Add Kanboard app

00-install.sh

@@ -10,6 +10,7 @@ ${SOURCE_DIR}/02-sahana.sh
 ${SOURCE_DIR}/03-sambro.sh
 ${SOURCE_DIR}/10-seeddms.sh
 ${SOURCE_DIR}/50-pandora.sh
+${SOURCE_DIR}/60-kanboard.sh
 
 # Perform cleanup only if DEBUG environment variable is not set
 if [ ${DEBUG:-0} -eq 0 ]; then

60-kanboard.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+SOURCE_DIR=$(realpath $(dirname "${0}"))
+
+# Install dependencies for Kanboard
+apt-get -y --no-install-recommends install php7.0-gd php7.0-fpm php7.0-mbstring php7.0-pgsql php7.0-zip
+
+# Install Kanboard
+wget https://github.com/kanboard/kanboard/releases/download/v1.0.47/kanboard-1.0.47.zip -O /srv/kanboard.zip
+unzip /srv/kanboard.zip -d /srv
+rm -f /srv/kanboard.zip
+
+# Populate database
+export KANBOARD_PWD=$(head -c 18 /dev/urandom | base64)
+envsubst <${SOURCE_DIR}/kanboard/tmp/kanboard-createdb.sql >/tmp/kanboard-createdb.sql
+sudo -u postgres psql -f /tmp/kanboard-createdb.sql
+rm -f /tmp/kanboard-createdb.sql
+export PGPASSWORD=${KANBOARD_PWD}
+psql -f /srv/kanboard/app/Schema/Sql/postgres.sql kanboard kanboard
+
+# Configure Kanboard
+envsubst <${SOURCE_DIR}/kanboard/srv/kanboard/config.php >/srv/kanboard/config.php
+export KANBOARD_ADMIN_USER=admin
+export KANBOARD_ADMIN_PWD=$(head -c 12 /dev/urandom | base64)
+envsubst <${SOURCE_DIR}/kanboard/tmp/kanboard-adminpwd.sql >/tmp/kanboard-adminpwd.sql
+psql -f /tmp/kanboard-adminpwd.sql kanboard kanboard
+unset PGPASSWORD
+
+# Create OS user
+adduser --system --group --home /srv/kanboard --shell /bin/false kanboard
+chown -R kanboard:www-data /srv/kanboard/
+
+# Create PHP and nginx app definition
+cp ${SOURCE_DIR}/kanboard/etc/php/7.0/fpm/pool.d/kanboard.conf /etc/php/7.0/fpm/pool.d/kanboard.conf
+cp ${SOURCE_DIR}/kanboard/etc/nginx/apps-available/kanboard /etc/nginx/apps-available/kanboard
+ln -s /etc/nginx/apps-available/kanboard /etc/nginx/apps-enabled/kanboard
+
+# Restart services
+systemctl restart php7.0-fpm
+systemctl restart nginx
+
+# Install cron job
+cp ${SOURCE_DIR}/kanboard/etc/cron.d/kanboard /etc/cron.d/kanboard
+
+# Add portal application definition
+${SOURCE_DIR}/basic/portal-app-manager.py kanboard "/kanboard/" "${KANBOARD_ADMIN_USER}" "${KANBOARD_ADMIN_PWD}"
+
+# TODO: Admin pwd set
+# TODO: Portal card

kanboard/etc/cron.d/kanboard

@@ -0,0 +1 @@
+0 8 * * * kanboard /srv/kanboard/cli cronjob >/dev/null

kanboard/etc/nginx/apps-available/kanboard

@@ -0,0 +1,11 @@
+location /kanboard {
+    alias /srv/kanboard;
+    index index.php;
+    try_files = $uri $uri/ /kanboard/index.php;
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_param SCRIPT_FILENAME $request_filename;
+        fastcgi_pass unix:/run/php/kanboard.sock;
+    }
+}

kanboard/etc/php/7.0/fpm/pool.d/kanboard.conf

@@ -0,0 +1,12 @@
+[kanboard]
+user = kanboard
+group = kanboard
+
+listen = /run/php/kanboard.sock
+listen.owner = www-data
+listen.group = www-data
+
+pm = ondemand
+pm.max_children = 8
+
+php_admin_value[open_basedir] = /srv/kanboard:/tmp

