projekt kivitendo

<VirtualHost *:80>

	# The ServerName directive sets the request scheme, hostname and port that

	# the server uses to identify itself. This is used when creating

	# redirection URLs. In the context of virtual hosts, the ServerName

	# specifies what hostname must appear in the request's Host: header to

	# match this virtual host. For the default virtual host (this file) this

	# value is not decisive as it is used as a last resort host regardless.

	# However, you must set it for any further virtual host explicitly.

	#ServerName www.example.com

	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html

	#erp

	AddHandler fcgid-script .fpl

	AliasMatch ^/kivitendo-erp/[^/]+\.pl /var/www/kivitendo-erp/dispatcher.fpl

	Alias       /kivitendo-erp/          /var/www/kivitendo-erp/

	<Directory /var/www/kivitendo-erp>

				AllowOverride All

				Options ExecCGI Includes FollowSymlinks

				Require all granted

	</Directory>

	<DirectoryMatch /var/www/kivitendo-erp/users>

			Order Deny,Allow

			Deny from All

	</DirectoryMatch> 

	#erp end	

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

	# error, crit, alert, emerg.

	# It is also possible to configure the loglevel for particular

	# modules, e.g.

	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log

	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are

	# enabled or disabled at a global level, it is possible to

	# include a line for only one particular virtual host. For example the

	# following line enables the CGI configuration for this host only

	# after it has been globally disabled with "a2disconf".

	#Include conf-available/serve-cgi-bin.conf

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

[authentication]

# The cleartext password for access to the administrative part.  It

# can only be changed in this file, not via the administrative

# interface.

admin_password = admin123

# Which modules to use for authentication. Valid values are 'DB' and

# 'LDAP'. You can use multiple modules separated by spaces.

#

# Multiple LDAP modules with different configurations can be used by

# postfixing 'LDAP' with the name of the configuration section to use:

# 'LDAP:ldap_fallback' would use the data from

# '[authentication/ldap_fallback]'. The name defaults to 'ldap' if it

# isn't given.

#

# Note that the LDAP module doesn't support changing the password.

module = DB

# The cookie name can be changed if desired.

cookie_name = kivitendo_session_id

# The number of minutes a session is valid. The default value is eight

# hours.

session_timeout = 480

# The number of seconds to penalize failed login attempts. 0 disables

# it.

failed_login_penalty = 5

[authentication/database]

# Connection information for the database with the user and group

# inforamtion.  This information is always needed, even if LDAP is

# used for authentication, as the user information is stored in this

# database while LDAP is only used for password verification.

#

# If 'module' is set to 'DB' then this database also contains the

# users' passwords.

host     = 127.0.0.1

port     = 5432

db       = kivitendo_auth

user     = postgres

password =

[authentication/ldap]

# This section is only relevant if 'module' is set to 'LDAP'. It names

# the LDAP server the passwords are verified against by doing a LDAP

# bind operation.

#

# At least the parameters 'host', 'attribute' and 'base_dn' have to be

# specified.

#

# tls:       Activate encryption via TLS

# verify:    If 'tls' is used, how to verify the server's certificate.

#            Can be one of 'require' or 'none'.

# attribute: Name of the LDAP attribute containing the user's login name

# base_dn:   Base DN the LDAP searches start from

# filter:    An optional LDAP filter specification. The string '<%login%>'

#            is replaced by the user's login name before the search is started.

# bind_dn and bind_password:

#            If searching the LDAP tree requires user credentials

#            (e.g. ActiveDirectory) then these two parameters specify

#            the user name and password to use.

# timeout:   Timeout when connecting to the server in seconds.

#

# You can specify a fallback LDAP server to use in case the main one

# isn't reachable by duplicating this whole section as

# "[authentication/ldap_fallback]".

#

host          = localhost

port          = 389

tls           = 0

attribute     = uid

base_dn       =

filter        =

bind_dn       =

bind_password =

timeout       = 10

verify        = require

[system]

