
Revision ec0cba6c

Von Enrique Morales vor fast 2 Jahren hinzugefügt

  • ID ec0cba6cadbaffb5c55fbaebc940b1e1223d338a
  • Vorgänger 414f1ecb

Ansible verzeichnis in scripts/ verschoben


ansible/config-files/apache/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
#erp
AddHandler fcgid-script .fpl
AliasMatch ^/kivitendo-erp/[^/]+\.pl /var/www/kivitendo-erp/dispatcher.fpl
Alias /kivitendo-erp/ /var/www/kivitendo-erp/
<Directory /var/www/kivitendo-erp>
AllowOverride All
Options ExecCGI Includes FollowSymlinks
Require all granted
</Directory>
<DirectoryMatch /var/www/kivitendo-erp/users>
Order Deny,Allow
Deny from All
</DirectoryMatch>
#erp end
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
ansible/config-files/kivitendo.conf
[authentication]
# The cleartext password for access to the administrative part. It
# can only be changed in this file, not via the administrative
# interface.
admin_password = admin123
# Which modules to use for authentication. Valid values are 'DB' and
# 'LDAP'. You can use multiple modules separated by spaces.
#
# Multiple LDAP modules with different configurations can be used by
# postfixing 'LDAP' with the name of the configuration section to use:
# 'LDAP:ldap_fallback' would use the data from
# '[authentication/ldap_fallback]'. The name defaults to 'ldap' if it
# isn't given.
#
# Note that the LDAP module doesn't support changing the password.
module = DB
# The cookie name can be changed if desired.
cookie_name = kivitendo_session_id
# The number of minutes a session is valid. The default value is eight
# hours.
session_timeout = 480
# The number of seconds to penalize failed login attempts. 0 disables
# it.
failed_login_penalty = 5
[authentication/database]
# Connection information for the database with the user and group
# inforamtion. This information is always needed, even if LDAP is
# used for authentication, as the user information is stored in this
# database while LDAP is only used for password verification.
#
# If 'module' is set to 'DB' then this database also contains the
# users' passwords.
host = 127.0.0.1
port = 5432
db = kivitendo_auth
user = postgres
password =
[authentication/ldap]
# This section is only relevant if 'module' is set to 'LDAP'. It names
# the LDAP server the passwords are verified against by doing a LDAP
# bind operation.
#
# At least the parameters 'host', 'attribute' and 'base_dn' have to be
# specified.
#
# tls: Activate encryption via TLS
# verify: If 'tls' is used, how to verify the server's certificate.
# Can be one of 'require' or 'none'.
# attribute: Name of the LDAP attribute containing the user's login name
# base_dn: Base DN the LDAP searches start from
# filter: An optional LDAP filter specification. The string '<%login%>'
# is replaced by the user's login name before the search is started.
# bind_dn and bind_password:
# If searching the LDAP tree requires user credentials
# (e.g. ActiveDirectory) then these two parameters specify
# the user name and password to use.
# timeout: Timeout when connecting to the server in seconds.
#
# You can specify a fallback LDAP server to use in case the main one
# isn't reachable by duplicating this whole section as
# "[authentication/ldap_fallback]".
#
host = localhost
port = 389
tls = 0
attribute = uid
base_dn =
filter =
bind_dn =
bind_password =
timeout = 10
verify = require
[system]
# Set language for login and admin forms. Currently "de" (German)
# and "en" (English, not perfect) are available.
language = de
# Set stylesheet for login and admin forms. Supported:
# lx-office-erp
# kivitendo - default
# design40
stylesheet = kivitendo
# MassPrint Timeout
# must be less than cgi timeout
#
massprint_timeout = 30
# Set default_manager for admin forms. Currently "german"
# and "swiss" are available.
default_manager = german
# The memory limits given here determine the maximum process size
# (vsz, the total amount of memory this process uses including memory
# swapped out or shared with other processes) or resident set size
# (rss, the amount of memory not swapped out/shared with other
# processes). If either limit is reached at the end of the request
# then the kivitendo process will exit.
#
# This only applies for processes under FCGI and the task manager.
# For CGI configurations the process will be terminated after each request
# regardless of this setting.
#
# Note: this will only terminate processes with too high memory consumption. It
# is assumed that an external managing service will start new instances. For
# FCGI this will usually be apache or the wrapper scripts for nginx, for the
# task server this will have to be the system manager.
#
# Numbers can be postfixed with KB, MB, GB. If no number is given or
# the number is 0 then no checking will be performed.
memory_limit_rss =
memory_limit_vsz =
[paths]
# path to temporary files (must be writeable by the web server)
userspath = users
# spool directory for batch printing
spool = spool
# templates base directory
templates = templates
# Path to the old memberfile (ignored on new installations)
memberfile = users/members
# Path to ELSTER geierlein webserver path inside kivitendo
# (must be inside kivitendo but you can set an ALIAS for apache/oe
# if set the export to geierlein is enabled
# geierlein_path = geierlein
#
# document path for FileSystem FileManagement:
# (must be reachable read/write but not executable from webserver)
# document_path = /var/local/kivi_documents
#
[mail_delivery]
# Delivery method can be 'sendmail' or 'smtp'. For 'method = sendmail' the
# parameter 'mail_delivery.sendmail' is used as the executable to call. If
# 'applications.sendmail' still exists (backwards compatibility) then
# 'applications.sendmail' will be used instead of 'mail_delivery.sendmail'.
# If method is empty, mail delivery is disabled.
method = smtp
# Location of sendmail for 'method = sendmail'
sendmail = /usr/sbin/sendmail -t<%if myconfig_email%> -f <%myconfig_email%><%end%>
# Settings for 'method = smtp'. Only set 'port' if your SMTP server
# runs on a non-standard port (25 for 'security=none' or
# 'security=tls', 465 for 'security=ssl').
host = localhost
#port = 25
# Security can be 'tls', 'ssl' or 'none'. Unset equals 'none'. This
# determines whether or not encryption is used and which kind. For
# 'tls' the module 'Net::SSLGlue' is required; for 'ssl'
# 'Net::SMTP::SSL' is required and 'none' only uses 'Net::SMTP'.
security = none
# Authentication is only used if 'login' is set. You should only use
# that with 'tls' or 'ssl' encryption.
login =
password =
[applications]
# Location of OpenOffice.org/LibreOffice writer
openofficeorg_writer = lowriter
# Location of the html2ps binary
html2ps = html2ps
# Location of the Ghostscript binary
ghostscript = gs
# Location of the program to create PDFs from TeX documents
latex = latexmk --pdflatex
# Location of the Python interpreter to use when converting from
# OpenDocument to PDF. Some distributions compile UNO support only
# into binaries located in different locations than the main Python
# binary.
python_uno = python3
[environment]
# Add the following paths to the PATH environment variable.
path = /usr/local/bin:/usr/X11R6/bin:/usr/X11/bin
# Add the following paths to the PERL5LIB environment variable.
# "/sw/lib/perl5" is for Mac OS X with Fink's Perl.
lib = /sw/lib/perl5
# Add the following paths to the PYTHONPATH environment variable for
# locating Python modules. Python is used when converting OpenDocument
# files into PDF files.
python_uno_path =
[print_templates]
# If you have LaTeX installed set to 1
latex = 1
# Minimal support for Excel print templates
excel = 0
# Enable or disable support for OpenDocument print templates
opendocument = 1
# Chose whether or not OpenOffice/LibreOffice should remain running after a
# conversion. If yes then the conversion of subsequent documents will
# be a bit faster. You need to have Python and the Python UNO bindings
# (part of OpenOffice/LibreOffice) installed.
openofficeorg_daemon = 0
openofficeorg_daemon_port = 2002
[task_server]
# Set to 1 for debug messages in /tmp/kivitendo-debug.log
debug = 0
# Chose a system user the daemon should run under when started as root.
run_as =
# Task servers can run on multiple machines. Each needs its own unique
# ID. If unset, it defaults to the host name. All but one task server
# must have 'only_run_tasks_for_this_node' set to 1.
node_id =
only_run_tasks_for_this_node = 0
[task_server/notify_on_failure]
# If you want email notifications for failed jobs then set this to a
# kivitendo user (login) name. The subject can be changed as well.
send_email_to =
# The "From:" header for said email.
email_from = kivitendo Daemon <root@localhost>
# The subject for said email.
email_subject = kivitendo Task-Server: Hintergrundjob fehlgeschlagen
# The template file used for the email's body.
email_template = templates/webpages/task_server/failure_notification_email.txt
[periodic_invoices]
# The user name or email address a report about the posted and printed
# invoices is sent to.
send_email_to =
# The "From:" header for said email.
email_from = kivitendo Daemon <root@localhost>
# The subject for said email.
email_subject = Benachrichtigung: automatisch erstellte Rechnungen
# The template file used for the email's body.
email_template = templates/webpages/oe/periodic_invoices_email.txt
# Whether to always send the mail (0), or only if there were errors
# (1).
send_for_errors_only = 0
[self_test]
# modules to be tested
# Add without SL::BackgroundJob::SelfTest:: prefix
# Separate with space.
modules = Transactions
# you probably don't want to be spammed with "everything ok" every day. enable
# this when you add new tests to make sure they run correctly for a few days
send_email_on_success = 0
# will log into the standard logfile
log_to_file = 0
# user login (!) to send the email to.
send_email_to =
# will be used to send your report mail
email_from =
# The subject line for your report mail
email_subject = kivitendo self test report
# template. currently txt and html templates are recognized and correctly mime send.
email_template = templates/mail/self_test/status_mail.txt
[follow_up_reminder]
# Email notifications for due follow ups.
# The "From:" header for said email.
email_from = kivitendo Daemon <root@localhost>
# The subject for said email.
email_subject = kivitendo: fällige Wiedervorlagen
# The template file used for the email's body.
# If empty fu/follow_up_reminder_mail.html will be used.
email_template =
[console]
# Automatic login will only work if both "client" and "login" are
# given. "client" can be a client's database ID or its name. "login"
# is simply a user's login name.
client =
login =
# autorun lines will be executed after autologin.
# be warned that loading huge libraries will noticably lengthen startup time.
#autorun = require "bin/mozilla/common.pl";
# = use English qw(-no_match_vars);
# = use List::Util qw(min max);
# = sub take { my $max = shift; my $r = ref($_[0]) eq 'ARRAY' ? $_[0] : \@_; return @{$r}[0..List::Util::min($max, scalar(@{$r})) - 1]; }
# location of history file for permanent history
history_file = users/console_history
# location of a separate log file for the console. everything normally written
# to the kivitendo log will be put here if triggered from the console
log_file = /tmp/kivitendo_console_debug.log
[testing]
# Several tests need a database they can alter data in freely. This
# database will be dropped & created before any other test is run. The
# following parameters must be given:
[testing/database]
host = 127.0.0.1
port = 5432
db =
user = postgres
password =
template = template1
superuser_user = postgres
superuser_password =
[devel]
# Several settings related to the development of kivitendo.
# "client" is used by several scripts (e.g. rose_auto_create_model.pl)
# when they need access to the database. It can be either a client's
# database ID or its name.
client =
[debug]
# Use DBIx::Log4perl for logging DBI calls. The string LXDEBUGFILE
# will be replaced by the file name configured for $::lxdebug.
dbix_log4perl = 0
dbix_log4perl_config = log4perl.logger = FATAL, LOGFILE
= log4perl.appender.LOGFILE=Log::Log4perl::Appender::File
= log4perl.appender.LOGFILE.filename=LXDEBUGFILE
= log4perl.appender.LOGFILE.mode=append
= log4perl.appender.LOGFILE.Threshold = ERROR
= log4perl.appender.LOGFILE.layout=PatternLayout
= log4perl.appender.LOGFILE.layout.ConversionPattern=[%r] %F %L %c - %m%n
= log4perl.logger.DBIx.Log4perl=DEBUG, A1
= log4perl.appender.A1=Log::Log4perl::Appender::File
= log4perl.appender.A1.filename=LXDEBUGFILE
= log4perl.appender.A1.mode=append
= log4perl.appender.A1.layout=Log::Log4perl::Layout::PatternLayout
= log4perl.appender.A1.layout.ConversionPattern=%d %p> %F{1}:%L %M - %m%n
# Activate certain global debug messages. If you want to combine
# several options then list them separated by spaces.
#
# Possible values include:
# NONE - no debug output (default)
# INFO
# DEBUG1
# DEBUG2
# QUERY - Dump SQL queries (only in legacy code; see also "dbix_log4perl" above)
# TRACE - Track function calls and returns
# BACKTRACE_ON_ERROR - Print a function call backtrace when $form->error() is called
# REQUEST_TIMER - Log timing of HTTP requests
# REQUEST - Log each request. Careful! Passwords get filtered, but
# there may be confidential information being logged here
# WARN - warnings
# SHOW_CALLER - include the file name & line number from where a call
# to "message" or "dump" was called
# ALL - all possible debug messages
#
# DEVEL - sames as "INFO QUERY TRACE BACKTRACE_ON_ERROR REQUEST_TIMER"
#
# Example:
# global_level = TRACE QUERY
global_level = NONE
# Activate monitoring of the content of $form. If it is active then
# monitoring can be turned on for certain variables with the
# following:
# $form->{"Watchdog::<variable>"} = 1;
# Monitoring has a performance cost and is therefore deactivated by
# default.
watch_form = 0
# If you want to debug the creation of LaTeX files then set this to 1.
# That way the temporary LaTeX files created during PDF creation are
# not removed and remain in the "users" directory.
keep_temp_files = 0
# Restart the FastCGI process if changes to the program or template
# files have been detected. The restart will occur after the request
# in which the changes have been detected has completed.
restart_fcgi_process_on_changes = 0
# The file name where the debug messages are written to.
file_name = /tmp/kivitendo-debug.log
# If set to 1 then the installation will be kept unlocked even if a
# database upgrade fails.
keep_installation_unlocked = 0
# If set to 1 then all resource links (JavaScript, CSS files) output
# via $::request->{layout}->use_stylesheet() / use_javascript() will
# be made unique by appending a random GET parameter. This will cause
# the web browser to always reload the resources.
auto_reload_resources = 0
# If set to 1 each exception will include a full stack backtrace.
backtrace_on_die = 0
[cti]
# If you want phone numbers to be clickable then this must be set to a
# command that does the actually dialing. Within this command three
# variables are replaced before it is executed:
#
# 1. <%phone_extension%> and <%phone_password%> are taken from the user
# configuration (changeable in the admin interface).
# 2. <%number%> is the number to dial. It has already been sanitized
# and formatted correctly regarding e.g. the international dialing
# prefix.
#
# The following is an example that works with the OpenUC telephony
# server:
# dial_command = curl --insecure -X PUT https://<%phone_extension%>:<%phone_password%>@IP.AD.DR.ESS:8443/sipxconfig/rest/my/call/<%number%>
dial_command =
# If you need to dial something before the actual number then set
# external_prefix to it.
external_prefix = 0
# The prefix for international calls (numbers starting with +).
international_dialing_prefix = 00
# Our own country code
our_country_code = 49
ansible/config-files/postgresql/pg_hba.conf
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
ansible/main.yml
---
- name: install Kivi dependencies
hosts: "{{ target }}"
tasks:
- name: update repos and install dependencies
ansible.builtin.apt:
name:
- git
- libalgorithm-checkdigits-perl
- libapache2-mod-fcgid
- libarchive-zip-perl
- libcam-pdf-perl
- libcgi-pm-perl
- libclone-perl
- libconfig-std-perl
- libcrypt-pbkdf2-perl
- libdaemon-generic-perl
- libdatetime-event-cron-perl
- libdatetime-perl
- libdatetime-set-perl
- libdbd-pg-perl
- libdbi-perl
- libemail-address-perl
- libemail-mime-perl
- libexception-class-perl
- libfcgi-perl
- libfile-copy-recursive-perl
- libfile-flock-perl
- libfile-mimeinfo-perl
- libfile-slurp-perl
- libgd-gd2-perl
- libhtml-restrict-perl
- libimage-info-perl
- libimager-perl
- libimager-qrcode-perl
- libipc-run-perl
- libjson-perl
- liblist-moreutils-perl
- liblist-utilsby-perl
- libmath-round-perl
- libnet-smtp-ssl-perl
- libnet-sslglue-perl
- libparams-validate-perl
- libpbkdf2-tiny-perl
- libpdf-api2-perl
- libregexp-ipv6-perl
- librest-client-perl
- librose-db-object-perl
- librose-db-perl
- librose-object-perl
- libset-infinite-perl
- libsort-naturally-perl
- libstring-shellquote-perl
- libtemplate-perl
- libtext-csv-xs-perl
- libtext-iconv-perl
- libtext-unidecode-perl
- libtry-tiny-perl
- liburi-perl
- libwww-perl
- libxml-libxml-perl
- libxml-writer-perl
- libyaml-perl
- poppler-utils
state: present
update_cache: yes
become: true
- name: postrgesql for kivi
hosts: "{{ target }}"
tasks:
- name: install postgresql
ansible.builtin.apt:
name:
- postgresql
- postgresql-contrib
state: present
become: true
- name: copy config files
ansible.builtin.copy:
src: config-files/postgresql/pg_hba.conf
dest: /etc/postgresql/14/main/pg_hba.conf
mode: '640'
become: true
- name: start postgresql
ansible.builtin.service:
name: postgresql
state: restarted
become: true
- name: apache server for kivi
hosts: "{{ target }}"
tasks:
- name: install apache server
ansible.builtin.apt:
name: apache2
state: present
become: true
- name: start apache if not running
ansible.builtin.service:
name: apache2
state: started
- name: copy config files
ansible.builtin.copy:
src: config-files/apache/000-default.conf
dest: /etc/apache2/sites-available/000-default.conf
mode: '640'
become: true
- name: activate fastcgi
ansible.builtin.shell:
cmd: a2enmod fcgid
become: true
- name: install Kivi
hosts: "{{ target }}"
tasks:
- name: ensure git is installed
ansible.builtin.apt:
name: git
state: present
become: true
- name: clone repo
ansible.builtin.git:
repo: 'https://github.com/kivitendo/kivitendo-erp.git'
dest: /var/www/kivitendo-erp
version: release-3.8.0
become: true
- name: copy config files
ansible.builtin.copy:
src: config-files/kivitendo.conf
dest: /var/www/kivitendo-erp/config/kivitendo.conf
become: true
- name: make webdav directory
ansible.builtin.file:
path: /var/www/kivitendo-erp/webdav
state: directory
become: true
- name: change permissions
ansible.builtin.shell:
cmd: chown -R www-data users spool webdav
chdir: /var/www/kivitendo-erp
become: true
- name: restart apache
ansible.builtin.shell:
cmd: systemctl restart apache2
become: true
scripts/ansible/config-files/apache/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
#erp
AddHandler fcgid-script .fpl
AliasMatch ^/kivitendo-erp/[^/]+\.pl /var/www/kivitendo-erp/dispatcher.fpl
Alias /kivitendo-erp/ /var/www/kivitendo-erp/
<Directory /var/www/kivitendo-erp>
AllowOverride All
Options ExecCGI Includes FollowSymlinks
Require all granted
</Directory>
<DirectoryMatch /var/www/kivitendo-erp/users>
Order Deny,Allow
Deny from All
</DirectoryMatch>
#erp end
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
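Review bot: The `<DirectoryMatch /var/www/kivitendo-erp/users>` block uses the 2.2-style `Order Deny,Allow` / `Deny from All`, while the `<Directory /var/www/kivitendo-erp>` block above it uses the 2.4-style `Require all granted`. Mixing the two relies on mod_access_compat and makes the effective access rule hard to reason about, so I would replace both lines with `Require all denied`. The deny covers only `users`, whereas `Options ExecCGI Includes FollowSymlinks` and `AllowOverride All` apply to the whole tree. If `spool` and `webdav` are also writable by the web server user (the playbook on this page appears to chown them to www-data), they should be denied as well, or at least lose ExecCGI and overrides. The vhost listens on plain `*:80` only, so unless TLS is terminated in front of it, admin and user logins and the session cookie travel unencrypted.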
scripts/ansible/config-files/kivitendo.conf
[authentication]
# The cleartext password for access to the administrative part. It
# can only be changed in this file, not via the administrative
# interface.
admin_password = admin123
# Which modules to use for authentication. Valid values are 'DB' and
# 'LDAP'. You can use multiple modules separated by spaces.
#
# Multiple LDAP modules with different configurations can be used by
# postfixing 'LDAP' with the name of the configuration section to use:
# 'LDAP:ldap_fallback' would use the data from
# '[authentication/ldap_fallback]'. The name defaults to 'ldap' if it
# isn't given.
#
# Note that the LDAP module doesn't support changing the password.
module = DB
# The cookie name can be changed if desired.
cookie_name = kivitendo_session_id
# The number of minutes a session is valid. The default value is eight
# hours.
session_timeout = 480
# The number of seconds to penalize failed login attempts. 0 disables
# it.
failed_login_penalty = 5
[authentication/database]
# Connection information for the database with the user and group
# inforamtion. This information is always needed, even if LDAP is
# used for authentication, as the user information is stored in this
# database while LDAP is only used for password verification.
#
# If 'module' is set to 'DB' then this database also contains the
# users' passwords.
host = 127.0.0.1
port = 5432
db = kivitendo_auth
user = postgres
password =
[authentication/ldap]
# This section is only relevant if 'module' is set to 'LDAP'. It names
# the LDAP server the passwords are verified against by doing a LDAP
# bind operation.
#
# At least the parameters 'host', 'attribute' and 'base_dn' have to be
# specified.
#
# tls: Activate encryption via TLS
# verify: If 'tls' is used, how to verify the server's certificate.
# Can be one of 'require' or 'none'.
# attribute: Name of the LDAP attribute containing the user's login name
# base_dn: Base DN the LDAP searches start from
# filter: An optional LDAP filter specification. The string '<%login%>'
# is replaced by the user's login name before the search is started.
# bind_dn and bind_password:
# If searching the LDAP tree requires user credentials
# (e.g. ActiveDirectory) then these two parameters specify
# the user name and password to use.
# timeout: Timeout when connecting to the server in seconds.
#
# You can specify a fallback LDAP server to use in case the main one
# isn't reachable by duplicating this whole section as
# "[authentication/ldap_fallback]".
#
host = localhost
port = 389
tls = 0
attribute = uid
base_dn =
filter =
bind_dn =
bind_password =
timeout = 10
verify = require
[system]
# Set language for login and admin forms. Currently "de" (German)
# and "en" (English, not perfect) are available.
language = de
# Set stylesheet for login and admin forms. Supported:
# lx-office-erp
# kivitendo - default
# design40
stylesheet = kivitendo
# MassPrint Timeout
# must be less than cgi timeout
#
massprint_timeout = 30
# Set default_manager for admin forms. Currently "german"
# and "swiss" are available.
default_manager = german
# The memory limits given here determine the maximum process size
# (vsz, the total amount of memory this process uses including memory
# swapped out or shared with other processes) or resident set size
# (rss, the amount of memory not swapped out/shared with other
# processes). If either limit is reached at the end of the request
# then the kivitendo process will exit.
#
# This only applies for processes under FCGI and the task manager.
# For CGI configurations the process will be terminated after each request
# regardless of this setting.
#
# Note: this will only terminate processes with too high memory consumption. It
# is assumed that an external managing service will start new instances. For
# FCGI this will usually be apache or the wrapper scripts for nginx, for the
# task server this will have to be the system manager.
#
# Numbers can be postfixed with KB, MB, GB. If no number is given or
# the number is 0 then no checking will be performed.
memory_limit_rss =
memory_limit_vsz =
[paths]
# path to temporary files (must be writeable by the web server)
userspath = users
# spool directory for batch printing
spool = spool
# templates base directory
templates = templates
# Path to the old memberfile (ignored on new installations)
memberfile = users/members
# Path to ELSTER geierlein webserver path inside kivitendo
# (must be inside kivitendo but you can set an ALIAS for apache/oe
# if set the export to geierlein is enabled
# geierlein_path = geierlein
#
# document path for FileSystem FileManagement:
# (must be reachable read/write but not executable from webserver)
# document_path = /var/local/kivi_documents
#
[mail_delivery]
# Delivery method can be 'sendmail' or 'smtp'. For 'method = sendmail' the
# parameter 'mail_delivery.sendmail' is used as the executable to call. If
# 'applications.sendmail' still exists (backwards compatibility) then
# 'applications.sendmail' will be used instead of 'mail_delivery.sendmail'.
# If method is empty, mail delivery is disabled.
method = smtp
# Location of sendmail for 'method = sendmail'
sendmail = /usr/sbin/sendmail -t<%if myconfig_email%> -f <%myconfig_email%><%end%>
# Settings for 'method = smtp'. Only set 'port' if your SMTP server
# runs on a non-standard port (25 for 'security=none' or
# 'security=tls', 465 for 'security=ssl').
host = localhost
#port = 25
# Security can be 'tls', 'ssl' or 'none'. Unset equals 'none'. This
# determines whether or not encryption is used and which kind. For
# 'tls' the module 'Net::SSLGlue' is required; for 'ssl'
# 'Net::SMTP::SSL' is required and 'none' only uses 'Net::SMTP'.
security = none
# Authentication is only used if 'login' is set. You should only use
# that with 'tls' or 'ssl' encryption.
login =
password =
[applications]
# Location of OpenOffice.org/LibreOffice writer
openofficeorg_writer = lowriter
# Location of the html2ps binary
html2ps = html2ps
# Location of the Ghostscript binary
ghostscript = gs
# Location of the program to create PDFs from TeX documents
latex = latexmk --pdflatex
# Location of the Python interpreter to use when converting from
# OpenDocument to PDF. Some distributions compile UNO support only
# into binaries located in different locations than the main Python
# binary.
python_uno = python3
[environment]
# Add the following paths to the PATH environment variable.
path = /usr/local/bin:/usr/X11R6/bin:/usr/X11/bin
# Add the following paths to the PERL5LIB environment variable.
# "/sw/lib/perl5" is for Mac OS X with Fink's Perl.
lib = /sw/lib/perl5
# Add the following paths to the PYTHONPATH environment variable for
# locating Python modules. Python is used when converting OpenDocument
# files into PDF files.
python_uno_path =
[print_templates]
# If you have LaTeX installed set to 1
latex = 1
# Minimal support for Excel print templates
excel = 0
# Enable or disable support for OpenDocument print templates
opendocument = 1
# Chose whether or not OpenOffice/LibreOffice should remain running after a
# conversion. If yes then the conversion of subsequent documents will
# be a bit faster. You need to have Python and the Python UNO bindings
# (part of OpenOffice/LibreOffice) installed.
openofficeorg_daemon = 0
openofficeorg_daemon_port = 2002
[task_server]
# Set to 1 for debug messages in /tmp/kivitendo-debug.log
debug = 0
# Chose a system user the daemon should run under when started as root.
run_as =
# Task servers can run on multiple machines. Each needs its own unique
# ID. If unset, it defaults to the host name. All but one task server
# must have 'only_run_tasks_for_this_node' set to 1.
node_id =
only_run_tasks_for_this_node = 0
[task_server/notify_on_failure]
# If you want email notifications for failed jobs then set this to a
# kivitendo user (login) name. The subject can be changed as well.
send_email_to =
# The "From:" header for said email.
email_from = kivitendo Daemon <root@localhost>
# The subject for said email.
email_subject = kivitendo Task-Server: Hintergrundjob fehlgeschlagen
# The template file used for the email's body.
email_template = templates/webpages/task_server/failure_notification_email.txt
[periodic_invoices]
# The user name or email address a report about the posted and printed
# invoices is sent to.
send_email_to =
# The "From:" header for said email.
email_from = kivitendo Daemon <root@localhost>
# The subject for said email.
email_subject = Benachrichtigung: automatisch erstellte Rechnungen
# The template file used for the email's body.
email_template = templates/webpages/oe/periodic_invoices_email.txt
# Whether to always send the mail (0), or only if there were errors
# (1).
send_for_errors_only = 0
[self_test]
# modules to be tested
# Add without SL::BackgroundJob::SelfTest:: prefix
# Separate with space.
modules = Transactions
# you probably don't want to be spammed with "everything ok" every day. enable
# this when you add new tests to make sure they run correctly for a few days
send_email_on_success = 0
# will log into the standard logfile
log_to_file = 0
# user login (!) to send the email to.
send_email_to =
# will be used to send your report mail
email_from =
# The subject line for your report mail
email_subject = kivitendo self test report
# template. currently txt and html templates are recognized and correctly mime send.
email_template = templates/mail/self_test/status_mail.txt
[follow_up_reminder]
# Email notifications for due follow ups.
# The "From:" header for said email.
email_from = kivitendo Daemon <root@localhost>
# The subject for said email.
email_subject = kivitendo: fällige Wiedervorlagen
# The template file used for the email's body.
# If empty fu/follow_up_reminder_mail.html will be used.
email_template =
[console]
# Automatic login will only work if both "client" and "login" are
# given. "client" can be a client's database ID or its name. "login"
# is simply a user's login name.
client =
login =
# autorun lines will be executed after autologin.
# be warned that loading huge libraries will noticably lengthen startup time.
#autorun = require "bin/mozilla/common.pl";
# = use English qw(-no_match_vars);
# = use List::Util qw(min max);
# = sub take { my $max = shift; my $r = ref($_[0]) eq 'ARRAY' ? $_[0] : \@_; return @{$r}[0..List::Util::min($max, scalar(@{$r})) - 1]; }
# location of history file for permanent history
history_file = users/console_history
# location of a separate log file for the console. everything normally written
# to the kivitendo log will be put here if triggered from the console
log_file = /tmp/kivitendo_console_debug.log
[testing]
# Several tests need a database they can alter data in freely. This
# database will be dropped & created before any other test is run. The
# following parameters must be given:
[testing/database]
host = 127.0.0.1
port = 5432
db =
user = postgres
password =
template = template1
superuser_user = postgres
superuser_password =
[devel]
# Several settings related to the development of kivitendo.
# "client" is used by several scripts (e.g. rose_auto_create_model.pl)
# when they need access to the database. It can be either a client's
# database ID or its name.
client =
[debug]
# Use DBIx::Log4perl for logging DBI calls. The string LXDEBUGFILE
# will be replaced by the file name configured for $::lxdebug.
dbix_log4perl = 0
dbix_log4perl_config = log4perl.logger = FATAL, LOGFILE
= log4perl.appender.LOGFILE=Log::Log4perl::Appender::File
= log4perl.appender.LOGFILE.filename=LXDEBUGFILE
= log4perl.appender.LOGFILE.mode=append
= log4perl.appender.LOGFILE.Threshold = ERROR
= log4perl.appender.LOGFILE.layout=PatternLayout
= log4perl.appender.LOGFILE.layout.ConversionPattern=[%r] %F %L %c - %m%n
= log4perl.logger.DBIx.Log4perl=DEBUG, A1
= log4perl.appender.A1=Log::Log4perl::Appender::File
= log4perl.appender.A1.filename=LXDEBUGFILE
= log4perl.appender.A1.mode=append
= log4perl.appender.A1.layout=Log::Log4perl::Layout::PatternLayout
= log4perl.appender.A1.layout.ConversionPattern=%d %p> %F{1}:%L %M - %m%n
# Activate certain global debug messages. If you want to combine
# several options then list them separated by spaces.
#
# Possible values include:
# NONE - no debug output (default)
# INFO
# DEBUG1
# DEBUG2
# QUERY - Dump SQL queries (only in legacy code; see also "dbix_log4perl" above)
# TRACE - Track function calls and returns
# BACKTRACE_ON_ERROR - Print a function call backtrace when $form->error() is called
# REQUEST_TIMER - Log timing of HTTP requests
# REQUEST - Log each request. Careful! Passwords get filtered, but
# there may be confidential information being logged here
# WARN - warnings
# SHOW_CALLER - include the file name & line number from where a call
# to "message" or "dump" was called
# ALL - all possible debug messages
#
# DEVEL - sames as "INFO QUERY TRACE BACKTRACE_ON_ERROR REQUEST_TIMER"
#
# Example:
# global_level = TRACE QUERY
global_level = NONE
# Activate monitoring of the content of $form. If it is active then
# monitoring can be turned on for certain variables with the
# following:
# $form->{"Watchdog::<variable>"} = 1;
# Monitoring has a performance cost and is therefore deactivated by
# default.
watch_form = 0
# If you want to debug the creation of LaTeX files then set this to 1.
# That way the temporary LaTeX files created during PDF creation are
# not removed and remain in the "users" directory.
keep_temp_files = 0
# Restart the FastCGI process if changes to the program or template
# files have been detected. The restart will occur after the request
# in which the changes have been detected has completed.
restart_fcgi_process_on_changes = 0
# The file name where the debug messages are written to.
file_name = /tmp/kivitendo-debug.log
# If set to 1 then the installation will be kept unlocked even if a
# database upgrade fails.
keep_installation_unlocked = 0
# If set to 1 then all resource links (JavaScript, CSS files) output
# via $::request->{layout}->use_stylesheet() / use_javascript() will
# be made unique by appending a random GET parameter. This will cause
# the web browser to always reload the resources.
auto_reload_resources = 0
# If set to 1 each exception will include a full stack backtrace.
backtrace_on_die = 0
[cti]
# If you want phone numbers to be clickable then this must be set to a
# command that does the actually dialing. Within this command three
# variables are replaced before it is executed:
#
# 1. <%phone_extension%> and <%phone_password%> are taken from the user
# configuration (changeable in the admin interface).
# 2. <%number%> is the number to dial. It has already been sanitized
# and formatted correctly regarding e.g. the international dialing
# prefix.
#
# The following is an example that works with the OpenUC telephony
# server:
# dial_command = curl --insecure -X PUT https://<%phone_extension%>:<%phone_password%>@IP.AD.DR.ESS:8443/sipxconfig/rest/my/call/<%number%>
dial_command =
# If you need to dial something before the actual number then set
# external_prefix to it.
external_prefix = 0
# The prefix for international calls (numbers starting with +).
international_dialing_prefix = 00
# Our own country code
our_country_code = 49
scripts/ansible/config-files/postgresql/pg_hba.conf
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
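Review bot: The IPv4 loopback record `host all all 127.0.0.1/32 trust` accepts any TCP connection from the local host as any database role, `postgres` included, with no password. This makes the `peer` checks on the Unix-socket records ineffective for anything that can open a local TCP socket, which on this host includes the web application. The IPv6 loopback and both replication records already use `scram-sha-256`, so the IPv4 line should match: `host all all 127.0.0.1/32 scram-sha-256`. The kivitendo database users would then need passwords set, and the `[testing/database]` defaults in kivitendo.conf (host `127.0.0.1`, empty password) would stop working until they are filled in.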
scripts/ansible/main.yml
---
- name: install Kivi dependencies
hosts: "{{ target }}"
tasks:
- name: update repos and install dependencies
ansible.builtin.apt:
name:
- git
- libalgorithm-checkdigits-perl
- libapache2-mod-fcgid
- libarchive-zip-perl
- libcam-pdf-perl
- libcgi-pm-perl
- libclone-perl
- libconfig-std-perl
- libcrypt-pbkdf2-perl
- libdaemon-generic-perl
- libdatetime-event-cron-perl
- libdatetime-perl
- libdatetime-set-perl
- libdbd-pg-perl
- libdbi-perl
- libemail-address-perl
- libemail-mime-perl
- libexception-class-perl
- libfcgi-perl
- libfile-copy-recursive-perl
- libfile-flock-perl
- libfile-mimeinfo-perl
- libfile-slurp-perl
- libgd-gd2-perl
- libhtml-restrict-perl
- libimage-info-perl
- libimager-perl
- libimager-qrcode-perl
- libipc-run-perl
- libjson-perl
- liblist-moreutils-perl
- liblist-utilsby-perl
- libmath-round-perl
- libnet-smtp-ssl-perl
- libnet-sslglue-perl
- libparams-validate-perl
- libpbkdf2-tiny-perl
- libpdf-api2-perl
- libregexp-ipv6-perl
- librest-client-perl
- librose-db-object-perl
- librose-db-perl
- librose-object-perl
- libset-infinite-perl
- libsort-naturally-perl
- libstring-shellquote-perl
- libtemplate-perl
- libtext-csv-xs-perl
- libtext-iconv-perl
- libtext-unidecode-perl
- libtry-tiny-perl
- liburi-perl
- libwww-perl
- libxml-libxml-perl
- libxml-writer-perl
- libyaml-perl
- poppler-utils
state: present
update_cache: yes
become: true
- name: postrgesql for kivi
hosts: "{{ target }}"
tasks:
- name: install postgresql
ansible.builtin.apt:
name:
- postgresql
- postgresql-contrib
state: present
become: true
- name: copy config files
ansible.builtin.copy:
src: config-files/postgresql/pg_hba.conf
dest: /etc/postgresql/14/main/pg_hba.conf
mode: '640'
become: true
- name: start postgresql
ansible.builtin.service:
name: postgresql
state: restarted
become: true
- name: apache server for kivi
hosts: "{{ target }}"
tasks:
- name: install apache server
ansible.builtin.apt:
name: apache2
state: present
become: true
- name: start apache if not running
ansible.builtin.service:
name: apache2
state: started
- name: copy config files
ansible.builtin.copy:
src: config-files/apache/000-default.conf
dest: /etc/apache2/sites-available/000-default.conf
mode: '640'
become: true
- name: activate fastcgi
ansible.builtin.shell:
cmd: a2enmod fcgid
become: true
- name: install Kivi
hosts: "{{ target }}"
tasks:
- name: ensure git is installed
ansible.builtin.apt:
name: git
state: present
become: true
- name: clone repo
ansible.builtin.git:
repo: 'https://github.com/kivitendo/kivitendo-erp.git'
dest: /var/www/kivitendo-erp
version: release-3.8.0
become: true
- name: copy config files
ansible.builtin.copy:
src: config-files/kivitendo.conf
dest: /var/www/kivitendo-erp/config/kivitendo.conf
become: true
- name: make webdav directory
ansible.builtin.file:
path: /var/www/kivitendo-erp/webdav
state: directory
become: true
- name: change permissions
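Review bot: The `copy config files` task for `config-files/kivitendo.conf` sets no `owner`, `group` or `mode`, unlike the other two copy tasks, so the file gets the default umask of the `become` user and is likely world-readable. That file has `password =` keys for SMTP and the database sections, so it should be restricted explicitly, e.g. `owner: www-data`, `group: www-data`, `mode: '0640'` (this assumes the Debian Apache user). A later `change permissions` task may already cover this, but the diff is truncated at that point. Separately, `start apache if not running` runs before the vhost copy and `a2enmod fcgid`, and no reload is visible afterwards, so the new site and module would only take effect with a handler using `state: reloaded` or `restarted`.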
... Dieser Diff wurde abgeschnitten, weil er die maximale Anzahl anzuzeigender Zeilen überschreitet.
