add nlm service conf

Matthew 2022-11-25 18:01:27 -05:00
parent d890404437
commit 3251c09fea
No known key found for this signature in database
GPG Key ID: 210AF32ADE3B5C4B
2 changed files with 384 additions and 0 deletions

Kimai/kamai.yaml Normal file

@ -0,0 +1,372 @@
# ---------------------------------------------------------------------------------------------
# DO NOT EDIT THIS FILE, INSTEAD CREATE THE FILE "local.yaml" AND ADD YOUR SETTINGS IN THERE.
# See https://www.kimai.org/documentation/local-yaml.html
#
# Be aware that this file is YAML format and the indentation is important.
# Each config level needs to be indented with 4 additional spaces.
# ---------------------------------------------------------------------------------------------
kimai:
saml:
activate: true
title: Login with IAM
mapping:
- { saml: $email, kimai: email }
- { saml: $name, kimai: alias }
roles:
resetOnLogin: false
# attribute: Groups
# mapping:
# # Insert your role-mapping here (ROLE_USER is added automatically)
# - { saml: Admin, kimai: ROLE_SUPER_ADMIN }
# - { saml: Manager, kimai: ROLE_ADMIN }
# - { saml: Teamlead, kimai: ROLE_TEAMLEAD }
connection:
idp:
entityId: 'urn:auth.libraryofcode.org'
singleSignOnService:
url: 'https://auth.libraryofcode.org/samlp/1sEhaaFdWtinNdi6ov8eiNhGSenS7qmD'
binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
#singleLogoutService:
# url: 'https://www.example.com/logout'
# binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
x509cert: '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'
# Your Kimai: replace https://www.example.com with your base URL
sp:
entityId: 'https://time.libraryofcode.org/auth/saml/metadata'
assertionConsumerService:
url: 'https://time.libraryofcode.org/auth/saml/acs'
binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
#singleLogoutService:
# url: 'https://auth.libraryofcode.org/auth/saml/logout'
# binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
#privateKey: ''
# only set baseurl, if auto-detection doesn't work
#baseurl: ''
strict: true
debug: true
security:
nameIdEncrypted: false
authnRequestsSigned: false
logoutRequestSigned: false
logoutResponseSigned: false
wantMessagesSigned: false
wantAssertionsSigned: false
wantNameIdEncrypted: false
requestedAuthnContext: true
signMetadata: false
wantXMLValidation: true
signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
contactPerson:
technical:
givenName: 'Kimai Admin'
emailAddress: 'admin@example.com'
support:
givenName: 'Kimai Support'
emailAddress: 'support@example.com'
organization:
en:
name: 'Kimai'
displayname: 'Kimai'
url: 'https://www.example.com'
# --------------------------------------------------------------------------------
# AUTHENTICATION
# --------------------------------------------------------------------------------
# user:
# registration: false
# password_reset: true
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# TIME-TRACKING
# --------------------------------------------------------------------------------
timesheet:
# Allows to render timesheet descriptions with markdown
# This setting can be changed through the Administration screen
# markdown_content: false
# Configures the duration drop-down select.
# null = use rounding rules, 0 = deactivate, every other number is used as minute/step increment
# duration_increment: ~
# Configures the minute select for begin and end date-time.
# null = use rounding rules, every number > 0 is used as minute/step increment
# time_increment: ~
# The time-tracking mode that should be used.
# mode: default
# The default time to pre-fill the "create timesheet" form (in some cases).
# This setting is only respected by some time-tracking modes and not in all situations.
#
# Accepted formats, see
# - https://www.php.net/manual/en/datetime.formats.php
# - https://www.php.net/manual/en/datetime.formats.time.php
# default_begin: now
# Rounding rules are used to round the begin & end dates and the duration for timesheet records.
# The "default" rule will round "begin" down and "end" up to the full minute, the "duration" will not be rounded.
# rounding:
# default:
# days: ['monday','tuesday','wednesday','thursday','friday','saturday','sunday']
# begin: 1
# end: 1
# duration: 0
# mode: default
# If you want to apply different hourly rates for specific weekdays, you can uncomment the "rates" configuration.
# The "weekend" rule will add 50% to each timesheet entry that will be recorded on "saturdays" or "sundays".
# rates:
# weekend:
# days: ['saturday','sunday']
# factor: 1.5
# If you want to limit the max. active entries per user, you can do it here.
# The hard_limit is used to detect how many active records are allowed per user:
# - by default a user can only have one active time-record: it is automatically stopped when a new one is started
# - when hard_limit is > 1 and the user is trying to start a new entry after reaching the limit, a warning is shown
# and the user has to stop an active entry first
# active_entries:
# hard_limit: 3
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# PERMISSIONS
# --------------------------------------------------------------------------------
permissions:
# mapping complex rule sets of single permissions to named "sets" ("set name" = [array of "permissions and @SETS"])
sets:
ACTIVITIES: ['view_activity','create_activity','edit_activity','budget_activity','time_activity','delete_activity','permissions_activity']
ACTIVITIES_ALL_TEAMLEAD: ['view_teamlead_activity','edit_teamlead_activity','budget_teamlead_activity','time_teamlead_activity','permissions_teamlead_activity']
ACTIVITIES_ALL_TEAM: ['view_team_activity','edit_team_activity','budget_team_activity','time_team_activity'] ACTIVITIES_TEAMLEAD: ['view_teamlead_activity','create_activity','edit_teamlead_activity','budget_teamlead_activity','time_teamlead_activity']
PROJECTS: ['view_project','create_project','edit_project','budget_project','time_project','delete_project','permissions_project','comments_project','comments_create_project','details_project']
PROJECTS_ALL_TEAMLEAD: ['view_teamlead_project','edit_teamlead_project','budget_teamlead_project','time_teamlead_project','permissions_teamlead_project','comments_teamlead_project','comments_create_teamlead_project','details_teamlead_project']
PROJECTS_ALL_TEAM: ['view_team_project','edit_team_project','budget_team_project','time_team_project','comments_team_project','comments_create_team_project','details_team_project']
PROJECTS_TEAMLEAD: ['view_teamlead_project','budget_teamlead_project','time_teamlead_project','comments_teamlead_project','comments_create_teamlead_project','details_teamlead_project']
CUSTOMERS: ['view_customer','create_customer','edit_customer','budget_customer','time_customer','delete_customer','permissions_customer','comments_customer','comments_create_customer','details_customer']
CUSTOMERS_ALL_TEAMLEAD: ['view_teamlead_customer','edit_teamlead_customer','budget_teamlead_customer','time_teamlead_customer','permissions_teamlead_customer','comments_teamlead_customer','comments_create_teamlead_customer','details_teamlead_customer']
CUSTOMERS_ALL_TEAM: ['view_team_customer','edit_team_customer','budget_team_customer','time_team_customer','comments_team_customer','comments_create_team_customer','details_team_customer']
CUSTOMERS_TEAMLEAD: ['view_teamlead_customer','budget_teamlead_customer','time_teamlead_customer','comments_teamlead_customer','comments_create_teamlead_customer','details_teamlead_customer']
INVOICE: ['view_invoice','create_invoice']
INVOICE_ADMIN: ['manage_invoice_template']
INVOICE_ALL: ['delete_invoice']
TIMESHEET: ['view_own_timesheet','start_own_timesheet','stop_own_timesheet','create_own_timesheet','edit_own_timesheet','export_own_timesheet','delete_own_timesheet','weekly_own_timesheet']
TIMESHEET_OTHER: ['view_other_timesheet','start_other_timesheet','stop_other_timesheet','create_other_timesheet','edit_other_timesheet','export_other_timesheet','delete_other_timesheet']
PROFILE: ['view_own_profile','edit_own_profile','password_own_profile','preferences_own_profile','api-token_own_profile']
PROFILE_OTHER: ['view_other_profile','edit_other_profile','password_other_profile','roles_other_profile','preferences_other_profile','api-token_other_profile','teams_other_profile']
TAGS: ['view_tag','manage_tag','delete_tag']
USER: ['view_user','create_user','delete_user','role_permissions']
RATE: ['view_rate_own_timesheet','edit_rate_own_timesheet']
RATE_OTHER: ['view_rate_other_timesheet','edit_rate_other_timesheet']
EXPORT: ['create_export','edit_export_own_timesheet','edit_export_other_timesheet']
BILLABLE: ['edit_billable_own_timesheet','edit_billable_other_timesheet']
TEAMS: ['view_team','create_team','edit_team','delete_team']
LOCKDOWN: ['lockdown_grace_timesheet','lockdown_override_timesheet']
REPORTING: ['view_reporting','view_other_reporting']
# some single default definitions for roles
SINGLE_USER: ['view_team_member','time_team_project']
SINGLE_TEAMLEAD: ['view_rate_own_timesheet','view_rate_other_timesheet','hourly-rate_own_profile','view_team_member']
SINGLE_ADMIN: ['hourly-rate_own_profile','edit_exported_timesheet','teams_own_profile','view_team_member','view_all_data']
SINGLE_SUPER_ADMIN: ['hourly-rate_own_profile','hourly-rate_other_profile','roles_own_profile','system_information','system_configuration','plugins','edit_exported_timesheet','teams_own_profile','view_team_member','upload_invoice_template','view_all_data']
# link above sets to one complete set for each user role
ROLE_USER: ['@TIMESHEET','@PROFILE','@REPORTING','@SINGLE_USER']
ROLE_TEAMLEAD: ['@ACTIVITIES_TEAMLEAD','@PROJECTS_TEAMLEAD','@CUSTOMERS_TEAMLEAD','@TIMESHEET_OTHER','@INVOICE','@TIMESHEET','@PROFILE','@EXPORT','@BILLABLE','@TAGS','@REPORTING','@SINGLE_TEAMLEAD']
ROLE_ADMIN: ['@ACTIVITIES','@PROJECTS','@CUSTOMERS','@INVOICE','@INVOICE_ADMIN','@TIMESHEET','@TIMESHEET_OTHER','@PROFILE','@TEAMS','@RATE','@RATE_OTHER','@EXPORT','@BILLABLE','@TAGS','@LOCKDOWN','@REPORTING','@SINGLE_ADMIN']
ROLE_SUPER_ADMIN: ['@ACTIVITIES','@PROJECTS','@CUSTOMERS','@INVOICE','@INVOICE_ADMIN','@TIMESHEET','@TIMESHEET_OTHER','@PROFILE','@PROFILE_OTHER','@USER','@TEAMS','@RATE','@RATE_OTHER','@EXPORT','@BILLABLE','@TAGS','@LOCKDOWN','@REPORTING','@SINGLE_SUPER_ADMIN']
# mapping "sets" or permissions to user roles ("role name" = [array of "set names"])
maps:
ROLE_USER: ['ROLE_USER']
ROLE_TEAMLEAD: ['ROLE_TEAMLEAD']
ROLE_ADMIN: ['ROLE_ADMIN']
ROLE_SUPER_ADMIN: ['ROLE_SUPER_ADMIN']
# only here to register the (partially) unused permissions in the UI
ROLE_FAKE: ['CUSTOMERS_ALL_TEAMLEAD','CUSTOMERS_ALL_TEAM','PROJECTS_ALL_TEAMLEAD','PROJECTS_ALL_TEAM','ACTIVITIES_ALL_TEAMLEAD','ACTIVITIES_ALL_TEAM','INVOICE_ALL']
# add or remove single permissions
roles:
ROLE_USER: []
ROLE_TEAMLEAD: []
ROLE_ADMIN: []
ROLE_SUPER_ADMIN: []
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# CALENDAR Configuration
# --------------------------------------------------------------------------------
# calendar:
# week_numbers: true
# weekends: true
# day_limit: 4
# slot_duration: '00:30:00'
# businessHours:
# days: [1, 2, 3, 4, 5]
# begin: '08:00'
# end: '18:00'
# visibleHours:
# begin: '00:00'
# end: '24:00'
#
# # You can configure unlimited google calendars to display events for your company (e.g. holidays)
# google:
# api_key: 'your-restricted-google-api-key'
# sources:
# holidays:
# id: 'de.german#holiday@group.v.calendar.google.com'
# color: '#ccc'
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# INVOICES
# --------------------------------------------------------------------------------
# invoice:
# # all files in these directories will be used as invoice documents (if supported by a renderer)
# documents:
# - 'var/invoices/'
# - 'templates/invoice/renderer/'
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# DASHBOARD
# --------------------------------------------------------------------------------
dashboard:
user_duration:
title: ~
order: 10
permission: view_own_timesheet
widgets: [PaginatedWorkingTimeChart]
user_teams:
title: ~
order: 15
permission: ROLE_USER
widgets: [UserTeams, UserTeamProjects]
user_rates:
title: ~
order: 20
permission: view_rate_own_timesheet
widgets: [userAmountToday, userAmountWeek, userAmountMonth, userAmountYear]
duration:
title: dashboard.all
order: 30
permission: ROLE_TEAMLEAD
widgets: [durationToday, durationWeek, durationMonth, durationYear]
active_users:
title: ~
order: 40
permission: ROLE_TEAMLEAD
widgets: [activeUsersToday, activeUsersWeek, activeUsersMonth, activeUsersYear]
rates:
title: ~
order: 50
permission: view_all_data
widgets: [amountToday, amountWeek, amountMonth, amountYear]
totals:
title: ~
order: 100
permission: ROLE_USER
widgets: [TotalsUser, TotalsCustomer, TotalsProject, TotalsActivity]
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# LANGUAGES
# --------------------------------------------------------------------------------
languages:
cs:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m H:i'
da:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
de:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
de_AT:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
de_CH:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
el:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
en:
date_type: 'yyyy-MM-dd'
date: 'Y-m-d'
date_time: 'm-d H:i'
duration: '%%h:%%m h'
en_GB:
date_type: 'dd/MM/yyyy'
date: 'd/m/Y'
date_time: 'd/m H:i'
es:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
fi:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
fr:
date_type: 'dd/MM/yyyy'
date: 'd/m/Y'
date_time: 'd/m H:i'
duration: '%%h h %%m'
he:
date_type: 'dd/MM/yyyy'
date: 'd/m/Y'
date_time: 'd/m H:i'
duration: '%%h:%%m'
hr:
date_type: 'dd. MM. yyyy.'
date: 'd. m. Y.'
date_time: 'd. m. H:i'
duration: '%%h:%%m'
hu:
date_type: 'yyyy.MM.dd.'
date: 'Y.m.d.'
date_time: 'm.d. H:i'
it:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
nl:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
duration: '%%hu%%m'
pt:
date_type: 'dd/MM/yyyy'
date: 'd/m/Y'
date_time: 'd-m H:i'
pt_BR:
date_type: 'dd-MM-yyyy'
date: 'd-m-Y'
date_time: 'd-m H:i'
ru:
date_type: 'dd.MM.yyyy'
date: 'd.m.Y'
date_time: 'd.m. H:i'
sk:
date_type: 'dd. MM. yyyy'
date: 'd. m. Y'
date_time: 'd. m. H:i'
sv:
duration: '%%h:%%m tim'
date_time: 'd/m H:i'
pl:
date_type: 'dd. MM. yyyy'
date: 'd. m. Y'
date_time: 'd. m. H:i'
# --------------------------------------------------------------------------------
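Review bot: The SAML connection block ships with `debug: true` (the line directly after `strict: true`), which in Kimai's SAML settings turns on verbose error output from the SAML library; for a file that carries a live IdP entity id and ACS URL this should be `debug: false` unless the commit is explicitly a troubleshooting build. In the same section `wantAssertionsSigned: false` and `wantMessagesSigned: false` mean the SP does not require the assertion itself to be signed; if the IdP signs assertions (most do), hardening to `wantAssertionsSigned: true` costs nothing, though I cannot tell from this file which one the IdP signs. The `contactPerson` and `organization` entries still hold the upstream `example.com` placeholders, and those values are published in the SP metadata endpoint, so they should be replaced or the keys dropped. Minor: the header comment says this file must not be edited and points to `local.yaml`, yet the committed file is `Kimai/kamai.yaml` with site-specific values inside, so either the comment or the file name/role should be corrected; the rendered hunk also shows `ACTIVITIES_ALL_TEAM` and `ACTIVITIES_TEAMLEAD` collapsed onto one line, presumably a display artifact rather than a defect in the committed file.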


@ -0,0 +1,12 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name nlm.libraryofcode.org;
ssl_certificate /etc/nginx/ssl/org.chain.crt;
ssl_certificate_key /etc/nginx/ssl/org.key.pem;
location / {
proxy_pass http://localhost:9000;
}
}
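Review bot: The `location /` block proxies to `http://localhost:9000` without any `proxy_set_header` directives, so the upstream service sees `Host: localhost:9000`, the loopback address as the client IP, and no indication that the original request arrived over TLS; I would add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside the block (plus `X-Forwarded-For` if the upstream consumes it). The server block sets no `ssl_protocols` or `ssl_ciphers`, which is fine only if the global `nginx.conf` pins them; that file is not in this change, so it is worth confirming. The file header in this section carries no file name and the hunk header announces 12 added lines while 10 are visible, so the missing lines are presumably blank and the block ends at the closing `}` shown.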