feat: first stacks

2026-04-03 17:37:48 +02:00 · 2026-04-03 17:37:48 +02:00 · c15ad05c01
commit c15ad05c01
6 changed files with 337 additions and 0 deletions
--- a/stacks/lail-apps/collabora/README.md
+++ b/stacks/lail-apps/collabora/README.md
@ -0,0 +1,22 @@
+# Déploiement de l'application Collabora CODE
+
+Pour le moment, l'application a été déployée via une image Docker, il faudra la migrer sur un docker-compose complet.
+
+## Configuration
+
+- Domaine : `https://collabora1.apps.lopin.lail.cloud`
+- Docker image: `collabora/code`
+- Ports exposes: `9980`
+- Custom Docker Options : `--cap-add SYS_ADMIN --device=/dev/fuse --security-opt apparmor:unconfined --ulimit nofile=1024:1024`
+- Variable d'environnements
+```
+aliasgroup1=z.lail.cloud|a.lail.cloud
+server_name=collabora1.apps.lopin.lail.cloud
+ssl.enable=false
+ssl.termination=true
+extra_params=--o:ssl.enable=false --o:ssl.termination=true
+```
+
+## Configuration de Nextcloud
+
+TODO
--- a/stacks/lail-apps/forgejo/docker-compose.yml
+++ b/stacks/lail-apps/forgejo/docker-compose.yml
@ -0,0 +1,52 @@
+services:
+  forgejo:
+    image: 'codeberg.org/forgejo/forgejo:8'
+    environment:
+      - SERVICE_URL_FORGEJO_3000
+      - 'FORGEJO__server__ROOT_URL=${SERVICE_URL_FORGEJO}'
+      - 'FORGEJO__migrations__ALLOWED_DOMAINS=${FORGEJO__migrations__ALLOWED_DOMAINS}'
+      - 'FORGEJO__migrations__ALLOW_LOCALNETWORKS=${FORGEJO__migrations__ALLOW_LOCALNETWORKS-false}'
+      - USER_UID=1000
+      - USER_GID=1000
+      - FORGEJO__database__DB_TYPE=postgres
+      - FORGEJO__database__HOST=postgresql
+      - 'FORGEJO__database__NAME=${POSTGRESQL_DATABASE-forgejo}'
+      - FORGEJO__database__USER=$SERVICE_USER_POSTGRESQL
+      - FORGEJO__database__PASSWD=$SERVICE_PASSWORD_POSTGRESQL
+      - FORGEJO__service__DISABLE_REGISTRATION=false
+      - FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
+      - FORGEJO__service__SHOW_REGISTRATION_BUTTON=false
+      - FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION=true
+    volumes:
+      - '/data/lail-apps/lail-forgejo:/data'
+      - 'forgejo-timezone:/etc/timezone:ro'
+      - 'forgejo-localtime:/etc/localtime:ro'
+    ports:
+      - '22222:22'
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    healthcheck:
+      test:
+        - CMD
+        - curl
+        - '-f'
+        - 'http://127.0.0.1:3000'
+      interval: 2s
+      timeout: 10s
+      retries: 15
+  postgresql:
+    image: 'postgres:16-alpine'
+    volumes:
+      - 'forgejo-postgresql-data:/var/lib/postgresql/data'
+    environment:
+      - 'POSTGRES_USER=${SERVICE_USER_POSTGRESQL}'
+      - 'POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRESQL}'
+      - 'POSTGRES_DB=${POSTGRESQL_DATABASE}'
+    healthcheck:
+      test:
+        - CMD-SHELL
+        - 'pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}'
+      interval: 5s
+      timeout: 20s
+      retries: 10
--- a/stacks/lail-apps/outline/README.md
+++ b/stacks/lail-apps/outline/README.md
@ -0,0 +1,25 @@
+# Application Outline
+
+## Configuration
+- URL du container outline : https://wiki.lail.cloud:3000
+- Variables d'environnement :
+```
+OIDC_USERINFO_URI=https://sso.lail.cloud/application/o/userinfo/
+OIDC_LOGOUT_URI=https://sso.lail.cloud/application/o/lail-outline/end-session/
+OIDC_USERNAME_CLAIM=preferred_username
+OIDC_DISPLAY_NAME=Authentik
+OIDC_SCOPES=openid profile email
+SMTP_HOST=
+SMTP_PORT=
+SMTP_USERNAME=
+SMTP_PASSWORD=
+SMTP_FROM_EMAIL=
