From: Ullli Date: Sat, 6 Jun 2026 07:13:36 +0000 (+0200) Subject: kivitendo mit ssl X-Git-Url: https://freie-schul-it.de/gitweb/fsit_smgt.git/commitdiff_plain/e90bfd594054020d79964adf4995614bf8579711 kivitendo mit ssl --- diff --git a/files/kivitendo.conf b/files/kivitendo.conf deleted file mode 100644 index 0e546b1..0000000 --- a/files/kivitendo.conf +++ /dev/null @@ -1,477 +0,0 @@ -[authentication] -# The cleartext password for access to the administrative part. It -# can only be changed in this file, not via the administrative -# interface. -admin_password = admin123 - -# Which modules to use for authentication. Valid values are 'DB', -# 'LDAP', 'HTTPHeaders'. You can use multiple modules separated by spaces. -# -# Multiple LDAP modules with different configurations can be used by -# postfixing 'LDAP' with the name of the configuration section to use: -# 'LDAP:ldap_fallback' would use the data from -# '[authentication/ldap_fallback]'. The name defaults to 'ldap' if it -# isn't given. -# -# Note that the LDAP module doesn't support changing the password. -module = DB - -# The cookie name can be changed if desired. -cookie_name = kivitendo_session_id - -# The number of minutes a session is valid. The default value is eight -# hours. -session_timeout = 480 - -# The number of seconds to penalize failed login attempts. 0 disables -# it. -failed_login_penalty = 5 - -[authentication/database] -# Connection information for the database with the user and group -# inforamtion. This information is always needed, even if LDAP is -# used for authentication, as the user information is stored in this -# database while LDAP is only used for password verification. -# -# If 'module' is set to 'DB' then this database also contains the -# users' passwords. -host = 127.0.0.1 -port = 5432 -db = kivitendo_auth -user = postgres -password = - -[authentication/ldap] -# This section is only relevant if 'module' is set to 'LDAP'. It names -# the LDAP server the passwords are verified against by doing a LDAP -# bind operation. -# -# At least the parameters 'host', 'attribute' and 'base_dn' have to be -# specified. -# -# tls: Activate encryption via TLS -# verify: If 'tls' is used, how to verify the server's certificate. -# Can be one of 'require' or 'none'. -# attribute: Name of the LDAP attribute containing the user's login name -# base_dn: Base DN the LDAP searches start from -# filter: An optional LDAP filter specification. The string '<%login%>' -# is replaced by the user's login name before the search is started. -# bind_dn and bind_password: -# If searching the LDAP tree requires user credentials -# (e.g. ActiveDirectory) then these two parameters specify -# the user name and password to use. -# timeout: Timeout when connecting to the server in seconds. -# -# You can specify a fallback LDAP server to use in case the main one -# isn't reachable by duplicating this whole section as -# "[authentication/ldap_fallback]". -# -host = localhost -port = 389 -tls = 0 -attribute = uid -base_dn = -filter = -bind_dn = -bind_password = -timeout = 10 -verify = require - -# For use with module 'HTTPHeaders': -[authentication/http_basic] -enabled = 1 - -# For use with module 'HTTPHeaders': -[authentication/http_headers] -enabled = 0 -client_id_header = X-Kivitendo-Client-ID -user_header = Auth-User -secret_header = X-Kivitendo-App-Secret -secret = ... - -[system] -# Set language for login and admin forms. Currently "de" (German) -# and "en" (English, not perfect) are available. -language = de - -# Set stylesheet for login and admin forms. Supported: -# design40 - default -stylesheet = design40 - -# MassPrint Timeout -# must be less than cgi timeout -# -massprint_timeout = 30 - -# Set default_manager for admin forms. Currently "german" -# and "swiss" are available. -default_manager = german - -# The memory limits given here determine the maximum process size -# (vsz, the total amount of memory this process uses including memory -# swapped out or shared with other processes) or resident set size -# (rss, the amount of memory not swapped out/shared with other -# processes). If either limit is reached at the end of the request -# then the kivitendo process will exit. -# -# This only applies for processes under FCGI and the task manager. -# For CGI configurations the process will be terminated after each request -# regardless of this setting. -# -# Note: this will only terminate processes with too high memory consumption. It -# is assumed that an external managing service will start new instances. For -# FCGI this will usually be apache or the wrapper scripts for nginx, for the -# task server this will have to be the system manager. -# -# Numbers can be postfixed with