
D3123.id7996.diff

diff --git a/PORTS b/PORTS
--- a/PORTS
+++ b/PORTS
@@ -17,6 +17,7 @@
paas-docker
5000 Docker registry HTTP
9090 Openfire HTTP
+ 16080 Orbeon HTTP
17080 Penpot - back-end
17300 Penpot - exporter
19080 Nasqueron API - Datasources
diff --git a/_modules/tomcat.py b/_modules/tomcat.py
new file mode 100644
--- /dev/null
+++ b/_modules/tomcat.py
@@ -0,0 +1,16 @@
+# -------------------------------------------------------------
+# Salt — Tomcat execution module
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Tomcat users and roles
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def extract_roles_from_users(users):
+ return set(
+ role for _, args in users.items() if "roles" in args for role in args["roles"]
+ )
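Review bot: `extract_roles_from_users` has no docstring, and the input shape it expects is only visible from the template that calls it. A one-line docstring such as `"""Return the set of role names found in the "roles" list of each user entry."""` would cover it. It should also say that `roles` must be a list, because a plain string value would be iterated character by character and yield one role per letter.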
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -196,6 +196,10 @@
- ops/secrets/nasqueron/airflow/sentry
- ops/secrets/dbserver/cluster-A/users/airflow
+ - ops/secrets/nasqueron/orbeon/oxf.crypto.password
+ - ops/secrets/nasqueron/orbeon/users/dereckson
+ - ops/secrets/dbserver/cluster-A/users/orbeon
+
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
- ops/secrets/nasqueron/rabbitmq/orange-rabbit/root
diff --git a/pillar/paas/docker/dwellers/orbeon.sls b/pillar/paas/docker/dwellers/orbeon.sls
new file mode 100644
--- /dev/null
+++ b/pillar/paas/docker/dwellers/orbeon.sls
@@ -0,0 +1,41 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Service: Orbeon
+# -------------------------------------------------------------
+
+docker_networks:
+ orbeon:
+ subnet: 172.18.5.0/24
+
+docker_images:
+ - nasqueron/orbeon
+ - tianon/exim4
+
+docker_containers:
+ exim:
+ orbeon_smtp:
+ mailname: forms.nasqueron.org
+ network: orbeon
+
+ orbeon:
+ nasqueron_forms:
+ host: forms.nasqueron.org
+ app_port: 16080
+ network: orbeon
+ db:
+ service: db-A
+ database: forms
+ credential: dbserver/cluster-A/users/orbeon
+ secret_key: nasqueron/orbeon/oxf.crypto.password
+ tomcat:
+ users:
+ dereckson: nasqueron/orbeon/users/dereckson
+ smtp: orbeon_smtp
+
+ # Published forms are categorized by apps.
+ # List of forapps so nginx can proxy /<app>/
+ apps:
+ - nasqueron-join
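Review bot: `docker_images` lists `nasqueron/orbeon` and the third-party `tianon/exim4` without a tag or digest, so each pull takes whatever `latest` points to at that moment. If the pillar format accepts it, pin at least the third-party image, e.g. `tianon/exim4:<tag>` (placeholder, to be chosen by the maintainers). The comment above `apps:` has a typo: `# List of forapps so nginx can proxy /<app>/` should probably read `# List of apps, so nginx can proxy /<app>/`.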
diff --git a/roles/paas-docker/containers/files/_tomcat/tomcat-users.xml b/roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Tomcat :: Users configuration
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Project: Nasqueron
+ License: Trivial enough, not eligible to copyright
+ Source file: roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
+ _____________________________________________________________
+
+ <auto-generated>
+ This file is managed by our rOPS SaltStack repository.
+
+ Changes to this file may cause incorrect behavior
+ and will be lost if the state is redeployed.
+ </auto-generated>
+-->
+<tomcat-users xmlns="http://tomcat.apache.org/xml"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
+ version="1.0">
+
+ {% if roles is defined %}
+ {% for role, role_args in roles.items() %}
+ <role rolename="{{ role }}" description="{{ role_args.description }}" />
+ {% endfor %}
+ {% else %}
+ {% for role in salt["tomcat.extract_roles_from_users"](users) %}
+ <role rolename="{{ role }}" />
+ {% endfor %}
+ {% endif %}
+
+ {% for username, user_args in users.items() %}
+ <user
+ username="{{ username }}"
+ password="{{ user_args.password }}"
+ roles="{{ user_args.roles | join(' ') }}"
+ />
+ {% endfor %}
+</tomcat-users>
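Review bot: The `username`, `password` and `roles` attributes of the `<user>` element are rendered without XML escaping, so a password containing `"`, `&` or `<` yields a malformed file or alters the element's attributes; as far as I know Salt's Jinja renderer does not autoescape. Pipe the values through the escape filter, e.g. `password="{{ user_args.password | e }}"`, and do the same for `rolename` and `description` above. The same applies to `username="{{ db.user }}"` and `password="{{ db.pass }}"` in roles/paas-docker/containers/files/orbeon/server.xml. Separately, the passwords are written to this file in clear text; Tomcat can compare against digested values when the Realm is given a CredentialHandler, which may be worth considering if the image's Realm configuration can be adjusted.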
diff --git a/roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Orbeon :: Configuration
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Project: Nasqueron
+ License: Trivial work, not eligible to copyright
+ Source file: roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml
+ _____________________________________________________________
+
+ <auto-generated>
+ This file is managed by our rOPS SaltStack repository.
+
+ Changes to this file may cause incorrect behavior
+ and will be lost if the state is redeployed.
+ </auto-generated>
+-->
+
+<roles>
+ <role name="orbeon-admin" app="*" form="*"/>
+</roles>
diff --git a/roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Orbeon :: Configuration
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Project: Nasqueron
+ License: Trivial work, not eligible to copyright
+ Source file: roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
+ _____________________________________________________________
+
+ <auto-generated>
+ This file is managed by our rOPS SaltStack repository.
+
+ Changes to this file may cause incorrect behavior
+ and will be lost if the state is redeployed.
+ </auto-generated>
+-->
+
+<properties xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:oxf="http://www.orbeon.com/oxf/processors"
+ xmlns:fr="http://orbeon.org/oxf/xml/form-runner">
+
+ <!-- URL -->
+
+ <property as="xs:anyURI" name="oxf.url-rewriting.service.base-uri"
+ value="http://localhost:8080/orbeon"/>
+
+
+ <!-- Crypto -->
+
+ <property as="xs:string" name="oxf.crypto.password">
+ <![CDATA[{{ secret_key }}]]>
+ </property>
+
+ <property as="xs:integer" name="oxf.crypto.key-length"
+ value="256"/>
+
+ <property as="xs:string" name="oxf.crypto.hash-algorithm"
+ value="SHA-256"/>
+
+
+ <!-- Authentication -->
+
+ <property as="xs:string" name="oxf.fr.authentication.method"
+ value="container"/>
+
+ <property as="xs:string" name="oxf.fr.authentication.container.roles"
+ value="orbeon-admin"/>
+
+ <property as="xs:boolean" name="oxf.fr.authentication.user-menu.enable"
+ value="true"/>
+
+
+ <!-- Database configuration -->
+
+ <property as="xs:string" name="oxf.fr.persistence.provider.*.*.*"
+ value="postgresql"/>
+
+ <property as="xs:string" name="oxf.fr.persistence.postgresql.datasource"
+ value="postgresql" />
+
+ <property as="xs:boolean" name="oxf.fr.persistence.postgresql.create-flat-view"
+ value="true"/>
+
+ <property as="xs:boolean" name="oxf.fr.persistence.exist.active"
+ value="false"/>
+
+
+ <!-- SMTP -->
+
+ <property as="xs:string" name="oxf.fr.email.smtp.host.*.*"
+ value="{{ smtp }}" />
+
+ <property as="xs:string" name="oxf.fr.email.from.*.*"
+ value="no-reply@{{ host }}"/>
+
+
+ <!-- Static resources -->
+
+ <property as="xs:string" name="oxf.fr.css.custom.uri.*.*">
+ https://assets.nasqueron.org/css/forms/nasqueron-forms.css
+ </property>
+
+ <property as="xs:anyURI" name="oxf.fr.default-logo.uri.*.*">
+ https://assets.nasqueron.org/logos/logo-white-32px.png
+ </property>
+
+
+ <!-- Form properties :: nasqueron-join :: contact -->
+
+ <property as="xs:string" name="oxf.fr.detail.buttons.nasqueron-join.contact">
+ save-progress send
+ </property>
+
+ <property as="xs:string" name="oxf.fr.detail.process.send.nasqueron-join.contact"
+ value='require-valid
+ then email
+ then navigate("https://join.nasqueron.org/contact-success.html")
+ recover navigate("https://join.nasqueron.org/contact-failure.html")' />
+
+ <property as="xs:string" name="oxf.fr.email.to.nasqueron-join.*"
+ value="dereckson+nasqueron+join@espace-win.org" />
+
+
+</properties>
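Review bot: The `oxf.crypto.password` value is written as element text inside a CDATA section on its own line, so the rendered secret is surrounded by line breaks, and a secret containing `]]>` would close the CDATA section early. Whether Orbeon trims that text is not visible here; the attribute form avoids both questions: `<property as="xs:string" name="oxf.crypto.password" value="{{ secret_key | e }}"/>`. The `oxf.fr.email.to.nasqueron-join.*` recipient is a personal mailbox hard-coded in the template; passing it from pillar through the state's `context` would keep it out of the file.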
diff --git a/roles/paas-docker/containers/files/orbeon/nasqueron_forms/web.xml b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/web.xml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/web.xml
@@ -0,0 +1,409 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Orbeon :: Configuration
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Project: Nasqueron
+ License: Trivial work, not eligible to copyright
+ Source file: roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
+ _____________________________________________________________
+
+ <auto-generated>
+ This file is managed by our rOPS SaltStack repository.
+
+ Changes to this file may cause incorrect behavior
+ and will be lost if the state is redeployed.
+ </auto-generated>
+-->
+
+<web-app
+ xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+ version="3.1">
+
+ <display-name>Nasqueron Forms</display-name>
+ <description>
+ Nasqueron Forms is an Orbeon Forms, a XForms web forms solutions
+ to create and fill complex forms.
+ </description>
+ <distributable/>
+ <!--Initialize main resource manager-->
+ <context-param>
+ <param-name>oxf.resources.factory</param-name>
+ <param-value>org.orbeon.oxf.resources.PriorityResourceManagerFactory</param-value>
+ </context-param>
+ <!--Web application resource manager for resources-->
+ <context-param>
+ <param-name>oxf.resources.priority.2</param-name>
+ <param-value>org.orbeon.oxf.resources.WebAppResourceManagerFactory</param-value>
+ </context-param>
+ <context-param>
+ <param-name>oxf.resources.priority.2.oxf.resources.webapp.rootdir</param-name>
+ <param-value>/WEB-INF/resources</param-value>
+ </context-param>
+ <!--Classloader resource manager-->
+ <context-param>
+ <param-name>oxf.resources.priority.6</param-name>
+ <param-value>org.orbeon.oxf.resources.ClassLoaderResourceManagerFactory</param-value>
+ </context-param>
+ <!--Set run mode ("dev" or "prod")-->
+ <context-param>
+ <param-name>oxf.run-mode</param-name>
+ <param-value>prod</param-value>
+ </context-param>
+ <!--Set location of properties.xml-->
+ <context-param>
+ <param-name>oxf.properties</param-name>
+ <param-value>oxf:/config/properties-${oxf.run-mode}.xml</param-value>
+ </context-param>
+ <!--Determine whether logging initialization must take place-->
+ <context-param>
+ <param-name>oxf.initialize-logging</param-name>
+ <param-value>true</param-value>
+ </context-param>
+ <!--Set context listener processors-->
+ <!-- Uncomment this for the context listener processors -->
+ <!--
+ <context-param>
+ <param-name>oxf.context-initialized-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </context-param>
+ <context-param>
+ <param-name>oxf.context-initialized-processor.input.config</param-name>
+ <param-value>oxf:/apps/context/context-initialized.xpl</param-value>
+ </context-param>
+ <context-param>
+ <param-name>oxf.context-destroyed-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </context-param>
+ <context-param>
+ <param-name>oxf.context-destroyed-processor.input.config</param-name>
+ <param-value>oxf:/apps/context/context-destroyed.xpl</param-value>
+ </context-param>-->
+ <!-- End context listener processors -->
+ <!--Set session listener processors-->
+ <!-- Uncomment this for the session listener processors -->
+ <!--
+ <context-param>
+ <param-name>oxf.session-created-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </context-param>
+ <context-param>
+ <param-name>oxf.session-created-processor.input.config</param-name>
+ <param-value>oxf:/apps/context/session-created.xpl</param-value>
+ </context-param>
+ <context-param>
+ <param-name>oxf.session-destroyed-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </context-param>
+ <context-param>
+ <param-name>oxf.session-destroyed-processor.input.config</param-name>
+ <param-value>oxf:/apps/context/session-destroyed.xpl</param-value>
+ </context-param>-->
+ <!-- End session listener processors -->
+ <!--Security filter for eXist-->
+ <filter>
+ <filter-name>orbeon-exist-filter</filter-name>
+ <filter-class>org.orbeon.oxf.servlet.TokenSecurityFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>orbeon-exist-filter</filter-name>
+ <url-pattern>/exist/*</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+ <dispatcher>FORWARD</dispatcher>
+ </filter-mapping>
+ <!--Limit concurrent access to Form Runner-->
+ <filter>
+ <filter-name>orbeon-limiter-filter</filter-name>
+ <filter-class>org.orbeon.oxf.servlet.LimiterFilter</filter-class>
+ <!--Include Form Runner pages and XForms Ajax requests-->
+ <init-param>
+ <param-name>include</param-name>
+ <param-value>(/fr/.*)|(/xforms-server)</param-value>
+ </init-param>
+ <!--Exclude resources not produced by services-->
+ <init-param>
+ <param-name>exclude</param-name>
+ <param-value>(?!/([^/]+)/service/).+\.(gif|css|pdf|json|js|coffee|map|png|jpg|xsd|htc|ico|swf|html|htm|txt)</param-value>
+ </init-param>
+ <!--Minimum, requested, and maximum number of concurrent threads allowed-->
+ <!--The `x` prefix specifies a multiple of the number of CPU cores reported by the JVM-->
+ <init-param>
+ <param-name>min-threads</param-name>
+ <param-value>1</param-value>
+ </init-param>
+ <init-param>
+ <param-name>num-threads</param-name>
+ <param-value>x1</param-value>
+ </init-param>
+ <init-param>
+ <param-name>max-threads</param-name>
+ <param-value>x1</param-value>
+ </init-param>
+ </filter>
+ <filter-mapping>
+ <filter-name>orbeon-limiter-filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+ </filter-mapping>
+ <!--Add internal Orbeon-* headers for auth-->
+ <filter>
+ <filter-name>orbeon-form-runner-auth-servlet-filter</filter-name>
+ <filter-class>org.orbeon.oxf.servlet.FormRunnerAuthFilter</filter-class>
+ <!--
+ <init-param>
+ <param-name>content-security-policy</param-name>
+ <param-value>default-src 'self'; img-src 'self' data:</param-value>
+ </init-param>
+ -->
+ </filter>
+ <filter-mapping>
+ <filter-name>orbeon-form-runner-auth-servlet-filter</filter-name>
+ <url-pattern>/*</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+ <dispatcher>FORWARD</dispatcher>
+ </filter-mapping>
+ <!--All JSP files under /xforms-jsp go through the XForms filter-->
+ <filter>
+ <filter-name>orbeon-xforms-filter</filter-name>
+ <filter-class>org.orbeon.oxf.servlet.OrbeonXFormsFilter</filter-class>
+ <!-- Uncomment this for the separate WAR deployment -->
+ <!--
+ <init-param>
+ <param-name>oxf.xforms.renderer.context</param-name>
+ <param-value>/orbeon</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.xforms.renderer.default-encoding</param-name>
+ <param-value>UTF-8</param-value>
+ </init-param>-->
+ <!-- End separate WAR deployment -->
+ </filter>
+ <filter-mapping>
+ <filter-name>orbeon-xforms-filter</filter-name>
+ <url-pattern>/xforms-jsp/*</url-pattern>
+ <!--Servlet 2.4 configuration allowing the filter to run upon forward in addition to request-->
+ <dispatcher>REQUEST</dispatcher>
+ <dispatcher>FORWARD</dispatcher>
+ </filter-mapping>
+ <!--Orbeon context listener-->
+ <listener>
+ <listener-class>org.orbeon.oxf.webapp.OrbeonServletContextListener</listener-class>
+ </listener>
+ <!--Context listener for deployment with replication-->
+ <listener>
+ <listener-class>org.orbeon.oxf.xforms.ReplicationServletContextListener</listener-class>
+ </listener>
+ <!--XForms session listener-->
+ <listener>
+ <listener-class>org.orbeon.oxf.xforms.XFormsServletContextListener</listener-class>
+ </listener>
+ <!--General-purpose session listener-->
+ <listener>
+ <listener-class>org.orbeon.oxf.webapp.OrbeonSessionListener</listener-class>
+ </listener>
+ <!--Ehcache shutdown listener-->
+ <listener>
+ <listener-class>net.sf.ehcache.constructs.web.ShutdownListener</listener-class>
+ </listener>
+ <!--This is the main Orbeon Forms servlet-->
+ <servlet>
+ <servlet-name>orbeon-main-servlet</servlet-name>
+ <servlet-class>org.orbeon.oxf.servlet.OrbeonServlet</servlet-class>
+ <!--Set main processor-->
+ <init-param>
+ <param-name>oxf.main-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.main-processor.input.config</param-name>
+ <param-value>oxf:/config/prologue-servlet.xpl</param-value>
+ </init-param>
+ <!--Set error processor-->
+ <init-param>
+ <param-name>oxf.error-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}page-flow</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.error-processor.input.controller</param-name>
+ <param-value>oxf:/config/error-page-flow.xml</param-value>
+ </init-param>
+ <!--Set supported methods-->
+ <init-param>
+ <param-name>oxf.http.accept-methods</param-name>
+ <param-value>get,post,head,put,delete,lock,unlock</param-value>
+ </init-param>
+ <!--Set servlet initialization and destruction listeners-->
+ <!-- Uncomment this for the servlet listener processors -->
+ <!--
+ <init-param>
+ <param-name>oxf.servlet-initialized-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.servlet-initialized-processor.input.config</param-name>
+ <param-value>oxf:/apps/context/servlet-initialized.xpl</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.servlet-destroyed-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.servlet-destroyed-processor.input.config</param-name>
+ <param-value>oxf:/apps/context/servlet-destroyed.xpl</param-value>
+ </init-param>-->
+ <!-- End servlet listener processors -->
+ </servlet>
+ <!--This is the XForms Renderer servlet, used to deploy Orbeon Forms as a separate WAR-->
+ <servlet>
+ <servlet-name>orbeon-renderer-servlet</servlet-name>
+ <servlet-class>org.orbeon.oxf.servlet.OrbeonServlet</servlet-class>
+ <!--Set main processor-->
+ <init-param>
+ <param-name>oxf.main-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}page-flow</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.main-processor.input.controller</param-name>
+ <param-value>oxf:/ops/xforms/xforms-renderer-page-flow.xml</param-value>
+ </init-param>
+ <!--Set error processor-->
+ <init-param>
+ <param-name>oxf.error-processor.name</param-name>
+ <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+ </init-param>
+ <init-param>
+ <param-name>oxf.error-processor.input.config</param-name>
+ <param-value>oxf:/config/error.xpl</param-value>
+ </init-param>
+ </servlet>
+ <!-- Uncomment this for the eXist XMLRPC support -->
+ <!--
+ <servlet>
+ <servlet-name>exist-xmlrpc-servlet</servlet-name>
+ <servlet-class>org.exist.xmlrpc.RpcServlet</servlet-class>
+ </servlet>-->
+ <!-- End eXist XMLRPC support -->
+ <servlet>
+ <servlet-name>exist-rest-servlet</servlet-name>
+ <servlet-class>org.exist.http.servlets.EXistServlet</servlet-class>
+ <init-param>
+ <param-name>basedir</param-name>
+ <param-value>WEB-INF/</param-value>
+ </init-param>
+ <init-param>
+ <param-name>configuration</param-name>
+ <param-value>exist-conf.xml</param-value>
+ </init-param>
+ <init-param>
+ <param-name>start</param-name>
+ <param-value>true</param-value>
+ </init-param>
+ </servlet>
+ <servlet-mapping>
+ <servlet-name>orbeon-main-servlet</servlet-name>
+ <url-pattern>/</url-pattern>
+ </servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>orbeon-renderer-servlet</servlet-name>
+ <url-pattern>/xforms-renderer</url-pattern>
+ </servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>exist-rest-servlet</servlet-name>
+ <url-pattern>/exist/rest/*</url-pattern>
+ </servlet-mapping>
+ <!-- Uncomment this for the eXist XMLRPC support -->
+ <!--
+ <servlet-mapping>
+ <servlet-name>exist-xmlrpc-servlet</servlet-name>
+ <url-pattern>/exist/xmlrpc/*</url-pattern>
+ </servlet-mapping>-->
+ <!-- End eXist XMLRPC support -->
+ <!-- Uncomment this for the relational persistence, and change oracle if necessary -->
+ <!--
+ <resource-ref>
+ <description>DataSource</description>
+ <res-ref-name>jdbc/oracle</res-ref-name>
+ <res-type>javax.sql.DataSource</res-type>
+ <res-auth>Container</res-auth>
+ </resource-ref>-->
+ <!-- End relational persistence, and change oracle if necessary -->
+
+ <!-- Form Runner authentication -->
+ <!-- Require the security role on /fr/auth by default. To protect everything this must be changed. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Form Runner</web-resource-name>
+ <url-pattern>/fr/auth</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>orbeon-user</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <!-- The following pages and services are allowed without constraints by default -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Form Runner services and public pages and resources</web-resource-name>
+ <url-pattern>/fr/service/*</url-pattern>
+ <url-pattern>/fr/style/*</url-pattern>
+ <url-pattern>/fr/not-found</url-pattern>
+ <url-pattern>/fr/error</url-pattern>
+ <url-pattern>/fr/login</url-pattern>
+ <url-pattern>/fr/login-error</url-pattern>
+ </web-resource-collection>
+ </security-constraint>
+
+ <!-- Form builder requires authentication -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Form Builder</web-resource-name>
+ <url-pattern>/fr/orbeon/builder/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>orbeon-admin</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <!-- Form admin requires authentication -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Form Administration</web-resource-name>
+ <url-pattern>/fr/admin</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>orbeon-admin</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <!-- Landing pages requires authentication -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Form landing pages</web-resource-name>
+ <url-pattern>/fr/</url-pattern>
+ <url-pattern>/fr/forms</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>orbeon-admin</role-name>
+ </auth-constraint>
+ </security-constraint>
+
+ <!-- Default security role -->
+ <security-role>
+ <role-name>orbeon-user</role-name>
+ </security-role>
+
+ <!-- Use the form-based method by default -->
+ <login-config>
+ <auth-method>FORM</auth-method>
+ <form-login-config>
+ <form-login-page>/fr/login</form-login-page>
+ <form-error-page>/fr/login-error</form-error-page>
+ </form-login-config>
+ </login-config>
+
+ <session-config>
+ <session-timeout>60</session-timeout>
+ </session-config>
+</web-app>
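Review bot: The role names in this descriptor do not line up with the accounts the state provisions: `/fr/auth` requires `orbeon-user` and `<security-role>` declares only `orbeon-user`, while the builder, admin and landing-page constraints require `orbeon-admin`, which is the only role roles/paas-docker/containers/orbeon.sls assigns to Tomcat users. As written, a provisioned user would presumably be refused on `/fr/auth`. Declare the admin role with `<security-role><role-name>orbeon-admin</role-name></security-role>`, and either grant `orbeon-user` to the users or add `orbeon-admin` to the `/fr/auth` constraint. The `exist-rest-servlet` is still mapped and started although properties-local.xml sets `oxf.fr.persistence.exist.active` to false; removing the servlet and its mapping would reduce the exposed surface. The header's `Source file:` line names properties-local.xml instead of web.xml.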
diff --git a/roles/paas-docker/containers/files/orbeon/server.xml b/roles/paas-docker/containers/files/orbeon/server.xml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/server.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Tomcat :: Orbeon configuration
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Project: Nasqueron
+ License: Trivial enough, not eligible to copyright
+ Source file: roles/paas-docker/containers/files/orbeon/server.xml
+ _____________________________________________________________
+
+ <auto-generated>
+ This file is managed by our rOPS SaltStack repository.
+
+ Changes to this file may cause incorrect behavior
+ and will be lost if the state is redeployed.
+ </auto-generated>
+-->
+
+<Context path="/orbeon">
+ <Resource
+ name="jdbc/postgresql"
+ driverClassName="org.postgresql.Driver"
+
+ auth="Container"
+ type="javax.sql.DataSource"
+
+ initialSize="3"
+ maxActive="10"
+ maxIdle="10"
+ maxWait="30000"
+
+ poolPreparedStatements="true"
+
+ validationQuery="select 1"
+ testOnBorrow="true"
+
+ username="{{ db.user }}"
+ password="{{ db.pass }}"
+ url="jdbc:postgresql://{{ db.host }}:5432/{{ db.database }}?useUnicode=true&amp;characterEncoding=UTF8&amp;socketTimeout=30&amp;tcpKeepAlive=true"/>
+</Context>
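Review bot: The JDBC URL sets no `sslmode`, so whether the database credentials and form data travel encrypted to `{{ db.host }}` depends on the driver default and the server. If db-A is reached over a network, append `&amp;sslmode=verify-full` (or at least `require`) to the URL. `useUnicode` and `characterEncoding` look like MySQL Connector/J parameters and are probably not used by the PostgreSQL driver. `maxActive` and `maxWait` are the DBCP 1 attribute names; with Tomcat's default DBCP 2 pool the equivalents are `maxTotal` and `maxWaitMillis`, so check which pool the image uses.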
diff --git a/roles/paas-docker/containers/orbeon.sls b/roles/paas-docker/containers/orbeon.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/containers/orbeon.sls
@@ -0,0 +1,103 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+
+{% for instance, container in pillar['docker_containers']['orbeon'].items() %}
+
+# -------------------------------------------------------------
+# Storage directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/orbeon/{{ instance }}:
+ file.directory:
+ - makedirs: True
+
+{% if has_selinux %}
+selinux_context_{{ instance }}_data:
+ selinux.fcontext_policy_present:
+ - name: /srv/orbeon/{{ instance }}
+ - sel_type: container_file_t
+
+selinux_context_{{ instance }}_data_applied:
+ selinux.fcontext_policy_applied:
+ - name: /srv/orbeon/{{ instance }}
+{% endif %}
+
+# -------------------------------------------------------------
+# Configuration files
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/orbeon/{{ instance }}/conf/tomcat-users.xml:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
+ - mode: 400
+ - makedirs: True
+ - template: jinja
+ - show_changes: False
+ - context:
+ users:
+ {% for user, credential in container["tomcat"]["users"].items() %}
+ {{ user }}:
+ password: {{ salt["credentials.get_password"](credential) | yaml_dquote }}
+ roles:
+ - orbeon-admin
+ {% endfor %}
+
+/srv/orbeon/{{ instance }}/conf/properties-local.xml:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/orbeon/{{ instance }}/properties-local.xml
+ - mode: 400
+ - template: jinja
+ - show_changes: False
+ - context:
+ secret_key: {{ salt["credentials.get_password"](container["secret_key"]) | yaml_dquote }}
+ host: {{ container["host"] }}
+ smtp: {{ container["smtp"] }}
+
+/srv/orbeon/{{ instance }}/conf/orbeon.xml:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/orbeon/server.xml
+ - mode: 400
+ - template: jinja
+ - show_changes: False
+ - context:
+ db:
+ host: {{ pillar["nasqueron_services"][container["db"]["service"]] }}
+ database: {{ container["db"]["database"] }}
+ user: {{ salt["credentials.get_username"](container["db"]["credential"]) }}
+ pass: {{ salt["credentials.get_password"](container["db"]["credential"]) | yaml_dquote }}
+
+{% for config_file in ["web.xml", "form-builder-permissions.xml"] %}
+/srv/orbeon/{{ instance }}/conf/{{ config_file }}:
+ file.managed:
+ - source: salt://roles/paas-docker/containers/files/orbeon/{{ instance }}/{{ config_file }}
+{% endfor %}
+
+# -------------------------------------------------------------
+# Container
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+ docker_container.running:
+ - detach: True
+ - interactive: True
+ - image: nasqueron/orbeon
+ - binds:
+ - /srv/orbeon/{{ instance }}/conf/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml
+ - /srv/orbeon/{{ instance }}/conf/orbeon.xml:/usr/local/tomcat/conf/Catalina/localhost/orbeon.xml
+ - /srv/orbeon/{{ instance }}/conf/web.xml:/usr/local/tomcat/webapps/orbeon/WEB-INF/web.xml
+ - /srv/orbeon/{{ instance }}/conf/form-builder-permissions.xml:/usr/local/tomcat/webapps/orbeon/WEB-INF/resources/config/form-builder-permissions.xml
+ - /srv/orbeon/{{ instance }}/conf/properties-local.xml:/usr/local/tomcat/webapps/orbeon/WEB-INF/resources/config/properties-local.xml
+ - ports:
+ - 8080
+ - port_bindings:
+ - {{ container['app_port'] }}:8080
+ - networks:
+ - {{ container['network'] }}
+
+{% endfor %}
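Review bot: The `port_bindings` entry `{{ container['app_port'] }}:8080` publishes Tomcat on every host interface, so the plain-HTTP port can be reached directly, bypassing the TLS vhost, unless a firewall in front of Docker blocks it. nginx proxies to `localhost`, so binding to loopback is enough: `- 127.0.0.1:{{ container['app_port'] }}:8080`. The configuration binds could also be mounted read-only by appending `:ro`, since the container only needs to read them. No `watch` on the managed files is visible on the `docker_container.running` state, so a rotated credential or an edited web.xml would presumably not take effect until the container is restarted by hand.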
diff --git a/roles/paas-docker/nginx/files/vhosts/orbeon.conf b/roles/paas-docker/nginx/files/vhosts/orbeon.conf
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/orbeon.conf
@@ -0,0 +1,53 @@
+# -------------------------------------------------------------
+# Configuration for Docker PaaS front-end nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Source file: roles/paas-docker/nginx/files/vhosts/orbeon.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ fqdn }};
+
+ include includes/letsencrypt;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name {{ fqdn }};
+
+ include includes/tls;
+ ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+ ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+ include includes/letsencrypt;
+
+ {% for app in args["apps"] %}
+ location /{{ app }}/ {
+ proxy_pass http://localhost:16080/orbeon/fr/{{ app }}/;
+ proxy_redirect http://localhost:16080/orbeon/fr/{{ app }}/ /{{ app }}/;
+
+ include includes/proxy_params;
+ }
+ {% endfor %}
+
+ location /orbeon {
+ proxy_pass http://localhost:{{ app_port }};
+ proxy_redirect off;
+
+ include includes/proxy_params;
+ }
+
+ root /var/wwwroot-502/$server_name;
+
+ error_page 502 /502.html;
+ location /502.html {}
+}
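Review bot: The per-app `location /{{ app }}/` block hard-codes port 16080 in `proxy_pass` and `proxy_redirect`, while `location /orbeon` uses `{{ app_port }}`; a second instance or a changed `app_port` in pillar would silently send form traffic to the wrong backend. Use the variable in both lines, e.g. `proxy_pass http://localhost:{{ app_port }}/orbeon/fr/{{ app }}/;`. `location /orbeon` also forwards the whole application, including `/orbeon/fr/orbeon/builder/` and `/orbeon/fr/admin`, through the public vhost, so those pages rely only on the Tomcat form login; consider restricting them here if they need not be reachable from everywhere.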
