring fstack/ldap container.."
spin &
SPINPID=$!
if [ ! -d "fstack/ldap" ]; then
mkdir -p fstack/ldap/data &> /dev/null
mkdir -p fstack/ldap/data/var/lib/ldap &> /dev/null
mkdir -p fstack/ldap/data/etc/ldap/slap.d &> /dev/null
mkdir -p fstack/ldap/data/certs &> /dev/null
mkdir -p fstack/ldap/data/root &> /dev/null
cp -rf fstack/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem fstack/ldap/data/certs/
fi
DOMAIN_ARRAY=(${DOMAIN//./ })
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_LAST=${DOMAIN_ARRAY[1]}
LDAPADMINPASS=`echo -n $ADMINPASS | openssl dgst -sha1 -binary | openssl enc -base64 | awk '{print "{SHA}"$0}'`
cat > fstack/ldap/docker-compose.yml <<EOF
version: '3.8'
services:
ldap:
image: osixia/openldap:latest
container_name: ldap
hostname: ldap.$DOMAIN
domainname: $DOMAIN
restart: always
working_dir: /root
networks:
fstack:
ipv4_address: 172.99.0.11
volumes:
- ./data/var/lib/ldap:/var/lib/ldap
- ./data/etc/ldap/slapd.d:/etc/ldap/slapd.d
- ./data/certs:/container/service/slapd/assets/certs
- ./data/root:/root
environment:
- LDAP_ORGANISATION=$COMPANY
- LDAP_DOMAIN=$DOMAIN
- LDAP_ADMIN_PASSWORD=$ADMINPASS
- LDAP_RFC2307BIS_SCHEMA=true
- LDAP_REMOVE_CONFIG_AFTER_SETUP=true
- LDAP_TLS=true
- LDAP_TLS_CRT_FILENAME=fullchain1.pem
- LDAP_TLS_KEY_FILENAME=privkey1.pem
- LDAP_TLS_CA_CRT_FILENAME=chain1.pem
- LDAP_TLS_VERIFY_CLIENT=try
ldapadmin:
image: wheelybird/ldap-user-manager:latest
container_name: ldapadmin
hostname: ldapadmin.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
fstack:
ipv4_address: 172.99.0.12
ports:
- 8080:80
- 8443:443
volumes:
- ./data/certs:/opt/ssl
environment:
- SERVER_HOSTNAME=ldapadmin.$DOMAIN
- LDAP_URI=ldap://ldap.$DOMAIN
- LDAP_BASE_DN=dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
- LDAP_REQUIRE_STARTTLS=true
- LDAP_ADMINS_GROUP=admins
- LDAP_ADMIN_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
- LDAP_ADMIN_BIND_PWD=$ADMINPASS
- NO_HTTPS=false
- SERVER_CERT_FILENAME=fullchain1.pem
- SERVER_KEY_FILENAME=privkey1.pem
- CA_CERT_FILENAME=chain1.pem
depends_on:
- ldap
networks:
fstack:
external: true
EOF
cat > fstack/ldap/data/root/ldap.ldif <<EOF
dn: ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
dn: ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
ou: groups
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
dn: cn=lastGID,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: device
objectClass: top
description: Records the last GID used to create a Posix group. This prevent
s the re-use of a GID from a deleted group.
structuralObjectClass: device
cn: lastGID
dn: cn=lastUID,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: device
objectClass: top
description: Records the last UID used to create a Posix account. This preve
nts the re-use of a UID from a deleted account.
structuralObjectClass: device
cn: lastUID
dn: cn=everybody,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: everybody
uniqueMember: uid=admin-federated,ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
gidNumber: 2001
structuralObjectClass: groupOfUniqueNames
dn: cn=admins,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=admin-$DOMAIN_FIRST,ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
gidNumber: 2002
structuralObjectClass: groupOfUniqueNames
dn: uid=admin,ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
sn: admin
uid: admin
mail: admin@$DOMAIN
mailalias: admin@$DOMAIN
cn: admin
mailEnabled: true
objectClass: person
objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount
objectClass: posixAccount
userPassword: $LDAPADMINPASS
uidNumber: 2001
gidNumber: 2001
loginShell: /bin/bash
homeDirectory: /home/admin
structuralObjectClass: inetOrgPerson
memberOf: cn=everybody,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
memberOf: cn=admins,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
EOF
cat > fstack/ldap/data/root/ldap.sh <<'EOF'
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
if [ ! -f .initialized ]; then
echo "Importing default scheme ldap.ldif into LDAP"
slapadd -v -l /root/ldap.ldif
[ $? -ne 0 ] && echo "FAILED importing ldap.dif" && exit 2
touch .initialized
fi
EOF
chmod +x fstack/ldap/data/root/ldap.sh
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_ldap() {
# Start fstack/ldap with output to /dev/null
echo -ne "\n* Starting fstack/ldap service.."
