commit dacaa982eff8397b8e3cc44c602c9fc329af3a98 Author: Olivier Navas Date: Sun May 1 21:22:16 2022 +0200 premier commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3f777a4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,69 @@
+# Role : docker_roundcube
+
+
+## Services fournis
+
+- main.yml : Installation de roundcube sur un serveur docker_host, en lien avec un keycloak pour l'authentification
+
+- configure_reverse_proxy.yml : Configuration d'un reverse proxy préalablement installé par le role reverse_proxy
+
+
+## Variables
+
+Fournir les variables suivantes. Par exemple :
+
+```yaml
+docker_roundcube_fqdn: roundcube.libretic.fr
+docker_roundcube_data_dir: /data1
+docker_roundcube_service_id: roundcube
+docker_roundcube_rp_cert: LE
+docker_roundcube_rp_docker_host: machine.domaine.local
+docker_roundcube_db_name: roundcube
+docker_roundcube_db_user: roundcubedbuser
+docker_roundcube_db_password: mdp_de_roundcubedbuser
+docker_roundcube_mail_server: mail.libretic.fr
+docker_roundcube_maxfilesize: 1M
+docker_roundcube_plugins: plugin1,plugin2
+docker_roundcube_aspell_dicts: fr
+docker_roundcube_username_domain: libretic.fr
+docker_roundcube_php_maxpostsize: 1M
+docker_roundcube_php_memory_limit: 1024M
+docker_roundcube_oauth_provider_name: Libretic
+docker_roundcube_oauth_client_id: roundcube_oidc_client_id
+docker_roundcube_oauth_client_secret: roundcube_oidc_client_secret
+docker_roundcube_oauth_auth_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/auth
+docker_roundcube_oauth_token_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/token
+docker_roundcube_oauth_identity_uri: https://auth.libretic.fr/auth/realms/master/protocol/openid-connect/userinfo
+docker_roundcube_oauth_scope: "profile email"
+docker_roundcube_oauth_identity_fields_array: ['email']
+docker_roundcube_oauth_login_redirect: "true"
+```
+
+| Option | Valeur par défaut | Description |
+|----------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------|
+| docker_roundcube_fqdn | | Le nom de domaine pour lequel le service roundcube 
répond |
+| docker_roundcube_data_dir | | L'emplacement dans lequel se trouvent les volumes de donnees docker pour le service |
+| docker_roundcube_service_id | | Le nom de service souhaité : conditionne le nommage des volumes et le routage par traefik |
+| docker_roundcube_rp_docker_host | | pour configure_reverse_proxy.yml: fqdn de la machine contenant le conteneur docker |
+| docker_roundcube_rp_cert | LE | Type de certificat pour le reverse proxy (LE = letsencrypt) |
+| docker_roundcube_db_name | | Nom de la base de données postgres pour roundcube |
+| docker_roundcube_db_user | | Nom du user postgres propriétaire de la base de données |
+| docker_roundcube_db_password | | Mot du passe du user postgres |
+| docker_roundcube_mail_server | | fqdn du serveur de mail ; la connexion se fera en tls |
+| docker_roundcube_maxfilesize | | Taille max d'une pièce jointe en Mo : ex 10M |
+| docker_roundcube_plugins | | Liste de plugins roundcube séparés par des virgules |
+| docker_roundcube_aspell_dicts | fr | Dictionnaires pour la vérification d'orthographe |
+| docker_roundcube_username_domain | | Suffixe ajouté à l'identifiant pour constituer le login |
+| docker_roundcube_php_maxpostsize | | Taille maximum d'une requete post en Mo ; doit être supérieur à la taille d'une PJ, notamment si plusieurs PJ : ex 20 M |
+| docker_roundcube_php_memory_limit | | Taille mémoire max utilisable par php |
+| docker_roundcube_oauth_provider_name | | Nom affiché dans pour la sélection du fournisseur d'identité |
+| docker_roundcube_oauth_client_id | | Identifiant de client openid connect |
+| docker_roundcube_oauth_client_secret | | Secret du client openid connect |
+| docker_roundcube_oauth_auth_uri | | Auth URI de la fédération d'identité |
+| docker_roundcube_oauth_token_uri | | Token URI de la fédération d'identité |
+| docker_roundcube_oauth_identity_uri | | Identity URI de la fédération d'identité |
+| docker_roundcube_oauth_scope | profile email | OIDC scopes nécessaires pour 
roundcube |
+| docker_roundcube_oauth_identity_fields_array | ['email'] | Attributs d'identité utilisés par roundcube pour retrouver le username |
+| docker_roundcube_oauth_login_redirect | true | Activer la redirection vers le login openid connect ("true" ou "false") |
+
+
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..f0a5873
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,5 @@
+docker_roundcube_rp_cert: LE
+docker_roundcube_aspell_dicts: fr
+docker_roundcube_oauth_login_redirect: "true"
+docker_roundcube_oauth_scope: "profile email"
+docker_roundcube_oauth_identity_fields_array: "['email']"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ea0d5f7
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: docker-compose-up
+ shell: |
+ docker-compose up -d
+ args:
+ chdir: /opt/{{ docker_roundcube_service_id }}/
+
+- name: reverse-proxy-reload
+ service:
+ name: apache2
+ state: reloaded
diff --git a/tasks/configure_reverse_proxy.yml b/tasks/configure_reverse_proxy.yml
new file mode 100644
index 0000000..92c4fbd
--- /dev/null
+++ b/tasks/configure_reverse_proxy.yml
@@ -0,0 +1,11 @@
+- name: prepare reverse_proxy
+ template:
+ src: "{{ item }}"
+ dest: /etc/apache2/vhosts.d/{{ docker_roundcube_fqdn }}/
+ with_items:
+ - 0_vhost.conf
+ - 1_vhost_additional.conf
+ - 2_mds_exclusion.conf
+ notify: reverse-proxy-reload
+
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..c35bc8a
--- /dev/null
+++ b/tasks/main.yml
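Review bot: `docker_roundcube_oauth_scope: "profile email"` does not request the `openid` scope, so Roundcube is asking Keycloak for a plain OAuth2 authorization rather than an OpenID Connect one; newer Keycloak releases refuse the userinfo endpoint (which `docker_roundcube_oauth_identity_uri` points at) for tokens issued without `openid`, and the identity lookup then fails right after a successful login. Suggest `docker_roundcube_oauth_scope: "openid profile email"` here and in the README example. Separately, `docker_roundcube_oauth_identity_fields_array` defaults to the string `"['email']"` while the README shows a YAML list `['email']`; both happen to render as the same PHP array literal through Jinja, but the README should say the value is pasted verbatim as PHP source, since a malformed value breaks `custom_config.php`.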
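Review bot: The `docker-compose-up` handler only runs `docker-compose up -d`, which recreates containers when the compose spec changes but is a no-op when only the bind-mounted `php.ini` changed, and `php.ini` is read by PHP at process start inside the Apache-based image, so a new `memory_limit` or `post_max_size` is not applied until something else restarts the container. Either run `docker-compose up -d --force-recreate` here or add a separate `docker-compose restart` handler that the `php.ini` template notifies. There is no pipe or shell syntax in the command, so `command: docker-compose up -d` with the same `chdir` would avoid a shell for no benefit.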
@@ -0,0 +1,21 @@
+- name: docker directory
+ file:
+ path: /opt/{{ docker_roundcube_service_id }}/
+ state: directory
+
+- name: config directory
+ file:
+ path: /opt/{{ docker_roundcube_service_id }}/config
+ state: directory
+
+- name: prepare docker-compose.yml and config
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ with_items:
+ - { src: docker-compose.yml, dest: "/opt/{{ docker_roundcube_service_id }}/" }
+ - { src: php.ini, dest: "/opt/{{ docker_roundcube_service_id }}/" }
+ - { src: custom_config.php, dest: "/opt/{{ docker_roundcube_service_id }}/config/" }
+ notify: docker-compose-up
+
+
diff --git a/templates/0_vhost.conf b/templates/0_vhost.conf
new file mode 100644
index 0000000..fd838e4
--- /dev/null
+++ b/templates/0_vhost.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+Use vhost_HTTPS_Generic {{ docker_roundcube_fqdn }} {{ docker_roundcube_rp_cert }} http {{ docker_roundcube_rp_docker_host }} info OpenAccessPolicy BlockCrawlerIndexing On
diff --git a/templates/1_vhost_additional.conf b/templates/1_vhost_additional.conf
new file mode 100644
index 0000000..e2bb153
--- /dev/null
+++ b/templates/1_vhost_additional.conf
@@ -0,0 +1 @@
+# {{ ansible_managed }}
diff --git a/templates/2_mds_exclusion.conf b/templates/2_mds_exclusion.conf
new file mode 100644
index 0000000..ab0d77f
--- /dev/null
+++ b/templates/2_mds_exclusion.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+
diff --git a/templates/custom_config.php b/templates/custom_config.php
new file mode 100644
index 0000000..da5722a
--- /dev/null
+++ b/templates/custom_config.php
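Review bot: The `prepare docker-compose.yml and config` task writes `docker-compose.yml`, which carries `POSTGRES_PASSWORD` and `ROUNDCUBEMAIL_DB_PASSWORD`, and `config/custom_config.php`, which carries the OAuth client secret, with no `owner`, `group` or `mode`, so the files take the remote umask (normally 0644) and are readable by every local account on the docker host. `docker-compose.yml` is never mounted into a container and can simply be `mode: "0600"`; `custom_config.php` is bind-mounted and read by Apache inside the container, so it cannot be owner-only — give it the gid Apache runs as in the image (www-data, gid 33 in the Debian-based image; confirm) and `mode: "0640"`. The two `file` directory tasks likewise set no `mode`; the config directory must stay traversable by that same gid. Per-item modes can be added without changing the loop shape:

```yaml
- name: prepare docker-compose.yml and config
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode | default(omit) }}"
  with_items:
    # not mounted into any container: root-only is safe
    - { src: docker-compose.yml, dest: "/opt/{{ docker_roundcube_service_id }}/", mode: "0600" }
    - { src: php.ini, dest: "/opt/{{ docker_roundcube_service_id }}/" }
    # read by Apache inside the container: restrict via group/gid, not owner-only
    - { src: custom_config.php, dest: "/opt/{{ docker_roundcube_service_id }}/config/" }
  notify: docker-compose-up
```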
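Review bot: `Use vhost_HTTPS_Generic … http {{ docker_roundcube_rp_docker_host }} …` has Apache terminate TLS and forward to the docker host over plain HTTP, and the compose file only attaches the container to the Traefik `web` entrypoint, so whenever `docker_roundcube_rp_docker_host` is not the reverse proxy itself the Apache→Traefik hop carries Roundcube session cookies and the OAuth authorization code in clear; either document that both must share a host or trusted network, or use an https backend if the reverse_proxy role's macro supports it. The macro is defined by the reverse_proxy role outside this diff, so I cannot check that it sets `X-Forwarded-Proto: https`; if it does not, Roundcube may build its OAuth `redirect_uri` with an `http://` scheme and Keycloak will reject it — worth verifying once. A comment above the `Use` line naming what each positional argument is (the reading `fqdn cert-type backend-scheme backend-host loglevel access-policy robots-policy` is inferred from the values) would help the next maintainer.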
@@ -0,0 +1,85 @@
+ 'domain' values to support multiple hosts
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['username_domain'] = '{{ docker_roundcube_username_domain }}';
+
+// Force domain configured in username_domain to be used for login.
+// Any domain in username will be replaced by username_domain.
+$config['username_domain_forced'] = false;
+
+
+// ----------------------------------
+// OAuth
+// ----------------------------------
+
+// Enable OAuth2 by defining a provider. Use 'generic' here
+$config['oauth_provider'] = 'generic';
+
+// Provider name to be displayed on the login button
+$config['oauth_provider_name'] = '{{ docker_roundcube_oauth_provider_name }}';
+
+// Mandatory: OAuth client ID for your Roundcube installation
+$config['oauth_client_id'] = '{{ docker_roundcube_oauth_client_id }}';
+
+// Mandatory: OAuth client secret
+$config['oauth_client_secret'] = '{{ docker_roundcube_oauth_client_secret }}';
+
+// Mandatory: URI for OAuth user authentication (redirect)
+$config['oauth_auth_uri'] = '{{ docker_roundcube_oauth_auth_uri }}';
+
+// Mandatory: Endpoint for OAuth authentication requests (server-to-server)
+$config['oauth_token_uri'] = '{{ docker_roundcube_oauth_token_uri }}';
+
+// Optional: Endpoint to query user identity if not provided in auth response
+$config['oauth_identity_uri'] = '{{ docker_roundcube_oauth_identity_uri }}';
+
+// Optional: disable SSL certificate check on HTTP requests to OAuth server
+// See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values
+$config['oauth_verify_peer'] = true;
+
+// Mandatory: OAuth scopes to request (space-separated string)
+$config['oauth_scope'] = '{{ 
docker_roundcube_oauth_scope }}';
+
+// Optional: additional query parameters to send with login request (hash array)
+$config['oauth_auth_parameters'] = [];
+
+// Optional: array of field names used to resolve the username within the identity information
+$config['oauth_identity_fields'] = {{ docker_roundcube_oauth_identity_fields_array }};
+
+// Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
+$config['oauth_login_redirect'] = {{ docker_roundcube_oauth_login_redirect }};
+
+
+
+$config['login_password_maxlen'] = 4096;
+
+
+
+// managesieve server port. When empty the port will be determined automatically
+// using getservbyname() function, with 4190 as a fallback.
+$config['managesieve_port'] = 4190;
+
+// managesieve server address, default is localhost.
+// Replacement variables supported in host name:
+// %h - user's IMAP hostname
+// %n - http hostname ($_SERVER['SERVER_NAME'])
+// %d - domain (http hostname without the first part)
+// For example %n = mail.domain.tld, %d = domain.tld
+$config['managesieve_host'] = 'tls://{{ docker_roundcube_mail_server }}';
+
+
+// necessite d'avoir fait
+// docker exec -ti roundcubelibreticfr_roundcubemail_1 bash
+// root@27748d1b9dbd:/var/www/html# composer require roundcube/carddav
+
+//$config['plugins'] = array_filter(array_unique(array_merge($config['plugins'], ['carddav'])));
diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
new file mode 100644
index 0000000..ddb949a
--- /dev/null
+++ b/templates/docker-compose.yml
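Review bot: The trailing instructions `// docker exec -ti roundcubelibreticfr_roundcubemail_1 bash` and `composer require roundcube/carddav` describe installing the carddav plugin by hand inside the running container, into the `/var/www/html` tree that `docker-compose.yml` persists on a host bind mount; that is an unpinned, unrecorded dependency that outlives image upgrades and cannot be reproduced from the role. If carddav is wanted, pin a version and install it in an image build or an Ansible task, and either drop the commented-out `$config['plugins']` line or turn it into a real option. The hunk starts mid-comment, so the opening lines of the file, including the `<?php` tag and the `username_domain` header comment, are not visible here and I cannot confirm them. Values such as `docker_roundcube_oauth_client_secret` are interpolated into single-quoted PHP literals unescaped, so a secret containing `'` breaks the whole config; a `{{ docker_roundcube_oauth_client_secret | replace("'", "\\'") }}` filter on the secret and URI lines closes that gap cheaply.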
@@ -0,0 +1,55 @@
+# {{ ansible_managed }}
+version: '3.3'
+
+services:
+ roundcubemail:
+ image: roundcube/roundcubemail:1.5.2-apache
+ restart: always
+ depends_on:
+ - roundcubedb
+ links:
+ - roundcubedb
+ volumes:
+ - {{ docker_roundcube_data_dir }}/{{ docker_roundcube_service_id }}/roundcube_www:/var/www/html
+ - ./config/:/var/roundcube/config/
+ - ./php.ini:/usr/local/etc/php/php.ini
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=traefik"
+ - "traefik.http.routers.{{ docker_roundcube_service_id }}.entrypoints=web"
+ - "traefik.http.routers.{{ docker_roundcube_service_id }}.rule=Host(`{{ docker_roundcube_fqdn }}`)"
+ - "traefik.http.services.{{ docker_roundcube_service_id }}.loadbalancer.server.port=80"
+ networks:
+ - roundcube
+ - traefik
+ environment:
+ - ROUNDCUBEMAIL_DB_TYPE=pgsql
+ - ROUNDCUBEMAIL_DB_HOST=roundcubedb
+ - ROUNDCUBEMAIL_DB_NAME={{ docker_roundcube_db_name }}
+ - ROUNDCUBEMAIL_DB_USER={{ docker_roundcube_db_user }}
+ - ROUNDCUBEMAIL_DB_PASSWORD={{ docker_roundcube_db_password }}
+ - ROUNDCUBEMAIL_SKIN=elastic
+ - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://{{ docker_roundcube_mail_server }}
+ - ROUNDCUBEMAIL_SMTP_SERVER=tls://{{ docker_roundcube_mail_server }}
+ - ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE={{ docker_roundcube_maxfilesize }}
+ - ROUNDCUBEMAIL_PLUGINS={{ docker_roundcube_plugins }}
+ - ROUNDCUBEMAIL_ASPELL_DICTS={{ docker_roundcube_aspell_dicts }}
+
+ roundcubedb:
+ image: postgres:13
+ restart: always
+ volumes:
+ - /etc/timezone:/etc/timezone
+ - {{ docker_roundcube_data_dir }}/{{ docker_roundcube_service_id }}/roundcube_db/postgres:/var/lib/postgresql/data
+ networks:
+ - roundcube
+ environment:
+ - POSTGRES_DB={{ docker_roundcube_db_name }}
+ - POSTGRES_USER={{ docker_roundcube_db_user }}
+ - POSTGRES_PASSWORD={{ docker_roundcube_db_password }}
+
+networks:
+ traefik:
+ external: true
+ roundcube:
+ internal: true
diff --git a/templates/php.ini b/templates/php.ini
new file mode 100644
index 0000000..f108cb1
--- /dev/null
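Review bot: `/etc/timezone:/etc/timezone` on `roundcubedb` is mounted read-write, which lets a compromised postgres container alter a host file for no reason; make it `- /etc/timezone:/etc/timezone:ro`. The `roundcube_www:/var/www/html` bind mount persists the application code itself, so bumping the pinned `roundcube/roundcubemail:1.5.2-apache` tag only changes what the image entrypoint does with the existing tree (I have not checked its upgrade handling), and 1.5.2 needs to be tracked against Roundcube security releases — the upgrade path deserves a comment here or in the README. `links: - roundcubedb` is a legacy option made redundant by the shared `roundcube` network, which already resolves the service name; `depends_on` is enough.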
+++ b/templates/php.ini
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+# Ce fichier surchage les parametres php.ini par defaut
+
+[PHP]
+php_upload_max_filesize = {{ docker_roundcube_maxfilesize }}
+php_post_max_size = {{ docker_roundcube_php_maxpostsize }}
+php_max_execution_time = 200
+php_memory_limit = {{ docker_roundcube_php_memory_limit }}
+
+[Date]
+date.timezone = 'Europe/Paris'
+
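Review bot: The four limits are written as `php_upload_max_filesize`, `php_post_max_size`, `php_max_execution_time` and `php_memory_limit`, but php.ini directives have no `php_` prefix (`upload_max_filesize`, `post_max_size`, `max_execution_time`, `memory_limit`), so PHP silently ignores them and the caps the operator sets through `docker_roundcube_maxfilesize`, `docker_roundcube_php_maxpostsize` and `docker_roundcube_php_memory_limit` never take effect; the only effective upload limit is whatever the image derives from `ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE`. `#` has not been a comment character in php.ini since PHP 7, so `# {{ ansible_managed }}` is at best a parse warning and may make PHP reject the mounted file; use `;`. Since this file is bind-mounted over `/usr/local/etc/php/php.ini` it replaces the image's PHP defaults entirely, which is worth stating in the header.

```ini
; {{ ansible_managed }}
; Overrides the image's php.ini; mounted over /usr/local/etc/php/php.ini, so it is the whole config
[PHP]
upload_max_filesize = {{ docker_roundcube_maxfilesize }}
post_max_size = {{ docker_roundcube_php_maxpostsize }}
max_execution_time = 200
memory_limit = {{ docker_roundcube_php_memory_limit }}
; ... unchanged: [Date] section ...
```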