Commit d9554882 authored by ale's avatar ale

Initial commit

Pipeline #838 failed with stages
in 21 seconds
image: docker:latest
stages:
- build
- release
services:
- docker:dind
variables:
IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
RELEASE_TAG: $CI_REGISTRY_IMAGE:latest
GIT_SUBMODULE_STRATEGY: recursive
before_script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.git.autistici.org
build:
stage: build
script:
- env DEBIAN_FRONTEND=noninteractive apt-get -qy install make default-java-jre
- make
- docker build --build-arg ci_token=$CI_JOB_TOKEN --pull -t $IMAGE_TAG .
- docker push $IMAGE_TAG
release:
stage: release
script:
- docker pull $IMAGE_TAG
- docker tag $IMAGE_TAG $RELEASE_TAG
- docker push $RELEASE_TAG
only:
- master
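Review bot: The job token is passed on the command line twice: `docker login ... -p $CI_JOB_TOKEN` in `before_script` and `--build-arg ci_token=$CI_JOB_TOKEN` in the build job. A password given with `-p` is visible in the process list and Docker warns about it; `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin registry.git.autistici.org` avoids that. The Dockerfile in this commit declares no `ARG ci_token`, so the build argument appears unused and the line can become `docker build --pull -t $IMAGE_TAG .`. Values of declared build arguments are recorded in the image history, so a token needed during a later build should not be passed this way.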
FROM bitnami/minideb:stretch
COPY conf /tmp/conf
COPY build/src /var/www/webmail
COPY build.sh /tmp/build.sh
#COPY install-roundcube /tmp/install-roundcube
RUN /tmp/build.sh && rm -fr /tmp/build.sh /tmp/conf
EXPOSE 84
ENTRYPOINT ["/usr/local/bin/chaperone"]
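Review bot: `FROM bitnami/minideb:stretch` follows a mutable tag, and the CI job builds with `--pull`, so every build takes whatever that tag points to at the time. Pinning the digest, `FROM bitnami/minideb:stretch@sha256:<digest-of-the-reviewed-image>` (placeholder), makes the base reproducible and turns base-image updates into reviewable commits. The commented-out `#COPY install-roundcube` line can be dropped if the script is only run on the CI side through `make`.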
# Which Roundcube version to install.
RC_VERSION = 1.3.4
TARGET = ./build
all: build
build:
mkdir -p $(TARGET)
./install-roundcube --version=$(RC_VERSION) --destdir=$(TARGET)/src $@
clean:
-rm -fr $(TARGET)
.PHONY: build clean
#install: build
# install -d -o root -g root -m 755 -p $(DESTDIR)/usr/share/ai-roundcube
# install -m 755 -o root -g root install-roundcube \
# $(DESTDIR)/usr/share/ai-roundcube/install-roundcube
# install -d -o root -g root -m 755 $(DESTDIR)/usr/sbin
# install -m 755 -o root -g root roundcube-maintenance \
# $(DESTDIR)/usr/sbin/roundcube-maintenance
# mkdir -p $(TARGET)/roundcubemail-standby
# (for f in standby/.htaccess standby/standby.html ; do \
# install -m 644 -o root -g root $$f $(TARGET)/roundcubemail-standby/ ; done)
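Review bot: The trailing `$@` in the `build` recipe reads like pass-through arguments, but it expands to the target name and so supplies the `build` subcommand that install-roundcube expects. A one-line comment such as `# $@ expands to "build", the install-roundcube subcommand` would make that explicit. `all` is also missing from the phony list; `.PHONY: all build clean` covers it.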
#!/bin/sh
#
# Install script for git.autistici.org/ai/website
# inside a Docker container.
#
# The installation procedure requires installing some
# dedicated packages, so we have split it out to a script
# for legibility.
# Packages that are only used to build the site. These will be
# removed once we're done.
BUILD_PACKAGES="rsync"
# Packages required to serve the website and run the services.
# We have to keep the python3 packages around in order to run
# chaperone (installed via pip).
PACKAGES="
apache2
apache-exporter
libapache2-mod-removeip
libapache2-mod-sso
php-cli
php-fpm
php-mysql
php-gd
php-imap
php-mcrypt
mysql-client
python3-pip
python3-setuptools
python3-wheel
"
# Apache modules to enable.
APACHE_MODULES_ENABLE="
headers
proxy_fcgi
removeip
rewrite
setenvif
sso
"
# Apache modules that are enabled by default by the Debian package,
# and that we want to disable.
APACHE_MODULES_DISABLE="
ssl
"
# Config snippets to enable for Apache.
APACHE_CONFIG_ENABLE="
metrics
php7.0-fpm
"
# Config snippets to disable.
APACHE_CONFIG_DISABLE="
other-vhosts-access-log
serve-cgi-bin
"
# Sites to enable.
APACHE_SITES="
webmail
"
# The default bitnami/minideb image defines an 'install_packages'
# command which is just a convenient helper. Define our own in
# case we are using some other Debian image.
if [ "x$(which install_packages)" = "x" ]; then
install_packages() {
env DEBIAN_FRONTEND=noninteractive apt-get install -qqy --no-install-recommends "$@"
}
fi
set -e
# Install the main A/I package repository.
install_packages curl gnupg
echo "deb http://deb.autistici.org/urepo ai3/" > /etc/apt/sources.list.d/ai.list
curl -s http://deb.autistici.org/repo.key | apt-key add -
apt-get -q update
install_packages ${BUILD_PACKAGES} ${PACKAGES}
# Install the configuration, overlayed over /etc.
rsync -a /tmp/conf/ /etc/
# Enable/disable Apache modules and configs.
a2enmod -q ${APACHE_MODULES_ENABLE}
a2dismod -q -f ${APACHE_MODULES_DISABLE}
a2enconf -q ${APACHE_CONFIG_ENABLE}
a2disconf -q ${APACHE_CONFIG_DISABLE}
a2ensite ${APACHE_SITES}
# Create runtime directories (since we're not going to use init
# scripts or systemd units to start the services).
mkdir -p /var/run/apache2 /var/run/php
# Fix runtime permissions for the Roundcube data directories.
for d in temp logs ; do
chown www-data:www-data /var/www/webmail/$d
chmod 700 /var/www/webmail/$d
done
# Install Chaperone (minimalistic init service).
pip3 install chaperone
rm -fr /root/.cache/pip
# Remove packages used for installation.
apt-get remove -y --purge curl gnupg ${BUILD_PACKAGES}
apt-get autoremove -y
apt-get clean
rm -fr /var/lib/apt/lists/*
rm -fr /tmp/conf
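Review bot: The apt repository key is fetched over plain HTTP and piped straight into the trusted keyring (`curl -s http://deb.autistici.org/repo.key | apt-key add -`), so a tampered response during the image build installs someone else's key as trusted. The package signature check for the `http://deb.autistici.org/urepo` source then verifies nothing. Commit the key to the repository and add it from the copied tree, e.g. `apt-key add /tmp/conf/<path-to-committed-repo.key>` (placeholder path), or, if the host serves HTTPS, fetch it with `curl -fsSL https://...` and compare the fingerprint before adding it. `pip3 install chaperone` is also unpinned; `pip3 install chaperone==<reviewed-version>` keeps rebuilds from silently picking up a new release. The header comment still names git.autistici.org/ai/website and looks carried over from another project.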
# Forward Prometheus scrapes to the apache-exporter.
ProxyPass /metrics http://127.0.0.1:9118/metrics
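Review bot: This `ProxyPass /metrics` lives in a globally enabled config snippet, and main-server ProxyPass rules are inherited by virtual hosts by default, so the exporter output is presumably also reachable through the webmail vhost on port 84. If scraping is meant to happen only on the internal port, move the directive into the `*:83` vhost or restrict it, e.g. `<Location /metrics>` containing `Require ip <scraper-network>` (placeholder).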
<Directory />
AllowOverride None
Require all denied
</Directory>
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header set X-Content-Type-Options: "nosniff"
<VirtualHost *:83>
DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:84>
ServerName webmail.${DOMAIN}
ServerAlias *.webmail.${DOMAIN}
DocumentRoot /var/www/webmail
SetEnvIf X-Forwarded-Proto https HTTPS=on
LogFormat "%{X-AI-Noblogs-Site}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" http_host_combined
CustomLog "|/usr/bin/logger -t apache -p local3.info" http_host_combined
RewriteEngine On
<Directory /var/www/webmail>
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
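Review bot: `Options FollowSymLinks Indexes` together with `Require all granted` on the whole of /var/www/webmail enables directory listings for the application tree, which includes the `temp` and `logs` directories that build.sh sets permissions on. Protection of those directories then rests entirely on `.htaccess` files honoured through `AllowOverride All`, which this page does not show. Drop `Indexes` (`Options FollowSymLinks`) and deny the non-public directories in the vhost itself, e.g. `<DirectoryMatch "^/var/www/webmail/(temp|logs|config)/">` with `Require all denied`. `SetEnvIf X-Forwarded-Proto https HTTPS=on` trusts a header the client can set, so it is only sound if a front-end proxy always overwrites it; a comment stating that assumption would help.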
apache2.service: {
command: "bash -c 'source /etc/apache2/envvars && exec /usr/sbin/apache2 -DFOREGROUND'",
kill_signal: SIGWINCH
}
fpm.service: {
command: "/usr/sbin/php-fpm7.0 --force-stderr --nodaemonize"
}
#fakemail.service: {
# command: "python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25",
# env_set: {
# 'PYTHONUNBUFFERED': '1'
# }
#}
console.logging: {
selector: '*.warn',
stdout: true,
}
settings: {
env_set: {
"LANG": "en_us.UTF-8",
"LC_CTYPE": "$(LANG)",
}
}
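Review bot: `"LANG": "en_us.UTF-8"` is not the usual spelling of the locale; locale names are case-sensitive and the standard form is `en_US.UTF-8`. Nothing in the visible build.sh generates that locale either, so processes will likely fall back to the C locale. Either generate the locale during the image build or set `"LANG": "C.UTF-8"`, which Debian provides without extra packages. The commented-out `fakemail.service` block binds a debugging SMTP server on 0.0.0.0:25 and is better deleted than left for someone to uncomment.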
[www]
user = www-data
group = www-data
listen = /run/php/php7.0-fpm.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 25
pm.start_servers = 3
pm.min_spare_servers = 3
pm.max_spare_servers = 10
pm.max_requests = 10000
pm.status_path = /status
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = yes
access.log = /proc/self/fd/2
chdir = /
; Already enabled by default - do not enable twice.
; php_admin_value[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 256
php_admin_value[opcache.interned_strings_buffer] = 16
php_admin_value[opcache.max_accelerated_files] = 4000
php_admin_value[opcache.validate_timestamps] = 0
php_admin_value[opcache.fast_shutdown] = 1
#!/bin/bash
#
# Install RoundCube.
#
# This script will setup a full Roundcube installation, based on the
# upstream source distribution and a set of our patches and plugins.
#
# It is usually invoked by the Debian packaging scripts, but it can
# also be run standalone on a live system.
#
set -e
set -u
# External plugins to install.
EXTERNAL_PLUGINS=(
sauserprefs="https://github.com/JohnDoh/Roundcube-Plugin-SpamAssassin-User-Prefs-SQL/archive/1.17.1.tar.gz"
)
# Install directory.
ROOT=${ROOT:-./build}
SRCDIR=$(readlink -m $(dirname $0))
download_roundcube_source() {
local rc_version=$1
local target=$2
local rc_dist_url=https://github.com/roundcube/roundcubemail/releases/download/${rc_version}/roundcubemail-${rc_version}-complete.tar.gz
echo "Downloading Roundcube ${rc_version}..." >&2
mkdir -p "${target}"
curl -Ls "${rc_dist_url}" \
| tar -x -z --strip-components=1 \
--exclude="*/installer/*" \
-C ${target} -f -
}
apply_patches() {
local target=$1
local pname
for p in ${SRCDIR}/patches/*.patch ; do
pname=$(basename "$p")
echo "Applying patch $pname..." >&2
patch --directory=${target} --batch -p1 -l -E < "$p"
done
}
postprocess_sources() {
local target=$1
echo "Compiling Javascript files..." >&2
(cd ${target} && ./bin/jsshrink.sh)
echo "Compiling CSS files..." >&2
(cd ${target} && ./bin/cssshrink.sh)
}
install_local_plugins() {
local target=$1
local plugindir=${target}/plugins
local pname
for p in ${SRCDIR}/plugins/* ; do
test -d $p || continue
pname=$(basename "$p")
echo "Installing plugin ${pname}..." >&2
#ln -sfn ${p} ${plugindir}/${pname}
cp -r ${p} ${plugindir}/${pname}
done
}
install_external_plugins() {
local target=$1
local plugindir=${target}/plugins
local pname purl tarfile pdir
for i in ${!EXTERNAL_PLUGINS[@]}; do
pname=${EXTERNAL_PLUGINS[$i]%%=*}
purl=${EXTERNAL_PLUGINS[$i]##*=}
pdir=${plugindir}/${pname}
echo "Installing external plugin ${pname}..." >&2
mkdir -p "${pdir}"
curl -Ls "${purl}" \
| tar -x -z --strip-components=1 -C "${pdir}" -f -
done
}
install_skins() {
local target=$1
rsync -a ${SRCDIR}/skins/ ${target}/skins/
}
fix_permissions() {
local target=$1
for rundir in temp logs ; do
chown www-data:www-data ${target}/${rundir}
chmod 0700 ${target}/${rundir}
done
}
run_upgrade_scripts() {
local rc_cur_version=$1
local target=$2
# Is this a fresh install, or an upgrade?
if [ -z "${rc_cur_version}" ]; then
echo "New installation, setting up MySQL db..." >&2
mysql --defaults-file=/root/.my.cnf ai_roundcube -e '' 2>/dev/null \
|| mysqladmin create ai_roundcube
mysql --defaults-file=/root/.my.cnf ai_roundcube \
< ${target}/SQL/mysql.initial.sql
else
echo "Upgrade detected, running Roundcube upgrade script..." >&2
${target}/bin/update.sh --version=${rc_cur_version}
fi
}
build() {
local rc_version=$1
local target=$2
# Download and extract the source.
download_roundcube_source ${rc_version} ${target}
# Apply our patches.
apply_patches ${target}
# Install plugins.
install_local_plugins ${target}
install_external_plugins ${target}
# Install skins.
install_skins ${target}
# Final source post-processing.
postprocess_sources ${target}
}
# install is unused
install() {
local target=$1
# Fix permissions.
fix_permissions ${target}
}
# postinstall is unused
postinstall() {
local rc_version=$1
local target=$2
# Check the current version against RC_VERSION.
local version_file=${target}/.release
local cur_version=$(cat ${version_file} 2>/dev/null)
# Get rid of an eventual ".aiNN" suffix.
local rc_cur_version=$(echo ${cur_version#webmail-} | sed -e 's/\.ai.*$//')
if [ "${rc_version}" = "${cur_version}" ]; then
echo "Webmail is already up-to-date (${cur_version})." >&2
return
fi
# Run post-installation steps.
run_upgrade_scripts "${rc_cur_version}" "${target}"
echo ${rc_version} > ${version_file}
}
usage() {
cat <<EOF
Usage: $(basename "$0") [<OPTIONS>] COMMAND
Build and setup A/I-patched Roundcube sources.
Known commands are 'build', 'install' and 'postinstall'.
Options:
-v, --version=RC_VERSION Roundcube version to build
--destdir=DIR Install Roundcube in this directory
EOF
}
main() {
# Parse command-line options.
while :; do
case "$1" in
-h|--help)
usage
exit 0
;;
-v|--version)
if [ -n "$2" ]; then
RC_VERSION=$2
shift 2
continue
else
echo "Error: --version requires an argument" >&2
exit 1
fi
;;
--version=*)
RC_VERSION=${1#*=}
;;
--destdir)
if [ -n "$2" ]; then
TARGET=$2
shift 2
continue
else
echo "Error: --destdir requires an argument" >&2
exit 1
fi
;;
--destdir=*)
TARGET=${1#*=}
;;
-?*)
usage
echo "Error: unknown option '$1'" >&2
exit 1
;;
*)
break
esac
shift
done
if [ -z "${TARGET}" ]; then
echo "Must specify --destdir" >&2
exit 1
fi
case "$1" in
build)
if [ -z "${RC_VERSION}" ]; then
echo "Must specify --version" >&2
exit 1
fi
build ${RC_VERSION} ${TARGET}
;;
install)
install ${TARGET}
;;
postinstall)
if [ -z "${RC_VERSION}" ]; then
echo "Must specify --version" >&2
exit 1
fi
postinstall ${RC_VERSION} ${TARGET}
;;
*)
echo "Unknown command '$1'" >&2
exit 1
;;
esac
}
shopt -s nullglob
set -e
main "$@"
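Review bot: Both download paths (`download_roundcube_source` and `install_external_plugins`) pipe `curl -Ls` output straight into `tar` with no integrity check, so whatever the URL returns at build time becomes the webmail code. Download to a temporary file, verify it against a SHA-256 pinned next to `RC_VERSION` (and next to each entry in `EXTERNAL_PLUGINS`), and only then extract. Adding `-f` makes curl fail on HTTP errors instead of handing an error page to tar. Separately, `main` reads `$1`, `$2`, `${TARGET}` and `${RC_VERSION}` under `set -u`, so a missing argument aborts with an unbound-variable error before the friendly messages are reached; `${1:-}` and `${TARGET:-}` would fix that.

```shell
download_roundcube_source() {
    # … unchanged: rc_version, target, rc_dist_url, progress message, mkdir …
    local tarball
    tarball=$(mktemp)
    curl -fLsS -o "${tarball}" "${rc_dist_url}"
    # RC_SHA256 is a placeholder name: pin the reviewed checksum next to RC_VERSION.
    echo "${RC_SHA256}  ${tarball}" | sha256sum -c - >&2
    tar -x -z --strip-components=1 \
        --exclude="*/installer/*" \
        -C "${target}" -f "${tarball}"
    rm -f "${tarball}"
}
```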
Some of these plugins are ours, some come from myroundcube.net.
The MyRoundcube plugins are probably outdated, but we don't like
their "plugin center" app so we're sticking with these obsolete
versions.
myroundcube.net plugins:
* webmail_notifier
<?php
/**
* Support the A/I sso module, and interactions with the A/I user panel
*
* @version 0.0.1
* @author joe
* @website http://www.autistici.org
* @licence Do what the fuck you want with this crap
*
**/
// a/i crappy sso module
require_once 'auth-token.php';
class ai_auth extends rcube_plugin
{
public $task = 'login|logout';
public function init()
{
$this->add_hook('startup', array($this, 'startup'));
$this->add_hook('authenticate', array($this, 'authenticate'));
$this->add_hook('login_failed', array($this, 'redirect_to_login'));
$this->add_hook('logout_after', array($this, 'redirect_to_logout'));
}
public function startup()
{