+OIDC_CLIENT_ID=[protected]
+OIDC_CLIENT_SECRET=[protected]
+OIDC_AUTH_URI=https://sso.lail.cloud/application/o/authorize/
+OIDC_TOKEN_URI=https://sso.lail.cloud/application/o/token/
+SMTP_REPLY_EMAIL=
+SMTP_TLS_CIPHERS=
+SMTP_SECURE=
+SMTP_NAME=
+```
--- a/stacks/lail-apps/outline/docker-compose.yml
+++ b/stacks/lail-apps/outline/docker-compose.yml
@ -0,0 +1,108 @@
+services:
+  outline:
+    image: 'docker.getoutline.com/outlinewiki/outline:latest'
+    volumes:
+      - '/data/lail-apps/lail-outline:/var/lib/outline/data'
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    environment:
+      - SERVICE_URL_OUTLINE_3000
+      - NODE_ENV=production
+      - 'SECRET_KEY=${SERVICE_HEX_32_OUTLINE}'
+      - 'UTILS_SECRET=${SERVICE_PASSWORD_64_OUTLINE}'
+      - 'DATABASE_URL=postgres://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_64_POSTGRES}@postgres:5432/${POSTGRES_DATABASE:-outline}'
+      - 'REDIS_URL=redis://:${SERVICE_PASSWORD_64_REDIS}@redis:6379'
+      - 'URL=${SERVICE_URL_OUTLINE}'
+      - 'PORT=${OUTLINE_PORT:-3000}'
+      - 'FILE_STORAGE=${FILE_STORAGE:-local}'
+      - 'FILE_STORAGE_LOCAL_ROOT_DIR=${FILE_STORAGE_LOCAL_ROOT_DIR:-/var/lib/outline/data}'
+      - 'FILE_STORAGE_UPLOAD_MAX_SIZE=${FILE_STORAGE_UPLOAD_MAX_SIZE:-2000}'
+      - 'FILE_STORAGE_IMPORT_MAX_SIZE=${FILE_STORAGE_IMPORT_MAX_SIZE:-100}'
+      - 'FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=${FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE}'
+      - 'AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}'
+      - 'AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}'
+      - 'AWS_REGION=${AWS_REGION}'
+      - 'AWS_S3_ACCELERATE_URL=${AWS_S3_ACCELERATE_URL}'
+      - 'AWS_S3_UPLOAD_BUCKET_URL=${AWS_S3_UPLOAD_BUCKET_URL}'
+      - 'AWS_S3_UPLOAD_BUCKET_NAME=${AWS_S3_UPLOAD_BUCKET_NAME}'
+      - 'AWS_S3_FORCE_PATH_STYLE=${AWS_S3_FORCE_PATH_STYLE:-true}'
+      - 'AWS_S3_ACL=${AWS_S3_ACL:-private}'
+      - 'SLACK_CLIENT_ID=${SLACK_CLIENT_ID}'
+      - 'SLACK_CLIENT_SECRET=${SLACK_CLIENT_SECRET}'
+      - 'GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}'
+      - 'GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}'
+      - 'AZURE_CLIENT_ID=${AZURE_CLIENT_ID}'
+      - 'AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}'
+      - 'AZURE_RESOURCE_APP_ID=${AZURE_RESOURCE_APP_ID}'
+      - 'OIDC_CLIENT_ID=${OIDC_CLIENT_ID}'
+      - 'OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}'
+      - 'OIDC_AUTH_URI=${OIDC_AUTH_URI}'
+      - 'OIDC_TOKEN_URI=${OIDC_TOKEN_URI}'
+      - 'OIDC_USERINFO_URI=${OIDC_USERINFO_URI}'
+      - 'OIDC_LOGOUT_URI=${OIDC_LOGOUT_URI}'
+      - 'OIDC_USERNAME_CLAIM=${OIDC_USERNAME_CLAIM}'
+      - 'OIDC_DISPLAY_NAME=${OIDC_DISPLAY_NAME}'
+      - 'OIDC_SCOPES=${OIDC_SCOPES}'
+      - 'GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID}'
+      - 'GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}'
+      - 'GITHUB_APP_NAME=${GITHUB_APP_NAME}'
+      - 'GITHUB_APP_ID=${GITHUB_APP_ID}'
+      - 'GITHUB_APP_PRIVATE_KEY=${GITHUB_APP_PRIVATE_KEY}'
+      - 'DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID}'
+      - 'DISCORD_CLIENT_SECRET=${DISCORD_CLIENT_SECRET}'
+      - 'DISCORD_SERVER_ID=${DISCORD_SERVER_ID}'
+      - 'DISCORD_SERVER_ROLES=${DISCORD_SERVER_ROLES}'
+      - 'PGSSLMODE=${PGSSLMODE:-disable}'
+      - 'FORCE_HTTPS=${FORCE_HTTPS:-true}'
+      - 'SMTP_HOST=${SMTP_HOST}'
+      - 'SMTP_PORT=${SMTP_PORT}'