kanboard/srv/kanboard/config.php

@@ -0,0 +1,239 @@
+<?php
+
+/*******************************************************************/
+/* Rename this file to config.php if you want to change the values */
+/*******************************************************************/
+
+// Data folder (must be writeable by the web server user and absolute)
+define('DATA_DIR', __DIR__.DIRECTORY_SEPARATOR.'data');
+
+// Enable/Disable debug
+define('DEBUG', false);
+
+// Available log drivers: syslog, stderr, stdout or file
+define('LOG_DRIVER', '');
+
+// Log filename if the log driver is "file"
+define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');
+
+// Plugins directory
+define('PLUGINS_DIR', 'plugins');
+
+// Plugins directory URL
+define('PLUGIN_API_URL', 'https://kanboard.net/plugins.json');
+
+// Enable/Disable plugin installer
+define('PLUGIN_INSTALLER', true);
+
+// Available cache drivers are "file" and "memory"
+define('CACHE_DRIVER', 'memory');
+
+// Cache folder to use if cache driver is "file" (must be writeable by the web server user)
+define('CACHE_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'cache');
+
+// Folder for uploaded files (must be writeable by the web server user)
+define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files');
+
+// Enable/disable email configuration from the user interface
+define('MAIL_CONFIGURATION', true);
+
+// E-mail address used for the "From" header (notifications)
+define('MAIL_FROM', 'kanboard@spotter.ngo');
+
+// Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid"
+define('MAIL_TRANSPORT', 'sendmail');
+
+// SMTP configuration to use when the "smtp" transport is chosen
+define('MAIL_SMTP_HOSTNAME', '');
+define('MAIL_SMTP_PORT', 25);
+define('MAIL_SMTP_USERNAME', '');
+define('MAIL_SMTP_PASSWORD', '');
+define('MAIL_SMTP_ENCRYPTION', null); // Valid values are "null", "ssl" or "tls"
+
+// Sendmail command to use when the transport is "sendmail"
+define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs');
+
+// Run automatically database migrations
+// If set to false, you will have to run manually the SQL migrations from the CLI during the next Kanboard upgrade
+// Do not run the migrations from multiple processes at the same time (example: web page + background worker)
+define('DB_RUN_MIGRATIONS', true);
+
+// Database driver: sqlite, mysql or postgres (sqlite by default)
+define('DB_DRIVER', 'postgres');
+
+// Mysql/Postgres username
+define('DB_USERNAME', 'kanboard');
+
+// Mysql/Postgres password
+define('DB_PASSWORD', '${KANBOARD_PWD}');
+
+// Mysql/Postgres hostname
+define('DB_HOSTNAME', 'localhost');
+
+// Mysql/Postgres database name
+define('DB_NAME', 'kanboard');
+
+// Mysql/Postgres custom port (null = default port)
+define('DB_PORT', null);
+
+// Mysql SSL key
+define('DB_SSL_KEY', null);
+
+// Mysql SSL certificate
+define('DB_SSL_CERT', null);
+
+// Mysql SSL CA
+define('DB_SSL_CA', null);
+
+// Enable LDAP authentication (false by default)
+define('LDAP_AUTH', false);
+
+// LDAP server hostname
+define('LDAP_SERVER', '');
+
+// LDAP server port (389 by default)
+define('LDAP_PORT', 389);
+
+// By default, require certificate to be verified for ldaps:// style URL. Set to false to skip the verification
+define('LDAP_SSL_VERIFY', true);
+
+// Enable LDAP START_TLS
+define('LDAP_START_TLS', false);
+
+// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
+// Set to true if you want to preserve the case
+define('LDAP_USERNAME_CASE_SENSITIVE', false);
+
+// LDAP bind type: "anonymous", "user" or "proxy"
+define('LDAP_BIND_TYPE', 'anonymous');
+
+// LDAP username to use with proxy mode
+// LDAP username pattern to use with user mode
+define('LDAP_USERNAME', null);
+
+// LDAP password to use for proxy mode
+define('LDAP_PASSWORD', null);
+
+// LDAP DN for users
+// Example for ActiveDirectory: CN=Users,DC=kanboard,DC=local
+// Example for OpenLDAP: ou=People,dc=example,dc=com
+define('LDAP_USER_BASE_DN', '');
+
+// LDAP pattern to use when searching for a user account
+// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))'
+// Example for OpenLDAP: 'uid=%s'
+define('LDAP_USER_FILTER', '');
+
+// LDAP attribute for username
+// Example for ActiveDirectory: 'samaccountname'
+// Example for OpenLDAP: 'uid'
+define('LDAP_USER_ATTRIBUTE_USERNAME', 'uid');