spin &
SPINPID=$!
if [ $DEBUG ]; then
# Start fstack/ldap with output to console for debug
docker-compose -f fstack/ldap/docker-compose.yml -p ldap up
[ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/dns"
else
docker-compose -f fstack/ldap/docker-compose.yml -p ldap up -d &> /dev/null
# Keep trying ldap port to make sure it's up
# before we proceed
RETRY="23"
while [ $RETRY -gt 0 ]; do
nc -z 172.99.0.11 636 &> /dev/null
if [ $? -eq 0 ]; then
break
else
if [ "$RETRY" == 1 ]; then
docker-compose -f fstack/ldap/docker-compose.yml -p ldap down &> /dev/null
kill -9 $SPINPID &> /dev/null
fail "There was a problem starting service fstack/ldap\nCheck the output of 'docker logs ldap' or turn on\ndebug with -d"
fi
((RETRY--))
sleep 7
fi
done
fi
# Run our ldap.sh script inside the ldap container
# This imports the inital LDAP configuration
docker exec -it ldap /root/ldap.sh &> /dev/null
[ $? -ne 0 ] && fail "Couldn't run ldap.sh inside ldap container"
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

200
fstack/lib/mail.sh Normal file
View File

@ -0,0 +1,200 @@
#!/bin/bash
#
# Federated Stack Mail
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_mail() {
echo -ne "\n* Configuring fstack/mail container.."
spin &
SPINPID=$!
if [ ! -d "fstack/mail" ]; then
mkdir -p fstack/mail/data/root/certs &> /dev/null
mkdir -p fstack/mail/data/var/mail &> /dev/null
mkdir -p fstack/mail/data/var/mail-state &> /dev/null
mkdir -p fstack/mail/data/var/log/mail &> /dev/null
mkdir -p fstack/mail/data/tmp/docker-mailserver &> /dev/null
mkdir -p fstack/mail/data/etc/apache2/sites-enabled &> /dev/null
cp -rf fstack/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem fstack/mail/data/root/certs/
fi
# DOMAIN_ARRAY=(${DOMAIN//./ })
# DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
# DOMAIN_LAST=${DOMAIN_ARRAY[1]}
cat > fstack/mail/docker-compose.yml <<EOF
version: '3.8'
services:
mail:
image: docker.io/mailserver/docker-mailserver:latest
container_name: mail
hostname: mail.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
fstack:
ipv4_address: 172.99.0.13
ports:
- "25:25"
- "143:143"
- "465:465"
- "587:587"
- "993:993"
volumes:
- ./data/root/certs:/root/certs
- ./data/var/mail:/var/mail/
- ./data/var/mail-state:/var/mail-state/
- ./data/var/log/mail:/var/log/mail/
- ./data/tmp/docker-mailserver:/tmp/docker-mailserver/
- /etc/localtime:/etc/localtime:ro
environment:
- ENABLE_SPAMASSASSIN=1
- SPAMASSASSIN_SPAM_TO_INBOX=1
- ENABLE_CLAMAV=0
- ENABLE_FAIL2BAN=0
- ENABLE_POSTGREY=1
- ONE_DIR=1
- DMS_DEBUG=0
- LOG_LEVEL=debug
- ENABLE_LDAP=1
- SSL_TYPE=manual
- SSL_CERT_PATH=/root/certs/fullchain1.pem
- SSL_KEY_PATH=/root/certs/privkey1.pem
- LDAP_START_TLS=yes
- DOVECOT_TLS=yes
- SASLAUTHD_LDAP_START_TLS=yes
- LDAP_SERVER_HOST=ldap.$DOMAIN
- LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
- LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
- LDAP_BIND_PW=$ADMINPASS
- LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
- LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
- LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=inetOrgPerson)(mailEnabled=TRUE)))
- LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
# DOVECOT
- DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(uid=%n))
- DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(uid=%n))
- DOVECOT_USER_ATTRS=homeDirectory=home,=uid=5000,=gid=5000
# SASLAUTHD
- ENABLE_SASLAUTHD=1
- SASLAUTHD_MECHANISMS=ldap
- SASLAUTHD_LDAP_SERVER=ldap.$DOMAIN
- SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
- SASLAUTHD_LDAP_PASSWORD=$ADMINPASS
- SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