KB, MB, GB. If no number is given or -# the number is 0 then no checking will be performed. -memory_limit_rss = -memory_limit_vsz = - -[paths] -# path to temporary files (must be writeable by the web server) -userspath = users -# spool directory for batch printing -spool = spool -# templates base directory -templates = templates -# Path to the old memberfile (ignored on new installations) -memberfile = users/members -# Path to ELSTER geierlein webserver path inside kivitendo -# (must be inside kivitendo but you can set an ALIAS for apache/oe -# if set the export to geierlein is enabled -# geierlein_path = geierlein - -# -# document path for FileSystem FileManagement: -# (must be reachable read/write but not executable from webserver) -document_path = /var/www/kivitendo-erp/kivi_documents -# - -[mail_delivery] -# Delivery method can be 'sendmail' or 'smtp'. For 'method = sendmail' the -# parameter 'mail_delivery.sendmail' is used as the executable to call. If -# 'applications.sendmail' still exists (backwards compatibility) then -# 'applications.sendmail' will be used instead of 'mail_delivery.sendmail'. -# If method is empty, mail delivery is disabled. -method = smtp -# Location of sendmail for 'method = sendmail' -sendmail = /usr/sbin/sendmail -t<%if myconfig_email%> -f <%myconfig_email%><%end%> -# Settings for 'method = smtp'. Only set 'port' if your SMTP server -# runs on a non-standard port (25 for 'security=none' or -# 'security=tls', 465 for 'security=ssl'). -host = localhost -#port = 25 -# Security can be 'tls', 'ssl' or 'none'. Unset equals 'none'. This -# determines whether or not encryption is used and which kind. For -# 'tls' the module 'Net::SSLGlue' is required; for 'ssl' -# 'Net::SMTP::SSL' is required and 'none' only uses 'Net::SMTP'. -security = none -# Authentication is only used if 'login' is set. You should only use -# that with 'tls' or 'ssl' encryption. -login = -password = - -[imap_client] -enabled = 0 -hostname = localhost -username = -password = -# This folder can be managed with kivitendo through the background jobs -# CleanUpEmailSubfolders and SyncEmailFolder. Create no subfolder in the -# base folder by hand. Use / for subfolders. -base_folder = INBOX -# Port only needs to be changed if it is not the default port. -# port = 993 -# If SSL is to be used, then set port to 993 or leave empty -ssl = 1 - -# Define a server for a specific email (e.g. info@test.de) with -# '[sent_emails_in_imap/email/info@test.de]' -[sent_emails_in_imap] -enabled = 0 -hostname = localhost -username = -password = -# This folder must exist. Use / for subfolders. -folder = Sent/Kivitendo -# Port only needs to be changed if it is not the default port. -# port = 143 -# If SSL is used, default port is 993 -ssl = 1 - -[applications] -# Location of OpenOffice.org/LibreOffice writer -openofficeorg_writer = lowriter -# Location of the html2ps binary -html2ps = html2ps -# Location of the Ghostscript binary -ghostscript = gs -# Location of the program to create PDFs from TeX documents -latex = latexmk --pdflatex -# Location of the Python interpreter to use when converting from -# OpenDocument to PDF. Some distributions compile UNO support only -# into binaries located in different locations than the main Python -# binary. -python_uno = python3 - -[environment] -# Add the following paths to the PATH environment variable. -path = /usr/local/bin:/usr/X11R6/bin:/usr/X11/bin -# Add the following paths to the PERL5LIB environment variable. -# "/sw/lib/perl5" is for Mac OS X with Fink's Perl. -lib = /sw/lib/perl5 -# Add the following paths to the PYTHONPATH environment variable for -# locating Python modules. Python is used when converting OpenDocument -# files into PDF files. -python_uno_path = - -[print_templates] -# If you have LaTeX installed set to 1 -latex = 1 -# Minimal support for Excel print templates -excel = 0 -# Enable or disable support for OpenDocument print templates -opendocument = 1 -# Chose whether or not OpenOffice/LibreOffice should remain running after a -# conversion. If yes then the conversion of subsequent documents will -# be a bit faster. You need to have Python and the Python UNO bindings -# (part of OpenOffice/LibreOffice) installed. -openofficeorg_daemon = 0 -openofficeorg_daemon_port = 2002 - -[task_server] -# Set to 1 for debug messages in users/kivitendo-debug.log -debug = 0 -# Chose a system user the daemon should run under when started as root. -run_as = -# Task servers can run on multiple machines. Each needs its own unique -# ID. If unset, it defaults to the host name. All but one task server -# must have 'only_run_tasks_for_this_node' set to 1. -node_id = -only_run_tasks_for_this_node = 0 - -[task_server/notify_on_failure] -# If