# Set language for login and admin forms. Currently "de" (German)

# and "en" (English, not perfect) are available.

language = de

# Set stylesheet for login and admin forms. Supported:

#  lx-office-erp

#  kivitendo - default

#  design40

stylesheet = kivitendo

# MassPrint Timeout

# must be less than cgi timeout

#

massprint_timeout = 30

# Set default_manager for admin forms. Currently "german"

# and "swiss" are available.

default_manager = german

# The memory limits given here determine the maximum process size

# (vsz, the total amount of memory this process uses including memory

# swapped out or shared with other processes) or resident set size

# (rss, the amount of memory not swapped out/shared with other

# processes). If either limit is reached at the end of the request

# then the kivitendo process will exit.

#

# This only applies for processes under FCGI and the task manager.

# For CGI configurations the process will be terminated after each request

# regardless of this setting.

#

# Note: this will only terminate processes with too high memory consumption. It

# is assumed that an external managing service will start new instances. For

# FCGI this will usually be apache or the wrapper scripts for nginx, for the

# task server this will have to be the system manager.

#

# Numbers can be postfixed with KB, MB, GB. If no number is given or

# the number is 0 then no checking will be performed.

memory_limit_rss =

memory_limit_vsz =

[paths]

# path to temporary files (must be writeable by the web server)

userspath = users

# spool directory for batch printing

spool = spool

# templates base directory

templates = templates

# Path to the old memberfile (ignored on new installations)

memberfile = users/members

# Path to ELSTER geierlein webserver path inside kivitendo

# (must be inside kivitendo but you can set an ALIAS for apache/oe

# if set the export to geierlein is enabled

# geierlein_path = geierlein

#

# document path for FileSystem FileManagement:

#  (must be reachable read/write but not executable from webserver)

# document_path = /var/local/kivi_documents

#

[mail_delivery]

# Delivery method can be 'sendmail' or 'smtp'. For 'method = sendmail' the

# parameter 'mail_delivery.sendmail' is used as the executable to call. If

# 'applications.sendmail' still exists (backwards compatibility) then

# 'applications.sendmail' will be used instead of 'mail_delivery.sendmail'.

# If method is empty, mail delivery is disabled.

method = smtp

# Location of sendmail for 'method = sendmail'

sendmail = /usr/sbin/sendmail -t<%if myconfig_email%> -f <%myconfig_email%><%end%>

# Settings for 'method = smtp'. Only set 'port' if your SMTP server

# runs on a non-standard port (25 for 'security=none' or

# 'security=tls', 465 for 'security=ssl').

host = localhost

#port = 25

# Security can be 'tls', 'ssl' or 'none'. Unset equals 'none'. This

# determines whether or not encryption is used and which kind. For

# 'tls' the module 'Net::SSLGlue' is required; for 'ssl'

# 'Net::SMTP::SSL' is required and 'none' only uses 'Net::SMTP'.

security = none

# Authentication is only used if 'login' is set. You should only use

# that with 'tls' or 'ssl' encryption.

login =

password =

[applications]

# Location of OpenOffice.org/LibreOffice writer

openofficeorg_writer = lowriter

# Location of the html2ps binary

html2ps = html2ps

# Location of the Ghostscript binary

ghostscript = gs

# Location of the program to create PDFs from TeX documents

latex = latexmk --pdflatex

# Location of the Python interpreter to use when converting from

# OpenDocument to PDF. Some distributions compile UNO support only

# into binaries located in different locations than the main Python

# binary.

python_uno = python3

[environment]

# Add the following paths to the PATH environment variable.

path = /usr/local/bin:/usr/X11R6/bin:/usr/X11/bin

# Add the following paths to the PERL5LIB environment variable.

# "/sw/lib/perl5" is for Mac OS X with Fink's Perl.

lib = /sw/lib/perl5

# Add the following paths to the PYTHONPATH environment variable for

# locating Python modules. Python is used when converting OpenDocument

# files into PDF files.

python_uno_path =

[print_templates]

# If you have LaTeX installed set to 1

latex = 1

# Minimal support for Excel print templates

excel = 0

# Enable or disable support for OpenDocument print templates

opendocument = 1

# Chose whether or not OpenOffice/LibreOffice should remain running after a

# conversion. If yes then the conversion of subsequent documents will

# be a bit faster. You need to have Python and the Python UNO bindings

# (part of OpenOffice/LibreOffice) installed.

openofficeorg_daemon = 0

openofficeorg_daemon_port = 2002

[task_server]

# Set to 1 for debug messages in /tmp/kivitendo-debug.log

debug = 0

# Chose a system user the daemon should run under when started as root.

run_as =

# Task servers can run on multiple machines. Each needs its own unique

# ID. If unset, it defaults to the host name. All but one task server

# must have 'only_run_tasks_for_this_node' set to 1.

node_id =

only_run_tasks_for_this_node = 0

[task_server/notify_on_failure]

# If you want email notifications for failed jobs then set this to a

# kivitendo user (login) name. The subject can be changed as well.

send_email_to  =

# The "From:" header for said email.

email_from     = kivitendo Daemon <root@localhost>

# The subject for said email.

email_subject  = kivitendo Task-Server: Hintergrundjob fehlgeschlagen

# The template file used for the email's body.

email_template = templates/webpages/task_server/failure_notification_email.txt

[periodic_invoices]

# The user name or email address a report about the posted and printed

# invoices is sent to.

send_email_to  =

# The "From:" header for said email.

email_from     = kivitendo Daemon <root@localhost>

# The subject for said email.

email_subject  = Benachrichtigung: automatisch erstellte Rechnungen

# The template file used for the email's body.

email_template = templates/webpages/oe/periodic_invoices_email.txt

# Whether to always send the mail (0), or only if there were errors

# (1).

send_for_errors_only = 0

[self_test]

# modules to be tested

# Add without SL::BackgroundJob::SelfTest:: prefix

# Separate with space.

modules = Transactions

# you probably don't want to be spammed with "everything ok" every day. enable

# this when you add new tests to make sure they run correctly for a few days

send_email_on_success = 0

# will log into the standard logfile

log_to_file = 0

# user login (!) to send the email to.

send_email_to  =

# will be used to send your report mail

email_from     =

# The subject line for your report mail

email_subject  = kivitendo self test report

# template. currently txt and html templates are recognized and correctly mime send.

email_template = templates/mail/self_test/status_mail.txt

[follow_up_reminder]

# Email notifications for due follow ups.

# The "From:" header for said email.

email_from     = kivitendo Daemon <root@localhost>

# The subject for said email.

email_subject  = kivitendo: fällige Wiedervorlagen

# The template file used for the email's body.

# If empty fu/follow_up_reminder_mail.html will be used.

email_template =

[console]

# Automatic login will only work if both "client" and "login" are

# given.  "client" can be a client's database ID or its name. "login"

# is simply a user's login name.

client =

login =

# autorun lines will be executed after autologin.

# be warned that loading huge libraries will noticably lengthen startup time.

#autorun = require "bin/mozilla/common.pl";

#        = use English qw(-no_match_vars);

#        = use List::Util qw(min max);

#        = sub take { my $max = shift; my $r = ref($_[0]) eq 'ARRAY' ? $_[0] : \@_; return @{$r}[0..List::Util::min($max, scalar(@{$r})) - 1]; }

# location of history file for permanent history

history_file = users/console_history

# location of a separate log file for the console. everything normally written

# to the kivitendo log will be put here if triggered from the console

log_file = /tmp/kivitendo_console_debug.log

[testing]

# Several tests need a database they can alter data in freely. This

# database will be dropped & created before any other test is run. The

# following parameters must be given:

[testing/database]

host               = 127.0.0.1

port               = 5432

db                 =

user               = postgres

password           =

template           = template1

superuser_user     = postgres

superuser_password =

[devel]