- SASLAUTHD_LDAP_FILTER=(&(objectClass=inetOrgPerson)(uid=%U))
- POSTMASTER_ADDRESS=postmaster@localhost.localdomain
- POSTFIX_MESSAGE_SIZE_LIMIT=100000000
cap_add:
- NET_ADMIN
- SYS_PTRACE
webmail:
image: roundcube/roundcubemail:latest
container_name: webmail
hostname: webmail.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
fstack:
ipv4_address: 172.99.0.14
ports:
- 9002:80
- 9443:443
volumes:
- ./data/root/certs:/root/certs
- ./data/etc/apache2/sites-enabled:/etc/apache2/sites-enabled
- ./data/var/roundcube:/var/roundcube
environment:
- ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.$DOMAIN
- ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.$DOMAIN
- ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE=4096M
depends_on:
- mail
networks:
fstack:
external: true
EOF
cat > fstack/mail/data/etc/apache2/sites-enabled/000-default.conf <<'EOF'
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
<VirtualHost *:80>
ServerAdmin admin@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /root/certs/fullchain1.pem
SSLCertificateKeyFile /root/certs/privkey1.pem
ServerAdmin admin@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_mail() {
echo -ne "\n* Starting fstack/mail service.."
spin &
SPINPID=$!
if [ $DEBUG ]; then
# Start fstack/mail with output to console for debug
docker-compose -f fstack/mail/docker-compose.yml -p mail up
[ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/mail"
else
docker-compose -f fstack/mail/docker-compose.yml -p mail up -d &> /dev/null
# Keep trying mail port 25 to make sure it's up
# before we proceed
RETRY="23"
while [ $RETRY -gt 0 ]; do
nc -z 172.99.0.13 25 &> /dev/null
if [ $? -eq 0 ]; then
break
else
if [ "$RETRY" == 1 ]; then
docker-compose -f fstack/mail/docker-compose.yml -p mail down &> /dev/null
kill -9 $SPINPID &> /dev/null
fail "There was a problem starting service fstack/mail\nCheck the output of 'docker logs mail' or turn on\ndebug with -d"
fi
((RETRY--))
sleep 7
fi
done
fi
# Generate the DKIM DNS key
docker exec -it mail setup config dkim keysize 2048 domain $DOMAIN &> /dev/null
[ $? -ne 0 ] && fail "Couldn't generate DKIM record"
# Insert the DKIM DNS TXT entry into fstack/dns container
cat fstack/mail/data/tmp/docker-mailserver/opendkim/keys/$DOMAIN/mail.txt >> fstack/dns/data/etc/bind/zones/$DOMAIN
[ $? -ne 0 ] && fail "Couldn't insert DKIM record into fstack/dns container"
# Insert the DMARC DNS TXT entry into fstack/dns container
echo "_dmarc.$DOMAIN. IN TXT \"v=DMARC1; p=none; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\"" >> fstack/dns/data/etc/bind/zones/$DOMAIN
[ $? -ne 0 ] && fail "Couldn't insert DMARC record into fstack/dns container"
# Reload DNS configuration in fstack/dns container
docker exec -it dns rndc reload $DOMAIN &> /dev/null
[ $? -ne 0 ] && fail "Couldn't run rndc reload DOMAIN on fstack/dns container"
docker exec -it dns rndc reload &> /dev/null
[ $? -ne 0 ] && fail "Couldn't run rndc reload on fstack/dns container"
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

17
fstack/lib/network.sh Normal file
View File

@ -0,0 +1,17 @@
#!/bin/bash
#
# Federated Stack Network
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_network() {
echo -ne "\n* Configuring federated network.."
spin &
SPINPID=$!
docker network create --subnet 172.99.0.0/16 fstack &> /dev/null
[ $? -ne 0 ] && fail "Couldn't run docker network create"
echo -ne "done."
kill -9 $SPINPID &> /dev/null
}

145
fstack/lib/nextcloud.sh Normal file
View File

@ -0,0 +1,145 @@
#!/bin/bash
#
# Federated Stack NextCloud
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_nextcloud() {
echo -ne "\n* Configuring fstack/nextcloud container.."
spin &
SPINPID=$!
