libretic
/
ansible-role-docker_roundcube
5
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

premier commit

This commit is contained in:
Navas 2022-05-01 21:22:16 +02:00
commit dacaa982ef
11 changed files with 273 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
README.md Normal file
View File

@ -0,0 +1,69 @@
# Role : docker_roundcube
## Services fournis
- main.yml : Installation de roundcube sur un serveur docker_host, en lien avec un keycloak pour l'authentification
- configure_reverse_proxy.yml : Configuration d'un reverse proxy préalablement installé par le role reverse_proxy
## Variables
Fournir les variables suivantes. Par exemple :
```yaml
docker_roundcube_fqdn: roundcube.libretic.fr
docker_roundcube_data_dir: /data1
docker_roundcube_service_id: roundcube
docker_roundcube_rp_cert: LE
docker_roundcube_rp_docker_host: machine.domaine.local
docker_roundcube_db_name: roundcube
docker_roundcube_db_user: roundcubedbuser
docker_roundcube_db_password: mdp_de_roundcubedbuser
docker_roundcube_mail_server: mail.libretic.fr
docker_roundcube_maxfilesize: 1M
docker_roundcube_plugins: plugin1,plugin2
docker_roundcube_aspell_dicts: fr
docker_roundcube_username_domain: libretic.fr
docker_roundcube_php_maxpostsize: 1M
docker_roundcube_php_memory_limit: 1024M
docker_roundcube_oauth_provider_name: Libretic
docker_roundcube_oauth_client_id: roundcube_oidc_client_id
docker_roundcube_oauth_client_secret: roundcube_oidc_client_secret
docker_roundcube_oauth_auth_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/auth
docker_roundcube_oauth_token_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/token
docker_roundcube_oauth_identity_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/userinfo
docker_roundcube_oauth_scope: "profile email"
docker_roundcube_oauth_identity_fields_array: ['email']
docker_roundcube_oauth_login_redirect: "true"
```
| Option | Valeur par défaut | Description |
|----------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------|
| docker_roundcube_fqdn | | Le nom de domaine pour lequel le service roundcube répond |
| docker_roundcube_data_dir | | L'emplacement dans lequel se trouvent les volumes de donnees docker pour le service |
| docker_roundcube_service_id | | Le nom de service souhaité : conditionne le nommage des volumes et le routage par traefik |
| docker_roundcube_rp_docker_host | | pour configure_reverse_proxy.yml: fqdn de la machine contenant le conteneur docker |
| docker_roundcube_rp_cert | LE | Type de certificat pour le reverse proxy (LE = letsencrypt) |
| docker_roundcube_db_name | | Nom de la base de données postgres pour roundcube |
| docker_roundcube_db_user | | Nom du user postgres propriétaire de la base de données |
| docker_roundcube_db_password | | Mot du passe du user postgres |
| docker_roundcube_mail_server | | fqdn du serveur de mail ; la connexion se fera en tls |
| docker_roundcube_maxfilesize | | Taille max d'une pièce jointe en Mo : ex 10M |
| docker_roundcube_plugins | | Liste de plugins roundcube séparés par des virgules |
| docker_roundcube_aspell_dicts | fr | Dictionnaires pour la vérification d'orthographe |
| docker_roundcube_username_domain | | Suffixe ajouté à l'identifiant pour constituer le login |
| docker_roundcube_php_maxpostsize | | Taille maximum d'une requete post en Mo ; doit être supérieur à la taille d'une PJ, notamment si plusieurs PJ : ex 20 M |
| docker_roundcube_php_memory_limit | | Taille mémoire max utilisable par php |
| docker_roundcube_oauth_provider_name | | Nom affiché dans pour la sélection du fournisseur d'identité |
| docker_roundcube_oauth_client_id | | Identifiant de client openid connect |
| docker_roundcube_oauth_client_secret | | Secret du client openid connect |
| docker_roundcube_oauth_auth_uri | | Auth URI de la fédération d'identité |
| docker_roundcube_oauth_token_uri | | Token URI de la fédération d'identité |
| docker_roundcube_oauth_identity_uri | | Identity URI de la fédération d'identité |
| docker_roundcube_oauth_scope | profile email | OIDC scopes nécessaires pour roundcube |
| docker_roundcube_oauth_identity_fields_array | ['email'] | Attributs d'identité utilisés par roundcube pour retrouver le username |
| docker_roundcube_oauth_login_redirect | true | Activer la redirection vers le login openid connect ("true" ou "false") |

