diff --git a/Makefile b/Makefile index 1881bf4..40fc83e 100644 --- a/Makefile +++ b/Makefile @@ -19,13 +19,14 @@ KOPANO_ZPUSH_REPOSITORY_URL := http://repo.z-hub.io/z-push:/final/Debian_9.0/ RELEASE_KEY_DOWNLOAD := 0 DOWNLOAD_COMMUNITY_PACKAGES := 1 +COMPOSE_FILE := docker-compose.yml-example -include .env export # convert lowercase componentname to uppercase COMPONENT = $(shell echo $(component) | tr a-z A-Z) -build-all: build-ssl build-base build-core build-utils build-webapp build-zpush build-kweb build-ldap-demo +build-all: build-ssl build-base build-core build-utils build-webapp build-zpush build-kweb build-konnect build-playground build-ldap-demo build: component ?= base build: @@ -66,6 +67,12 @@ build-ssl: build-kweb: docker build -t $(docker_repo)/kopano_web kweb/ +build-konnect: + docker build -t $(docker_repo)/kopano_konnect konnect/ + +build-playground: + docker build -t $(docker_repo)/kopano_playground playground/ + build-ldap-demo: docker build -t $(docker_repo)/kopano_ldap_demo ldap-demo/ @@ -137,13 +144,13 @@ publish-kweb: build-kweb docker push $(docker_repo)/kopano_web:latest test: - docker-compose down -v || true + docker-compose -f $(COMPOSE_FILE) down -v || true make build-all - docker-compose build - docker-compose up -d - docker-compose ps + docker-compose -f $(COMPOSE_FILE) build + docker-compose -f $(COMPOSE_FILE) up -d + docker-compose -f $(COMPOSE_FILE) ps test-quick: - docker-compose stop || true - docker-compose up -d - docker-compose ps + docker-compose -f $(COMPOSE_FILE) stop || true + docker-compose -f $(COMPOSE_FILE) up -d + docker-compose -f $(COMPOSE_FILE) ps diff --git a/README.md b/README.md index 80dd154..6d1aa73 100644 --- a/README.md +++ b/README.md 
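Review bot: The `test` and `test-quick` recipes pass `-f $(COMPOSE_FILE)` on every call although the unconditional `export` a few lines above already puts `COMPOSE_FILE` into the recipe environment, which docker-compose honours on its own, so the two mechanisms overlap; keep the explicit flag but say so, `# COMPOSE_FILE is also exported; -f keeps the choice visible in the recipe`. Because `COMPOSE_FILE := docker-compose.yml-example` is assigned before `-include .env`, a `COMPOSE_FILE` line in `.env` silently wins — worth a comment at the assignment. `$(COMPOSE_FILE)` is unquoted in the recipes, so a path containing spaces would break them; `"$(COMPOSE_FILE)"` is the safer spelling. `build-all`, `build-konnect`, `build-playground`, `test` and `test-quick` are not visibly declared `.PHONY`; that declaration may live outside these hunks.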
@@ -69,11 +69,15 @@ While using kweb is recommended, this is of course possible. - The `kopano_webapp` image is accessible on port 80 and serves the WebApp both on `/` and `/webapp`. - The `kopano_zpush` image is accessible on port 80 and serves Z-Push on `/Microsoft-Server-ActiveSync` (additional urls may be needed in the future see #39). +### What are and how can I use the Kapi Playground and OIDC Playground? + +This project includes a Docker container to easily inspect the data returned by the Kopano Rest API (KAPI), as well as the OpenID (Connect) Service Provider. To explore these applications you need to pass the URL of the "Issuer" when opening these. For the Kapi Playground this would for example be `https://kopano.demo/kapi-playground/?iss=https://kopano.demo`. + ### I want to use these Docker images outside of an evaluation environment. What do I need to adjust to make this possible? To get a quick impression of Kopano this git repository bundles a locally build ldap image with some example users. When using the docker-compose.yml in a production environment make sure to: -- either remove `ldap-demo/bootstrap/ldif/demo-users.ldif` from the locally built ldap image or complelty remove the local ldap from the compose file +- either remove `ldap-demo/bootstrap/ldif/demo-users.ldif` from the locally built ldap image or complety remove the local ldap from the compose file - adapt ldap queries in .env to match you actual ldap server and users - all additional configuration of the Kopano components should be specified in the compose file and **not within the running container** diff --git a/core/Dockerfile b/core/Dockerfile index 3d3ee0e..5f4dbe4 100644 --- a/core/Dockerfile +++ b/core/Dockerfile @@ -29,6 +29,7 @@ RUN \ set -x && \ apt-get install --no-install-recommends -y \ kopano-server-packages \ + kopano-grapi kopano-kapid \ ${ADDITIONAL_KOPANO_PACKAGES} \ && \ set +x && \ 
diff --git a/core/defaultconfigs/grapi.py b/core/defaultconfigs/grapi.py new file mode 100644 index 0000000..48407c7 --- /dev/null +++ b/core/defaultconfigs/grapi.py @@ -0,0 +1,5 @@ +import os +import kcconf + +# Override configs from environment variables +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) diff --git a/core/defaultconfigs/kapid.py b/core/defaultconfigs/kapid.py new file mode 100644 index 0000000..1ed786b --- /dev/null +++ b/core/defaultconfigs/kapid.py @@ -0,0 +1,18 @@ +import os +import kcconf + +# Component specific configurations +kcconf.configkopano({ + r"/etc/kopano/kapid.cfg": + { + 'log_level': "info", + 'listen': "0.0.0.0:8039", + 'DEFAULT_PLUGIN_PUBS_SECRET_KEY_FILE': "/kopano/ssl/kapid-pubs-secret.key", + 'plugin_kvs_db_datasource': "/kopano/data/kapi-kvs/kvs.db", + 'plugin_grapi_socket_path': "/var/run/kopano/grapi" + + } +}) + +# Override configs from environment variables +kcconf.configkopano(kcconf.parseenvironmentvariables(r"/etc/kopano/")) diff --git a/core/start-service.sh b/core/start-service.sh index cdb5536..9f818e8 100755 --- a/core/start-service.sh +++ b/core/start-service.sh @@ -16,7 +16,7 @@ fi fi done -mkdir -p /kopano/data/attachments /tmp/$SERVICE_TO_START /var/run/kopano +mkdir -p /kopano/data/attachments /kopano/data/kapi-kvs /tmp/$SERVICE_TO_START /var/run/kopano echo "Configure core service '$SERVICE_TO_START'" | ts /usr/bin/python3 /kopano/$SERVICE_TO_START.py 
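Review bot: `import os` is unused in both new files, `core/defaultconfigs/grapi.py` and `core/defaultconfigs/kapid.py`; drop it or use it. In kapid.py the key `'DEFAULT_PLUGIN_PUBS_SECRET_KEY_FILE'` is upper case while every other key is lower case — whether kapid's config parser is case-sensitive cannot be told from here, so confirm against the kapid configuration reference and normalise the spelling either way. The dictionary also carries a stray blank line before its closing brace. A one-line module docstring per file, e.g. `"""Default kapid.cfg values; KCCONF_KAPID_* environment variables override them."""`, would tell a reader how the two `configkopano` calls interact.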
@@ -72,6 +72,28 @@ ical) unset "${!KCCONF_@}" exec /usr/sbin/kopano-ical -F ;; +grapi) + LC_CTYPE=en_US.UTF-8 + export socket_path=/var/run/kopano/grapi + mkdir $socket_path + chown -R kapi:kopano $socket_path + # cleaning up env variables + unset "${!KCCONF_@}" + exec kopano-grapi serve + ;; +kapid) + dockerize \ + -wait file://var/run/kopano/grapi/notify.sock \ + -wait http://kopano_konnect:8777/.well-known/openid-configuration \ + -timeout 360s + LC_CTYPE=en_US.UTF-8 + sed -i s/\ *=\ */=/g /etc/kopano/kapid.cfg + export $(grep -v '^#' /etc/kopano/kapid.cfg | xargs -d '\n') + kopano-kapid setup + # cleaning up env variables + unset "${!KCCONF_@}" + exec kopano-kapid serve --log-timestamp=false + ;; monitor) dockerize \ -wait file://var/run/kopano/server.sock \ diff --git a/docker-compose.yml-example b/docker-compose.yml-example index 2a54f29..add685a 100644 --- a/docker-compose.yml-example +++ b/docker-compose.yml-example @@ -5,9 +5,6 @@ services: image: ${docker_repo:?err}/kopano_web container_name: web restart: always - links: - - kopano_webapp - - kopano_zpush ports: - "2015:2015" - "${HTTP}:8080" @@ -49,8 +46,6 @@ services: - PHPLDAPADMIN_LDAP_HOSTS=ldap - PHPLDAPADMIN_HTTPS=false command: -l debug - links: - - ldap networks: - ldap-net - web-net @@ -63,8 +58,6 @@ services: container_name: mail depends_on: - ldap - links: - - ldap ports: - "25:25" volumes: @@ -138,12 +131,9 @@ services: - kopanossl/:/kopano/ssl kopano_server: - image: ${docker_repo}/kopano_core:${CORE_VERSION} + image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} hostname: kopano_server container_name: kopano_server - links: - - db - - ldap depends_on: - db - ldap @@ -155,7 +145,7 @@ services: - SERVICE_TO_START=server - TZ=${TZ} - KCCONF_SERVER_COREDUMP_ENABLED=no - - KCCONF_SERVER_LOG_LEVEL=4 + - KCCONF_SERVER_LOG_LEVEL=3 - KCCONF_SERVER_MYSQL_HOST=${MYSQL_HOST} - KCCONF_SERVER_MYSQL_PORT=3306 - KCCONF_SERVER_MYSQL_DATABASE=${MYSQL_DATABASE} 
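Review bot: In the new `grapi)` branch `mkdir $socket_path` has no `-p`, so if `/var/run/kopano/grapi` survives from an earlier run (it lives in the shared socket volume) the command fails and, should the script run under `set -e` (its header is outside the hunk), the container never reaches `exec`; use `mkdir -p "$socket_path"`. `LC_CTYPE=en_US.UTF-8` in both branches is a plain assignment, not an export, so unless the variable is already exported the exec'd `kopano-grapi`/`kopano-kapid` will not see it — `export LC_CTYPE=en_US.UTF-8` makes the intent unambiguous. The `kapid)` branch turns every uncommented line of kapid.cfg into environment variables with `export $(grep ... | xargs -d '\n')`, which word-splits values containing spaces, and the global `sed -i s/\ *=\ */=/g` also rewrites any `=` inside a value; exporting line by line is more robust and easier to comment. `chown -R kapi:kopano $socket_path` touches a directory in a volume shared with the other core containers, so a comment that grapi runs as `kapi` and why the other services need group access would help.
```shell
kapid)
    # … unchanged: dockerize -wait … -timeout 360s …
    export LC_CTYPE=en_US.UTF-8
    sed -i 's/ *= */=/g' /etc/kopano/kapid.cfg
    # export key=value pairs one per line so values with spaces or '=' survive intact
    while IFS='=' read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        export "$key=$value"
    done < /etc/kopano/kapid.cfg
    # … unchanged: kopano-kapid setup, unset KCCONF_*, exec …
```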
@@ -175,9 +165,15 @@ services: - KCUNCOMMENT_LDAP_1=${KCUNCOMMENT_LDAP_1} - KCCOMMENT_LDAP_1=${KCCOMMENT_LDAP_1} - ADDITIONAL_KOPANO_PACKAGES=${ADDITIONAL_KOPANO_PACKAGES} + - KCCONF_SERVER_ENABLE_SSO=yes + - KCCONF_SERVER_KCOIDC_ISSUER_IDENTIFIER=https://${FQDN} + - KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE} + - KCCONF_SERVER_KCOIDC_INITIALIZE_TIMEOUT=360 networks: - kopano-net - ldap-net + extra_hosts: + - ${EXTRAHOSTS} volumes: - kopanodata/:/kopano/data - kopanossl/:/kopano/ssl @@ -187,8 +183,6 @@ services: image: ${docker_repo:?err}/kopano_webapp:${WEBAPP_VERSION} hostname: kopano_webapp container_name: kopano_webapp - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano @@ -203,8 +197,6 @@ services: image: ${docker_repo:?err}/kopano_zpush:${ZPUSH_VERSION} hostname: kopano_zpush container_name: kopano_zpush - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano 
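Review bot: `extra_hosts: - ${EXTRAHOSTS}` and `KCCONF_SERVER_KCOIDC_INSECURE_SKIP_VERIFY=${INSECURE}` read two variables that only the updated `setup.sh` writes, so an `.env` generated before this change expands them to empty strings: an empty `extra_hosts` entry is rejected by compose and an empty `INSECURE` leaves the server's verification setting undefined. Use `${EXTRAHOSTS:?err}` and `${INSECURE:?err}`, matching the `docker_repo:?err` reference in this file, or state in the README that `.env` must be regenerated. `KCOIDC_INSECURE_SKIP_VERIFY` disables TLS verification of the issuer `https://${FQDN}`; a comment such as `# only yes for self-signed test setups (INSECURE comes from setup.sh)` next to it keeps that from being copied into a production compose file. The same applies to `KCCONF_KAPID_INSECURE=${INSECURE}` in the later `kopano_kapi` hunk.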
@@ -215,18 +207,46 @@ services: - web-net - kopano-net + kopano_grapi: + image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} + container_name: kopano_grapi + volumes: + - kopanosocket/:/run/kopano + environment: + - SERVICE_TO_START=grapi + - TZ=${TZ} + networks: + - kopano-net + + kopano_kapi: + image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} + container_name: kopano_kapi + volumes: + - kopanodata/:/kopano/data + - kopanossl/:/kopano/ssl + - kopanosocket/:/run/kopano + environment: + - SERVICE_TO_START=kapid + - TZ=${TZ} + - KCCONF_KAPID_LOG_LEVEL=DEBUG + - KCCONF_KAPID_OIDC_ISSUER_IDENTIFIER=https://${FQDN} + - KCCONF_KAPID_INSECURE=${INSECURE} + extra_hosts: + - ${EXTRAHOSTS} + networks: + - kopano-net + - web-net + kopano_dagent: image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} container_name: kopano_dagent - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano environment: - SERVICE_TO_START=dagent - TZ=${TZ} - - KCCONF_DAGENT_LOG_LEVEL=6 + - KCCONF_DAGENT_LOG_LEVEL=3 - KCCONF_DAGENT_SSLKEY_FILE=/kopano/ssl/kdagent.pem networks: - kopano-net @@ -236,15 +256,13 @@ services: container_name: kopano_spooler hostname: spooler domainname: ${LDAP_DOMAIN} - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano environment: - SERVICE_TO_START=spooler - TZ=${TZ} - - KCCONF_SPOOLER_LOG_LEVEL=4 + - KCCONF_SPOOLER_LOG_LEVEL=3 - KCCONF_SPOOLER_SMTP_SERVER=mail - KCCONF_SPOOLER_SSLKEY_FILE=/kopano/ssl/kspooler.pem networks: @@ -253,8 +271,6 @@ services: kopano_gateway: image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} container_name: kopano_gateway - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano @@ -269,8 +285,6 @@ services: kopano_ical: image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} container_name: kopano_ical - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano 
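Review bot: The new `kopano_kapi` service mounts the whole `kopanodata/` volume although, per the kapid defaults added in this commit, it only needs `/kopano/data/kapi-kvs/kvs.db`; mounting just that subdirectory (or a dedicated volume) keeps attachments and other server data out of a web-facing container. `KCCONF_KAPID_LOG_LEVEL=DEBUG` overrides the `info` default from `core/defaultconfigs/kapid.py` for a service that handles bearer tokens; mark it as temporary, `# DEBUG only while the kapi integration is evaluated`, so it is not shipped that way. With `links` removed throughout this file, nothing in the hunk orders `kopano_grapi` or `kopano_kapi` after `kopano_server`; the kapid branch waits on the grapi socket via dockerize, but grapi itself has no visible ordering, so add `depends_on: - kopano_server` if its start-up requires the server socket.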
@@ -284,8 +298,6 @@ services: kopano_monitor: image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} container_name: kopano_monitor - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano @@ -298,8 +310,6 @@ services: kopano_search: image: ${docker_repo:?err}/kopano_core:${CORE_VERSION} container_name: kopano_search - links: - - kopano_server volumes: - kopanossl/:/kopano/ssl - kopanosocket/:/run/kopano @@ -309,6 +319,27 @@ services: - TZ=${TZ} networks: - kopano-net + + kopano_konnect: + image: ${docker_repo:?err}/kopano_konnect + container_name: kopano_konnect + command: wrapper.sh + volumes: + - kopanossl/:/kopano/ssl + - kopanosocket/:/run/kopano + environment: + - FQDN=${FQDN} + networks: + - kopano-net + - web-net + + kopano_playground: + image: ${docker_repo:?err}/kopano_playground + container_name: kopano_playground + networks: + - kopano-net + - web-net + volumes: web: ldap: diff --git a/konnect/Dockerfile b/konnect/Dockerfile new file mode 100644 index 0000000..6cf251c --- /dev/null +++ b/konnect/Dockerfile @@ -0,0 +1,14 @@ +FROM kopano/konnectd:0.16.1 + +RUN apk add --update \ + openssl \ + && rm -rf /var/cache/apk/* + +ENV DOCKERIZE_VERSION v0.6.1 +RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ + && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ + && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz + +RUN mkdir -p /etc/kopano/ +COPY identifier-registration.yaml /etc/kopano +COPY wrapper.sh /usr/local/bin diff --git a/konnect/identifier-registration.yaml b/konnect/identifier-registration.yaml new file mode 100755 index 0000000..5fcd561 --- /dev/null +++ b/konnect/identifier-registration.yaml 
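Review bot: The dockerize tarball fetched with `wget https://github.com/jwilder/dockerize/releases/download/...` in `konnect/Dockerfile` is extracted without an integrity check, so the image build trusts whatever that URL serves at build time; verify the published digest before `tar`, e.g. `echo "<sha256-of-dockerize-alpine-linux-amd64-v0.6.1.tar.gz>  dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz" | sha256sum -c -` (placeholder to be replaced with the release checksum). `RUN mkdir -p /etc/kopano/` followed by `COPY identifier-registration.yaml /etc/kopano` can be collapsed, since `COPY` creates missing destination directories. `wrapper.sh` is placed in `/usr/local/bin` and the compose file invokes it as `command: wrapper.sh`; a comment at that `COPY` line noting the dependency prevents a silent break if the path is changed.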
@@ -0,0 +1,54 @@
+---
+
+# OpenID Connect client registry.
+clients:
+# - id: oidc-client-example.js
+# name: OIDC Playground
+# application_type: web
+# redirect_uris:
+# - https://devmail.kopano.com/kapi-playground/
+# - id: playground.js
+# name: OIDC Playground
+# application_type: web
+# redirect_uris:
+# - https://my-host:8509/
+
+# - id: playground-trusted.js
+# name: Trusted OIDC Playground
+# trusted: yes
+# application_type: web
+# redirect_uris:
+# - https://my-host:8509/
+
+# - id: playground-trusted.js
+# name: Trusted Insecure OIDC Playground
+# trusted: yes
+# application_type: web
+# insecure: yes
+
+# - id: client-with-keys
+# secret: super
+# application_type: native
+# redirect_uris:
+# - http://localhost
+# jwks:
+# keys:
+# - kty: EC
+# use: sig
+# kid: client-with-keys-key-1
+# crv: P-256
+# x: RTZpWoRbjwX1YavmSHVBj6Cy3Yzdkkp6QLvTGB22D0c
+# y: jeavjwcX0xlDSchFcBMzXSU7wGs2VPpNxWCwmxFvmF0
+# request_object_signing_alg: ES256
+
+# - id: first
+# secret: lala
+# application_type: native
+# redirect_uris:
+# - my://app
+
+# - id: second
+# secret: lulu
+# application_type: native
+# redirect_uris:
+# - http://localhost
diff --git a/konnect/wrapper.sh b/konnect/wrapper.sh
new file mode 100755
index 0000000..a735770
--- /dev/null
+++ b/konnect/wrapper.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+dockerize \
+ -wait file:///kopano/ssl/konnectd-tokens-signing-key.pem \
+ -wait file:///kopano/ssl/konnectd-encryption.key \
+ -timeout 360s
+exec konnectd serve \
+ --signing-private-key=/kopano/ssl/konnectd-tokens-signing-key.pem \
+ --encryption-secret=/kopano/ssl/konnectd-encryption.key \
+ --iss=https://$FQDN \
+ --identifier-registration-conf /etc/kopano/identifier-registration.yaml \
+ kc
diff --git a/kweb/kweb.cfg b/kweb/kweb.cfg
index e1e40fa..2c30eff 100644
--- a/kweb/kweb.cfg
+++ b/kweb/kweb.cfg
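Review bot: `konnect/identifier-registration.yaml` is added with mode `100755`, making a YAML configuration file executable; it should be `100644`. Every client entry is commented out, leaving `clients:` empty, which is fine for the demo, but the commented samples carry literal secrets (`secret: super`, `lala`, `lulu`) and a sample EC key copied from upstream examples; a header comment such as `# Examples only: never enable these entries as-is, register real clients with their own secrets and exact redirect_uris` stops them from being uncommented verbatim. The `playground-trusted.js` example appears twice with the same `id`, once with `insecure: yes`; if both are kept, label which variant is intended.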
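Review bot: `--iss=https://$FQDN` in `konnect/wrapper.sh` is built from an environment variable that nothing in the script validates; with `FQDN` unset konnectd starts with the issuer `https://` (empty host), which relying parties will reject, and `set -e` does not catch that. Add `: "${FQDN:?FQDN must be set}"` before the `dockerize` call so the container fails with a clear message instead, and quote the expansion, `--iss="https://$FQDN"`. The script waits for the two key files but not for the Kopano server socket the `kc` backend uses; whether konnectd retries that connection itself cannot be told from here, so a comment stating the assumption would help.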
@@ -3,22 +3,119 @@ } *, :8443 { + log stdout + errors stdout + gzip + header / Server kweb tls {%EMAIL%} + limits { + header 1MB + body 50MB + } + redir 302 { if {path} is / / /webapp/ } - proxy /webapp/ kopano_webapp:80 { + # Config + configjson /api/config/v1/kopano/ config/kopano + + # Konnect + proxy /upstreams/konnect/ { + without /upstreams/konnect/ + upstream kopano_konnect:8777 + policy least_conn + health_check /health-check + fail_timeout 10s + try_duration 30s + keepalive 100 transparent + header_downstream Feature-Policy "midi 'none'" + header_downstream X-Frame-Options "sameorigin" } - redir /webapp /webapp/ + ratelimit * 100 200 minute { + /upstreams/konnect/v1/ + /signin/v1/identifier/_/ + whitelist 127.0.0.1/8 + } + rewrite /.well-known/openid-configuration { + to /upstreams/konnect/{path} + } + rewrite /konnect/v1/ { + to /upstreams/konnect/{path} + } + rewrite /signin/v1/ { + to /upstreams/konnect/{path} + } + redir /signin /signin/v1/identifier + + # Kapi + proxy /upstreams/kapi/ { + without /upstreams/kapi/ + upstream kopano_kapi:8039 + policy least_conn + health_check /health-check + fail_timeout 10s + try_duration 30s + keepalive 100 + transparent + websocket + } + ratelimit * 100 200 minute { + /upstreams/kapi/api/ + whitelist 127.0.0.1/8 + } + rewrite /api/gc/v1/ { + to /upstreams/kapi/{path} + } + rewrite /api/pubs/v1/ { + to /upstreams/kapi/{path} + } + rewrite /api/kvs/v1/ { + to /upstreams/kapi/{path} + } + + # playground for oidc + proxy /oidc-playground/ http://kopano_playground:8888/ { + fail_timeout 10s + try_duration 30s + transparent + keepalive 100 + } + folderish /oidc-playground + + # playground for Kapi + proxy /kapi-playground/ http://kopano_playground:8888/ { + fail_timeout 10s + try_duration 30s + transparent + keepalive 100 + } + folderish /kapi-playground + + proxy /webapp/ kopano_webapp:80 { + fail_timeout 10s + try_duration 30s + transparent + keepalive 100 + } + folderish /webapp proxy /Microsoft-Server-ActiveSync 
kopano_zpush:80 { transparent + keepalive 0 + timeout 3540s + } + + proxy /AutoDiscover/AutoDiscover.xml kopano_zpush:80 { + transparent + keepalive 0 + fail_timeout 10s + try_duration 30s } proxy /ldap-admin/ ldap-admin:80 { diff --git a/playground/Dockerfile b/playground/Dockerfile new file mode 100644 index 0000000..b2f60ce --- /dev/null +++ b/playground/Dockerfile @@ -0,0 +1,14 @@ +from alpine:3.8 as builder +RUN apk add --update \ + git make \ + && rm -rf /var/cache/apk/* +RUN mkdir -p /web/oidc-playground /web/kapi-playground +RUN git clone https://stash.kopano.io/scm/~seisenmann/oidc-playground.git +RUN mv oidc-playground/www/* /web/oidc-playground +RUN git clone https://stash.kopano.io/scm/kc/kapi.git +RUN mv kapi/examples/* /web/kapi-playground +RUN cd /web/kapi-playground && rm Makefile && ln -s oidc-client-example.html index.html + +from halverneus/static-file-server:v1.5.2 +env PORT 8888 +COPY --from=builder /web /web diff --git a/setup.sh b/setup.sh index fa44f7c..c027a9b 100755 --- a/setup.sh +++ b/setup.sh @@ -50,6 +50,10 @@ if [ ! -e ./.env ]; then read -p "Which tag do you want to use for Z-Push? [$value_default]: " new_value ZPUSH_VERSION=${new_value:-$value_default} + value_default=latest + read -p "Which tag do you want to use for Kopano Konnect? [$value_default]: " new_value + KONNECT_VERSION=${new_value:-$value_default} + value_default="Kopano Demo" read -p "Name of the Organisation for LDAP [$value_default]: " new_value LDAP_ORGANISATION=${new_value:-$value_default} 
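Review bot: The new `limits { header 1MB body 50MB }` block sits at site level, so it also applies to the existing `/Microsoft-Server-ActiveSync` and the new `/AutoDiscover/AutoDiscover.xml` proxies; ActiveSync uploads above 50MB will now be rejected by kweb before reaching Z-Push, which may be intended but deserves a comment, `# site-wide request limits; also caps ActiveSync uploads`. The `/oidc-playground/` and `/kapi-playground/` proxy blocks are identical apart from the path; one comment explaining that both serve subdirectories of the same static-file container would make that clear. The `ratelimit` blocks whitelist `127.0.0.1/8` while `transparent` forwards client headers to Konnect and Kapi; if kweb is ever placed behind another proxy, the whitelist and the forwarded `X-Forwarded-For` would need revisiting, which is worth a note next to the first `ratelimit`.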
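Review bot: Both `git clone` lines in `playground/Dockerfile` fetch the default branch of `oidc-playground.git` and `kapi.git` at whatever commit exists at build time, so the playground image is not reproducible and silently picks up upstream changes; clone a tag or check out a fixed commit, e.g. `git clone --depth 1 --branch <tag> https://stash.kopano.io/scm/kc/kapi.git` (placeholder tag), and record the pinned version in a comment. `from`/`env` in lower case work but deviate from the `FROM`/`ENV` spelling used in the other Dockerfiles of this commit. A comment on the `rm Makefile && ln -s ...` line saying why the example's Makefile is dropped and which HTML file becomes the entry point would help future updates.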
@@ -62,6 +66,13 @@ if [ ! -e ./.env ]; then read -p "Email address to use for Lets Encrypt. Use 'self_signed' as your email to create self signed certificates [$value_default]: " new_value EMAIL=${new_value:-$value_default} + # Let Kapi accept self signed certs if required + if [ "$EMAIL" == "self_signed" ]; then + INSECURE="yes" + else + INSECURE="no" + fi + LDAP_BASE_DN=$(fqdn_to_dn $FQDN) value_default="$LDAP_BASE_DN" read -p "Name of the BASE DN for LDAP [$value_default]: " new_value @@ -191,6 +202,7 @@ if [ ! -e ./.env ]; then CORE_VERSION=$CORE_VERSION WEBAPP_VERSION=$WEBAPP_VERSION ZPUSH_VERSION=$ZPUSH_VERSION +KONNECT_VERSION=$KONNECT_VERSION LDAP_ORGANISATION="$LDAP_ORGANISATION" LDAP_DOMAIN=$FQDN @@ -230,8 +242,13 @@ EMAIL=$EMAIL HTTP=80 HTTPS=443 -# Docker Repository to push to +# Settings for test environments +EXTRAHOSTS=$FQDN:$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p') +INSECURE=$INSECURE + +# Docker Repository to push to/pull from docker_repo=zokradonh +COMPOSE_PROJECT_NAME=kopano # Modify below to build a different version, than the kopano nightly release #KOPANO_CORE_REPOSITORY_URL=https://serial:REPLACE-ME@download.kopano.io/supported/core:/final/Debian_9.0/ diff --git a/ssl/Dockerfile b/ssl/Dockerfile index 4d84f70..20942ae 100644 --- a/ssl/Dockerfile +++ b/ssl/Dockerfile @@ -16,8 +16,7 @@ RUN apk add --update \ && rm -rf /var/cache/apk/* COPY start.sh /start.sh -COPY gencerts.sh /gencerts.sh -RUN chmod a+x /start.sh /gencerts.sh +RUN chmod a+x /start.sh -CMD ["/start.sh"] \ No newline at end of file +CMD ["/start.sh"] diff --git a/ssl/gencerts.sh b/ssl/gencerts.sh deleted file mode 100755 index 513ebac..0000000 --- a/ssl/gencerts.sh +++ /dev/null 
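Review bot: `EXTRAHOSTS=$FQDN:$(ip route get 1 | sed ...)` bakes the host's current primary IP into `.env` at setup time; on a machine without `ip` or with a changing address the value becomes `fqdn:` or goes stale, and compose then rejects the `extra_hosts` entry. Capture the `ip route` output into a variable first and guard it, e.g. `[ -n "$host_ip" ] || echo "could not determine host IP, set EXTRAHOSTS manually" >&2`, and extend the comment to say the entry only exists so containers can resolve `$FQDN` to the Docker host. `[ "$EMAIL" == "self_signed" ]` uses the bash-only `==` inside `[`; `=` is the portable spelling (the shebang is outside the hunk). The `INSECURE=yes` branch also turns off certificate verification in the server's OIDC client, not just in Kapi, so the comment `# Let Kapi accept self signed certs if required` should mention that and that it must stay `no` outside self-signed test deployments.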
@@ -1,20 +0,0 @@ -#!/bin/sh -# https://github.com/google/easypki - -# TODO integrate this directly into start.sh? - -echo "Creating CA and Server certificates..." -easypki create --filename internalca --organizational-unit primary --expire 3650 --ca "Internal Kopano System" - -mkdir -p /kopano/ssl/clients/ -cp /kopano/easypki/internalca/certs/internalca.crt /kopano/ssl/ca.pem - -for s in kserver kdagent kmonitor ksearch kspooler kwebapp - do - easypki create --ca-name internalca --organizational-unit $s --expire 3650 $s - cp /kopano/easypki/internalca/keys/$s.key /kopano/ssl/$s.pem - cat /kopano/easypki/internalca/certs/$s.crt >> /kopano/ssl/$s.pem - openssl x509 -in /kopano/easypki/internalca/certs/$s.crt -pubkey -noout > /kopano/ssl/clients/$s-public.pem -done - -ls -l /kopano/ssl/*.pem diff --git a/ssl/start.sh b/ssl/start.sh index 087ce45..ad4c36a 100755 --- a/ssl/start.sh +++ b/ssl/start.sh 
@@ -1,7 +1,47 @@ #!/bin/sh -if [ -f /kopano/ssl/ca.pem ]; then - exit 0 +mkdir -p /kopano/ssl/clients/ + +if [ ! -f /kopano/ssl/ca.pem ]; then + # https://github.com/google/easypki + echo "Creating CA and server certificates..." + easypki create --filename internalca --organizational-unit primary --expire 3650 --ca "Internal Kopano System" + + for s in kserver kdagent kmonitor ksearch kspooler kwebapp; do + easypki create --ca-name internalca --organizational-unit $s --expire 3650 $s + cp /kopano/easypki/internalca/keys/$s.key /kopano/ssl/$s.pem.tmp + cat /kopano/easypki/internalca/certs/$s.crt >> /kopano/ssl/$s.pem.tmp + openssl x509 -in /kopano/easypki/internalca/certs/$s.crt -pubkey -noout > /kopano/ssl/clients/$s-public.pem.tmp + mv /kopano/ssl/$s.pem.tmp /kopano/ssl/$s.pem + mv /kopano/ssl/clients/$s-public.pem.tmp /kopano/ssl/clients/$s-public.pem + done + + cp /kopano/easypki/internalca/certs/internalca.crt /kopano/ssl/ca.pem.tmp + mv /kopano/ssl/ca.pem.tmp /kopano/ssl/ca.pem fi -/gencerts.sh +# Konnect - create encryption key if not already present +enckey="/kopano/ssl/konnectd-encryption.key" +if [ ! -f $enckey ]; then + echo "creating new encryption key" + openssl rand -out $enckey.tmp 32 + mv $enckey.tmp $enckey +fi + +# Konnect - create token signing key if not already present +signkey="/kopano/ssl/konnectd-tokens-signing-key.pem" +if [ ! -f $signkey ]; then + echo "creating new token signing key" + openssl genpkey -algorithm RSA -out $signkey.tmp -pkeyopt rsa_keygen_bits:4096 + mv $signkey.tmp $signkey +fi + +# Kapi +secretkey="/kopano/ssl/kapid-pubs-secret.key" +if [ ! -f $secretkey ]; then + openssl rand -out $secretkey.tmp -hex 64 + mv $secretkey.tmp $secretkey +fi + +ls -l /kopano/ssl/*.pem +ls -l /kopano/ssl/*.key
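Review bot: The Konnect signing key, the encryption secret and the kapid pubs secret are written by `openssl rand`/`openssl genpkey` under the shell's default umask, so they are readable by every uid, and `kopanossl/` is mounted into webapp, zpush, dagent, spooler and the other core containers that never use them; set `umask 077` before generating them (or `chmod 600` each `.tmp` before its `mv`) and consider a separate volume for the konnectd/kapid secrets. The `.tmp`-then-`mv` pattern is good; a comment like `# write to .tmp and rename so an interrupted run never leaves a half-written key` would explain it. On an interrupted first run the `easypki create` loop may find certs already present under `/kopano/easypki` while `ca.pem` is still missing; whether `easypki` then fails or overwrites is not visible here, so a comment or an explicit check is warranted.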