From 72581c28ec6baece5b3fa838a400728dd92cf5b9 Mon Sep 17 00:00:00 2001
From: mwiegand <mwiegand@seibert-media.net>
Date: Mon, 14 Jun 2021 01:31:45 +0200
Subject: [PATCH] wip

---
 bundles/gitea/items.py                 |   6 +-
 bundles/mailserver/items.py            |   1 +
 bundles/nginx/files/fastcgi.conf       |  27 +++++++
 bundles/nginx/items.py                 |   5 ++
 bundles/php/files/php.ini              | 102 +++++++++++++++++++++++++
 bundles/php/items.py                   |  37 +++++++++
 bundles/php/metadata.py                |   7 ++
 bundles/roundcube/files/config.inc.php |  79 +++++++++++++++++++
 bundles/roundcube/items.py             |  34 +++++++++
 bundles/roundcube/metadata.py          |  71 +++++++++++++++++
 groups/applications/mailserver.py      |   2 +
 groups/os/debian-10.py                 |   9 ++-
 nodes/htz.mails.py                     |  22 ++++--
 13 files changed, 390 insertions(+), 12 deletions(-)
 create mode 100644 bundles/nginx/files/fastcgi.conf
 create mode 100644 bundles/php/files/php.ini
 create mode 100644 bundles/php/items.py
 create mode 100644 bundles/php/metadata.py
 create mode 100644 bundles/roundcube/files/config.inc.php
 create mode 100644 bundles/roundcube/items.py
 create mode 100644 bundles/roundcube/metadata.py

diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py
index bb768fd..45023fb 100644
--- a/bundles/gitea/items.py
+++ b/bundles/gitea/items.py
@@ -1,6 +1,8 @@
+version = version=node.metadata.get('gitea/version')
+
 downloads['/usr/local/bin/gitea'] = {
-    'url': 'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64'.format(version=node.metadata['gitea']['version']),
-    'sha256': node.metadata['gitea']['sha256'],
+    'url': f'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64',
+    'sha256': node.metadataget('gitea/sha256'),
     'triggers': {
         'svc_systemd:gitea:restart',
     },
diff --git a/bundles/mailserver/items.py b/bundles/mailserver/items.py
index 7592696..6dbce93 100644
--- a/bundles/mailserver/items.py
+++ b/bundles/mailserver/items.py
@@ -1,3 +1,4 @@
 assert node.has_bundle('postfix')
 assert node.has_bundle('dovecot')
 assert node.has_bundle('letsencrypt')
+assert node.has_bundle('roundcube')
diff --git a/bundles/nginx/files/fastcgi.conf b/bundles/nginx/files/fastcgi.conf
new file mode 100644
index 0000000..bd151a6
--- /dev/null
+++ b/bundles/nginx/files/fastcgi.conf
@@ -0,0 +1,27 @@
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+fastcgi_param  REDIRECT_STATUS    200;
+
+# This is the only thing that's different to the debian default.
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index c49270d..ce88e13 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -38,6 +38,11 @@ files = {
             'svc_systemd:nginx:restart',
         },
     },
+    '/etc/nginx/fastcgi.conf': {
+        'triggers': {
+            'svc_systemd:nginx:restart',
+        },
+    }, 
 }
 
 actions = {
diff --git a/bundles/php/files/php.ini b/bundles/php/files/php.ini
new file mode 100644
index 0000000..d06e97f
--- /dev/null
+++ b/bundles/php/files/php.ini
@@ -0,0 +1,102 @@
+[PHP]
+; Only needed for libapache2-mod-php?