5
defaults/main.yml Normal file
View File

@ -0,0 +1,5 @@
docker_roundcube_rp_cert: LE
docker_roundcube_aspell_dicts: fr
docker_roundcube_oauth_login_redirect: "true"
docker_roundcube_oauth_scope: "profile email"
docker_roundcube_oauth_identity_fields_array: "['email']"

10
handlers/main.yml Normal file
View File

@ -0,0 +1,10 @@
- name: docker-compose-up
shell: |
docker-compose up -d
args:
chdir: /opt/{{ docker_roundcube_service_id }}/
- name: reverse-proxy-reload
service:
name: apache2
state: reloaded

11
tasks/configure_reverse_proxy.yml Normal file
View File

@ -0,0 +1,11 @@
- name: prepare reverse_proxy
template:
src: "{{ item }}"
dest: /etc/apache2/vhosts.d/{{ docker_roundcube_fqdn }}/
with_items:
- 0_vhost.conf
- 1_vhost_additional.conf
- 2_mds_exclusion.conf
notify: reverse-proxy-reload

21
tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
- name: docker directory
file:
path: /opt/{{ docker_roundcube_service_id }}/
state: directory
- name: config directory
file:
path: /opt/{{ docker_roundcube_service_id }}/config
state: directory
- name: prepare docker-compose.yml and config
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- { src: docker-compose.yml, dest: "/opt/{{ docker_roundcube_service_id }}/" }
- { src: php.ini, dest: "/opt/{{ docker_roundcube_service_id }}/" }
- { src: custom_config.php, dest: "/opt/{{ docker_roundcube_service_id }}/config/" }
notify: docker-compose-up

2
templates/0_vhost.conf Normal file
View File

@ -0,0 +1,2 @@
# {{ ansible_managed }}
Use vhost_HTTPS_Generic {{ docker_roundcube_fqdn }} {{ docker_roundcube_rp_cert }} http {{ docker_roundcube_rp_docker_host }} info OpenAccessPolicy BlockCrawlerIndexing On

1
templates/1_vhost_additional.conf Normal file
View File

@ -0,0 +1 @@
# {{ ansible_managed }}

2
templates/2_mds_exclusion.conf Normal file
View File

@ -0,0 +1,2 @@
# {{ ansible_managed }}

85
templates/custom_config.php Normal file
View File

@ -0,0 +1,85 @@
<?php
// {{ ansible_managed }}
// Automatically add this domain to user names for login
// Only for IMAP servers that require full e-mail addresses for login
// Specify an array with 'host' => 'domain' values to support multiple hosts
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['username_domain'] = '{{ docker_roundcube_username_domain }}';
// Force domain configured in username_domain to be used for login.
// Any domain in username will be replaced by username_domain.
$config['username_domain_forced'] = false;
// ----------------------------------
// OAuth
// ----------------------------------
// Enable OAuth2 by defining a provider. Use 'generic' here
$config['oauth_provider'] = 'generic';
// Provider name to be displayed on the login button
$config['oauth_provider_name'] = '{{ docker_roundcube_oauth_provider_name }}';
// Mandatory: OAuth client ID for your Roundcube installation
$config['oauth_client_id'] = '{{ docker_roundcube_oauth_client_id }}';
// Mandatory: OAuth client secret
$config['oauth_client_secret'] = '{{ docker_roundcube_oauth_client_secret }}';
// Mandatory: URI for OAuth user authentication (redirect)
$config['oauth_auth_uri'] = '{{ docker_roundcube_oauth_auth_uri }}';
// Mandatory: Endpoint for OAuth authentication requests (server-to-server)
$config['oauth_token_uri'] = '{{ docker_roundcube_oauth_token_uri }}';
// Optional: Endpoint to query user identity if not provided in auth response
$config['oauth_identity_uri'] = '{{ docker_roundcube_oauth_identity_uri }}';
// Optional: disable SSL certificate check on HTTP requests to OAuth server
// See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values
$config['oauth_verify_peer'] = true;
// Mandatory: OAuth scopes to request (space-separated string)
$config['oauth_scope'] = '{{ docker_roundcube_oauth_scope }}';
// Optional: additional query parameters to send with login request (hash array)
$config['oauth_auth_parameters'] = [];
// Optional: array of field names used to resolve the username within the identity information
$config['oauth_identity_fields'] = {{ docker_roundcube_oauth_identity_fields_array }};
// Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
$config['oauth_login_redirect'] = {{ docker_roundcube_oauth_login_redirect }};
$config['login_password_maxlen'] = 4096;
// managesieve server port. When empty the port will be determined automatically
// using getservbyname() function, with 4190 as a fallback.
$config['managesieve_port'] = 4190;
// managesieve server address, default is localhost.
// Replacement variables supported in host name:
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
$config['managesieve_host'] = 'tls://{{ docker_roundcube_mail_server }}';
// necessite d'avoir fait
// docker exec -ti roundcubelibreticfr_roundcubemail_1 bash
// root@27748d1b9dbd:/var/www/html# composer require roundcube/carddav
//$config['plugins'] = array_filter(array_unique(array_merge($config['plugins'], ['carddav'])));