you want email notifications for failed jobs then set this to a -# kivitendo user (login) name. The subject can be changed as well. -send_email_to = -# The "From:" header for said email. -email_from = kivitendo Daemon -# The subject for said email. -email_subject = kivitendo Task-Server: Hintergrundjob fehlgeschlagen -# The template file used for the email's body. -email_template = templates/design40_webpages/task_server/failure_notification_email.txt - -[periodic_invoices] -# The user name or email address a report about the posted and printed -# invoices is sent to. -send_email_to = -# The "From:" header for said email. -email_from = kivitendo Daemon -# The subject for said email. -email_subject = Benachrichtigung: automatisch erstellte Rechnungen -# The template file used for the email's body. -email_template = templates/design40_webpages/oe/periodic_invoices_email.txt -# Whether to always send the mail (0), or only if there were errors -# (1). -send_for_errors_only = 0 - -[self_test] - -# modules to be tested -# Add without SL::BackgroundJob::SelfTest:: prefix -# Separate with space. -modules = Transactions - -# you probably don't want to be spammed with "everything ok" every day. enable -# this when you add new tests to make sure they run correctly for a few days -send_email_on_success = 0 - -# will log into the standard logfile -log_to_file = 0 - -# user login (!) to send the email to. -send_email_to = -# will be used to send your report mail -email_from = -# The subject line for your report mail -email_subject = kivitendo self test report -# template. currently txt and html templates are recognized and correctly mime send. -email_template = templates/mail/self_test/status_mail.txt - -[check_below_minimum_stock] -# The user name or email address a report about the under stock parts is sent -# to. -send_email_to = -# The "From:" header for said email. -email_from = kivitendo Daemon -# The subject for said email. -email_subject = Benachrichtigung: Artikel unter Mindestbestand -# The template file used for the email's body. -email_template = templates/mail/below_minimum_stock/error_email.html - -[follow_up_reminder] -# Email notifications for due follow ups. -# The "From:" header for said email. -email_from = kivitendo Daemon -# The subject for said email. -email_subject = kivitendo: fällige Wiedervorlagen -# The template file used for the email's body. -# If empty fu/follow_up_reminder_mail.html will be used. -email_template = - -[follow_up_notify] -# Email notification for new follow ups. -email_from = kivitendo Daemon -email_subject = kivitendo: neue Wiedervorlagen für Sie von <%creator_name%> -email_template = templates/mail/follow_up_notify/email_body.txt - -[secrets] -# Passphase used to encrypt/decrypt secrets stored in the kivitendo client database. -# While any length is allowed, it will get stretched into a 256bit AES key - more is better. -#master_key = - -[console] -# Automatic login will only work if both "client" and "login" are -# given. "client" can be a client's database ID or its name. "login" -# is simply a user's login name. -client = -login = - -# autorun lines will be executed after autologin. -# be warned that loading huge libraries will noticably lengthen startup time. -#autorun = require "bin/mozilla/common.pl"; -# = use English qw(-no_match_vars); -# = use List::Util qw(min max); -# = sub take { my $max = shift; my $r = ref($_[0]) eq 'ARRAY' ? $_[0] : \@_; return @{$r}[0..List::Util::min($max, scalar(@{$r})) - 1]; } - -# location of history file for permanent history -history_file = users/console_history - -# Location of a separate log file for the console. Everything normally written -# to the kivitendo log will be put here if triggered from the console. -log_file = users/kivitendo_console_debug.log - -[testing] - -# Several tests need a database they can alter data in freely. This -# database will be dropped & created before any other test is run. The -# following parameters must be given: -[testing/database] -host = 127.0.0.1 -port = 5432 -db = -user = postgres -password = -template = template1 -superuser_user = postgres -superuser_password = - -[devel] -# Several settings related to the development of kivitendo. - -# "client" is used by several scripts (e.g. rose_auto_create_model.pl) -# when they need access to the database. It can be either a client's -# database ID or its name. -client = - -[debug] -# Use DBIx::Log4perl for logging DBI calls. The string LXDEBUGFILE -# will be replaced by the file name configured for $::lxdebug. -dbix_log4perl = 0 -dbix_log4perl_config = log4perl.logger = FATAL, LOGFILE - = log4perl.appender.LOGFILE=Log::Log4perl::Appender::File - = log4perl.appender.LOGFILE.filename=LXDEBUGFILE - = log4perl.appender.LOGFILE.mode=append - = log4perl.appender.LOGFILE.Threshold = ERROR - = log4perl.appender.LOGFILE.layout=PatternLayout - = log4perl.appender.LOGFILE.layout.ConversionPattern=[%r] %F %L %c - %m%n - = log4perl.logger.DBIx.Log4perl=DEBUG, A1 - = log4perl.appender.A1=Log::Log4perl::Appender::File - = log4perl.appender.A1.filename=LXDEBUGFILE - = log4perl.appender.A1.mode=append - = log4perl.appender.A1.layout=Log::Log4perl::Layout::PatternLayout - = log4perl.appender.A1.layout.ConversionPattern=%d %p> %F{1}:%L %M - %m%n - -# Activate certain global debug messages. If you want to combine -# several options then list them separated by spaces. -# -# Possible values include: -# NONE - no debug output (default) -# INFO -# DEBUG1 -# DEBUG2 -# QUERY - Dump SQL queries (only in legacy code; see also "dbix_log4perl" above) -# TRACE - Track function calls and returns -# BACKTRACE_ON_ERROR - Print a function call backtrace when $form->error() is called -# REQUEST_TIMER - Log timing of HTTP requests -# REQUEST - Log each request. Careful! Passwords get filtered, but -# there may be confidential information being logged here -# WARN - warnings -# SHOW_CALLER - include the file name & line number from where a call -# to "message" or "dump" was called -# ALL - all possible debug messages -# -# DEVEL - sames as "INFO QUERY TRACE BACKTRACE_ON_ERROR REQUEST_TIMER" -# -# Example: -# global_level = TRACE QUERY -global_level = NONE - -# Activate monitoring of the content of $form. If it is active then -# monitoring can be turned on for certain variables with the -# following: -# $form->{"Watchdog::"} = 1; -# Monitoring has a performance cost and is therefore deactivated by -# default. -watch_form = 0 - -# If you want to debug the creation of LaTeX files then set this to 1. -# That way the temporary LaTeX files created during PDF creation are -# not removed and remain in the "users" directory. -keep_temp_files = 0 - -# Restart the FastCGI process if changes to the program or template -# files have been detected. The restart will occur after the request -# in which the changes have been detected has completed. -restart_fcgi_process_on_changes = 0 - -# The file name where the debug messages are written to. -file_name = users/kivitendo-debug.log - -# If set to 1 then the installation will be kept unlocked even if a -# database upgrade fails. -keep_installation_unlocked = 0 - -# If set to 1 then all resource links (JavaScript, CSS files) output -# via $::request->{layout}->use_stylesheet() / use_javascript() will -# be made unique by appending a random GET parameter. This will cause -# the web browser to always reload the resources. -auto_reload_resources = 0 - -# If set to 1 each exception will include a full stack backtrace. -backtrace_on_die = 0 - -[cti] -# If you want phone numbers to be clickable then this must be set to a -# command that does the actually dialing. Within this command three -# variables are replaced before it is executed: -# -# 1. <%phone_extension%> and <%phone_password%> are taken from the user -# configuration (changeable in the admin interface). -# 2. <%number%> is the number to dial. It has already been sanitized -# and formatted correctly regarding e.g. the international dialing -# prefix. -# -# The following is an example that works with the OpenUC telephony -# server: -# dial_command = curl --insecure -X PUT https://<%phone_extension%>:<%phone_password%>@IP.AD.DR.ESS:8443/sipxconfig/rest/my/call/<%number%> -dial_command = -# If you need to dial something before the actual number then set -# external_prefix to it. -external_prefix = 0 -# The prefix for international calls (numbers starting with +). -international_dialing_prefix = 00 -# Our own country code -our_country_code = 49 - diff --git a/tasks/kivitendo.yml b/tasks/kivitendo.yml index aa3dd78..a9019ad 100644 --- a/tasks/kivitendo.yml +++ b/tasks/kivitendo.yml @@ -89,7 +89,7 @@ - name: Copy over Kivitendo.conf. ansible.builtin.copy: - src: files/kivitendo.conf + src: files/kivitendo/kivitendo.conf dest: /var/www/kivitendo-erp/config/kivitendo.conf owner: www-data mode: 'u=rw,g=rw,o=' @@ -153,6 +153,21 @@ - socache_shmcb notify: Restart apache +- name: Copy over apacha ssl-conf + ansible.builtin.copy: + src: files/kivitendo/default-ssl.conf + dest: /etc/apache2/sites-available/default-ssl.conf + mode: '640' + notify: Restart apache + +- name: Disable 000-default.conf + ansible.builtin.command: a2dissite 000-default.conf + notify: Restart apache + +- name: Enable SSL + ansible.builtin.command: a2ensite default-ssl + notify: Restart apache + # Anleitung adaptiert # https://github.com/kivitendo/kivitendo-ansible/blob/master/main.yml #