+      - 'SMTP_USERNAME=${SMTP_USERNAME}'
+      - 'SMTP_PASSWORD=${SMTP_PASSWORD}'
+      - 'SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL}'
+      - 'SMTP_REPLY_EMAIL=${SMTP_REPLY_EMAIL}'
+      - 'SMTP_TLS_CIPHERS=${SMTP_TLS_CIPHERS}'
+      - 'SMTP_SECURE=${SMTP_SECURE}'
+      - 'SMTP_NAME=${SMTP_NAME}'
+    healthcheck:
+      disable: true
+  redis:
+    image: 'redis:alpine'
+    environment:
+      - 'REDIS_PASSWORD=${SERVICE_PASSWORD_64_REDIS}'
+    command:
+      - redis-server
+      - '--requirepass'
+      - '${SERVICE_PASSWORD_64_REDIS}'
+    healthcheck:
+      test:
+        - CMD
+        - redis-cli
+        - '-a'
+        - '${SERVICE_PASSWORD_64_REDIS}'
+        - PING
+      interval: 10s
+      timeout: 30s
+      retries: 3
+  postgres:
+    image: 'postgres:12-alpine'
+    volumes:
+      - 'database-data:/var/lib/postgresql/data'
+    environment:
+      - 'POSTGRES_USER=${SERVICE_USER_POSTGRES}'
+      - 'POSTGRES_PASSWORD=${SERVICE_PASSWORD_64_POSTGRES}'
+      - 'POSTGRES_DB=${POSTGRES_DATABASE:-outline}'
+    healthcheck:
+      test:
+        - CMD
+        - pg_isready
+        - '-U'
+        - '${SERVICE_USER_POSTGRES}'
+        - '-d'
+        - '${POSTGRES_DATABASE:-outline}'
+      interval: 30s
+      timeout: 20s
+      retries: 3
+
--- a/stacks/lail-apps/paheko/config.local.php
+++ b/stacks/lail-apps/paheko/config.local.php
@ -0,0 +1,119 @@
+<?php
+
+namespace Paheko;
+
+// -----------------------------------------------------------------------
+// SÉCURITÉ
+// -----------------------------------------------------------------------
+
+// Clé secrète anti-CSRF - générée automatiquement par Paheko si absente
+// const SECRET_KEY = '...';
+
+// Désactiver les détails d'erreur en production
+const SHOW_ERRORS = false;
+
+// Mode journal SQLite - WAL est plus rapide (ok si pas de NFS)
+const SQLITE_JOURNAL_MODE = 'WAL';
+
+// -----------------------------------------------------------------------
+// SSO / OIDC
+// -----------------------------------------------------------------------
+
+// Libellé du bouton de connexion SSO
+// Si null : redirection automatique vers le SSO (pas de bouton affiché)
+const OIDC_CLIENT_BUTTON = getenv('PAHEKO_OIDC_CLIENT_BUTTON') ?: 'Se connecter avec le SSO LAIL';
+
+// URL de découverte du fournisseur OIDC (Authentik)
+// Exemple : https://sso.lail.cloud/application/o/paheko/
+const OIDC_CLIENT_URL = getenv('PAHEKO_OIDC_CLIENT_URL') ?: null;
+
+// Client ID fourni par Authentik
+const OIDC_CLIENT_ID = getenv('PAHEKO_OIDC_CLIENT_ID') ?: null;
+
+// Secret client fourni par Authentik
+const OIDC_CLIENT_SECRET = getenv('PAHEKO_OIDC_CLIENT_SECRET') ?: null;
+
+// Faire correspondre l'email SSO avec un membre existant dans Paheko
+// true  = l'utilisateur SSO doit exister comme membre dans Paheko
+// false = tout utilisateur SSO est accepté (avec les droits de OIDC_CLIENT_DEFAULT_PERMISSIONS)
+const OIDC_CLIENT_MATCH_EMAIL = true;
+
+// Droits accordés si OIDC_CLIENT_MATCH_EMAIL = false (ignoré sinon)
+// const OIDC_CLIENT_DEFAULT_PERMISSIONS = ['users' => 'read', 'accounting' => 'read'];
+
+// -----------------------------------------------------------------------
+// SMTP
+// -----------------------------------------------------------------------
+
+// Hôte SMTP (null = utiliser la fonction mail() de PHP)
+const SMTP_HOST = getenv('PAHEKO_SMTP_HOST') ?: null;
+
+// Port SMTP (587 = STARTTLS, 465 = SSL)
+const SMTP_PORT = getenv('PAHEKO_SMTP_PORT') ? (int) getenv('PAHEKO_SMTP_PORT') : 587;