55
templates/docker-compose.yml Normal file
View File

@ -0,0 +1,55 @@
# {{ ansible_managed }}
version: '3.3'
services:
roundcubemail:
image: roundcube/roundcubemail:1.5.2-apache
restart: always
depends_on:
- roundcubedb
links:
- roundcubedb
volumes:
- {{ docker_roundcube_data_dir }}/{{ docker_roundcube_service_id }}/roundcube_www:/var/www/html
- ./config/:/var/roundcube/config/
- ./php.ini:/usr/local/etc/php/php.ini
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.{{ docker_roundcube_service_id }}.entrypoints=web"
- "traefik.http.routers.{{ docker_roundcube_service_id }}.rule=Host(`{{ docker_roundcube_fqdn }}`)"
- "traefik.http.services.{{ docker_roundcube_service_id }}.loadbalancer.server.port=80"
networks:
- roundcube
- traefik
environment:
- ROUNDCUBEMAIL_DB_TYPE=pgsql
- ROUNDCUBEMAIL_DB_HOST=roundcubedb
- ROUNDCUBEMAIL_DB_NAME={{ docker_roundcube_db_name }}
- ROUNDCUBEMAIL_DB_USER={{ docker_roundcube_db_user }}
- ROUNDCUBEMAIL_DB_PASSWORD={{ docker_roundcube_db_password }}
- ROUNDCUBEMAIL_SKIN=elastic
- ROUNDCUBEMAIL_DEFAULT_HOST=ssl://{{ docker_roundcube_mail_server }}
- ROUNDCUBEMAIL_SMTP_SERVER=tls://{{ docker_roundcube_mail_server }}
- ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE={{ docker_roundcube_maxfilesize }}
- ROUNDCUBEMAIL_PLUGINS={{ docker_roundcube_plugins }}
- ROUNDCUBEMAIL_ASPELL_DICTS={{ docker_roundcube_aspell_dicts }}
roundcubedb:
image: postgres:13
restart: always
volumes:
- /etc/timezone:/etc/timezone
- {{ docker_roundcube_data_dir }}/{{ docker_roundcube_service_id }}/roundcube_db/postgres:/var/lib/postgresql/data
networks:
- roundcube
environment:
- POSTGRES_DB={{ docker_roundcube_db_name }}
- POSTGRES_USER={{ docker_roundcube_db_user }}
- POSTGRES_PASSWORD={{ docker_roundcube_db_password }}
networks:
traefik:
external: true
roundcube:
internal: true

12
templates/php.ini Normal file
View File

@ -0,0 +1,12 @@
# {{ ansible_managed }}
# Ce fichier surchage les parametres php.ini par defaut
[PHP]
php_upload_max_filesize = {{ docker_roundcube_maxfilesize }}
php_post_max_size = {{ docker_roundcube_php_maxpostsize }}
php_max_execution_time = 200
php_memory_limit = {{ docker_roundcube_php_memory_limit }}
[Date]
date.timezone = 'Europe/Paris'