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+serialize_precision = -1
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals
+ignore_user_abort = Off
+zend.enable_gc = On
+expose_php = Off
+
+max_execution_time = 30
+max_input_time = 60
+memory_limit = 256M
+
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_startup_errors = Off
+log_errors = On
+log_errors_max_len = 1024
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = On
+html_errors = On
+error_log = syslog
+syslog.ident = php7.4
+syslog.filter = ascii
+
+arg_separator.output = "&amp;"
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = ${post_max_size}M
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+
+enable_dl = Off
+file_uploads = On
+upload_max_filesize = ${post_max_size}M
+max_file_uploads = 20
+
+allow_url_fopen = On
+allow_url_include = Off
+default_socket_timeout = 10
+
+[CLI Server]
+cli_server.color = On
+
+[mail function]
+mail.add_x_header = Off
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[Session]
+session.save_handler = files
+session.use_strict_mode = 0
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 1
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 32
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 6
+
+[Assertion]
+zend.assertions = -1
+
+[Date]
+date.timezone = Europe/London
diff --git a/bundles/php/items.py b/bundles/php/items.py
new file mode 100644
index 0000000..64b5aab
--- /dev/null
+++ b/bundles/php/items.py
@@ -0,0 +1,37 @@
+version = node.metadata.get('php/version')
+
+php_ini_context = {
+    'num_cpus': node.metadata.get('vm/cpu'),
+    'post_max_size': node.metadata.get('php/post_max_size', 10),
+}
+
+files = {
+    f'/etc/php/{version}/fpm/php.ini': {
+        'content_type': 'mako',
+        'context': php_ini_context,
+        'needs': {
+            # "all php packages"
+            'pkg_apt:'
+        },
+        'triggers': {
+            f'svc_systemd:php{version}-fpm:restart',
+        },
+    },
+    f'/etc/php/{version}/cli/php.ini': {
+        'content_type': 'mako',
+        'context': php_ini_context,
+        'needs': {
+            # "all php packages"
+            'pkg_apt:'
+        },
+    },
+}
+
+svc_systemd = {
+    f'php{version}-fpm': {
+        'needs': {
+            'pkg_apt:',
+            f'file:/etc/php/{version}/fpm/php.ini',
+        },
+    },
+}
diff --git a/bundles/php/metadata.py b/bundles/php/metadata.py
new file mode 100644
index 0000000..f658c87
--- /dev/null
+++ b/bundles/php/metadata.py
@@ -0,0 +1,7 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'php': {},
+        },
+    },
+}
diff --git a/bundles/roundcube/files/config.inc.php b/bundles/roundcube/files/config.inc.php
new file mode 100644
index 0000000..bcaef07
--- /dev/null
+++ b/bundles/roundcube/files/config.inc.php
@@ -0,0 +1,79 @@
+<?php
+
+% if installer:
+$config['enable_installer'] = true;
+% endif
+
+/* Local configuration for Roundcube Webmail */
+
+// ----------------------------------
+// SQL DATABASE
+// ----------------------------------
+// Database connection string (DSN) for read+write operations
+// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
+// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
+// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
+// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
+$config['db_dsnw'] = '${database['provider']}://${database['user']}:${database['password']}@${database['host']}/${database['name']}';
+
+// ----------------------------------
+// IMAP
+// ----------------------------------
+// The mail host chosen to perform the log-in.
+// Leave blank to show a textbox at login, give a list of hosts
+// to display a pulldown menu or set one host as string.
+// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
+// Supported replacement variables:
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %s - domain name after the '@' from e-mail address provided at login screen
+// For example %n = mail.domain.tld, %t = domain.tld
+// WARNING: After hostname change update of mail_host column in users table is
+//          required to match old user data records with the new host.
+$config['default_host'] = 'localhost';
+
+// ----------------------------------
+// SMTP
+// ----------------------------------
+// SMTP server host (for sending mails).
+// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
+// If left blank, the PHP mail() function is used
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['smtp_server'] = '';
+
+// SMTP username (if required) if you use %u as the username Roundcube
+// will use the current username for login
+$config['smtp_user'] = '%u';
+
+// SMTP password (if required) if you use %p as the password Roundcube
+// will use the current user's password for login
+$config['smtp_pass'] = '%p';
+
+// provide an URL where a user can get support for this Roundcube installation
+// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
+$config['support_url'] = '';
+
+// this key is used to encrypt the users imap password which is stored
+// in the session record (and the client cookie if remember password is enabled).
+// please provide a string of exactly 24 chars.