# Several settings related to the development of kivitendo.

# "client" is used by several scripts (e.g. rose_auto_create_model.pl)

# when they need access to the database. It can be either a client's

# database ID or its name.

client =

[debug]

# Use DBIx::Log4perl for logging DBI calls. The string LXDEBUGFILE

# will be replaced by the file name configured for $::lxdebug.

dbix_log4perl = 0

dbix_log4perl_config = log4perl.logger = FATAL, LOGFILE

                     = log4perl.appender.LOGFILE=Log::Log4perl::Appender::File

                     = log4perl.appender.LOGFILE.filename=LXDEBUGFILE

                     = log4perl.appender.LOGFILE.mode=append

                     = log4perl.appender.LOGFILE.Threshold = ERROR

                     = log4perl.appender.LOGFILE.layout=PatternLayout

                     = log4perl.appender.LOGFILE.layout.ConversionPattern=[%r] %F %L %c - %m%n

                     = log4perl.logger.DBIx.Log4perl=DEBUG, A1

                     = log4perl.appender.A1=Log::Log4perl::Appender::File

                     = log4perl.appender.A1.filename=LXDEBUGFILE

                     = log4perl.appender.A1.mode=append

                     = log4perl.appender.A1.layout=Log::Log4perl::Layout::PatternLayout

                     = log4perl.appender.A1.layout.ConversionPattern=%d %p> %F{1}:%L %M - %m%n

# Activate certain global debug messages. If you want to combine

# several options then list them separated by spaces.

#

# Possible values include:

#   NONE   - no debug output (default)

#   INFO

#   DEBUG1

#   DEBUG2

#   QUERY              - Dump SQL queries (only in legacy code; see also "dbix_log4perl" above)

#   TRACE              - Track function calls and returns

#   BACKTRACE_ON_ERROR - Print a function call backtrace when $form->error() is called

#   REQUEST_TIMER      - Log timing of HTTP requests

#   REQUEST            - Log each request. Careful! Passwords get filtered, but

#                        there may be confidential information being logged here

#   WARN               - warnings

#   SHOW_CALLER        - include the file name & line number from where a call

#                        to "message" or "dump" was called

#   ALL                - all possible debug messages

#

#   DEVEL              - sames as "INFO QUERY TRACE BACKTRACE_ON_ERROR REQUEST_TIMER"

#

# Example:

#   global_level = TRACE QUERY

global_level = NONE

# Activate monitoring of the content of $form. If it is active then

# monitoring can be turned on for certain variables with the

# following:

#   $form->{"Watchdog::<variable>"} = 1;

# Monitoring has a performance cost and is therefore deactivated by

# default.

watch_form = 0

# If you want to debug the creation of LaTeX files then set this to 1.

# That way the temporary LaTeX files created during PDF creation are

# not removed and remain in the "users" directory.

keep_temp_files = 0

# Restart the FastCGI process if changes to the program or template

# files have been detected. The restart will occur after the request

# in which the changes have been detected has completed.

restart_fcgi_process_on_changes = 0

# The file name where the debug messages are written to.

file_name = /tmp/kivitendo-debug.log

# If set to 1 then the installation will be kept unlocked even if a

# database upgrade fails.

keep_installation_unlocked = 0

# If set to 1 then all resource links (JavaScript, CSS files) output

# via $::request->{layout}->use_stylesheet() / use_javascript() will

# be made unique by appending a random GET parameter. This will cause

# the web browser to always reload the resources.

auto_reload_resources = 0

# If set to 1 each exception will include a full stack backtrace.

backtrace_on_die = 0

[cti]