# if [ ! -d "fstack/nextcloud" ]; then
mkdir -p fstack/nextcloud/data/root/certs &> /dev/null
mkdir -p fstack/nextcloud/data/var/www/html &> /dev/null
cp -rf fstack/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem fstack/nextcloud/data/root/certs/
# fi
DOMAIN_ARRAY=(${DOMAIN//./ })
DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
DOMAIN_LAST=${DOMAIN_ARRAY[1]}
cat > fstack/nextcloud/docker-compose.yml <<EOF
version: '3.8'
services:
nextcloud:
image: nextcloud:latest
container_name: nextcloud
hostname: nextcloud.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
fstack:
ipv4_address: 172.99.0.15
ports:
- "8000:80"
volumes:
- ./data/root:/root
- ./data/var/www/html:/var/www/html
environment:
- SQLITE_DATABASE=db1
- NEXTCLOUD_ADMIN_USER=nextcloud
- NEXTCLOUD_ADMIN_PASSWORD=$ADMINPASS
# - NEXTCLOUD_TRUSTED_DOMAINS=northendnetwork.com
# - VIRTUAL_HOST=nextcloud.northendnetwork.com
# - NEXTCLOUD_LDAP_HOST=ldap.northendnetwork.com
networks:
fstack:
external: true
EOF
cat > fstack/nextcloud/data/root/nextcloud.sh <<EOF
#!/bin/sh
./occ app:enable user_ldap
./occ ldap:create-empty-config
./occ ldap:set-config s01 ldapHost 'ldaps://ldap.$DOMAIN'
./occ ldap:set-config s01 ldapAgentName cn=admin,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
./occ ldap:set-config s01 ldapAgentPassword $ADMINPASS
./occ ldap:set-config s01 ldapBase ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
./occ ldap:set-config s01 ldapBaseGroups ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
./occ ldap:set-config s01 ldapBaseUsers ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
./occ ldap:set-config s01 ldapEmailAttribute mail
./occ ldap:set-config s01 ldapGidNumber gidNumber
./occ ldap:set-config s01 ldapGroupDisplayName cn
./occ ldap:set-config s01 ldapGroupFilter '(&(|(objectclass=inetOrgPerson)))'
./occ ldap:set-config s01 ldapGroupFilterMode 0
./occ ldap:set-config s01 ldapGroupFilterObjectclass inetOrgPerson
./occ ldap:set-config s01 ldapGroupMemberAssocAttr gidNumber
./occ ldap:set-config s01 ldapLoginFilter '(&(|(objectclass=inetOrgPerson))(uid=%uid))'
./occ ldap:set-config s01 ldapLoginFilterEmail 0
./occ ldap:set-config s01 ldapLoginFilterMode 0
./occ ldap:set-config s01 ldapLoginFilterUsername 1
./occ ldap:set-config s01 ldapLoginFilterEmail 0
./occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
./occ ldap:set-config s01 ldapNestedGroups 0
./occ ldap:set-config s01 ldapPagingSize 500
./occ ldap:set-config s01 ldapPort 636
./occ ldap:set-config s01 ldapTLS 1
./occ ldap:set-config s01 ldapUserAvatarRule default
./occ ldap:set-config s01 ldapUserDisplayName cn
./occ ldap:set-config s01 ldapUserFilter '(|(objectclass=inetOrgPerson))'
./occ ldap:set-config s01 ldapUserFilterMode 0
./occ ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson
./occ ldap:set-config s01 ldapUuidGroupAttribute auto
./occ ldap:set-config s01 ldapUuidUserAttribute auto
./occ ldap:set-config s01 turnOffCertCheck 0
./occ ldap:set-config s01 turnOnPasswordChange 0
./occ ldap:set-config s01 useMemberOfToDetectMembership 1
./occ ldap:set-config s01 ldapConfigurationActive 1
./occ config:system:delete trusted_domains
./occ config:system:set trusted_domains 1 --value=*
EOF
chmod +x fstack/nextcloud/data/root/nextcloud.sh
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}
start_nextcloud() {
echo -ne "\n* Starting fstack/nextcloud service.."
spin &
SPINPID=$!