+
+// LDAP attribute for user full name
+// Example for ActiveDirectory: 'displayname'
+// Example for OpenLDAP: 'cn'
+define('LDAP_USER_ATTRIBUTE_FULLNAME', 'cn');
+
+// LDAP attribute for user email
+define('LDAP_USER_ATTRIBUTE_EMAIL', 'mail');
+
+// LDAP attribute to find groups in user profile
+define('LDAP_USER_ATTRIBUTE_GROUPS', 'memberof');
+
+// LDAP attribute for user avatar image: thumbnailPhoto or jpegPhoto
+define('LDAP_USER_ATTRIBUTE_PHOTO', '');
+
+// LDAP attribute for user language, example: 'preferredlanguage'
+// Put an empty string to disable language sync
+define('LDAP_USER_ATTRIBUTE_LANGUAGE', '');
+
+// Allow automatic LDAP user creation
+define('LDAP_USER_CREATION', true);
+
+// LDAP DN for administrators
+// Example: CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local
+define('LDAP_GROUP_ADMIN_DN', '');
+
+// LDAP DN for managers
+// Example: CN=Kanboard Managers,CN=Users,DC=kanboard,DC=local
+define('LDAP_GROUP_MANAGER_DN', '');
+
+// Enable LDAP group provider for project permissions
+// The end-user will be able to browse LDAP groups from the user interface and allow access to specified projects
+define('LDAP_GROUP_PROVIDER', false);
+
+// LDAP Base DN for groups
+define('LDAP_GROUP_BASE_DN', '');
+
+// LDAP group filter
+// Example for ActiveDirectory: (&(objectClass=group)(sAMAccountName=%s*))
+define('LDAP_GROUP_FILTER', '');
+
+// LDAP user group filter
+// If this filter is configured, Kanboard will search user groups in LDAP_GROUP_BASE_DN with this filter
+// Example for OpenLDAP: (&(objectClass=posixGroup)(memberUid=%s))
+define('LDAP_GROUP_USER_FILTER', '');
+
+// LDAP attribute for the group name
+define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
+
+// Enable/disable the reverse proxy authentication
+define('REVERSE_PROXY_AUTH', false);
+
+// Header name to use for the username
+define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
+
+// Username of the admin, by default blank
+define('REVERSE_PROXY_DEFAULT_ADMIN', '');
+
+// Default domain to use for setting the email address
+define('REVERSE_PROXY_DEFAULT_DOMAIN', '');
+
+// Enable/disable remember me authentication
+define('REMEMBER_ME_AUTH', true);
+
+// Enable or disable "Strict-Transport-Security" HTTP header
+define('ENABLE_HSTS', true);
+
+// Enable or disable "X-Frame-Options: DENY" HTTP header
+define('ENABLE_XFRAME', true);
+
+// Escape html inside markdown text
+define('MARKDOWN_ESCAPE_HTML', true);
+
+// API alternative authentication header, the default is HTTP Basic Authentication defined in RFC2617
+define('API_AUTHENTICATION_HEADER', '');
+
+// Enable/disable url rewrite
+define('ENABLE_URL_REWRITE', true);
+
+// Hide login form, useful if all your users use Google/Github/ReverseProxy authentication
+define('HIDE_LOGIN_FORM', false);
+
+// Disabling logout (useful for external SSO authentication)
+define('DISABLE_LOGOUT', false);
+
+// Enable captcha after 3 authentication failure
+define('BRUTEFORCE_CAPTCHA', 3);
+
+// Lock the account after 6 authentication failure
+define('BRUTEFORCE_LOCKDOWN', 6);
+
+// Lock account duration in minute
+define('BRUTEFORCE_LOCKDOWN_DURATION', 15);
+
+// Session duration in second (0 = until the browser is closed)
+// See http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
+define('SESSION_DURATION', 0);
+
+// HTTP client proxy
+define('HTTP_PROXY_HOSTNAME', '');
+define('HTTP_PROXY_PORT', '3128');
+define('HTTP_PROXY_USERNAME', '');
+define('HTTP_PROXY_PASSWORD', '');
+
+// Set to false to allow self-signed certificates
+define('HTTP_VERIFY_SSL_CERTIFICATE', true);
+
+// TOTP (2FA) issuer name
+define('TOTP_ISSUER', 'Kanboard');

kanboard/tmp/kanboard-adminpwd.sql

@@ -0,0 +1,5 @@
+UPDATE settings SET value = 'cs_CZ' WHERE option = 'application_language';
+UPDATE settings SET value = 'Europe/Prague' WHERE option = 'application_timezone';
+UPDATE settings SET value = 'd.m.Y' WHERE option = 'application_date_format';
+
+-- UPDATE users SET password = '${KANBOARD_ADMIN_PWD}' WHERE username = 'admin';

kanboard/tmp/kanboard-createdb.sql

@@ -0,0 +1,4 @@
+CREATE ROLE kanboard NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED PASSWORD '${KANBOARD_PWD}';
+CREATE DATABASE kanboard;
+REVOKE ALL ON DATABASE kanboard FROM public;
+ALTER DATABASE kanboard OWNER TO kanboard;