premier commit
dacaa982ef
11 changed files with 273 additions and 0 deletions
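--- a/README.md
+++ b/README.md
@@ -0,0 +1,69 @@
+# Role : docker_roundcube
+
+
+## Services fournis
+
+- main.yml : Installation de roundcube sur un serveur docker_host, en lien avec un keycloak pour l'authentification
+
+- configure_reverse_proxy.yml : Configuration d'un reverse proxy préalablement installé par le role reverse_proxy
+
+
+## Variables
+
+Fournir les variables suivantes. Par exemple :
+
+```yaml
+docker_roundcube_fqdn: roundcube.libretic.fr
+docker_roundcube_data_dir: /data1
+docker_roundcube_service_id: roundcube
+docker_roundcube_rp_cert: LE
+docker_roundcube_rp_docker_host: machine.domaine.local
+docker_roundcube_db_name: roundcube
+docker_roundcube_db_user: roundcubedbuser
+docker_roundcube_db_password: mdp_de_roundcubedbuser
+docker_roundcube_mail_server: mail.libretic.fr
+docker_roundcube_maxfilesize: 1M
+docker_roundcube_plugins: plugin1,plugin2
+docker_roundcube_aspell_dicts: fr
+docker_roundcube_username_domain: libretic.fr
+docker_roundcube_php_maxpostsize: 1M
+docker_roundcube_php_memory_limit: 1024M
+docker_roundcube_oauth_provider_name: Libretic
+docker_roundcube_oauth_client_id: roundcube_oidc_client_id
+docker_roundcube_oauth_client_secret: roundcube_oidc_client_secret
+docker_roundcube_oauth_auth_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/auth
+docker_roundcube_oauth_token_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/token
+docker_roundcube_oauth_identity_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/userinfo
+docker_roundcube_oauth_scope: "profile email"
+docker_roundcube_oauth_identity_fields_array: ['email']
+docker_roundcube_oauth_login_redirect: "true"
+```
+
+| Option | Valeur par défaut | Description |
+|----------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------|
+| docker_roundcube_fqdn | | Le nom de domaine pour lequel le service roundcube répond |
+| docker_roundcube_data_dir | | L'emplacement dans lequel se trouvent les volumes de donnees docker pour le service |
+| docker_roundcube_service_id | | Le nom de service souhaité : conditionne le nommage des volumes et le routage par traefik |
+| docker_roundcube_rp_docker_host | | pour configure_reverse_proxy.yml: fqdn de la machine contenant le conteneur docker |
+| docker_roundcube_rp_cert | LE | Type de certificat pour le reverse proxy (LE = letsencrypt) |
+| docker_roundcube_db_name | | Nom de la base de données postgres pour roundcube |
+| docker_roundcube_db_user | | Nom du user postgres propriétaire de la base de données |
+| docker_roundcube_db_password | | Mot du passe du user postgres |
+| docker_roundcube_mail_server | | fqdn du serveur de mail ; la connexion se fera en tls |
+| docker_roundcube_maxfilesize | | Taille max d'une pièce jointe en Mo : ex 10M |
+| docker_roundcube_plugins | | Liste de plugins roundcube séparés par des virgules |
+| docker_roundcube_aspell_dicts | fr | Dictionnaires pour la vérification d'orthographe |
+| docker_roundcube_username_domain | | Suffixe ajouté à l'identifiant pour constituer le login |
+| docker_roundcube_php_maxpostsize | | Taille maximum d'une requete post en Mo ; doit être supérieur à la taille d'une PJ, notamment si plusieurs PJ : ex 20 M |
+| docker_roundcube_php_memory_limit | | Taille mémoire max utilisable par php |
+| docker_roundcube_oauth_provider_name | | Nom affiché dans pour la sélection du fournisseur d'identité |
+| docker_roundcube_oauth_client_id | | Identifiant de client openid connect |
+| docker_roundcube_oauth_client_secret | | Secret du client openid connect |
+| docker_roundcube_oauth_auth_uri | | Auth URI de la fédération d'identité |
+| docker_roundcube_oauth_token_uri | | Token URI de la fédération d'identité |
+| docker_roundcube_oauth_identity_uri | | Identity URI de la fédération d'identité |
+| docker_roundcube_oauth_scope | profile email | OIDC scopes nécessaires pour roundcube |
+| docker_roundcube_oauth_identity_fields_array | ['email'] | Attributs d'identité utilisés par roundcube pour retrouver le username |
+| docker_roundcube_oauth_login_redirect | true | Activer la redirection vers le login openid connect ("true" ou "false") |
+
+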
5
defaults/main.yml
Normal file
5
defaults/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
docker_roundcube_rp_cert: LE
|
||||
docker_roundcube_aspell_dicts: fr
|
||||
docker_roundcube_oauth_login_redirect: "true"
|
||||
docker_roundcube_oauth_scope: "profile email"
|
||||
docker_roundcube_oauth_identity_fields_array: "['email']"
|
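Review bot: `docker_roundcube_oauth_identity_fields_array` is declared here as the string `"['email']"` while the README example gives it as the YAML list `['email']`; both happen to render as PHP array syntax in templates/custom_config.php, but they are different types and a user following the README gets a list where the role expects a string. Pick one representation (the quoted string is the safer one, since the value is pasted verbatim into PHP source) and document it in the README table. The file also lacks a `---` document start, which the Ansible convention and yamllint expect; add `---` as the first line.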
10
handlers/main.yml
Normal file
10
handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
- name: docker-compose-up
|
||||
shell: |
|
||||
docker-compose up -d
|
||||
args:
|
||||
chdir: /opt/{{ docker_roundcube_service_id }}/
|
||||
|
||||
- name: reverse-proxy-reload
|
||||
service:
|
||||
name: apache2
|
||||
state: reloaded
|
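Review bot: The `docker-compose-up` handler uses `shell:` for `docker-compose up -d` although the command needs no shell features (no pipes, globs or variables), so `command: docker-compose up -d` with the same `args: chdir:` does the same work without spawning an interpreter and satisfies ansible-lint's command-instead-of-shell rule. The `shell: |` block scalar also passes a trailing newline to the shell, harmless here but one more reason to use the plain form. The file has no `---` document start.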
11
tasks/configure_reverse_proxy.yml
Normal file
11
tasks/configure_reverse_proxy.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
- name: prepare reverse_proxy
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/apache2/vhosts.d/{{ docker_roundcube_fqdn }}/
|
||||
with_items:
|
||||
- 0_vhost.conf
|
||||
- 1_vhost_additional.conf
|
||||
- 2_mds_exclusion.conf
|
||||
notify: reverse-proxy-reload
|
||||
|
||||
|
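Review bot: The `template` task writes the three vhost fragments into `/etc/apache2/vhosts.d/{{ docker_roundcube_fqdn }}/` without `owner`, `group` or `mode`, so they take the module's default permissions, and the `template` module does not create a missing destination directory, so the task fails unless that directory already exists — presumably created by the reverse_proxy role the README mentions; a comment stating that precondition, `# directory is created by the reverse_proxy role`, would save the next maintainer a failed run. `with_items` can be written as `loop:`, which is the current Ansible idiom and what ansible-lint recommends. The file has no `---` document start.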
21
tasks/main.yml
Normal file
21
tasks/main.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
- name: docker directory
|
||||
file:
|
||||
path: /opt/{{ docker_roundcube_service_id }}/
|
||||
state: directory
|
||||
|
||||
- name: config directory
|
||||
file:
|
||||
path: /opt/{{ docker_roundcube_service_id }}/config
|
||||
state: directory
|
||||
|
||||
- name: prepare docker-compose.yml and config
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
with_items:
|
||||
- { src: docker-compose.yml, dest: "/opt/{{ docker_roundcube_service_id }}/" }
|
||||
- { src: php.ini, dest: "/opt/{{ docker_roundcube_service_id }}/" }
|
||||
- { src: custom_config.php, dest: "/opt/{{ docker_roundcube_service_id }}/config/" }
|
||||
notify: docker-compose-up
|
||||
|
||||
|
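Review bot: The `prepare docker-compose.yml and config` task renders `custom_config.php` (which carries `docker_roundcube_oauth_client_secret`) and `docker-compose.yml` (which carries `docker_roundcube_db_password`) with no `mode`, so both secret-bearing files land under `/opt/{{ docker_roundcube_service_id }}/` with the default file mode, typically world-readable under a 022 umask, and the two `file: state: directory` tasks likewise leave the directories with default permissions. Add `mode: "0640"` to the template task and `mode: "0750"` to the directory tasks (with `owner`/`group` matching the user that runs docker-compose), as a quoted string so YAML does not parse the octal. `with_items` with inline flow mappings can be written as `loop:` with block-style items for readability.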
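--- a/templates/0_vhost.conf
+++ b/templates/0_vhost.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+Use vhost_HTTPS_Generic {{ docker_roundcube_fqdn }} {{ docker_roundcube_rp_cert }} http {{ docker_roundcube_rp_docker_host }} info OpenAccessPolicy BlockCrawlerIndexing On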
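Review bot: The `Use vhost_HTTPS_Generic` line proxies to `{{ docker_roundcube_rp_docker_host }}` over plain `http`, so TLS terminates at the reverse proxy and the Roundcube session cookie and login traffic cross the proxy-to-docker-host link unencrypted; that is acceptable only when both hosts share a trusted network segment, and the template does not say so. Add a comment above the line, `# backend is plain http: the reverse proxy and the docker host must be on a trusted network`, or document the assumption in the README next to `docker_roundcube_rp_docker_host`. The meaning of the `info`, `OpenAccessPolicy` and `BlockCrawlerIndexing On` macro arguments is defined in the reverse_proxy role, not visible here, so a one-line pointer to that macro would also help.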
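--- a/templates/1_vhost_additional.conf
+++ b/templates/1_vhost_additional.conf
@@ -0,0 +1 @@
+# {{ ansible_managed }}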
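--- a/templates/2_mds_exclusion.conf
+++ b/templates/2_mds_exclusion.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+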
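--- a/templates/custom_config.php
+++ b/templates/custom_config.php
@@ -0,0 +1,85 @@
+<?php
+// {{ ansible_managed }}
+
+// Automatically add this domain to user names for login
+// Only for IMAP servers that require full e-mail addresses for login
+// Specify an array with 'host' => 'domain' values to support multiple hosts
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['username_domain'] = '{{ docker_roundcube_username_domain }}';
+
+// Force domain configured in username_domain to be used for login.
+// Any domain in username will be replaced by username_domain.
+$config['username_domain_forced'] = false;
+
+
+// ----------------------------------
+// OAuth
+// ----------------------------------
+
+// Enable OAuth2 by defining a provider. Use 'generic' here
+$config['oauth_provider'] = 'generic';
+
+// Provider name to be displayed on the login button
+$config['oauth_provider_name'] = '{{ docker_roundcube_oauth_provider_name }}';
+
+// Mandatory: OAuth client ID for your Roundcube installation
+$config['oauth_client_id'] = '{{ docker_roundcube_oauth_client_id }}';
+
+// Mandatory: OAuth client secret
+$config['oauth_client_secret'] = '{{ docker_roundcube_oauth_client_secret }}';
+
+// Mandatory: URI for OAuth user authentication (redirect)
+$config['oauth_auth_uri'] = '{{ docker_roundcube_oauth_auth_uri }}';
+
+// Mandatory: Endpoint for OAuth authentication requests (server-to-server)
+$config['oauth_token_uri'] = '{{ docker_roundcube_oauth_token_uri }}';
+
+// Optional: Endpoint to query user identity if not provided in auth response
+$config['oauth_identity_uri'] = '{{ docker_roundcube_oauth_identity_uri }}';
+
+// Optional: disable SSL certificate check on HTTP requests to OAuth server
+// See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values
+$config['oauth_verify_peer'] = true;
+
+// Mandatory: OAuth scopes to request (space-separated string)
+$config['oauth_scope'] = '{{ docker_roundcube_oauth_scope }}';
+
+// Optional: additional query parameters to send with login request (hash array)
+$config['oauth_auth_parameters'] = [];
+
+// Optional: array of field names used to resolve the username within the identity information
+$config['oauth_identity_fields'] = {{ docker_roundcube_oauth_identity_fields_array }};
+
+// Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
+$config['oauth_login_redirect'] = {{ docker_roundcube_oauth_login_redirect }};
+
+
+
+$config['login_password_maxlen'] = 4096;
+
+
+
+// managesieve server port. When empty the port will be determined automatically
+// using getservbyname() function, with 4190 as a fallback.
+$config['managesieve_port'] = 4190;
+
+// managesieve server address, default is localhost.
+// Replacement variables supported in host name:
+// %h - user's IMAP hostname
+// %n - http hostname ($_SERVER['SERVER_NAME'])
+// %d - domain (http hostname without the first part)
+// For example %n = mail.domain.tld, %d = domain.tld
+$config['managesieve_host'] = 'tls://{{ docker_roundcube_mail_server }}';
+
+
+// necessite d'avoir fait
+// docker exec -ti roundcubelibreticfr_roundcubemail_1 bash
+// root@27748d1b9dbd:/var/www/html# composer require roundcube/carddav
+
+//$config['plugins'] = array_filter(array_unique(array_merge($config['plugins'], ['carddav'])));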
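Review bot: The `oauth_identity_fields` and `oauth_login_redirect` lines paste the Ansible variables into PHP source unquoted, so any value that is not a PHP literal (an empty string, the YAML boolean `yes`, or a list rendered by Jinja) produces a parse error in this file and takes the whole webmail offline, and the `"true"` default only works because Jinja prints it bare. For the boolean, `$config['oauth_login_redirect'] = {{ docker_roundcube_oauth_login_redirect | bool | lower }};` renders `true`/`false` for any truthy or falsy input; for the array, validate the value or document that it must be PHP array syntax. The single-quoted interpolations (`oauth_client_secret` in particular) break in the same way if the value contains a `'`, which a generated secret may; a note in the README, or rendering through a filter that escapes it, would prevent that. `login_password_maxlen = 4096` has no comment explaining why the Roundcube default is raised, and the trailing carddav instructions reference a specific container name and id from one deployment; turn them into a task or drop them.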
55
templates/docker-compose.yml
Normal file
55
templates/docker-compose.yml
Normal file
|
@ -0,0 +1,55 @@
|
|||
# {{ ansible_managed }}
|
||||
version: '3.3'
|
||||
|
||||
services:
|
||||
roundcubemail:
|
||||
image: roundcube/roundcubemail:1.5.2-apache
|
||||
restart: always
|
||||
depends_on:
|
||||
- roundcubedb
|
||||
links:
|
||||
- roundcubedb
|
||||
volumes:
|
||||
- {{ docker_roundcube_data_dir }}/{{ docker_roundcube_service_id }}/roundcube_www:/var/www/html
|
||||
- ./config/:/var/roundcube/config/
|
||||
- ./php.ini:/usr/local/etc/php/php.ini
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.docker.network=traefik"
|
||||
- "traefik.http.routers.{{ docker_roundcube_service_id }}.entrypoints=web"
|
||||
- "traefik.http.routers.{{ docker_roundcube_service_id }}.rule=Host(`{{ docker_roundcube_fqdn }}`)"
|
||||
- "traefik.http.services.{{ docker_roundcube_service_id }}.loadbalancer.server.port=80"
|
||||
networks:
|
||||
- roundcube
|
||||
- traefik
|
||||
environment:
|
||||
- ROUNDCUBEMAIL_DB_TYPE=pgsql
|
||||
- ROUNDCUBEMAIL_DB_HOST=roundcubedb
|
||||
- ROUNDCUBEMAIL_DB_NAME={{ docker_roundcube_db_name }}
|
||||
- ROUNDCUBEMAIL_DB_USER={{ docker_roundcube_db_user }}
|
||||
- ROUNDCUBEMAIL_DB_PASSWORD={{ docker_roundcube_db_password }}
|
||||
- ROUNDCUBEMAIL_SKIN=elastic
|
||||
- ROUNDCUBEMAIL_DEFAULT_HOST=ssl://{{ docker_roundcube_mail_server }}
|
||||
- ROUNDCUBEMAIL_SMTP_SERVER=tls://{{ docker_roundcube_mail_server }}
|
||||
- ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE={{ docker_roundcube_maxfilesize }}
|
||||
- ROUNDCUBEMAIL_PLUGINS={{ docker_roundcube_plugins }}
|
||||
- ROUNDCUBEMAIL_ASPELL_DICTS={{ docker_roundcube_aspell_dicts }}
|
||||
|
||||
roundcubedb:
|
||||
image: postgres:13
|
||||
restart: always
|
||||
volumes:
|
||||
- /etc/timezone:/etc/timezone
|
||||
- {{ docker_roundcube_data_dir }}/{{ docker_roundcube_service_id }}/roundcube_db/postgres:/var/lib/postgresql/data
|
||||
networks:
|
||||
- roundcube
|
||||
environment:
|
||||
- POSTGRES_DB={{ docker_roundcube_db_name }}
|
||||
- POSTGRES_USER={{ docker_roundcube_db_user }}
|
||||
- POSTGRES_PASSWORD={{ docker_roundcube_db_password }}
|
||||
|
||||
networks:
|
||||
traefik:
|
||||
external: true
|
||||
roundcube:
|
||||
internal: true
|
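Review bot: The `/etc/timezone:/etc/timezone` volume on `roundcubedb` is mounted read-write, giving the database container write access to a host file it only needs to read; write it as `- /etc/timezone:/etc/timezone:ro`. The `links:` entry on `roundcubemail` is legacy compose syntax and is redundant here, since both services already share the `roundcube` network and `depends_on` orders the start; dropping it avoids a deprecated feature. Both `ROUNDCUBEMAIL_DB_PASSWORD` and `POSTGRES_PASSWORD` are passed through `environment`, so the password is visible to anyone who can run `docker inspect` on the host; that is a common trade-off with the official images, but the file mode of the rendered compose file (set in tasks/main.yml) is the control that matters and should be restrictive. `depends_on` does not wait for postgres to be ready, so the first `docker-compose up` may see Roundcube fail its initial DB setup until `restart: always` retries it; a `healthcheck` on `roundcubedb` with `condition: service_healthy` would make the first start deterministic if the compose version is raised.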
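--- a/templates/php.ini
+++ b/templates/php.ini
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+# Ce fichier surchage les parametres php.ini par defaut
+
+[PHP]
+php_upload_max_filesize = {{ docker_roundcube_maxfilesize }}
+php_post_max_size = {{ docker_roundcube_php_maxpostsize }}
+php_max_execution_time = 200
+php_memory_limit = {{ docker_roundcube_php_memory_limit }}
+
+[Date]
+date.timezone = 'Europe/Paris'
+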
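Review bot: The four directives under `[PHP]` are named `php_upload_max_filesize`, `php_post_max_size`, `php_max_execution_time` and `php_memory_limit`, but the php.ini directive names are `upload_max_filesize`, `post_max_size`, `max_execution_time` and `memory_limit`; the `php_` prefix belongs to Apache's `php_value` syntax, and unknown ini entries are silently ignored, so the upload size, POST size and memory limit this role advertises in the README never take effect. The two header lines use `#` as the comment character, which php.ini does not accept on PHP 7 and later (only `;`), so the file may be rejected as a whole. Since docker-compose mounts this file over `/usr/local/etc/php/php.ini`, it replaces rather than overrides the image's defaults, which the comment on line 2 should say. The corrected file body is below.

```ini
; {{ ansible_managed }}
; Ce fichier remplace le php.ini par defaut de l'image
[PHP]
upload_max_filesize = {{ docker_roundcube_maxfilesize }}
post_max_size = {{ docker_roundcube_php_maxpostsize }}
max_execution_time = 200
memory_limit = {{ docker_roundcube_php_memory_limit }}
; … unchanged: [Date] section …
```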