+$config['des_key'] = '${des_key}';
+
+// Name your service. This is displayed on the login screen and in the window title
+$config['product_name'] = '${product_name}';
+
+// ----------------------------------
+// PLUGINS
+// ----------------------------------
+// List of active plugins (in plugins/ directory)
+$config['plugins'] = array(${', '.join(f'"{plugin}"' for plugin in plugins)});
+
+// the default locale setting (leave empty for auto-detection)
+// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
+$config['language'] = 'de_DE';
diff --git a/bundles/roundcube/items.py b/bundles/roundcube/items.py
new file mode 100644
index 0000000..8c4d5e3
--- /dev/null
+++ b/bundles/roundcube/items.py
@@ -0,0 +1,34 @@
+assert node.has_bundle('php')
+assert node.has_bundle('mailserver')
+
+git_deploy['/opt/roundcube'] = {
+    'repo': "https://github.com/roundcube/roundcubemail.git",
+    'rev': node.metadata.get('roundcube/version'),
+}
+
+files['/opt/roundcube/config/config.inc.php'] = {
+    'content_type': 'mako',
+    'context': {
+        'installer': node.metadata.get('roundcube/installer'),
+        'product_name': node.metadata.get('roundcube/product_name'),
+        'des_key': node.metadata.get('roundcube/des_key'),
+        'database': node.metadata.get('roundcube/database'),
+        'plugins': node.metadata.get('roundcube/plugins'),
+    },
+    'needs': [
+        'git_deploy:/opt/roundcube',
+    ],
+}
+
+directories['/opt/roundcube/logs'] = {
+    'owner': 'www-data',
+    'needs': [
+        'git_deploy:/opt/roundcube',
+    ],
+}
+directories['/opt/roundcube/temp'] = {
+    'owner': 'www-data',
+    'needs': [
+        'git_deploy:/opt/roundcube',
+    ],
+}
diff --git a/bundles/roundcube/metadata.py b/bundles/roundcube/metadata.py
new file mode 100644
index 0000000..0a29c1b
--- /dev/null
+++ b/bundles/roundcube/metadata.py
@@ -0,0 +1,71 @@
+database_password = repo.vault.password_for(f'{node.name} postgresql roundcube')
+
+defaults = {
+    'apt': {
+        'packages': {
+            'php': {},
+            'php-auth-sasl': {},
+            'php-cli': {},
+            'php-fpm': {},
+            'php-imagick': {},
+            'php-intl': {},
+            'php-mail-mime': {},
+            'php-mbstring': {},
+            'php-net-idna2': {},
+            'php-net-smtp': {},
+            'php-net-socket': {},
+            'php-pear': {},
+            'php-pgsql': {},
+            'php-xml': {},
+            'php-zip': {},
+        },
+    },
+    'nginx': {
+        'vhosts': {
+            'roundcube': {
+                'webroot': '/opt/roundcube',
+                'php': True,
+            },
+        },
+    },
+    'roundcube': {
+        'database': {
+            'provider': 'pgsql',
+            'host': 'localhost',
+            'name': 'roundcube',
+            'user': 'roundcube',
+            'password': database_password,
+        },
+        'plugins': [
+            'managesieve',
+            'password',
+        ],
+        'des_key': repo.vault.password_for(f'{node.name} roundcube des_key'),
+    },
+    'postgresql': {
+        'roles': {
+            'roundcube': {
+                'password': database_password,
+            },
+        },
+        'databases': {
+            'roundcube': {
+                'owner': 'roundcube',
+            },
+        },
+    },
+}
+
+@metadata_reactor.provides(
+    'nginx/vhosts/roundcube/domain'
+)
+def domain(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                'roundcube': {
+                    'domain': metadata.get('mailserver/hostname'),
+                },
+            },
+        },
+    }
diff --git a/groups/applications/mailserver.py b/groups/applications/mailserver.py
index 46acec7..32d1830 100644
--- a/groups/applications/mailserver.py
+++ b/groups/applications/mailserver.py
@@ -3,7 +3,9 @@
         'dovecot',
         'letsencrypt',
         'mailserver',
+        'php',
         'postfix',
         'postgresql',
+        'roundcube',
     ],
 }
diff --git a/groups/os/debian-10.py b/groups/os/debian-10.py
index cb52f89..13421f1 100644
--- a/groups/os/debian-10.py
+++ b/groups/os/debian-10.py
@@ -3,9 +3,12 @@
         'debian',
     ],
     'metadata': {
+        'php': {
+            'version': '7.3',
+        },
         'postgresql': {
-            'version': 11,
-        }
+            'version': '11',
+        },
     }, 
-    'os_version': (10,)
+    'os_version': (10,),
 }
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index 768b71b..c2786ad 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -39,8 +39,22 @@
             },
         },
         'mailserver': {
+            'hostname': 'mail2.sublimity.de',
             'admin_email': 'postmaster@sublimity.de',
-            'hostname': 'mail.sublimity.de',
+        },
+        'roundcube': {
+            'product_name': 'Sublimity Mail',
+            'version': '1.4.11',
+            'installer': True,
+        },
+        'vm': {
+            'cpu': 2,
+        },
+        'wireguard': {
+            'my_ip': '172.19.136.2/22',
+            'peers': {
+                'home.server': {},
+            },
         },
         'zfs': {
             'pools': {
@@ -49,11 +63,5 @@
                 },
             },
         },
-        'wireguard': {
-            'my_ip': '172.19.136.2/22',
-            'peers': {
-                'home.server': {},
-            },
-        },
     },
 }