# If you want phone numbers to be clickable then this must be set to a

# command that does the actually dialing. Within this command three

# variables are replaced before it is executed:

#

# 1. <%phone_extension%> and <%phone_password%> are taken from the user

#    configuration (changeable in the admin interface).

# 2. <%number%> is the number to dial. It has already been sanitized

#    and formatted correctly regarding e.g. the international dialing

#    prefix.

#

# The following is an example that works with the OpenUC telephony

# server:

# dial_command = curl --insecure -X PUT https://<%phone_extension%>:<%phone_password%>@IP.AD.DR.ESS:8443/sipxconfig/rest/my/call/<%number%>

dial_command =

# If you need to dial something before the actual number then set

# external_prefix to it.

external_prefix = 0

# The prefix for international calls (numbers starting with +).

international_dialing_prefix = 00

# Our own country code

our_country_code = 49

# PostgreSQL Client Authentication Configuration File

# ===================================================

#

# Refer to the "Client Authentication" section in the PostgreSQL

# documentation for a complete description of this file.  A short

# synopsis follows.

#

# This file controls: which hosts are allowed to connect, how clients

# are authenticated, which PostgreSQL user names they can use, which

# databases they can access.  Records take one of these forms:

#

# local         DATABASE  USER  METHOD  [OPTIONS]

# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

#

# (The uppercase items must be replaced by actual values.)

#

# The first field is the connection type:

# - "local" is a Unix-domain socket

# - "host" is a TCP/IP socket (encrypted or not)

# - "hostssl" is a TCP/IP socket that is SSL-encrypted

# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted

# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted

# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted

#

# DATABASE can be "all", "sameuser", "samerole", "replication", a

# database name, or a comma-separated list thereof. The "all"

# keyword does not match "replication". Access to replication

# must be enabled in a separate record (see example below).

#

# USER can be "all", a user name, a group name prefixed with "+", or a

# comma-separated list thereof.  In both the DATABASE and USER fields

# you can also write a file name prefixed with "@" to include names

# from a separate file.

#

# ADDRESS specifies the set of hosts the record matches.  It can be a

# host name, or it is made up of an IP address and a CIDR mask that is

# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that

# specifies the number of significant bits in the mask.  A host name

# that starts with a dot (.) matches a suffix of the actual host name.

# Alternatively, you can write an IP address and netmask in separate

# columns to specify the set of hosts.  Instead of a CIDR-address, you

# can write "samehost" to match any of the server's own IP addresses,

# or "samenet" to match any address in any subnet that the server is

# directly connected to.

#

# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",

# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".

# Note that "password" sends passwords in clear text; "md5" or

# "scram-sha-256" are preferred since they send encrypted passwords.

#

# OPTIONS are a set of options for the authentication in the format

# NAME=VALUE.  The available options depend on the different

# authentication methods -- refer to the "Client Authentication"

# section in the documentation for a list of which options are

# available for which authentication methods.

#

# Database and user names containing spaces, commas, quotes and other

# special characters must be quoted.  Quoting one of the keywords

# "all", "sameuser", "samerole" or "replication" makes the name lose

# its special character, and just match a database or username with

# that name.

#

# This file is read on server startup and when the server receives a

# SIGHUP signal.  If you edit the file on a running system, you have to

# SIGHUP the server for the changes to take effect, run "pg_ctl reload",

# or execute "SELECT pg_reload_conf()".

#

# Put your actual configuration here

# ----------------------------------

#

# If you want to allow non-local connections, you need to add more

# "host" records.  In that case you will also need to make PostgreSQL

# listen on a non-local interface via the listen_addresses

# configuration parameter, or via the -i or -h command line switches.

# DO NOT DISABLE!

# If you change this first entry you will need to make sure that the

# database superuser can access the database using some other method.

# Noninteractive access to all databases is required during automatic

# maintenance (custom daily cronjobs, replication, and similar tasks).

#

# Database administrative login by Unix domain socket

local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only

local   all             all                                     peer

# IPv4 local connections:

host    all             all             127.0.0.1/32            trust

# IPv6 local connections:

host    all             all             ::1/128                 scram-sha-256

# Allow replication connections from localhost, by a user with the

# replication privilege.

local   replication     all                                     peer

host    replication     all             127.0.0.1/32            scram-sha-256

host    replication     all             ::1/128                 scram-sha-256

---

- name: install Kivi dependencies

  hosts: "{{ target }}"

  tasks:

  - name: update repos and install dependencies

    ansible.builtin.apt:

      name:

        - git

        - libalgorithm-checkdigits-perl

        - libapache2-mod-fcgid

        - libarchive-zip-perl

        - libcam-pdf-perl

        - libcgi-pm-perl

        - libclone-perl

        - libconfig-std-perl

        - libcrypt-pbkdf2-perl

        - libdaemon-generic-perl

        - libdatetime-event-cron-perl

        - libdatetime-perl

        - libdatetime-set-perl

        - libdbd-pg-perl

        - libdbi-perl

        - libemail-address-perl

        - libemail-mime-perl

        - libexception-class-perl

        - libfcgi-perl

        - libfile-copy-recursive-perl

        - libfile-flock-perl

        - libfile-mimeinfo-perl

        - libfile-slurp-perl

        - libgd-gd2-perl

        - libhtml-restrict-perl

        - libimage-info-perl

        - libimager-perl

        - libimager-qrcode-perl

        - libipc-run-perl

        - libjson-perl

        - liblist-moreutils-perl

        - liblist-utilsby-perl

        - libmath-round-perl

        - libnet-smtp-ssl-perl

        - libnet-sslglue-perl

        - libparams-validate-perl

        - libpbkdf2-tiny-perl

        - libpdf-api2-perl

        - libregexp-ipv6-perl

        - librest-client-perl

        - librose-db-object-perl

        - librose-db-perl

        - librose-object-perl

        - libset-infinite-perl

        - libsort-naturally-perl

        - libstring-shellquote-perl

        - libtemplate-perl

        - libtext-csv-xs-perl

        - libtext-iconv-perl

        - libtext-unidecode-perl

        - libtry-tiny-perl

        - liburi-perl

        - libwww-perl

        - libxml-libxml-perl

        - libxml-writer-perl

        - libyaml-perl

        - poppler-utils

      state: present

      update_cache: yes

    become: true

- name: postrgesql for kivi

  hosts: "{{ target }}"

  tasks:

  - name: install postgresql

    ansible.builtin.apt:

      name:

        - postgresql

        - postgresql-contrib

      state: present

    become: true

  - name: copy config files

    ansible.builtin.copy:

      src: config-files/postgresql/pg_hba.conf

      dest: /etc/postgresql/14/main/pg_hba.conf

      mode: '640'

    become: true

  - name: start postgresql

    ansible.builtin.service:

      name: postgresql

      state: restarted

    become: true

- name: apache server for kivi

  hosts: "{{ target }}"

  tasks:

  - name: install apache server

    ansible.builtin.apt:

      name: apache2

      state: present

    become: true

  - name: start apache if not running

    ansible.builtin.service:

      name: apache2

      state: started

  - name: copy config files

    ansible.builtin.copy:

      src: config-files/apache/000-default.conf

      dest: /etc/apache2/sites-available/000-default.conf

      mode: '640'

    become: true

  - name: activate fastcgi

    ansible.builtin.shell:

      cmd: a2enmod fcgid

    become: true

- name: install Kivi

  hosts: "{{ target }}"

  tasks:

  - name: ensure git is installed

    ansible.builtin.apt:

      name: git

      state: present

    become: true

  - name: clone repo

    ansible.builtin.git:

      repo: 'https://github.com/kivitendo/kivitendo-erp.git'

      dest: /var/www/kivitendo-erp

      version: release-3.8.0

    become: true

  - name: copy config files

    ansible.builtin.copy:

      src: config-files/kivitendo.conf

      dest: /var/www/kivitendo-erp/config/kivitendo.conf

    become: true

  - name: make webdav directory

    ansible.builtin.file:

      path: /var/www/kivitendo-erp/webdav

      state: directory

    become: true

  - name: change permissions

    ansible.builtin.shell:

      cmd: chown -R www-data users spool webdav

      chdir: /var/www/kivitendo-erp

    become: true

  - name: restart apache

    ansible.builtin.shell:

      cmd: systemctl restart apache2

    become: true