if [ $DEBUG ]; then
# Start fstack/nextcloud with output to console for debug
docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up
[ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service fstack/nextcloud"
else
docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud up -d &> /dev/null
# Keep trying nextcloud port 8000 to make sure it's up
# before we proceed
RETRY="23"
while [ $RETRY -gt 0 ]; do
nc -z 172.99.0.15 80 &> /dev/null
if [ $? -eq 0 ]; then
break
else
if [ "$RETRY" == 1 ]; then
docker-compose -f fstack/nextcloud/docker-compose.yml -p nextcloud down &> /dev/null
kill -9 $SPINPID &> /dev/null
fail "There was a problem starting service fstack/nextcloud\nCheck the output of 'docker logs nextcloud' or turn on\ndebug with -d"
fi
((RETRY--))
sleep 7
fi
done
fi
# Set nextcloud.sh executable
docker exec -it nextcloud mv /root/nextcloud.sh /var/www/html/
docker exec -it nextcloud chown www-data:root /var/www/html/nextcloud.sh
docker exec -it nextcloud chmod 755 /var/www/html/nextcloud.sh
[ $? -ne 0 ] && fail "Couldn't chown nextcloud.sh in fstack/nextcloud container"
# Run nextcloud.sh - Setup LDAP, configuration for nextcloud
docker exec -it -u 33 nextcloud /var/www/html/nextcloud.sh &> /dev/null
[ $? -ne 0 ] && fail "Couldn't run nextcloud.sh inside fstack/nextcloud container"
kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

102
install-federated.sh Executable file
View File

@ -0,0 +1,102 @@
#!/bin/bash
#
# Federated Stack installation script
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
trap cleanup `seq 0 15`
cleanup() {
kill -9 $SPINPID &> /dev/null
exit 2
}
spin() {
spinner="/|\\-/|\\-"
while :
do
for i in `seq 0 7`
do
echo -n "${spinner:$i:1}"
echo -en "\010"
sleep 1
done
done
}
fail() {
echo -ne "FAILED\n\n$1\n\n"
kill -9 $SPINPID &> /dev/null
# [ -d "fstack/dns" ] && rm -rf fstack/dns
# docker network rm fstack &> /dev/null
exit 2;
}
failcheck() {
echo -ne "\n\nFAILED - $1\n\n"
exit 2;
}
get_config() {
# FSTACKURL="http://137.184.95.3:8000"
# [ ! -d "fstack/lib" ] && mkdir -p fstack/lib
# Download each library file
# for i in checks network dns ldap mail; do
# if [ ! -f "fstack/lib/$i.sh" ]; then
# curl $FSTACKURL/$i.sh -o fstack/lib/$i.sh -s -f &> /dev/null
# [ $? -ne 0 ] && failcheck "Couldn't download $i.sh"
# fi
# done
. fstack/lib/checks.sh
. fstack/lib/network.sh
. fstack/lib/dns.sh
. fstack/lib/ldap.sh
. fstack/lib/mail.sh
. fstack/lib/nextcloud.sh
echo -ne "\nFederated Stack install script\n\n"
read -p '* Enter domain name (domain.com): ' DOMAIN
read -p '* Enter company name (Domain Company): ' COMPANY
read -sp '* Enter admin password to use for initial login: ' ADMINPASS
[ -z "$DOMAIN" ] && failcheck "Must enter a domain name"
[ -z "$COMPANY" ] && failcheck "Must enter a company name"
[ -z "$ADMINPASS" ] && failcheck "Must enter a admin password"
}
while getopts d OPTION; do
case "$OPTION" in
d) DEBUG=ON;;
esac
done
# Download lib scripts and take in setup variables
get_config
echo -ne "\n\nStarting Federated install for $DOMAIN\n"
# Check that we have docker installed. Check that
# we have all ports available and ont in use
check_docker
check_ports
# Configure docker private network
config_network
# Configure fstack/dns container and start it
config_dns
start_dns
# Configure fstack/ldap container and start it
config_ldap
start_ldap
# Configure fstack/mail container and start it
config_mail
start_mail
# Configure fstack/nextcloud container and start it
config_nextcloud
start_nextcloud
# Print out fstack environment details
echo -ne "\n\nInstall completed successfully.\n\n"
echo -ne "Certificates at fstack/dns/data/etc/letsencrypt/archive/$DOMAIN\n"
echo -ne "Webmail is at http://www.$DOMAIN:9002\n"
echo -ne "Login user: admin Password: Provided at start\n"