diff --git a/bitlair.yaml b/bitlair.yaml index b463ff7..950d555 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -58,6 +58,7 @@ - hosts: services roles: + - { role: "deb_forgejo", tags: [ "deb_forgejo" ] } - { role: "services", tags: ["services"] } - hosts: wiki diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 39de4c0..0169ce1 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -37,5 +37,7 @@ debian_repourl: "http://deb.debian.org/debian/" debian_securityurl: "http://security.debian.org/debian-security" deb_forgejo_repos: + - host: git.bitlair.nl + owner: bitlair - host: git.polyfloyd.net owner: polyfloyd diff --git a/ldapclient.yaml b/ldapclient.yaml deleted file mode 100644 index 3417a12..0000000 --- a/ldapclient.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- hosts: shell-jessie:shell-stretch:shell-sid:mediaserver:grafiekjes - become: no - user: root - roles: - - ldapclient diff --git a/ldapclient/files/lets-encrypt-x1.pem b/ldapclient/files/lets-encrypt-x1.pem deleted file mode 120000 index 5ea8291..0000000 --- a/ldapclient/files/lets-encrypt-x1.pem +++ /dev/null @@ -1 +0,0 @@ -../../../certs/lets-encrypt-x1.pem \ No newline at end of file diff --git a/ldapclient/files/lets-encrypt-x3-cross-signed.pem b/ldapclient/files/lets-encrypt-x3-cross-signed.pem deleted file mode 120000 index bcd25e8..0000000 --- a/ldapclient/files/lets-encrypt-x3-cross-signed.pem +++ /dev/null @@ -1 +0,0 @@ -../../../certs/lets-encrypt-x3-cross-signed.pem \ No newline at end of file diff --git a/ldapclient/files/sub.class1.server.sha2.ca.pem b/ldapclient/files/sub.class1.server.sha2.ca.pem deleted file mode 120000 index 9d232a0..0000000 --- a/ldapclient/files/sub.class1.server.sha2.ca.pem +++ /dev/null @@ -1 +0,0 @@ -../../../certs/sub.class1.server.sha2.ca.pem \ No newline at end of file diff --git a/ldapclient/handlers/main.yaml b/ldapclient/handlers/main.yaml deleted file mode 100644 index 056e3f8..0000000 --- a/ldapclient/handlers/main.yaml +++ /dev/null 
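Review bot: The new role entry is written with padded brackets, `[ "deb_forgejo" ]`, while the adjacent `services` entry uses `["services"]`; for a one-line change the flow-sequence spacing should match the existing line, i.e. `- { role: "deb_forgejo", tags: ["deb_forgejo"] }`. The ordering (deb_forgejo before services) looks deliberate since the services role presumably consumes packages that deb_forgejo installs, but nothing on the page states that; a short comment such as `# must run before services: provides the packages it installs` would keep a later reorder from breaking the play. The enclosing play list continues outside the hunk.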
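Review bot: The added `git.bitlair.nl` / `bitlair` entry is only a host and owner pair, so this hunk says nothing about how packages obtained from that source are verified before being installed on the `services` hosts; each entry in `deb_forgejo_repos` is effectively a party trusted to ship code to those machines. The deb_forgejo role itself is outside this diff, so it is worth confirming it checks a release signature or a pinned checksum rather than installing whatever the latest release on the host is. A one-line comment above `deb_forgejo_repos:` stating what the role verifies for each entry would make that trust decision visible to the next reader. The list continues outside the hunk.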
@@ -1,7 +0,0 @@ ---- - -- name: reload nslcd - service: name=nslcd state=restarted enabled=true - tags: - - ldapclient - - nslcd diff --git a/ldapclient/tasks/main.yaml b/ldapclient/tasks/main.yaml deleted file mode 100644 index 3a8d7bc..0000000 --- a/ldapclient/tasks/main.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -# LDAP Client role for Revspace LDAP -# Tested on: Debian Stable - ---- - -- name: Install LDAP client software - apt: - state: present - pkg: - - libpam-ldapd - - python3-ldap3 - when: ansible_os_family == 'Debian' - tags: - - ldapclient - - apt - -- name: Enable pam_mkhomedir module - lineinfile: - dest: /etc/pam.d/common-account - line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" - regexp: "pam_mkhomedir.so" - insertafter: EOF - tags: - - ldapclient - - mkhomedir - -- name: Create login.group.allowed file - lineinfile: - dest: /etc/login.group.allowed - line: "board" - regexp: "^board$" - owner: "root" - group: "root" - mode: "0755" - create: true - with_items: - - "{{ login_groups | default('board') }}" - tags: - - ldapclient - - logingroups - when: - - logingroups is defined - -- name: Limit access to listed groups - lineinfile: - dest: /etc/pam.d/common-auth - line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed' - insertbefore: EOF - owner: "root" - group: "root" - mode: "0644" - regexp: "pam_listfile.*login.group.allowed" - tags: - - ldapclient - - logingroups - when: - - logingroups is defined - notify: - - reload nslcd - -- name: Copy CA certificate - copy: - src: "{{ ldap_cafile }}" - dest: "/etc/ldap/{{ ldap_cafile }}" - owner: "root" - group: "root" - mode: "0644" - -- name: Template ldap.conf - template: - src: "{{ item }}.j2" - dest: "/etc/ldap/{{ item }}" - owner: "root" - group: "root" - mode: "0644" - with_items: - - ldap.conf - notify: - - reload nslcd - -- name: Template nslcd.conf - template: - src: "{{ item }}.j2" - dest: "/etc/{{ item }}" - owner: "root" - group: "root" - mode: "0644" - with_items: - - nslcd.conf - notify: - - reload nslcd - -- name: Update /etc/nsswitch.conf - lineinfile: - dest: /etc/nsswitch.conf - line: "{{ item }}: compat ldap systemd" - regexp: "^{{ item }}" - with_items: - - passwd - - group - - shadow - -- name: Template nslcd.conf - 
template: - src: ssh-getkey-ldap.j2 - dest: /usr/sbin/ssh-getkey-ldap - owner: "root" - group: "root" - mode: "0755" - with_items: - - ssh-getkey-ldap - tags: - - ssh-getkey-ldap - -- name: Update /etc/nsswitch.conf - lineinfile: - dest: /etc/nsswitch.conf - line: 'sudoers: ldap' - regexp: '^sudoers' - insertbefore: EOF" - -- name: Disable nscd service - service: - name: nscd - state: stopped - enabled: false - tags: - - ldapclient - - nscd diff --git a/ldapclient/templates/ldap.conf.j2 b/ldapclient/templates/ldap.conf.j2 deleted file mode 100644 index c4bbbe6..0000000 --- a/ldapclient/templates/ldap.conf.j2 +++ /dev/null @@ -1,28 +0,0 @@ -# {{ ansible_managed }} -# -# LDAP Defaults -# - -# See ldap.conf(5) for details -# This file should be world readable but not world writable. - -BASE {{ldap_base}} -URI {{ldap_uri}} - -#SIZELIMIT 12 -#TIMELIMIT 15 -#DEREF never - -# TLS certificates (needed for GnuTLS) -TLS_CACERT /etc/ldap/{{ldap_cafile}} -#TLS_CIPHER_SUITE {{ldap_cipher_suite}} -TLS_PROTOCOL_MIN 3.3 -TLS_REQCERT demand -TLS_CRLCHECK none - -# Sudo settings -SUDOERS_BASE ou=SUDOers,{{ldap_base}} -#SUDOERS_SEARCH_FILTER objectClass=sudoRole -SUDOERS_TIMED yes -#SUDOERS_DEBUG 1 - diff --git a/ldapclient/templates/nslcd.conf.j2 b/ldapclient/templates/nslcd.conf.j2 deleted file mode 100644 index 46b780a..0000000 --- a/ldapclient/templates/nslcd.conf.j2 +++ /dev/null 
@@ -1,35 +0,0 @@ -# {{ ansible_managed }} -# /etc/nslcd.conf -# nslcd configuration file. See nslcd.conf(5) -# for details. - -# The user and group nslcd should run as. -uid nslcd -gid nslcd - -# The location at which the LDAP server(s) should be reachable. -#uri ldap://ldap.space.revspace.nl/ -uri {{ldap_uri}} - -# The search base that will be used for all queries. -base {{ldap_base}} - -# The LDAP protocol version to use. -#ldap_version 3 - -# The DN to bind with for normal lookups. -#binddn cn=annonymous,dc=example,dc=net -#bindpw secret - -# The DN used for password modifications by root. -#rootpwmoddn cn=admin,dc=example,dc=com - -# SSL options -ssl on -tls_reqcert demand -tls_cacertfile /etc/ssl/certs/ca-certificates.crt -#tls_ciphers {{ldap_cipher_suite}} - -# The search scope. -#scope sub - diff --git a/ldapclient/templates/ssh-getkey-ldap.j2 b/ldapclient/templates/ssh-getkey-ldap.j2 deleted file mode 100644 index 8e19e3c..0000000 --- a/ldapclient/templates/ssh-getkey-ldap.j2 +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/python3 -# {{ansible_managed}} - -from ldap3 import Server, Connection, NONE, SUBTREE -import sys - -try: - uid=str(sys.argv[1]) -except: - print("No user specified") - exit(1) - -if ( uid == "root" ): - exit(0) - -s = Server('{{ ldap_uri }}', get_info=NONE) -c = Connection(s) -if not c.bind(): - print('error in bind', c.result) - exit(1) - -c.search(search_base = 'ou=People,{{ ldap_base }}', - search_filter = '(uid=' + uid + ')', - search_scope = SUBTREE, - attributes = ['sshPublicKey'], - time_limit = 2, - paged_size = 5) - -keys = c.response[0]['raw_attributes']['sshPublicKey'] - -for x in range(len(keys)): - print( keys[x].decode('ascii') ) - diff --git a/ldapclient/vars/main.yaml b/ldapclient/vars/main.yaml deleted file mode 100644 index 6ce2d65..0000000 --- a/ldapclient/vars/main.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- - -ldap_base: dc=space,dc=revspace,dc=nl -ldap_server: ldap.space.revspace.nl -ldap_uri: ldaps://{{ ldap_server }}:636 -ldap_cafile: lets-encrypt-x1.pem -ldap_cipher_suite: "SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC" diff --git a/roles/bank/defaults/main.yaml b/roles/bank/defaults/main.yaml index b0fea92..d0a5ca6 100644 --- a/roles/bank/defaults/main.yaml +++ b/roles/bank/defaults/main.yaml @@ -1,3 +1,3 @@ bank_user: bank -bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git bank_local_tty: no +bank_revbank_version: "10.3.0" diff --git a/roles/bank/tasks/login.yaml b/roles/bank/tasks/login.yaml index 7ed568e..f54bbfd 100644 --- a/roles/bank/tasks/login.yaml +++ b/roles/bank/tasks/login.yaml @@ -4,7 +4,7 @@ name: bank password: $6$idklol$QrOE/21LDR0vhZBAXwgA7AvnmR6Ju4ZqzAzgeazC08i2yw9kyQjgwu.uuV692iL/cyE7AteDYUxCpcorONXom. # "bank" home: /home/{{ bank_user }} - shell: /home/{{ bank_user }}/revbank.git/revbank + shell: /usr/local/share/revbank/revbank update_password: always - name: Allow password auth for bank user @@ -13,7 +13,7 @@ insertafter: EOF validate: "/usr/sbin/sshd -t -f %s" block: |- - Match User bank + Match User {{ bank_user }} PasswordAuthentication yes notify: reload sshd diff --git a/roles/bank/tasks/revbank.yaml b/roles/bank/tasks/revbank.yaml index ec283d1..3b2ec65 100644 --- a/roles/bank/tasks/revbank.yaml +++ b/roles/bank/tasks/revbank.yaml 
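Review bot: Dropping `bank_revbank_git` moves the upstream URL into the task file as a literal (see the `roles/bank/tasks/revbank.yaml` hunk), so a deployment can no longer point the clone at a mirror or fork without editing the role; keeping a default next to the new version variable, `bank_revbank_git: https://github.com/revspace/revbank.git`, and referencing it from the task preserves that. The new `bank_revbank_version: "10.3.0"` is correctly quoted, but the context line `bank_local_tty: no` is a YAML 1.1 truthy that generic parsers read differently from Ansible; `bank_local_tty: false` is the unambiguous form.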
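Review bot: `Match User {{ bank_user }}` in the second hunk now follows the variable, but the `name: bank` line of the user task in the first hunk still hard-codes the account name, so overriding `bank_user` would create an sshd Match for a user that is never created; change it to `name: "{{ bank_user }}"` to keep the two in step. The Match block also keeps `PasswordAuthentication yes` for an account whose password hash is committed with its cleartext noted in the adjacent `# "bank"` comment, so that credential must be treated as public; if logins are expected only from the space network, narrowing the criteria to `Match User {{ bank_user }} Address <LAN-CIDR placeholder>` limits where that password is accepted. The login shell is set to the revbank binary, which bounds a password login to what revbank itself exposes, but that should be stated as an intent in a comment above the blockinfile task rather than left implicit.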
@@ -1,50 +1,22 @@ --- - name: Install dependencies ansible.builtin.apt: - name: [ git, libterm-readline-gnu-perl, libcurses-ui-perl, qrencode ] + name: [ git, libterm-readline-gnu-perl, libcurses-ui-perl ] state: present - name: Clone revbank source ansible.builtin.git: - repo: "{{ bank_revbank_git }}" - version: master - dest: /home/{{ bank_user }}/revbank.git + repo: https://github.com/revspace/revbank.git + version: "v{{ bank_revbank_version }}" + dest: /usr/local/share/revbank accept_hostkey: yes -- name: Create data files - ansible.builtin.command: cp /home/{{ bank_user }}/revbank.git/{{ item }} /home/{{ bank_user }}/{{ item }} - args: - creates: /home/{{ bank_user }}/{{ item }} - with_items: - - revbank.accounts - - revbank.market - - revbank.products - -- name: Ensure data file permissions - ansible.builtin.file: - path: /home/{{ bank_user }}/{{ item }} - state: touch - owner: "{{ bank_user }}" - group: "{{ bank_user }}" - mode: 0644 - with_items: - - revbank.accounts - - revbank.market - - revbank.products - -- name: Link plugins - ansible.builtin.file: - state: link - path: /home/{{ bank_user }}/{{ item }} - src: /home/{{ bank_user }}/revbank.git/{{ item }} - with_items: - - plugins - - revbank.plugins - -- name: Create git data dir - ansible.builtin.file: - path: /home/{{ bank_user }}/data.git - state: directory +- name: Clone revbank-plugin source + ansible.builtin.git: + repo: https://git.bitlair.nl/bitlair/revbank-plugins.git + version: main + dest: /usr/local/share/revbank-plugins + accept_hostkey: yes - name: Install git cronjob ansible.builtin.template: diff --git a/roles/bank/templates/git.cron b/roles/bank/templates/git.cron index b334260..32308cf 100644 --- a/roles/bank/templates/git.cron +++ b/roles/bank/templates/git.cron 
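Review bot: The new "Clone revbank-plugin source" task tracks `version: main`, so every run of the role deploys whatever is currently on that branch into code loaded by the revbank shell of the bank account (the shell line is in the `roles/bank/tasks/login.yaml` hunk of this diff); anyone with push access to that branch can change what runs on the bank host, and a re-run after a bad push is not reproducible. Pin it the same way the revbank clone now is, e.g. add a default such as `bank_revbank_plugins_version` and use `version: "{{ bank_revbank_plugins_version }}"`, and for both clones prefer a commit SHA over a tag, since tags can be moved. `accept_hostkey: yes` only has an effect for SSH URLs, so on these two HTTPS clones it is inert and can be dropped (or written `true` if kept). The upstream URL `https://github.com/revspace/revbank.git` replaces the removed `bank_revbank_git` variable as a literal; reintroducing the variable keeps the source overridable. The task list continues outside the hunk.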
@@ -1,4 +1,4 @@ SHELL=/bin/bash #m h dom mon dow user command - */10 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto && cp revbank.products ../revbank.products) + */10 * * * * {{ bank_user }} git -C ~/.revbank pull -r && git -C ~/.revbank push diff --git a/roles/ldapclient/files/lets-encrypt-x1.pem b/roles/ldapclient/files/lets-encrypt-x1.pem deleted file mode 120000 index 5ea8291..0000000 --- a/roles/ldapclient/files/lets-encrypt-x1.pem +++ /dev/null @@ -1 +0,0 @@ -../../../certs/lets-encrypt-x1.pem \ No newline at end of file diff --git a/roles/ldapclient/files/lets-encrypt-x3-cross-signed.pem b/roles/ldapclient/files/lets-encrypt-x3-cross-signed.pem deleted file mode 120000 index bcd25e8..0000000 --- a/roles/ldapclient/files/lets-encrypt-x3-cross-signed.pem +++ /dev/null @@ -1 +0,0 @@ -../../../certs/lets-encrypt-x3-cross-signed.pem \ No newline at end of file diff --git a/roles/ldapclient/files/sub.class1.server.sha2.ca.pem b/roles/ldapclient/files/sub.class1.server.sha2.ca.pem deleted file mode 120000 index 9d232a0..0000000 --- a/roles/ldapclient/files/sub.class1.server.sha2.ca.pem +++ /dev/null @@ -1 +0,0 @@ -../../../certs/sub.class1.server.sha2.ca.pem \ No newline at end of file diff --git a/roles/ldapclient/handlers/main.yaml b/roles/ldapclient/handlers/main.yaml deleted file mode 100644 index 056e3f8..0000000 --- a/roles/ldapclient/handlers/main.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: reload nslcd - service: name=nslcd state=restarted enabled=true - tags: - - ldapclient - - nslcd diff --git a/roles/ldapclient/tasks/main.yaml b/roles/ldapclient/tasks/main.yaml deleted file mode 100644 index 3a8d7bc..0000000 --- a/roles/ldapclient/tasks/main.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -# LDAP Client role for Revspace LDAP -# Tested on: Debian Stable - ---- - -- name: Install LDAP client software - apt: - state: present - pkg: - - libpam-ldapd - - python3-ldap3 - when: ansible_os_family == 'Debian' - tags: - - ldapclient - - apt - -- name: Enable pam_mkhomedir module - lineinfile: - dest: /etc/pam.d/common-account - line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" - regexp: "pam_mkhomedir.so" - insertafter: EOF - tags: - - ldapclient - - mkhomedir - -- name: Create login.group.allowed file - lineinfile: - dest: /etc/login.group.allowed - line: "board" - regexp: "^board$" - owner: "root" - group: "root" - mode: "0755" - create: true - with_items: - - "{{ login_groups | default('board') }}" - tags: - - ldapclient - - logingroups - when: - - logingroups is defined - -- name: Limit access to listed groups - lineinfile: - dest: /etc/pam.d/common-auth - line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed' - insertbefore: EOF - owner: "root" - group: "root" - mode: "0644" - regexp: "pam_listfile.*login.group.allowed" - tags: - - ldapclient - - logingroups - when: - - logingroups is defined - notify: - - reload nslcd - -- name: Copy CA certificate - copy: - src: "{{ ldap_cafile }}" - dest: "/etc/ldap/{{ ldap_cafile }}" - owner: "root" - group: "root" - mode: "0644" - -- name: Template ldap.conf - template: - src: "{{ item }}.j2" - dest: "/etc/ldap/{{ item }}" - owner: "root" - group: "root" - mode: "0644" - with_items: - - ldap.conf - notify: - - reload nslcd - -- name: Template nslcd.conf - template: - src: "{{ item }}.j2" - dest: "/etc/{{ item }}" - owner: "root" - group: "root" - mode: "0644" - with_items: - - nslcd.conf - notify: - - reload nslcd - -- name: Update /etc/nsswitch.conf - lineinfile: - dest: /etc/nsswitch.conf - line: "{{ item }}: compat ldap systemd" - regexp: "^{{ item }}" - with_items: - - passwd - - group - - shadow - -- name: Template nslcd.conf - 
template: - src: ssh-getkey-ldap.j2 - dest: /usr/sbin/ssh-getkey-ldap - owner: "root" - group: "root" - mode: "0755" - with_items: - - ssh-getkey-ldap - tags: - - ssh-getkey-ldap - -- name: Update /etc/nsswitch.conf - lineinfile: - dest: /etc/nsswitch.conf - line: 'sudoers: ldap' - regexp: '^sudoers' - insertbefore: EOF" - -- name: Disable nscd service - service: - name: nscd - state: stopped - enabled: false - tags: - - ldapclient - - nscd diff --git a/roles/ldapclient/templates/ldap.conf.j2 b/roles/ldapclient/templates/ldap.conf.j2 deleted file mode 100644 index c4bbbe6..0000000 --- a/roles/ldapclient/templates/ldap.conf.j2 +++ /dev/null @@ -1,28 +0,0 @@ -# {{ ansible_managed }} -# -# LDAP Defaults -# - -# See ldap.conf(5) for details -# This file should be world readable but not world writable. - -BASE {{ldap_base}} -URI {{ldap_uri}} - -#SIZELIMIT 12 -#TIMELIMIT 15 -#DEREF never - -# TLS certificates (needed for GnuTLS) -TLS_CACERT /etc/ldap/{{ldap_cafile}} -#TLS_CIPHER_SUITE {{ldap_cipher_suite}} -TLS_PROTOCOL_MIN 3.3 -TLS_REQCERT demand -TLS_CRLCHECK none - -# Sudo settings -SUDOERS_BASE ou=SUDOers,{{ldap_base}} -#SUDOERS_SEARCH_FILTER objectClass=sudoRole -SUDOERS_TIMED yes -#SUDOERS_DEBUG 1 - diff --git a/roles/ldapclient/templates/nslcd.conf.j2 b/roles/ldapclient/templates/nslcd.conf.j2 deleted file mode 100644 index 46b780a..0000000 --- a/roles/ldapclient/templates/nslcd.conf.j2 +++ /dev/null 
@@ -1,35 +0,0 @@ -# {{ ansible_managed }} -# /etc/nslcd.conf -# nslcd configuration file. See nslcd.conf(5) -# for details. - -# The user and group nslcd should run as. -uid nslcd -gid nslcd - -# The location at which the LDAP server(s) should be reachable. -#uri ldap://ldap.space.revspace.nl/ -uri {{ldap_uri}} - -# The search base that will be used for all queries. -base {{ldap_base}} - -# The LDAP protocol version to use. -#ldap_version 3 - -# The DN to bind with for normal lookups. -#binddn cn=annonymous,dc=example,dc=net -#bindpw secret - -# The DN used for password modifications by root. -#rootpwmoddn cn=admin,dc=example,dc=com - -# SSL options -ssl on -tls_reqcert demand -tls_cacertfile /etc/ssl/certs/ca-certificates.crt -#tls_ciphers {{ldap_cipher_suite}} - -# The search scope. -#scope sub - diff --git a/roles/ldapclient/templates/ssh-getkey-ldap.j2 b/roles/ldapclient/templates/ssh-getkey-ldap.j2 deleted file mode 100644 index 8e19e3c..0000000 --- a/roles/ldapclient/templates/ssh-getkey-ldap.j2 +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/python3 -# {{ansible_managed}} - -from ldap3 import Server, Connection, NONE, SUBTREE -import sys - -try: - uid=str(sys.argv[1]) -except: - print("No user specified") - exit(1) - -if ( uid == "root" ): - exit(0) - -s = Server('{{ ldap_uri }}', get_info=NONE) -c = Connection(s) -if not c.bind(): - print('error in bind', c.result) - exit(1) - -c.search(search_base = 'ou=People,{{ ldap_base }}', - search_filter = '(uid=' + uid + ')', - search_scope = SUBTREE, - attributes = ['sshPublicKey'], - time_limit = 2, - paged_size = 5) - -keys = c.response[0]['raw_attributes']['sshPublicKey'] - -for x in range(len(keys)): - print( keys[x].decode('ascii') ) - diff --git a/roles/ldapclient/vars/main.yaml b/roles/ldapclient/vars/main.yaml deleted file mode 100644 index 6ce2d65..0000000 --- a/roles/ldapclient/vars/main.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- - -ldap_base: dc=space,dc=revspace,dc=nl -ldap_server: ldap.space.revspace.nl -ldap_uri: ldaps://{{ ldap_server }}:636 -ldap_cafile: lets-encrypt-x1.pem -ldap_cipher_suite: "SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC" diff --git a/roles/ldapserver/files/cn={4}revspace.ldif b/roles/ldapserver/files/cn={4}revspace.ldif deleted file mode 100644 index 41d290b..0000000 --- a/roles/ldapserver/files/cn={4}revspace.ldif +++ /dev/null 
@@ -1,49 +0,0 @@ -# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. -dn: cn={4}revspace -objectClass: olcSchemaConfig -cn: {4}revspace -olcObjectIdentifier: {0}revspaceOID 1.3.6.1.4.1.36206 -olcObjectIdentifier: {1}revspaceLDAP revspaceOID:1 -olcObjectIdentifier: {2}revspaceAttributeType revspaceLDAP:16 -olcObjectIdentifier: {3}revspaceObjectClass revspaceLDAP:17 -olcAttributeTypes: {0}( revspaceAttributeType:1 NAME 'accountBalance' DESC ' - RevSpace bank account balance in eurocent' EQUALITY integerMatch SYNTAX 1.3 - .6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -olcAttributeTypes: {1}( revspaceAttributeType:2 NAME 'iButtonSerial' DESC 'i - Button serial' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SU - BSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: {2}( revspaceAttributeType:7 NAME 'tweetEntry' DESC 'Twee - t entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) -olcAttributeTypes: {3}( revspaceAttributeType:8 NAME 'chanmsgEntry' DESC 'An - nounce entry on irc channel' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466. 
- 115.121.1.7 ) -olcAttributeTypes: {4}( revspaceAttributeType:9 NAME 'statusEntry' DESC 'Ann - ounce entry in JSON status' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.1 - 15.121.1.7 ) -olcAttributeTypes: {5}( revspaceAttributeType:3 NAME 'articleName' DESC 'Rev - Space stock management item name' EQUALITY caseIgnoreMatch ORDERING caseIgn - oreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.1 - 15.121.1.15 ) -olcAttributeTypes: {6}( revspaceAttributeType:6 NAME 'barCode' DESC 'RevSpac - e stock management item barcode' EQUALITY caseIgnoreMatch ORDERING caseIgno - reOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.11 - 5.121.1.15 ) -olcAttributeTypes: {7}( revspaceAttributeType:4 NAME 'stock' DESC 'Amount of - items in stock' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) -olcAttributeTypes: {8}( revspaceAttributeType:5 NAME 'price' DESC 'Price per - item in eurocent' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. - 27 SINGLE-VALUE ) -olcObjectClasses: {0}( revspaceObjectClass:1 NAME 'revspaceAccount' DESC 'mi - xin RevSpace account details' AUXILIARY MAY ( accountBalance $ iButtonSeria - l $ tweetEntry $ chanmsgEntry $ statusEntry ) ) -olcObjectClasses: {1}( revspaceObjectClass:2 NAME 'revspaceProduct' DESC 'mi - xin RevSpace product details' STRUCTURAL MUST ( articleName $ price ) MAY ( - stock $ barCode ) ) -structuralObjectClass: olcSchemaConfig -entryUUID: 2d92bbae-fbff-1034-865e-79a954a03d07 -creatorsName: cn=config -createTimestamp: 20150930204006Z -entryCSN: 20150930204006.374158Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20150930204006Z diff --git a/roles/ldapserver/files/cn={5}sudoers.ldif b/roles/ldapserver/files/cn={5}sudoers.ldif deleted file mode 100644 index 2b4c2f9..0000000 --- a/roles/ldapserver/files/cn={5}sudoers.ldif +++ /dev/null 
@@ -1,48 +0,0 @@ -# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. -dn: cn={5}sudoers -objectClass: olcSchemaConfig -cn: {5}sudoers -olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s - ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substrin - gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s - ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring - sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Com - mand(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 - .1.1466.115.121.1.26 ) -olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User( - s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466 - .115.121.1.26 ) -olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Opti - ons(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466 - .115.121.1.26 ) -olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'U - ser(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1. - 1466.115.121.1.26 ) -olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC ' - Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4. 
- 1.1466.115.121.1.26 ) -olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'S - tart of time interval for which the entry is valid' EQUALITY generalizedTim - eMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12 - 1.1.24 ) -olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'En - d of time interval for which the entry is valid' EQUALITY generalizedTimeMa - tch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 - .24 ) -olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an i - nteger to order the sudoRole entries' EQUALITY integerMatch ORDERING intege - rOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) -olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer - Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand - $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore - $ sudoNotAfter $ sudoOrder $ description ) ) -structuralObjectClass: olcSchemaConfig -entryUUID: 3a967b84-0248-1035-954b-037a0fbd2d2a -creatorsName: cn=config -createTimestamp: 20151008203808Z -entryCSN: 20151008203808.446725Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20151008203808Z - diff --git a/roles/ldapserver/files/revspace.schema b/roles/ldapserver/files/revspace.schema deleted file mode 100644 index ca79bfc..0000000 --- a/roles/ldapserver/files/revspace.schema +++ /dev/null 
@@ -1,94 +0,0 @@ -# -# Author: "Koen Martens" -# Desc. : RevSpaceBank account balance field definition and -# mixin objectClass for RevSpace ldap directory -# RevSpace stock management object class and attributes - -# to be replaced with assigned PEN -objectIdentifier revspaceOID 1.3.6.1.4.1.36206 - -# some further derived short-hands -objectIdentifier revspaceLDAP revspaceOID:1 -objectIdentifier revspaceAttributeType revspaceLDAP:16 -objectIdentifier revspaceObjectClass revspaceLDAP:17 - -# the account balance, in eurocent -#attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' -# EQUALITY integerMatch -# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -attributeType ( revspaceAttributeType:1 NAME 'accountBalance' - DESC 'RevSpace bank account balance in eurocent' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - EQUALITY integerMatch - SINGLE-VALUE ) - -attributeType ( revspaceAttributeType:2 NAME 'iButtonSerial' - DESC 'iButton serial' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - ORDERING caseIgnoreOrderingMatch ) - -attributeType ( revspaceAttributeType:7 NAME 'tweetEntry' - DESC 'Tweet entry' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - EQUALITY booleanMatch ) - -attributeType ( revspaceAttributeType:8 NAME 'chanmsgEntry' - DESC 'Announce entry on irc channel' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - EQUALITY booleanMatch ) - -attributeType ( revspaceAttributeType:9 NAME 'statusEntry' - DESC 'Announce entry in JSON status' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - EQUALITY booleanMatch ) - -#attributeType ( revspaceAttributeType:2 NAME 'iButtonSerial' -# DESC 'iButton serial' -# SYNTAX 1.3.6.1.4.1.1466.115.121.1.16 -# EQUALITY caseIgnoreMatch -# SUBSTR caseIgnoreSubstringsMatch -# ORDERING caseIgnoreOrderingMatch ) - -objectclass ( revspaceObjectClass:1 NAME 'revspaceAccount' - DESC 'mixin RevSpace account details' - AUXILIARY - MAY ( accountBalance $ iButtonSerial $ tweetEntry $ chanmsgEntry $ statusEntry ) ) - -# 
RevSpace stock management (bar items) -# - -attributeType ( revspaceAttributeType:3 NAME 'articleName' - DESC 'RevSpace stock management item name' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - ORDERING caseIgnoreOrderingMatch ) - -attributeType ( revspaceAttributeType:6 NAME 'barCode' - DESC 'RevSpace stock management item barcode' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - ORDERING caseIgnoreOrderingMatch ) - -attributeType ( revspaceAttributeType:4 NAME 'stock' - DESC 'Amount of items in stock' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - EQUALITY integerMatch - SINGLE-VALUE ) - -attributeType ( revspaceAttributeType:5 NAME 'price' - DESC 'Price per item in eurocent' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - EQUALITY integerMatch - SINGLE-VALUE ) - -objectclass ( revspaceObjectClass:2 NAME 'revspaceProduct' - DESC 'mixin RevSpace product details' - STRUCTURAL - MUST ( articleName $ price ) - MAY ( stock $ barCode ) ) - diff --git a/roles/ldapserver/files/ssl/cacert.pem b/roles/ldapserver/files/ssl/cacert.pem deleted file mode 120000 index 3ac3c86..0000000 --- a/roles/ldapserver/files/ssl/cacert.pem +++ /dev/null @@ -1 +0,0 @@ -../../../../certs/lets-encrypt-x1.pem \ No newline at end of file diff --git a/roles/ldapserver/files/ssl/server-cert.pem b/roles/ldapserver/files/ssl/server-cert.pem deleted file mode 120000 index c6d1c8a..0000000 --- a/roles/ldapserver/files/ssl/server-cert.pem +++ /dev/null @@ -1 +0,0 @@ -../../../../certs/ldap/ldap.space.revspace.nl.cert \ No newline at end of file diff --git a/roles/ldapserver/files/ssl/server-key.pem b/roles/ldapserver/files/ssl/server-key.pem deleted file mode 120000 index 715f768..0000000 --- a/roles/ldapserver/files/ssl/server-key.pem +++ /dev/null @@ -1 +0,0 @@ -../../../../certs/ldap/space.revspace.nl.key \ No newline at end of file 
diff --git a/roles/ldapserver/files/sudoers.ldif b/roles/ldapserver/files/sudoers.ldif deleted file mode 100644 index 63508d3..0000000 --- a/roles/ldapserver/files/sudoers.ldif +++ /dev/null 
@@ -1,77 +0,0 @@ -dn: cn=sudoers,cn=schema,cn=config -objectClass: olcSchemaConfig -cn: sudoers - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 - NAME 'sudoNotBefore' - DESC 'Start of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 - NAME 'sudoNotAfter' - DESC 'End of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - -olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 - NAME 'sudoOrder' - DESC 'an integer to order the sudoRole 
entries' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - -olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ - sudoOrder $ description ) - ) - diff --git a/roles/ldapserver/files/sudoers.schema b/roles/ldapserver/files/sudoers.schema deleted file mode 100644 index 10793ad..0000000 --- a/roles/ldapserver/files/sudoers.schema +++ /dev/null 
@@ -1,73 +0,0 @@ -attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.8 - NAME 'sudoNotBefore' - DESC 'Start of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - -attributetype ( 1.3.6.1.4.1.15953.9.1.9 - NAME 'sudoNotAfter' - DESC 'End of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - -attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 - NAME 'sudoOrder' - DESC 'an integer to order the sudoRole entries' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - -objectclass ( 
1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ - sudoOrder $ description ) - ) - diff --git a/roles/ldapserver/handlers/main.yaml b/roles/ldapserver/handlers/main.yaml deleted file mode 100644 index 9d9efb3..0000000 --- a/roles/ldapserver/handlers/main.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -- name: Restart slapd - service: name=slapd state=restarted diff --git a/roles/ldapserver/tasks/main.yaml b/roles/ldapserver/tasks/main.yaml deleted file mode 100644 index df73a44..0000000 --- a/roles/ldapserver/tasks/main.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ ---- - -- name: Configure debconf items for slapd - debconf: - name: slapd - question: "slapd/{{ item.q }}" - value: "{{ item.v }}" - vtype: "{{ item.t }}" - with_items: - - { q: 'domain', v: "{{ slapd_domain }}", t: 'string' } - - { q: 'backend', v: "MDB", t: 'select' } - notify: - - Restart slapd - -- name: Configure debconf items for slapd (passwords) - debconf: - name: slapd - question: "slapd/{{ item.q }}" - value: "{{ item.v }}" - vtype: "{{ item.t }}" - with_items: - - { q: 'password1', v: "{{ slapd_admin_pass }}", t: 'password' } - - { q: 'password2', v: "{{ slapd_admin_pass }}", t: 'password' } - changed_when: false - no_log: "{{ filter_logs|default('true') }}" - -- name: Install required software - apt: - pkg: - - slapd - - ldap-utils - state: present - -- name: Set ldap OLC password - lineinfile: - dest: "/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif" - line: "olcRootPW: {{ slapd_config_pass }}" - insertafter: "^modifyTimeStamp:" - regexp: "^olcRootPW" - notify: - - Restart slapd - -- name: Copy revspace schema and olcConfig - copy: - src: "{{ item.src }}" - dest: "/etc/ldap/{{ item.dst }}" - owner: "openldap" - group: "openldap" - mode: "0644" - with_items: - - { src: "revspace.schema", dst: "schema/revspace.schema" } - - { src: "sudoers.schema", dst: "schema/sudoers.schema" } - - { src: "cn={4}revspace.ldif", dst: "slapd.d/cn=config/cn=schema/cn={4}revspace.ldif" } - - { src: "cn={5}sudoers.ldif", dst: "slapd.d/cn=config/cn=schema/cn={5}sudoers.ldif" } - notify: - - Restart slapd - -#- name: Create directory for certificates -# file: path={{ slapd_certpath }} state=directory owner=openldap group=openldap mode=0700 -# -#- name: Copy TLS files -# copy: src=ssl/{{ item }} dest={{ slapd_certpath }}/{{ item }} owner=openldap group=openldap mode=0400 -# with_items: -# - cacert.pem -# - server-key.pem -# - server-cert.pem - -- name: Template olc edits - template: - src: "{{ item }}.j2" - dest: "/etc/ldap/{{ item }}.ldif" - owner: 
"openldap" - group: "openldap" - mode: "0600" - with_items: - - olcAccess - - olcSSL - register: olcedits - notify: - - Restart slapd - -- name: Update olcConfig - command: "ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/{{ item }}.ldif" - with_items: - - olcAccess - - olcSSL - when: olcedits is changed - ignore_errors: true - changed_when: false - notify: - - Restart slapd - -- name: Enable SSL listener - lineinfile: - dest: "/etc/default/slapd" - line: "SLAPD_SERVICES=\"ldap:/// ldaps:/// ldapi:///\"" - regexp: "^SLAPD_SERVICES" - notify: - - Restart slapd diff --git a/roles/ldapserver/templates/olcAccess.j2 b/roles/ldapserver/templates/olcAccess.j2 deleted file mode 100644 index 5498319..0000000 --- a/roles/ldapserver/templates/olcAccess.j2 +++ /dev/null @@ -1,8 +0,0 @@ -dn: olcDatabase={1}mdb,cn=config -changetype: modify -add: olcAccess -olcAccess: {1}to attrs=loginShell,gecos - by dn="cn=admin,{{slapd_root}}" write - by self write - by * read - diff --git a/roles/ldapserver/templates/olcSSL.j2 b/roles/ldapserver/templates/olcSSL.j2 deleted file mode 100644 index 41f14af..0000000 --- a/roles/ldapserver/templates/olcSSL.j2 +++ /dev/null @@ -1,15 +0,0 @@ -# {{ansible_managed }} -dn: cn=config -changetype: modify -replace: olcTLSCACertificateFile -olcTLSCACertificateFile: {{slapd_certpath}}/fullchain.pem -- -replace: olcTLSCertificateKeyFile -olcTLSCertificateKeyFile: {{slapd_certpath}}/privkey.pem -- -replace: olcTLSCertificateFile -olcTLSCertificateFile: {{slapd_certpath}}/cert.pem -- -replace: olcTLSCipherSuite -olcTLSCipherSuite: {{slapd_cipher_suite}} - diff --git a/roles/ldapserver/vars/.gitignore b/roles/ldapserver/vars/.gitignore deleted file mode 100644 index 4a424df..0000000 --- a/roles/ldapserver/vars/.gitignore +++ /dev/null @@ -1 +0,0 @@ -secret.yaml diff --git a/roles/ldapserver/vars/main.yaml b/roles/ldapserver/vars/main.yaml deleted file mode 100644 index a4024be..0000000 --- a/roles/ldapserver/vars/main.yaml +++ /dev/null 
@@ -1,9 +0,0 @@
----
-
-slapd_config_pass: "{{ lookup('passwordstore', 'revspace/ldap/config') }}"
-slapd_admin_pass: "{{ lookup('passwordstore', 'revspace/ldap/admin') }}"
-
-slapd_domain: "space.revspace.nl"
-slapd_root: "dc=space,dc=revspace,dc=nl"
-slapd_certpath: "/etc/dehydrated/certs/ldap.space.revspace.nl/"
-slapd_cipher_suite: "SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC"
diff --git a/roles/services/tasks/discord_bot.yaml b/roles/services/tasks/discord_bot.yaml
index 19a659f..3ce4308 100644
--- a/roles/services/tasks/discord_bot.yaml
+++ b/roles/services/tasks/discord_bot.yaml
@@ -3,30 +3,36 @@
 - name: Install dependencies ansible.builtin.apt: name: - python3-paho-mqtt - python3-tz + openscad - virtualenv
 - name: Create virtualenv
 ansible.builtin.command:
- cmd: virtualenv /opt/miflora_exporter/.venv
+ cmd: virtualenv /var/lib/discord-bot/.venv
 args:
 creates: /var/lib/discord-bot/.venv
-- name: Install Python dependencies
- ansible.builtin.shell:
- cmd: . .venv/bin/activate && pip install -r requirements.txt
- args:
- chdir: /var/lib/discord-bot
+- name: Clone bottleclip source
+ ansible.builtin.git:
+ repo: https://git.bitlair.nl/bitlair/bottle-clip.git
+ version: main
+ dest: /var/lib/bottle-clip
+ accept_hostkey: yes
+ notify: Restart discord-bot
-- name: Clone source
+- name: Clone discord-bot source
 ansible.builtin.git:
 repo: https://git.bitlair.nl/bitlair/discord-bot.git
 version: main
 dest: /var/lib/discord-bot
 accept_hostkey: yes
 notify: Restart discord-bot
- ignore_errors: true
+
+- name: Install Python dependencies
+ ansible.builtin.shell:
+ cmd: . .venv/bin/activate && pip install -r requirements.txt
+ args:
+ chdir: /var/lib/discord-bot
 - name: Install service file
 ansible.builtin.template:
diff --git a/roles/services/tasks/siahsd.yaml b/roles/services/tasks/siahsd.yaml
index c7c3b0b..fc7fef5 100644
--- a/roles/services/tasks/siahsd.yaml
+++ b/roles/services/tasks/siahsd.yaml
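Review bot: `version: main` on the new `Clone bottleclip source` task (and on the discord-bot clone that follows it) tracks a moving branch, so every playbook run deploys whatever is on `main` at that moment and restarts the bot through the handler; pin `version:` to a tag or commit SHA so a push to the repository cannot change what runs on the host without a reviewed change in this file. `accept_hostkey: yes` has no effect for an `https://` remote and is a non-canonical boolean; drop it, or write `true` if an SSH remote is planned. The `Install Python dependencies` step is now correctly ordered after the clone, but as a `shell` task with no `changed_when` it reports changed on every run; `ansible.builtin.pip` with `virtualenv: /var/lib/discord-bot/.venv` and `requirements: /var/lib/discord-bot/requirements.txt` gives idempotent reporting and removes the `activate` subshell.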
@@ -1,16 +1,15 @@
 ---
-# TODO: Install and build
+- name: Install siahsd
+ apt:
+ name: siahsd
 - name: Create directories
 ansible.builtin.file:
- path: "{{ item }}"
+ path: /var/log/siahsd
 state: directory
 owner: siahsd
 group: nogroup
 mode: "0750"
- with_items:
- - /var/log/siahsd
- - /var/lib/siahsd
 - name: Install config file
 ansible.builtin.template:
@@ -21,19 +20,9 @@
 mode: "0644"
 notify: Restart siahsd
-- name: Install service file
- ansible.builtin.template:
- src: siahsd.service
- dest: /etc/systemd/system/siahsd.service
- owner: root
- group: root
- mode: "0644"
- notify: Restart siahsd
-
 - name: Start siahsd
 ansible.builtin.systemd:
 name: siahsd
 state: started
 enabled: true
 daemon_reload: true
-
diff --git a/roles/services/templates/discord-bot.service b/roles/services/templates/discord-bot.service
index 2c73d05..7522fd9 100644
--- a/roles/services/templates/discord-bot.service
+++ b/roles/services/templates/discord-bot.service
@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 [Unit]
 Description=HobbyBot
@@ -13,6 +13,7 @@ DynamicUser=true
 Environment="MQTT_HOST={{ mqtt_internal_host }}"
 Environment="DISCORD_WEBHOOK_URL={{ lookup('passwordstore', 'services/discord', subkey='webhook_url') }}"
 Environment="DISCORD_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='token') }}"
+Environment="BOTTLECLIP_RESOURCES=/var/lib/bottle-clip"
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/services/templates/siahsd.conf b/roles/services/templates/siahsd.conf
index 5d8e94f..ee18220 100644
--- a/roles/services/templates/siahsd.conf
+++ b/roles/services/templates/siahsd.conf
@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 [siahsd]
 pid file = /var/lib/siahsd/siahsd.pid
 log file = /var/log/siahsd/siahsd.log
@@ -5,13 +7,6 @@ log level = 3
 foreground = 0
 event handlers = script
-#[database]
-#driver = mysql
-#host = localhost
-#name = siahsd
-#username = siahsd
-#password = MysbJxAaawmwKPqD
-
 [siahs]
 port = 4000
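Review bot: The new `Install siahsd` task uses the short module name `apt:` while every other task in this file is written with the `ansible.builtin.` prefix, and it leaves `state:` implicit; write it as `ansible.builtin.apt:` with `name: siahsd` and `state: present` so it reads like its neighbours and the intent is explicit. The same hunk removes the creation of `/var/lib/siahsd`, yet the `siahsd.conf` template changed in this commit still sets `pid file = /var/lib/siahsd/siahsd.pid`; unless the package is known to ship that directory with ownership for the `siahsd` user (not visible here), the daemon has nowhere to write its pid file and the `Start siahsd` task will fail. Either keep the directory task for `/var/lib/siahsd` or note in a comment that the package provides it.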
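Review bot: The added `BOTTLECLIP_RESOURCES` line lands in the same `Environment=` block that inlines `DISCORD_WEBHOOK_URL` and `DISCORD_TOKEN` into the unit file; unit files under `/etc/systemd/system` are world-readable by default and `systemctl show` prints `Environment=` to any local user, so both secrets are exposed to every account on the host. That is pre-existing, but since this commit already rewrites the file's header, it is the moment to move the two lookups into an `EnvironmentFile=` installed with mode `0600` (or into `LoadCredential=`), keeping only non-secret values such as `MQTT_HOST` and `BOTTLECLIP_RESOURCES` inline. With `DynamicUser=true` the bot runs as a transient user, so `/var/lib/bottle-clip` has to remain readable by others for the new variable to be useful; the clone task in this commit relies on git's default permissions for that, which is worth a one-line comment there.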
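Review bot: The removed `#[database]` block in this hunk, and the `#[jsonbot]` and `#[spacestate]` blocks removed in the next hunk of this file, carried literal passwords and an AES key in a committed template; deleting them does not remove them from git history, so they should be treated as disclosed and rotated anywhere they are still accepted. The context line `rsa key file = something.sexp` that survives in the next hunk reads like a placeholder; if the real key path is meant to come from Ansible, template it (`rsa key file = {{ siahsd_rsa_key_file }}`, variable name constructed) rather than leaving a value the daemon may silently fail to load. A comment above `[siahs]` noting where the real credentials now live would help the next maintainer avoid reintroducing them inline.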
@@ -19,21 +14,5 @@ port = 4000
 port = 9000
 rsa key file = something.sexp
-#[jsonbot]
-#address = 192.168.88.15
-#port = 5500
-#aes key = blablablablablaz
-#password = mekker
-#privmsg to = #bitlair
-
-#[spacestate]
-#driver = mysql
-#host = localhost
-#name = bitwifi
-#username = bitwifi
-#password = aGWERQpLEQPUaXJV
-#open script = /opt/alarm/disarmed.sh
-#close script = /opt/alarm/armed.sh
-
 [script]
 path = /opt/alarm/siahsd_handler.sh
diff --git a/roles/services/templates/siahsd.service b/roles/services/templates/siahsd.service
deleted file mode 100644
index 479324c..0000000
--- a/roles/services/templates/siahsd.service
+++ /dev/null
@@ -1,17 +0,0 @@
-# Managed by Ansible
-
-[Unit]
-Description=Siahsd
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/var/lib/siahsd/siahsd.pid
-Restart=always
-RestartSec=10s
-ExecStartPre=-/bin/rm /var/lib/siahsd/siahsd.pid
-ExecStart=/usr/local/src/siahsd/build/siahsd
-User=siahsd
-
-[Install]
-WantedBy=multi-user.target
diff --git a/services.yaml b/services.yaml
index e66fc11..52103e0 100644
--- a/services.yaml
+++ b/services.yaml
@@ -3,4 +3,5 @@
 - hosts: services
 roles:
 - { role: "common", tags: [ "common" ] }
+ - { role: "deb_forgejo", tags: [ "deb_forgejo" ] }
 - { role: "services", tags: [ "services" ] }
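Review bot: Placing `deb_forgejo` before `services` makes play order the only thing that guarantees the package repository is configured before `services` runs the new `apt: name: siahsd` task in roles/services/tasks/siahsd.yaml; a run limited to `--tags services` skips the repository role entirely, so a fresh host would fail at the install step if siahsd is served from that repository (inferred — the role itself is not visible here). Either add `"services"` to the `tags:` list of the `deb_forgejo` entry so the two are always selected together, or declare `deb_forgejo` as a role dependency of `services` in its role metadata so the ordering is explicit rather than positional. A one-line comment above the entry, `# must run before services: provides the apt repository for siahsd`, would record why the order matters.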