+
+// Utilisateur SMTP
+const SMTP_USER = getenv('PAHEKO_SMTP_USER') ?: null;
+
+// Mot de passe SMTP
+const SMTP_PASSWORD = getenv('PAHEKO_SMTP_PASSWORD') ?: null;
+
+// Sécurité SMTP : NONE, SSL, TLS, STARTTLS
+const SMTP_SECURITY = getenv('PAHEKO_SMTP_SECURITY') ?: 'STARTTLS';
+
+// Nom d'hôte HELO SMTP
+const SMTP_HELO_HOSTNAME = getenv('PAHEKO_SMTP_HELO_HOSTNAME') ?: null;
+
+// Adresse expéditrice forcée (Return-Path / MAIL FROM)
+// Utile pour héberger plusieurs assos sur le même serveur mail
+const MAIL_RETURN_PATH = getenv('PAHEKO_MAIL_RETURN_PATH') ?: null;
+
+// Adresse From forcée (les réponses iront en Reply-To à l'adresse de l'asso)
+const MAIL_SENDER = getenv('PAHEKO_MAIL_SENDER') ?: null;
+
+// -----------------------------------------------------------------------
+// STOCKAGE ET DONNÉES
+// -----------------------------------------------------------------------
+
+// Répertoire des données (base SQLite, sauvegardes, cache)
+// Doit correspondre au volume monté dans Docker
+const DATA_ROOT = '/var/www/paheko/data';
+
+// -----------------------------------------------------------------------
+// INTÉGRATION COLLABORA (optionnel)
+// -----------------------------------------------------------------------
+
+// URL de découverte Collabora pour l'édition de documents en ligne
+// Pointer vers votre instance Collabora
+const WOPI_DISCOVERY_URL = getenv('PAHEKO_WOPI_DISCOVERY_URL') ?: null;
+
+// Outils de conversion (si Collabora est disponible)
+const CONVERSION_TOOLS = ['collabora'];
+
+// -----------------------------------------------------------------------
+// API (optionnel)
+// -----------------------------------------------------------------------
+
+// Accès API système (accès total en écriture)
+const API_USER = getenv('PAHEKO_API_USER') ?: null;
+const API_PASSWORD = getenv('PAHEKO_API_PASSWORD') ?: null;
+
+// -----------------------------------------------------------------------
+// HÉBERGEMENT
+// -----------------------------------------------------------------------
+
+// Mentions légales affichées en bas de la page légale
+const LEGAL_HOSTING_DETAILS = getenv('PAHEKO_LEGAL_HOSTING_DETAILS');
+
+// Désactiver le ping de télémétrie à l'installation/mise à jour
+const DISABLE_INSTALL_PING = true;
+
+// Désactiver les mises à jour automatiques depuis fossil.kd2.org
+// (les mises à jour se font via Docker)
+const ENABLE_UPGRADES = false;
+
+// Command line to use mupdf to generate thumbnails
+const DOCUMENT_THUMBNAIL_COMMANDS = ['mupdf'];
+// Command line to use chromium to generate PDF documents
+const PDF_COMMAND = 'chromium --no-sandbox --headless --disable-dev-shm-usage --autoplay-policy=no-user-gesture-required --no-first-run --disable-gpu --disable-features=DefaultPassthroughCommandDecoder --use-fake-ui-for-media-stream --use-fake-device-for-media-stream --disable-sync --print-to-pdf=%2$s %1$s';
+// I moved plugins outside of /var/www/paheko/data (could be standard with 1.4)
+const PLUGINS_ROOT = '/var/www/paheko/plugins';
--- a/stacks/lail-apps/paheko/docker-compose.yml
+++ b/stacks/lail-apps/paheko/docker-compose.yml
@ -0,0 +1,11 @@
+services:
+  paheko:
+    image: bololo/paheko:latest
+    restart: unless-stopped
+    volumes:
+      - ./config.local.php:/var/www/paheko/config.local.php:ro
+      - /data/lail-apps/lail-paheko/data:/var/www/paheko/data
+      - /data/lail-apps/lail-paheko/plugins:/var/www/paheko/plugins
+
+volumes:
+  paheko-data: