From a74ef0de9ae42debbddf2c360fddd3619f173369 Mon Sep 17 00:00:00 2001 
From: Mark Janssen -- Sig-I/O Automatisering Date: Wed, 30 Apr 2025 21:42:38 +0200 Subject: [PATCH 01/11] ldap van revspace, nog aanpassen --- ldapclient/files/lets-encrypt-x1.pem | 1 + .../files/lets-encrypt-x3-cross-signed.pem | 1 + .../files/sub.class1.server.sha2.ca.pem | 1 + ldapclient/handlers/main.yaml | 7 + ldapclient/tasks/main.yaml | 129 ++++++++++++++++++ ldapclient/templates/ldap.conf.j2 | 28 ++++ ldapclient/templates/nslcd.conf.j2 | 35 +++++ ldapclient/templates/ssh-getkey-ldap.j2 | 33 +++++ ldapclient/vars/main.yaml | 7 + roles/ldapclient/files/lets-encrypt-x1.pem | 1 + .../files/lets-encrypt-x3-cross-signed.pem | 1 + .../files/sub.class1.server.sha2.ca.pem | 1 + roles/ldapclient/handlers/main.yaml | 7 + roles/ldapclient/tasks/main.yaml | 129 ++++++++++++++++++ roles/ldapclient/templates/ldap.conf.j2 | 28 ++++ roles/ldapclient/templates/nslcd.conf.j2 | 35 +++++ roles/ldapclient/templates/ssh-getkey-ldap.j2 | 33 +++++ roles/ldapclient/vars/main.yaml | 7 + roles/ldapserver/files/cn={4}revspace.ldif | 49 +++++++ roles/ldapserver/files/cn={5}sudoers.ldif | 48 +++++++ roles/ldapserver/files/revspace.schema | 94 +++++++++++++ roles/ldapserver/files/ssl/cacert.pem | 1 + roles/ldapserver/files/ssl/server-cert.pem | 1 + roles/ldapserver/files/ssl/server-key.pem | 1 + roles/ldapserver/files/sudoers.ldif | 77 +++++++++++ roles/ldapserver/files/sudoers.schema | 73 ++++++++++ roles/ldapserver/handlers/main.yaml | 4 + roles/ldapserver/tasks/main.yaml | 99 ++++++++++++++ roles/ldapserver/templates/olcAccess.j2 | 8 ++ roles/ldapserver/templates/olcSSL.j2 | 15 ++ roles/ldapserver/vars/.gitignore | 1 + roles/ldapserver/vars/main.yaml | 9 ++ 32 files changed, 964 insertions(+) create mode 120000 ldapclient/files/lets-encrypt-x1.pem create mode 120000 ldapclient/files/lets-encrypt-x3-cross-signed.pem create mode 120000 ldapclient/files/sub.class1.server.sha2.ca.pem create mode 100644 ldapclient/handlers/main.yaml create mode 100644 ldapclient/tasks/main.yaml create mode 
100644 ldapclient/templates/ldap.conf.j2 create mode 100644 ldapclient/templates/nslcd.conf.j2 create mode 100644 ldapclient/templates/ssh-getkey-ldap.j2 create mode 100644 ldapclient/vars/main.yaml create mode 120000 roles/ldapclient/files/lets-encrypt-x1.pem create mode 120000 roles/ldapclient/files/lets-encrypt-x3-cross-signed.pem create mode 120000 roles/ldapclient/files/sub.class1.server.sha2.ca.pem create mode 100644 roles/ldapclient/handlers/main.yaml create mode 100644 roles/ldapclient/tasks/main.yaml create mode 100644 roles/ldapclient/templates/ldap.conf.j2 create mode 100644 roles/ldapclient/templates/nslcd.conf.j2 create mode 100644 roles/ldapclient/templates/ssh-getkey-ldap.j2 create mode 100644 roles/ldapclient/vars/main.yaml create mode 100644 roles/ldapserver/files/cn={4}revspace.ldif create mode 100644 roles/ldapserver/files/cn={5}sudoers.ldif create mode 100644 roles/ldapserver/files/revspace.schema create mode 120000 roles/ldapserver/files/ssl/cacert.pem create mode 120000 roles/ldapserver/files/ssl/server-cert.pem create mode 120000 roles/ldapserver/files/ssl/server-key.pem create mode 100644 roles/ldapserver/files/sudoers.ldif create mode 100644 roles/ldapserver/files/sudoers.schema create mode 100644 roles/ldapserver/handlers/main.yaml create mode 100644 roles/ldapserver/tasks/main.yaml create mode 100644 roles/ldapserver/templates/olcAccess.j2 create mode 100644 roles/ldapserver/templates/olcSSL.j2 create mode 100644 roles/ldapserver/vars/.gitignore create mode 100644 roles/ldapserver/vars/main.yaml diff --git a/ldapclient/files/lets-encrypt-x1.pem b/ldapclient/files/lets-encrypt-x1.pem new file mode 120000 index 0000000..5ea8291 --- /dev/null +++ b/ldapclient/files/lets-encrypt-x1.pem @@ -0,0 +1 @@ +../../../certs/lets-encrypt-x1.pem \ No newline at end of file diff --git a/ldapclient/files/lets-encrypt-x3-cross-signed.pem b/ldapclient/files/lets-encrypt-x3-cross-signed.pem new file mode 120000 index 0000000..bcd25e8 --- /dev/null 
+++ b/ldapclient/files/lets-encrypt-x3-cross-signed.pem
@@ -0,0 +1 @@
+../../../certs/lets-encrypt-x3-cross-signed.pem
\ No newline at end of file
diff --git a/ldapclient/files/sub.class1.server.sha2.ca.pem b/ldapclient/files/sub.class1.server.sha2.ca.pem
new file mode 120000
index 0000000..9d232a0
--- /dev/null
+++ b/ldapclient/files/sub.class1.server.sha2.ca.pem
@@ -0,0 +1 @@
+../../../certs/sub.class1.server.sha2.ca.pem
\ No newline at end of file
diff --git a/ldapclient/handlers/main.yaml b/ldapclient/handlers/main.yaml
new file mode 100644
index 0000000..056e3f8
--- /dev/null
+++ b/ldapclient/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+
+- name: reload nslcd
+ service: name=nslcd state=restarted enabled=true
+ tags:
+ - ldapclient
+ - nslcd
diff --git a/ldapclient/tasks/main.yaml b/ldapclient/tasks/main.yaml
new file mode 100644
index 0000000..3a8d7bc
--- /dev/null
+++ b/ldapclient/tasks/main.yaml
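Review bot: The handler `service: name=nslcd state=restarted enabled=true` uses the key=value string form; Ansible's convention is block YAML for module arguments, `name: nslcd` / `state: restarted` / `enabled: true` under `service:`. Its name says "reload" while it restarts the daemon, and it is also notified from the `common-auth` PAM edit in tasks/main.yaml, which nslcd does not read, so `restart nslcd` would be the honest name and the PAM task needs no notify. The same two points apply to the copy in roles/ldapclient/handlers/main.yaml and to `service: name=slapd state=restarted` in roles/ldapserver/handlers/main.yaml.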
@@ -0,0 +1,129 @@ +# LDAP Client role for Revspace LDAP +# Tested on: Debian Stable + +--- + +- name: Install LDAP client software + apt: + state: present + pkg: + - libpam-ldapd + - python3-ldap3 + when: ansible_os_family == 'Debian' + tags: + - ldapclient + - apt + +- name: Enable pam_mkhomedir module + lineinfile: + dest: /etc/pam.d/common-account + line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" + regexp: "pam_mkhomedir.so" + insertafter: EOF + tags: + - ldapclient + - mkhomedir + +- name: Create login.group.allowed file + lineinfile: + dest: /etc/login.group.allowed + line: "board" + regexp: "^board$" + owner: "root" + group: "root" + mode: "0755" + create: true + with_items: + - "{{ login_groups | default('board') }}" + tags: + - ldapclient + - logingroups + when: + - logingroups is defined + +- name: Limit access to listed groups + lineinfile: + dest: /etc/pam.d/common-auth + line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed' + insertbefore: EOF + owner: "root" + group: "root" + mode: "0644" + regexp: "pam_listfile.*login.group.allowed" + tags: + - ldapclient + - logingroups + when: + - logingroups is defined + notify: + - reload nslcd + +- name: Copy CA certificate + copy: + src: "{{ ldap_cafile }}" + dest: "/etc/ldap/{{ ldap_cafile }}" + owner: "root" + group: "root" + mode: "0644" + +- name: Template ldap.conf + template: + src: "{{ item }}.j2" + dest: "/etc/ldap/{{ item }}" + owner: "root" + group: "root" + mode: "0644" + with_items: + - ldap.conf + notify: + - reload nslcd + +- name: Template nslcd.conf + template: + src: "{{ item }}.j2" + dest: "/etc/{{ item }}" + owner: "root" + group: "root" + mode: "0644" + with_items: + - nslcd.conf + notify: + - reload nslcd + +- name: Update /etc/nsswitch.conf + lineinfile: + dest: /etc/nsswitch.conf + line: "{{ item }}: compat ldap systemd" + regexp: "^{{ item }}" + with_items: + - passwd + - group + - shadow + +- name: Template nslcd.conf + 
template: + src: ssh-getkey-ldap.j2 + dest: /usr/sbin/ssh-getkey-ldap + owner: "root" + group: "root" + mode: "0755" + with_items: + - ssh-getkey-ldap + tags: + - ssh-getkey-ldap + +- name: Update /etc/nsswitch.conf + lineinfile: + dest: /etc/nsswitch.conf + line: 'sudoers: ldap' + regexp: '^sudoers' + insertbefore: EOF" + +- name: Disable nscd service + service: + name: nscd + state: stopped + enabled: false + tags: + - ldapclient + - nscd diff --git a/ldapclient/templates/ldap.conf.j2 b/ldapclient/templates/ldap.conf.j2 new file mode 100644 index 0000000..c4bbbe6 --- /dev/null +++ b/ldapclient/templates/ldap.conf.j2 @@ -0,0 +1,28 @@ +# {{ ansible_managed }} +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +BASE {{ldap_base}} +URI {{ldap_uri}} + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +# TLS certificates (needed for GnuTLS) +TLS_CACERT /etc/ldap/{{ldap_cafile}} +#TLS_CIPHER_SUITE {{ldap_cipher_suite}} +TLS_PROTOCOL_MIN 3.3 +TLS_REQCERT demand +TLS_CRLCHECK none + +# Sudo settings +SUDOERS_BASE ou=SUDOers,{{ldap_base}} +#SUDOERS_SEARCH_FILTER objectClass=sudoRole +SUDOERS_TIMED yes +#SUDOERS_DEBUG 1 + diff --git a/ldapclient/templates/nslcd.conf.j2 b/ldapclient/templates/nslcd.conf.j2 new file mode 100644 index 0000000..46b780a --- /dev/null +++ b/ldapclient/templates/nslcd.conf.j2 
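Review bot: In `Create login.group.allowed file` the loop variable is never used: `line: "board"` and `regexp: "^board$"` are literal, so whatever `login_groups` holds the file always ends up with the single entry `board`; use `line: "{{ item }}"` and `regexp: "^{{ item }}$"`. The same task installs a plain allow-list read by pam_listfile with `mode: "0755"`; a data file needs no execute bit, `mode: "0644"`. Both PAM tasks are guarded by `when: logingroups is defined`, a differently spelled variable from the `login_groups` the loop reads, so with only `login_groups` set neither task runs. Further down `insertbefore: EOF"` carries a stray quote, and two task names are reused (`Template nslcd.conf` for the ssh-getkey-ldap copy, `Update /etc/nsswitch.conf` twice), which makes `--start-at-task` and log output ambiguous. roles/ldapclient/tasks/main.yaml is a byte-for-byte copy and carries the same issues.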
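Review bot: `TLS_CACERT /etc/ldap/{{ldap_cafile}}` pins verification of the `ldaps://` connection to one file, which vars/main.yaml sets to `lets-encrypt-x1.pem`; the Let's Encrypt X1 intermediate has long since been retired, so a server presenting a current chain will fail `TLS_REQCERT demand` for every libldap-based client, while nslcd.conf.j2 in the same role trusts the system bundle. Either point both at `/etc/ssl/certs/ca-certificates.crt` or ship the CA that actually issued the current server certificate. `TLS_CRLCHECK none` looks deliberate and deserves a one-line comment such as `# revocation is not checked; CA publishes no usable CRL — confirm`. The copy in roles/ldapclient/templates/ldap.conf.j2 is identical.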
@@ -0,0 +1,35 @@ +# {{ ansible_managed }} +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. + +# The user and group nslcd should run as. +uid nslcd +gid nslcd + +# The location at which the LDAP server(s) should be reachable. +#uri ldap://ldap.space.revspace.nl/ +uri {{ldap_uri}} + +# The search base that will be used for all queries. +base {{ldap_base}} + +# The LDAP protocol version to use. +#ldap_version 3 + +# The DN to bind with for normal lookups. +#binddn cn=annonymous,dc=example,dc=net +#bindpw secret + +# The DN used for password modifications by root. +#rootpwmoddn cn=admin,dc=example,dc=com + +# SSL options +ssl on +tls_reqcert demand +tls_cacertfile /etc/ssl/certs/ca-certificates.crt +#tls_ciphers {{ldap_cipher_suite}} + +# The search scope. +#scope sub + diff --git a/ldapclient/templates/ssh-getkey-ldap.j2 b/ldapclient/templates/ssh-getkey-ldap.j2 new file mode 100644 index 0000000..8e19e3c --- /dev/null +++ b/ldapclient/templates/ssh-getkey-ldap.j2 @@ -0,0 +1,33 @@ +#!/usr/bin/python3 +# {{ansible_managed}} + +from ldap3 import Server, Connection, NONE, SUBTREE +import sys + +try: + uid=str(sys.argv[1]) +except: + print("No user specified") + exit(1) + +if ( uid == "root" ): + exit(0) + +s = Server('{{ ldap_uri }}', get_info=NONE) +c = Connection(s) +if not c.bind(): + print('error in bind', c.result) + exit(1) + +c.search(search_base = 'ou=People,{{ ldap_base }}', + search_filter = '(uid=' + uid + ')', + search_scope = SUBTREE, + attributes = ['sshPublicKey'], + time_limit = 2, + paged_size = 5) + +keys = c.response[0]['raw_attributes']['sshPublicKey'] + +for x in range(len(keys)): + print( keys[x].decode('ascii') ) + diff --git a/ldapclient/vars/main.yaml b/ldapclient/vars/main.yaml new file mode 100644 index 0000000..6ce2d65 --- /dev/null +++ b/ldapclient/vars/main.yaml 
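Review bot: The template carries `#binddn` / `#bindpw secret` placeholders, but the `Template nslcd.conf` task in tasks/main.yaml installs it with `mode: "0644"` and `group: "root"`; presumably this is why the Debian package installs /etc/nslcd.conf as 0640 root:nslcd, so that a bind password, once uncommented, is not world-readable — `mode: "0640"` and `group: "nslcd"` on that task keep the property. The trust anchor here (`tls_cacertfile /etc/ssl/certs/ca-certificates.crt`) differs from the per-file pin in ldap.conf.j2; the two clients should agree on what they trust. `annonymous` in the commented binddn example is a typo for `anonymous`. roles/ldapclient/templates/nslcd.conf.j2 is the same file.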
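Review bot: `search_filter = '(uid=' + uid + ')'` interpolates the login name sshd hands to the AuthorizedKeysCommand straight into the LDAP filter, and `Server('{{ ldap_uri }}', get_info=NONE)` is built without a `Tls` object, so ldap3 falls back to its default of not validating the server certificate (`validate=ssl.CERT_NONE`); the keys that decide who may log in are therefore fetched over a channel whose peer is never authenticated. Escape the uid with `ldap3.utils.conv.escape_filter_chars` and pass a `Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=...)` using the same CA file nslcd.conf.j2 trusts (this needs `import ssl` and `from ldap3 import Tls`). `c.response[0]['raw_attributes']['sshPublicKey']` raises IndexError for an unknown user and KeyError for a user without keys, which sshd then logs as a command failure rather than "no keys"; the bare `except:` and the builtin `exit()` calls should be `except IndexError:` and `sys.exit()`. roles/ldapclient/templates/ssh-getkey-ldap.j2 is the same script.
```python
tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file='/etc/ssl/certs/ca-certificates.crt')
s = Server('{{ ldap_uri }}', get_info=NONE, tls=tls)
c = Connection(s)
if not c.bind():
    print('error in bind', c.result)
    sys.exit(1)

c.search(search_base='ou=People,{{ ldap_base }}',
         search_filter='(uid=' + escape_filter_chars(uid) + ')',
         search_scope=SUBTREE,
         attributes=['sshPublicKey'],
         time_limit=2,
         paged_size=5)

# no entry or no sshPublicKey attribute simply means "no keys" for sshd
if not c.response:
    sys.exit(0)
for key in c.response[0]['raw_attributes'].get('sshPublicKey', []):
    print(key.decode('ascii'))
```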
@@ -0,0 +1,7 @@
+---
+
+ldap_base: dc=space,dc=revspace,dc=nl
+ldap_server: ldap.space.revspace.nl
+ldap_uri: ldaps://{{ ldap_server }}:636
+ldap_cafile: lets-encrypt-x1.pem
+ldap_cipher_suite: "SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC"
diff --git a/roles/ldapclient/files/lets-encrypt-x1.pem b/roles/ldapclient/files/lets-encrypt-x1.pem
new file mode 120000
index 0000000..5ea8291
--- /dev/null
+++ b/roles/ldapclient/files/lets-encrypt-x1.pem
@@ -0,0 +1 @@
+../../../certs/lets-encrypt-x1.pem
\ No newline at end of file
diff --git a/roles/ldapclient/files/lets-encrypt-x3-cross-signed.pem b/roles/ldapclient/files/lets-encrypt-x3-cross-signed.pem
new file mode 120000
index 0000000..bcd25e8
--- /dev/null
+++ b/roles/ldapclient/files/lets-encrypt-x3-cross-signed.pem
@@ -0,0 +1 @@
+../../../certs/lets-encrypt-x3-cross-signed.pem
\ No newline at end of file
diff --git a/roles/ldapclient/files/sub.class1.server.sha2.ca.pem b/roles/ldapclient/files/sub.class1.server.sha2.ca.pem
new file mode 120000
index 0000000..9d232a0
--- /dev/null
+++ b/roles/ldapclient/files/sub.class1.server.sha2.ca.pem
@@ -0,0 +1 @@
+../../../certs/sub.class1.server.sha2.ca.pem
\ No newline at end of file
diff --git a/roles/ldapclient/handlers/main.yaml b/roles/ldapclient/handlers/main.yaml
new file mode 100644
index 0000000..056e3f8
--- /dev/null
+++ b/roles/ldapclient/handlers/main.yaml
@@ -0,0 +1,7 @@
+---
+
+- name: reload nslcd
+ service: name=nslcd state=restarted enabled=true
+ tags:
+ - ldapclient
+ - nslcd
diff --git a/roles/ldapclient/tasks/main.yaml b/roles/ldapclient/tasks/main.yaml
new file mode 100644
index 0000000..3a8d7bc
--- /dev/null
+++ b/roles/ldapclient/tasks/main.yaml
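Review bot: `ldap_cafile: lets-encrypt-x1.pem` selects an intermediate that Let's Encrypt retired long ago, and ldap.conf.j2 pins `TLS_CACERT` to exactly this file, so the client will not validate a current certificate from `ldap.space.revspace.nl`; point it at a CA that issues the server's current chain, or drop the per-file pin in favour of the system bundle. These values live in `vars/`, which in Ansible's precedence sits above inventory and play vars, so a host-specific `ldap_server` or `ldap_base` cannot be overridden from inventory; `defaults/main.yaml` is the conventional home for role knobs like these. roles/ldapclient/vars/main.yaml is the same file.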
@@ -0,0 +1,129 @@ +# LDAP Client role for Revspace LDAP +# Tested on: Debian Stable + +--- + +- name: Install LDAP client software + apt: + state: present + pkg: + - libpam-ldapd + - python3-ldap3 + when: ansible_os_family == 'Debian' + tags: + - ldapclient + - apt + +- name: Enable pam_mkhomedir module + lineinfile: + dest: /etc/pam.d/common-account + line: "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" + regexp: "pam_mkhomedir.so" + insertafter: EOF + tags: + - ldapclient + - mkhomedir + +- name: Create login.group.allowed file + lineinfile: + dest: /etc/login.group.allowed + line: "board" + regexp: "^board$" + owner: "root" + group: "root" + mode: "0755" + create: true + with_items: + - "{{ login_groups | default('board') }}" + tags: + - ldapclient + - logingroups + when: + - logingroups is defined + +- name: Limit access to listed groups + lineinfile: + dest: /etc/pam.d/common-auth + line: 'auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed' + insertbefore: EOF + owner: "root" + group: "root" + mode: "0644" + regexp: "pam_listfile.*login.group.allowed" + tags: + - ldapclient + - logingroups + when: + - logingroups is defined + notify: + - reload nslcd + +- name: Copy CA certificate + copy: + src: "{{ ldap_cafile }}" + dest: "/etc/ldap/{{ ldap_cafile }}" + owner: "root" + group: "root" + mode: "0644" + +- name: Template ldap.conf + template: + src: "{{ item }}.j2" + dest: "/etc/ldap/{{ item }}" + owner: "root" + group: "root" + mode: "0644" + with_items: + - ldap.conf + notify: + - reload nslcd + +- name: Template nslcd.conf + template: + src: "{{ item }}.j2" + dest: "/etc/{{ item }}" + owner: "root" + group: "root" + mode: "0644" + with_items: + - nslcd.conf + notify: + - reload nslcd + +- name: Update /etc/nsswitch.conf + lineinfile: + dest: /etc/nsswitch.conf + line: "{{ item }}: compat ldap systemd" + regexp: "^{{ item }}" + with_items: + - passwd + - group + - shadow + +- name: Template nslcd.conf + 
template: + src: ssh-getkey-ldap.j2 + dest: /usr/sbin/ssh-getkey-ldap + owner: "root" + group: "root" + mode: "0755" + with_items: + - ssh-getkey-ldap + tags: + - ssh-getkey-ldap + +- name: Update /etc/nsswitch.conf + lineinfile: + dest: /etc/nsswitch.conf + line: 'sudoers: ldap' + regexp: '^sudoers' + insertbefore: EOF" + +- name: Disable nscd service + service: + name: nscd + state: stopped + enabled: false + tags: + - ldapclient + - nscd diff --git a/roles/ldapclient/templates/ldap.conf.j2 b/roles/ldapclient/templates/ldap.conf.j2 new file mode 100644 index 0000000..c4bbbe6 --- /dev/null +++ b/roles/ldapclient/templates/ldap.conf.j2 @@ -0,0 +1,28 @@ +# {{ ansible_managed }} +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +BASE {{ldap_base}} +URI {{ldap_uri}} + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +# TLS certificates (needed for GnuTLS) +TLS_CACERT /etc/ldap/{{ldap_cafile}} +#TLS_CIPHER_SUITE {{ldap_cipher_suite}} +TLS_PROTOCOL_MIN 3.3 +TLS_REQCERT demand +TLS_CRLCHECK none + +# Sudo settings +SUDOERS_BASE ou=SUDOers,{{ldap_base}} +#SUDOERS_SEARCH_FILTER objectClass=sudoRole +SUDOERS_TIMED yes +#SUDOERS_DEBUG 1 + diff --git a/roles/ldapclient/templates/nslcd.conf.j2 b/roles/ldapclient/templates/nslcd.conf.j2 new file mode 100644 index 0000000..46b780a --- /dev/null +++ b/roles/ldapclient/templates/nslcd.conf.j2 
@@ -0,0 +1,35 @@ +# {{ ansible_managed }} +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. + +# The user and group nslcd should run as. +uid nslcd +gid nslcd + +# The location at which the LDAP server(s) should be reachable. +#uri ldap://ldap.space.revspace.nl/ +uri {{ldap_uri}} + +# The search base that will be used for all queries. +base {{ldap_base}} + +# The LDAP protocol version to use. +#ldap_version 3 + +# The DN to bind with for normal lookups. +#binddn cn=annonymous,dc=example,dc=net +#bindpw secret + +# The DN used for password modifications by root. +#rootpwmoddn cn=admin,dc=example,dc=com + +# SSL options +ssl on +tls_reqcert demand +tls_cacertfile /etc/ssl/certs/ca-certificates.crt +#tls_ciphers {{ldap_cipher_suite}} + +# The search scope. +#scope sub + diff --git a/roles/ldapclient/templates/ssh-getkey-ldap.j2 b/roles/ldapclient/templates/ssh-getkey-ldap.j2 new file mode 100644 index 0000000..8e19e3c --- /dev/null +++ b/roles/ldapclient/templates/ssh-getkey-ldap.j2 @@ -0,0 +1,33 @@ +#!/usr/bin/python3 +# {{ansible_managed}} + +from ldap3 import Server, Connection, NONE, SUBTREE +import sys + +try: + uid=str(sys.argv[1]) +except: + print("No user specified") + exit(1) + +if ( uid == "root" ): + exit(0) + +s = Server('{{ ldap_uri }}', get_info=NONE) +c = Connection(s) +if not c.bind(): + print('error in bind', c.result) + exit(1) + +c.search(search_base = 'ou=People,{{ ldap_base }}', + search_filter = '(uid=' + uid + ')', + search_scope = SUBTREE, + attributes = ['sshPublicKey'], + time_limit = 2, + paged_size = 5) + +keys = c.response[0]['raw_attributes']['sshPublicKey'] + +for x in range(len(keys)): + print( keys[x].decode('ascii') ) + diff --git a/roles/ldapclient/vars/main.yaml b/roles/ldapclient/vars/main.yaml new file mode 100644 index 0000000..6ce2d65 --- /dev/null +++ b/roles/ldapclient/vars/main.yaml 
@@ -0,0 +1,7 @@
+---
+
+ldap_base: dc=space,dc=revspace,dc=nl
+ldap_server: ldap.space.revspace.nl
+ldap_uri: ldaps://{{ ldap_server }}:636
+ldap_cafile: lets-encrypt-x1.pem
+ldap_cipher_suite: "SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC"
diff --git a/roles/ldapserver/files/cn={4}revspace.ldif b/roles/ldapserver/files/cn={4}revspace.ldif
new file mode 100644
index 0000000..41d290b
--- /dev/null
+++ b/roles/ldapserver/files/cn={4}revspace.ldif
@@ -0,0 +1,49 @@ +# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. +dn: cn={4}revspace +objectClass: olcSchemaConfig +cn: {4}revspace +olcObjectIdentifier: {0}revspaceOID 1.3.6.1.4.1.36206 +olcObjectIdentifier: {1}revspaceLDAP revspaceOID:1 +olcObjectIdentifier: {2}revspaceAttributeType revspaceLDAP:16 +olcObjectIdentifier: {3}revspaceObjectClass revspaceLDAP:17 +olcAttributeTypes: {0}( revspaceAttributeType:1 NAME 'accountBalance' DESC ' + RevSpace bank account balance in eurocent' EQUALITY integerMatch SYNTAX 1.3 + .6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {1}( revspaceAttributeType:2 NAME 'iButtonSerial' DESC 'i + Button serial' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SU + BSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {2}( revspaceAttributeType:7 NAME 'tweetEntry' DESC 'Twee + t entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) +olcAttributeTypes: {3}( revspaceAttributeType:8 NAME 'chanmsgEntry' DESC 'An + nounce entry on irc channel' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466. 
+ 115.121.1.7 ) +olcAttributeTypes: {4}( revspaceAttributeType:9 NAME 'statusEntry' DESC 'Ann + ounce entry in JSON status' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.1 + 15.121.1.7 ) +olcAttributeTypes: {5}( revspaceAttributeType:3 NAME 'articleName' DESC 'Rev + Space stock management item name' EQUALITY caseIgnoreMatch ORDERING caseIgn + oreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.1 + 15.121.1.15 ) +olcAttributeTypes: {6}( revspaceAttributeType:6 NAME 'barCode' DESC 'RevSpac + e stock management item barcode' EQUALITY caseIgnoreMatch ORDERING caseIgno + reOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.11 + 5.121.1.15 ) +olcAttributeTypes: {7}( revspaceAttributeType:4 NAME 'stock' DESC 'Amount of + items in stock' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: {8}( revspaceAttributeType:5 NAME 'price' DESC 'Price per + item in eurocent' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 27 SINGLE-VALUE ) +olcObjectClasses: {0}( revspaceObjectClass:1 NAME 'revspaceAccount' DESC 'mi + xin RevSpace account details' AUXILIARY MAY ( accountBalance $ iButtonSeria + l $ tweetEntry $ chanmsgEntry $ statusEntry ) ) +olcObjectClasses: {1}( revspaceObjectClass:2 NAME 'revspaceProduct' DESC 'mi + xin RevSpace product details' STRUCTURAL MUST ( articleName $ price ) MAY ( + stock $ barCode ) ) +structuralObjectClass: olcSchemaConfig +entryUUID: 2d92bbae-fbff-1034-865e-79a954a03d07 +creatorsName: cn=config +createTimestamp: 20150930204006Z +entryCSN: 20150930204006.374158Z#000000#000#000000 +modifiersName: cn=config +modifyTimestamp: 20150930204006Z diff --git a/roles/ldapserver/files/cn={5}sudoers.ldif b/roles/ldapserver/files/cn={5}sudoers.ldif new file mode 100644 index 0000000..2b4c2f9 --- /dev/null +++ b/roles/ldapserver/files/cn={5}sudoers.ldif 
@@ -0,0 +1,48 @@ +# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. +dn: cn={5}sudoers +objectClass: olcSchemaConfig +cn: {5}sudoers +olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s + ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substrin + gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s + ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring + sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Com + mand(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 ) +olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User( + s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466 + .115.121.1.26 ) +olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Opti + ons(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466 + .115.121.1.26 ) +olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'U + ser(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.26 ) +olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC ' + Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4. 
+ 1.1466.115.121.1.26 ) +olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'S + tart of time interval for which the entry is valid' EQUALITY generalizedTim + eMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.24 ) +olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'En + d of time interval for which the entry is valid' EQUALITY generalizedTimeMa + tch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .24 ) +olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an i + nteger to order the sudoRole entries' EQUALITY integerMatch ORDERING intege + rOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer + Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand + $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore + $ sudoNotAfter $ sudoOrder $ description ) ) +structuralObjectClass: olcSchemaConfig +entryUUID: 3a967b84-0248-1035-954b-037a0fbd2d2a +creatorsName: cn=config +createTimestamp: 20151008203808Z +entryCSN: 20151008203808.446725Z#000000#000#000000 +modifiersName: cn=config +modifyTimestamp: 20151008203808Z + diff --git a/roles/ldapserver/files/revspace.schema b/roles/ldapserver/files/revspace.schema new file mode 100644 index 0000000..ca79bfc --- /dev/null +++ b/roles/ldapserver/files/revspace.schema 
@@ -0,0 +1,94 @@ +# +# Author: "Koen Martens" +# Desc. : RevSpaceBank account balance field definition and +# mixin objectClass for RevSpace ldap directory +# RevSpace stock management object class and attributes + +# to be replaced with assigned PEN +objectIdentifier revspaceOID 1.3.6.1.4.1.36206 + +# some further derived short-hands +objectIdentifier revspaceLDAP revspaceOID:1 +objectIdentifier revspaceAttributeType revspaceLDAP:16 +objectIdentifier revspaceObjectClass revspaceLDAP:17 + +# the account balance, in eurocent +#attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributeType ( revspaceAttributeType:1 NAME 'accountBalance' + DESC 'RevSpace bank account balance in eurocent' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + EQUALITY integerMatch + SINGLE-VALUE ) + +attributeType ( revspaceAttributeType:2 NAME 'iButtonSerial' + DESC 'iButton serial' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + ORDERING caseIgnoreOrderingMatch ) + +attributeType ( revspaceAttributeType:7 NAME 'tweetEntry' + DESC 'Tweet entry' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + EQUALITY booleanMatch ) + +attributeType ( revspaceAttributeType:8 NAME 'chanmsgEntry' + DESC 'Announce entry on irc channel' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + EQUALITY booleanMatch ) + +attributeType ( revspaceAttributeType:9 NAME 'statusEntry' + DESC 'Announce entry in JSON status' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + EQUALITY booleanMatch ) + +#attributeType ( revspaceAttributeType:2 NAME 'iButtonSerial' +# DESC 'iButton serial' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.16 +# EQUALITY caseIgnoreMatch +# SUBSTR caseIgnoreSubstringsMatch +# ORDERING caseIgnoreOrderingMatch ) + +objectclass ( revspaceObjectClass:1 NAME 'revspaceAccount' + DESC 'mixin RevSpace account details' + AUXILIARY + MAY ( accountBalance $ iButtonSerial $ tweetEntry $ chanmsgEntry $ statusEntry ) ) + +# 
RevSpace stock management (bar items) +# + +attributeType ( revspaceAttributeType:3 NAME 'articleName' + DESC 'RevSpace stock management item name' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + ORDERING caseIgnoreOrderingMatch ) + +attributeType ( revspaceAttributeType:6 NAME 'barCode' + DESC 'RevSpace stock management item barcode' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + ORDERING caseIgnoreOrderingMatch ) + +attributeType ( revspaceAttributeType:4 NAME 'stock' + DESC 'Amount of items in stock' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + EQUALITY integerMatch + SINGLE-VALUE ) + +attributeType ( revspaceAttributeType:5 NAME 'price' + DESC 'Price per item in eurocent' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + EQUALITY integerMatch + SINGLE-VALUE ) + +objectclass ( revspaceObjectClass:2 NAME 'revspaceProduct' + DESC 'mixin RevSpace product details' + STRUCTURAL + MUST ( articleName $ price ) + MAY ( stock $ barCode ) ) + diff --git a/roles/ldapserver/files/ssl/cacert.pem b/roles/ldapserver/files/ssl/cacert.pem new file mode 120000 index 0000000..3ac3c86 --- /dev/null +++ b/roles/ldapserver/files/ssl/cacert.pem @@ -0,0 +1 @@ +../../../../certs/lets-encrypt-x1.pem \ No newline at end of file diff --git a/roles/ldapserver/files/ssl/server-cert.pem b/roles/ldapserver/files/ssl/server-cert.pem new file mode 120000 index 0000000..c6d1c8a --- /dev/null +++ b/roles/ldapserver/files/ssl/server-cert.pem @@ -0,0 +1 @@ +../../../../certs/ldap/ldap.space.revspace.nl.cert \ No newline at end of file diff --git a/roles/ldapserver/files/ssl/server-key.pem b/roles/ldapserver/files/ssl/server-key.pem new file mode 120000 index 0000000..715f768 --- /dev/null +++ b/roles/ldapserver/files/ssl/server-key.pem @@ -0,0 +1 @@ +../../../../certs/ldap/space.revspace.nl.key \ No newline at end of file 
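Review bot: The header still says `# to be replaced with assigned PEN` above `objectIdentifier revspaceOID 1.3.6.1.4.1.36206`, yet cn={4}revspace.ldif in this same commit already carries that arc in a schema entry with 2015 timestamps, so the placeholder comment no longer describes reality; either confirm the arc is the assigned one and reword the comment to say whose PEN it is, or keep it as an explicit TODO with an owner. The commented-out second definition of `revspaceAttributeType:2` (with SYNTAX `...1.16`) is dead text a reader will try to reconcile against the live one above it; drop it or say in one line why it is kept. revspace.schema and cn={4}revspace.ldif are two representations of the same schema, and which one the role loads is decided in ldapserver/tasks/main.yaml, which is cut off at the end of the page.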
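Review bot: `roles/ldapserver/files/ssl/server-key.pem` is a symlink to `../../../../certs/ldap/space.revspace.nl.key`, i.e. the slapd private key is expected to sit in the repository's `certs/` tree and be pushed from there; whether that file is tracked is outside this diff, but if it is, the key is readable by everyone with access to the repository and stays in history after any later removal. Keep the key out of the tree (ansible-vault, or a lookup from a secrets store at deploy time) and let the role fail clearly when it is absent. The certificate link targets `ldap.space.revspace.nl.cert` while the key targets `space.revspace.nl.key`; the names suggest different hosts, so confirm the pair actually matches. `cacert.pem` points at the same retired `lets-encrypt-x1.pem` intermediate the client role pins.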
diff --git a/roles/ldapserver/files/sudoers.ldif b/roles/ldapserver/files/sudoers.ldif
new file mode 100644
index 0000000..63508d3
--- /dev/null
+++ b/roles/ldapserver/files/sudoers.ldif
@@ -0,0 +1,77 @@ +dn: cn=sudoers,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: sudoers + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole 
entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) + diff --git a/roles/ldapserver/files/sudoers.schema b/roles/ldapserver/files/sudoers.schema new file mode 100644 index 0000000..10793ad --- /dev/null +++ b/roles/ldapserver/files/sudoers.schema 
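Review bot: The empty line between `cn: sudoers` and the first `olcAttributeTypes:`, and the one after every attribute definition that follows, terminates the LDIF record: an LDIF reader treats a blank line as the record separator, so `ldapadd`/`ldapmodify` sees an entry consisting only of `dn`, `objectClass` and `cn`, followed by attribute lines with no `dn:`, and rejects the file. Remove the blank lines so the whole schema entry is one contiguous record; the continuation lines that start with a single space are fine as they are. This file also duplicates cn={5}sudoers.ldif and sudoers.schema from the same commit; three copies of the sudo schema in one role invite drift, and which one the tasks actually load is outside this page.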
@@ -0,0 +1,73 @@ +attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +objectclass ( 
1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) + diff --git a/roles/ldapserver/handlers/main.yaml b/roles/ldapserver/handlers/main.yaml new file mode 100644 index 0000000..9d9efb3 --- /dev/null +++ b/roles/ldapserver/handlers/main.yaml @@ -0,0 +1,4 @@ +--- + +- name: Restart slapd + service: name=slapd state=restarted diff --git a/roles/ldapserver/tasks/main.yaml b/roles/ldapserver/tasks/main.yaml new file mode 100644 index 0000000..df73a44 --- /dev/null +++ b/roles/ldapserver/tasks/main.yaml 
@@ -0,0 +1,99 @@ +--- + +- name: Configure debconf items for slapd + debconf: + name: slapd + question: "slapd/{{ item.q }}" + value: "{{ item.v }}" + vtype: "{{ item.t }}" + with_items: + - { q: 'domain', v: "{{ slapd_domain }}", t: 'string' } + - { q: 'backend', v: "MDB", t: 'select' } + notify: + - Restart slapd + +- name: Configure debconf items for slapd (passwords) + debconf: + name: slapd + question: "slapd/{{ item.q }}" + value: "{{ item.v }}" + vtype: "{{ item.t }}" + with_items: + - { q: 'password1', v: "{{ slapd_admin_pass }}", t: 'password' } + - { q: 'password2', v: "{{ slapd_admin_pass }}", t: 'password' } + changed_when: false + no_log: "{{ filter_logs|default('true') }}" + +- name: Install required software + apt: + pkg: + - slapd + - ldap-utils + state: present + +- name: Set ldap OLC password + lineinfile: + dest: "/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif" + line: "olcRootPW: {{ slapd_config_pass }}" + insertafter: "^modifyTimeStamp:" + regexp: "^olcRootPW" + notify: + - Restart slapd + +- name: Copy revspace schema and olcConfig + copy: + src: "{{ item.src }}" + dest: "/etc/ldap/{{ item.dst }}" + owner: "openldap" + group: "openldap" + mode: "0644" + with_items: + - { src: "revspace.schema", dst: "schema/revspace.schema" } + - { src: "sudoers.schema", dst: "schema/sudoers.schema" } + - { src: "cn={4}revspace.ldif", dst: "slapd.d/cn=config/cn=schema/cn={4}revspace.ldif" } + - { src: "cn={5}sudoers.ldif", dst: "slapd.d/cn=config/cn=schema/cn={5}sudoers.ldif" } + notify: + - Restart slapd + +#- name: Create directory for certificates +# file: path={{ slapd_certpath }} state=directory owner=openldap group=openldap mode=0700 +# +#- name: Copy TLS files +# copy: src=ssl/{{ item }} dest={{ slapd_certpath }}/{{ item }} owner=openldap group=openldap mode=0400 +# with_items: +# - cacert.pem +# - server-key.pem +# - server-cert.pem + +- name: Template olc edits + template: + src: "{{ item }}.j2" + dest: "/etc/ldap/{{ item }}.ldif" + owner: 
"openldap" + group: "openldap" + mode: "0600" + with_items: + - olcAccess + - olcSSL + register: olcedits + notify: + - Restart slapd + +- name: Update olcConfig + command: "ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/{{ item }}.ldif" + with_items: + - olcAccess + - olcSSL + when: olcedits is changed + ignore_errors: true + changed_when: false + notify: + - Restart slapd + +- name: Enable SSL listener + lineinfile: + dest: "/etc/default/slapd" + line: "SLAPD_SERVICES=\"ldap:/// ldaps:/// ldapi:///\"" + regexp: "^SLAPD_SERVICES" + notify: + - Restart slapd diff --git a/roles/ldapserver/templates/olcAccess.j2 b/roles/ldapserver/templates/olcAccess.j2 new file mode 100644 index 0000000..5498319 --- /dev/null +++ b/roles/ldapserver/templates/olcAccess.j2 @@ -0,0 +1,8 @@ +dn: olcDatabase={1}mdb,cn=config +changetype: modify +add: olcAccess +olcAccess: {1}to attrs=loginShell,gecos + by dn="cn=admin,{{slapd_root}}" write + by self write + by * read + diff --git a/roles/ldapserver/templates/olcSSL.j2 b/roles/ldapserver/templates/olcSSL.j2 new file mode 100644 index 0000000..41f14af --- /dev/null +++ b/roles/ldapserver/templates/olcSSL.j2 @@ -0,0 +1,15 @@ +# {{ansible_managed }} +dn: cn=config +changetype: modify +replace: olcTLSCACertificateFile +olcTLSCACertificateFile: {{slapd_certpath}}/fullchain.pem +- +replace: olcTLSCertificateKeyFile +olcTLSCertificateKeyFile: {{slapd_certpath}}/privkey.pem +- +replace: olcTLSCertificateFile +olcTLSCertificateFile: {{slapd_certpath}}/cert.pem +- +replace: olcTLSCipherSuite +olcTLSCipherSuite: {{slapd_cipher_suite}} + diff --git a/roles/ldapserver/vars/.gitignore b/roles/ldapserver/vars/.gitignore new file mode 100644 index 0000000..4a424df --- /dev/null +++ b/roles/ldapserver/vars/.gitignore @@ -0,0 +1 @@ +secret.yaml diff --git a/roles/ldapserver/vars/main.yaml b/roles/ldapserver/vars/main.yaml new file mode 100644 index 0000000..a4024be --- /dev/null +++ b/roles/ldapserver/vars/main.yaml 
@@ -0,0 +1,9 @@ +--- + +slapd_config_pass: "{{ lookup('passwordstore', 'revspace/ldap/config') }}" +slapd_admin_pass: "{{ lookup('passwordstore', 'revspace/ldap/admin') }}" + +slapd_domain: "space.revspace.nl" +slapd_root: "dc=space,dc=revspace,dc=nl" +slapd_certpath: "/etc/dehydrated/certs/ldap.space.revspace.nl/" +slapd_cipher_suite: "SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC" From b186b43e3e15109439cfbef3dd34968486c4eca7 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Wed, 30 Apr 2025 21:43:33 +0200 Subject: [PATCH 02/11] ldap client playbook, untested --- ldapclient.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ldapclient.yaml diff --git a/ldapclient.yaml b/ldapclient.yaml new file mode 100644 index 0000000..3417a12 --- /dev/null +++ b/ldapclient.yaml @@ -0,0 +1,7 @@ +--- + +- hosts: shell-jessie:shell-stretch:shell-sid:mediaserver:grafiekjes + become: no + user: root + roles: + - ldapclient From eb0a72430908429308c283494406582b7e433abf Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 4 May 2025 23:05:15 +0200 Subject: [PATCH 03/11] bank: Changes required for RevBank 10.0 --- roles/bank/tasks/revbank.yaml | 36 ++++++----------------------------- roles/bank/templates/git.cron | 2 +- 2 files changed, 7 insertions(+), 31 deletions(-) diff --git a/roles/bank/tasks/revbank.yaml b/roles/bank/tasks/revbank.yaml index ec283d1..73e770a 100644 --- a/roles/bank/tasks/revbank.yaml +++ b/roles/bank/tasks/revbank.yaml 
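Review bot: `slapd_cipher_suite` lists `!CAMELLIA-128-CBC` twice, and as I read GnuTLS priority strings the `SECURE256` keyword already limits the set to 256-bit ciphers, which would make the `!…-128-…` and `!3DES-CBC` exclusions no-ops. A string that carries real information would be `"SECURE256:-VERS-TLS1.0:-VERS-TLS1.1"` (or leave the version floor to `olcTLSProtocolMin`) and drop the duplicate. `slapd_certpath` also ends in `/`, so templates appending `/cert.pem` render `//`; both passwords coming from passwordstore is the right approach and needs no change.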
@@ -11,40 +11,16 @@ dest: /home/{{ bank_user }}/revbank.git accept_hostkey: yes -- name: Create data files - ansible.builtin.command: cp /home/{{ bank_user }}/revbank.git/{{ item }} /home/{{ bank_user }}/{{ item }} - args: - creates: /home/{{ bank_user }}/{{ item }} - with_items: - - revbank.accounts - - revbank.market - - revbank.products - -- name: Ensure data file permissions - ansible.builtin.file: - path: /home/{{ bank_user }}/{{ item }} - state: touch - owner: "{{ bank_user }}" - group: "{{ bank_user }}" - mode: 0644 - with_items: - - revbank.accounts - - revbank.market - - revbank.products - - name: Link plugins ansible.builtin.file: state: link - path: /home/{{ bank_user }}/{{ item }} - src: /home/{{ bank_user }}/revbank.git/{{ item }} + src: "{{ item.src }}" + path: "{{ item.dest }}" with_items: - - plugins - - revbank.plugins - -- name: Create git data dir - ansible.builtin.file: - path: /home/{{ bank_user }}/data.git - state: directory + - src: /home/{{ bank_user }}/revbank.git/plugins + dest: /home/{{ bank_user }}/plugins + - src: /home/{{ bank_user }}/revbank.git/data/plugins + dest: /home/{{ bank_user }}/.revbank/plugins - name: Install git cronjob ansible.builtin.template: diff --git a/roles/bank/templates/git.cron b/roles/bank/templates/git.cron index b334260..32308cf 100644 --- a/roles/bank/templates/git.cron +++ b/roles/bank/templates/git.cron @@ -1,4 +1,4 @@ SHELL=/bin/bash #m h dom mon dow user command - */10 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto && cp revbank.products ../revbank.products) + */10 * * * * {{ bank_user }} git -C ~/.revbank pull -r && git -C ~/.revbank push From a5930bb1aa8a39cf7aea847309c7fab0068c5837 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 4 May 2025 23:12:44 +0200 Subject: [PATCH 04/11] bank: qrencode is no longer needed --- roles/bank/tasks/revbank.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
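Review bot: After this hunk nothing in the role creates or clones `/home/{{ bank_user }}/.revbank`, yet the new symlink `~/.revbank/plugins` needs that directory to exist (`file: state: link` does not create parents) and the cron line in the next file runs `git -C ~/.revbank pull`. The removed `Create git data dir` task was the only step that prepared a data directory; unless `~/.revbank` is provisioned by hand or in a task outside this hunk, add an `ansible.builtin.git` (or `file: state: directory`) task for it, owned by `{{ bank_user }}`, before the link task. The hunk also drops the `0644` permission fix on the ledger files; whether RevBank 10 now manages those itself is outside what the diff shows.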
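Review bot: The new cron line runs `git pull -r` unattended on the ledger repository; if the working tree has uncommitted changes or the rebase conflicts, git stops mid-rebase and every subsequent 10-minute run fails the same way, with cron mail as the only signal, while RevBank keeps writing locally and the two histories diverge. Consider `git -C ~/.revbank pull --rebase --autostash` plus an explicit failure path such as `|| git -C ~/.revbank rebase --abort`, or a small wrapper script that logs to a file, so a stuck repository is noticed. Whether RevBank 10 commits its own changes before this job runs I cannot tell from the diff.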
diff --git a/roles/bank/tasks/revbank.yaml b/roles/bank/tasks/revbank.yaml index 73e770a..5a0cf6c 100644 --- a/roles/bank/tasks/revbank.yaml +++ b/roles/bank/tasks/revbank.yaml @@ -1,7 +1,7 @@ --- - name: Install dependencies ansible.builtin.apt: - name: [ git, libterm-readline-gnu-perl, libcurses-ui-perl, qrencode ] + name: [ git, libterm-readline-gnu-perl, libcurses-ui-perl ] state: present - name: Clone revbank source From e65ffd5dc73fea19df70c43a1e2472156a84ae2e Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Mon, 5 May 2025 22:59:52 +0200 Subject: [PATCH 05/11] services/discord_bot: Some tweaks --- roles/services/tasks/discord_bot.yaml | 19 ++++++++----------- roles/services/templates/discord-bot.service | 3 ++- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/roles/services/tasks/discord_bot.yaml b/roles/services/tasks/discord_bot.yaml index 19a659f..4d742f6 100644 --- a/roles/services/tasks/discord_bot.yaml +++ b/roles/services/tasks/discord_bot.yaml @@ -2,23 +2,14 @@ - name: Install dependencies ansible.builtin.apt: - name: - - python3-paho-mqtt - - python3-tz - - virtualenv + name: virtualenv - name: Create virtualenv ansible.builtin.command: - cmd: virtualenv /opt/miflora_exporter/.venv + cmd: virtualenv /var/lib/discord-bot/.venv args: creates: /var/lib/discord-bot/.venv -- name: Install Python dependencies - ansible.builtin.shell: - cmd: . .venv/bin/activate && pip install -r requirements.txt - args: - chdir: /var/lib/discord-bot - - name: Clone source ansible.builtin.git: repo: https://git.bitlair.nl/bitlair/discord-bot.git @@ -28,6 +19,12 @@ notify: Restart discord-bot ignore_errors: true +- name: Install Python dependencies + ansible.builtin.shell: + cmd: . .venv/bin/activate && pip install -r requirements.txt + args: + chdir: /var/lib/discord-bot + - name: Install service file ansible.builtin.template: src: discord-bot.service 
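Review bot: `Install Python dependencies` is a `shell` task with no `changed_when` or `creates`, so it reports changed and re-runs `pip install` on every play, installing whatever `requirements.txt` resolves to at that moment into a process that holds the Discord token; if that file does not pin versions and hashes this is an unreviewed supply-chain path. Register the result and set `changed_when: "'Successfully installed' in pip_result.stdout"`, and once the requirements file carries hashes switch to `pip install --require-hashes -r requirements.txt`. The enclosing task list continues outside the hunk.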
diff --git a/roles/services/templates/discord-bot.service b/roles/services/templates/discord-bot.service index 2c73d05..ccac806 100644 --- a/roles/services/templates/discord-bot.service +++ b/roles/services/templates/discord-bot.service @@ -1,4 +1,4 @@ -# Managed by Ansible +# {{ ansible_managed }} [Unit] Description=HobbyBot @@ -13,6 +13,7 @@ DynamicUser=true Environment="MQTT_HOST={{ mqtt_internal_host }}" Environment="DISCORD_WEBHOOK_URL={{ lookup('passwordstore', 'services/discord', subkey='webhook_url') }}" Environment="DISCORD_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='token') }}" +Environment="BOTTLECLIP_GIT_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='bottleclip_git_token') }}" [Install] WantedBy=multi-user.target From 2f9ca22e90d3f1ad558daafcd9e8be19162949d7 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Tue, 6 May 2025 18:25:31 +0200 Subject: [PATCH 06/11] bank: Use new REVBANK_PLUGINS env var --- roles/bank/tasks/login.yaml | 12 ++++++++++-- roles/bank/tasks/revbank.yaml | 13 +------------ roles/bank/templates/login.sh | 6 ++++++ 3 files changed, 17 insertions(+), 14 deletions(-) create mode 100644 roles/bank/templates/login.sh diff --git a/roles/bank/tasks/login.yaml b/roles/bank/tasks/login.yaml index 7ed568e..24fe3e0 100644 --- a/roles/bank/tasks/login.yaml +++ b/roles/bank/tasks/login.yaml @@ -1,10 +1,18 @@ --- +- name: Install revbank login shell + ansible.builtin.template: + src: login.sh + dest: /usr/local/bin/revbank-login + owner: root + group: root + mode: "0755" + - name: Add user ansible.builtin.user: name: bank password: $6$idklol$QrOE/21LDR0vhZBAXwgA7AvnmR6Ju4ZqzAzgeazC08i2yw9kyQjgwu.uuV692iL/cyE7AteDYUxCpcorONXom. # "bank" home: /home/{{ bank_user }} - shell: /home/{{ bank_user }}/revbank.git/revbank + shell: /usr/local/bin/revbank-login update_password: always - name: Allow password auth for bank user 
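Review bot: `BOTTLECLIP_GIT_TOKEN` is added as a plaintext `Environment=` line in the unit file, following the existing `DISCORD_TOKEN` and webhook lines; unit files under `/etc/systemd/system` are world-readable by default and `systemctl show discord-bot` prints the environment to any local user, so every account on the host can read the credentials (the `Install service file` task's `mode` is not visible here — confirm). Move the secrets to an `EnvironmentFile=` with mode 0600, or to `LoadCredential=`, which also works with `DynamicUser=true`, and keep only non-secret settings such as `MQTT_HOST` inline.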
@@ -13,7 +21,7 @@ insertafter: EOF validate: "/usr/sbin/sshd -t -f %s" block: |- - Match User bank + Match User {{ bank_user }} PasswordAuthentication yes notify: reload sshd diff --git a/roles/bank/tasks/revbank.yaml b/roles/bank/tasks/revbank.yaml index 5a0cf6c..1870ff1 100644 --- a/roles/bank/tasks/revbank.yaml +++ b/roles/bank/tasks/revbank.yaml @@ -8,20 +8,9 @@ ansible.builtin.git: repo: "{{ bank_revbank_git }}" version: master - dest: /home/{{ bank_user }}/revbank.git + dest: /usr/local/share/revbank accept_hostkey: yes -- name: Link plugins - ansible.builtin.file: - state: link - src: "{{ item.src }}" - path: "{{ item.dest }}" - with_items: - - src: /home/{{ bank_user }}/revbank.git/plugins - dest: /home/{{ bank_user }}/plugins - - src: /home/{{ bank_user }}/revbank.git/data/plugins - dest: /home/{{ bank_user }}/.revbank/plugins - - name: Install git cronjob ansible.builtin.template: src: git.cron diff --git a/roles/bank/templates/login.sh b/roles/bank/templates/login.sh new file mode 100644 index 0000000..6deaf2b --- /dev/null +++ b/roles/bank/templates/login.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +export REVBANK_DIR=/usr/local/share/revbank +export REVBANK_PLUGINS="$(cat $REVBANK_DIR/data/plugins | sed 's/ *#.*$//g' | sed '/^$/d' | tr '\n' ' ')" + +$REVBANK_DIR/revbank From b9be1729b31ae22f3c96254893febf721002655a Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Wed, 7 May 2025 00:47:00 +0200 Subject: [PATCH 07/11] bank: RevBank 10.2 --- roles/bank/tasks/login.yaml | 10 +--------- roles/bank/tasks/revbank.yaml | 7 +++++++ roles/bank/templates/login.sh | 6 ------ 3 files changed, 8 insertions(+), 15 deletions(-) delete mode 100644 roles/bank/templates/login.sh diff --git a/roles/bank/tasks/login.yaml b/roles/bank/tasks/login.yaml index 24fe3e0..f54bbfd 100644 --- a/roles/bank/tasks/login.yaml +++ b/roles/bank/tasks/login.yaml 
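Review bot: The `Match User {{ bank_user }}` block only turns on `PasswordAuthentication` for an account whose password is documented in this role as `"bank"`; unless the global sshd_config already disables it, that account can still be used for `ssh -N -L`/`-D` port forwarding and agent/X11 forwarding even though its login shell is not a real shell, which turns a kiosk account into a network pivot for anyone who can reach sshd. Add `AllowTcpForwarding no`, `AllowAgentForwarding no`, `X11Forwarding no` and `PermitTunnel no` to the same block; `PermitTTY` stays at its default since RevBank is interactive. The `blockinfile` task begins above the hunk.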
@@ -1,18 +1,10 @@ --- -- name: Install revbank login shell - ansible.builtin.template: - src: login.sh - dest: /usr/local/bin/revbank-login - owner: root - group: root - mode: "0755" - - name: Add user ansible.builtin.user: name: bank password: $6$idklol$QrOE/21LDR0vhZBAXwgA7AvnmR6Ju4ZqzAzgeazC08i2yw9kyQjgwu.uuV692iL/cyE7AteDYUxCpcorONXom. # "bank" home: /home/{{ bank_user }} - shell: /usr/local/bin/revbank-login + shell: /usr/local/share/revbank/revbank update_password: always - name: Allow password auth for bank user diff --git a/roles/bank/tasks/revbank.yaml b/roles/bank/tasks/revbank.yaml index 1870ff1..e87f849 100644 --- a/roles/bank/tasks/revbank.yaml +++ b/roles/bank/tasks/revbank.yaml @@ -11,6 +11,13 @@ dest: /usr/local/share/revbank accept_hostkey: yes +- name: Clone revbank-plugin source + ansible.builtin.git: + repo: https://git.bitlair.nl/bitlair-bestuur/revbank-plugins.git + version: main + dest: /usr/local/share/revbank-plugins + accept_hostkey: yes + - name: Install git cronjob ansible.builtin.template: src: git.cron diff --git a/roles/bank/templates/login.sh b/roles/bank/templates/login.sh deleted file mode 100644 index 6deaf2b..0000000 --- a/roles/bank/templates/login.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -export REVBANK_DIR=/usr/local/share/revbank -export REVBANK_PLUGINS="$(cat $REVBANK_DIR/data/plugins | sed 's/ *#.*$//g' | sed '/^$/d' | tr '\n' ' ')" - -$REVBANK_DIR/revbank From 1b04d0f5c398627a53be6c1bdf7d73c4a8d9c0b1 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Wed, 7 May 2025 01:00:01 +0200 Subject: [PATCH 08/11] bank: RevBank 10.3 --- roles/bank/defaults/main.yaml | 2 +- roles/bank/tasks/revbank.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/bank/defaults/main.yaml b/roles/bank/defaults/main.yaml index b0fea92..d0a5ca6 100644 --- a/roles/bank/defaults/main.yaml +++ b/roles/bank/defaults/main.yaml 
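Review bot: `Clone revbank-plugin source` tracks `version: main` with no pin, so every play pulls the current HEAD of the plugins repository into Perl that executes as the bank account on every login, with no review step; pin `version:` to a tag or commit SHA and bump it deliberately, as patch 8 later does for revbank itself but not for this clone. `accept_hostkey: yes` has no effect on an https URL and can be dropped. Pointing the login shell at a file straight out of a git checkout (`/usr/local/share/revbank/revbank`) is acceptable only while the checkout stays root-owned and unwritable by the bank user — worth a comment next to `shell:` in `login.yaml`.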
@@ -1,3 +1,3 @@ bank_user: bank -bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git bank_local_tty: no +bank_revbank_version: "10.3.0" diff --git a/roles/bank/tasks/revbank.yaml b/roles/bank/tasks/revbank.yaml index e87f849..9f3f84c 100644 --- a/roles/bank/tasks/revbank.yaml +++ b/roles/bank/tasks/revbank.yaml @@ -6,8 +6,8 @@ - name: Clone revbank source ansible.builtin.git: - repo: "{{ bank_revbank_git }}" - version: master + repo: https://github.com/revspace/revbank.git + version: "v{{ bank_revbank_version }}" dest: /usr/local/share/revbank accept_hostkey: yes From 4f6025849f8215822c7e2be60cd3743126c71a49 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Wed, 7 May 2025 14:30:45 +0200 Subject: [PATCH 09/11] Update bitlair-plugin git upstream --- roles/bank/tasks/revbank.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bank/tasks/revbank.yaml b/roles/bank/tasks/revbank.yaml index 9f3f84c..3b2ec65 100644 --- a/roles/bank/tasks/revbank.yaml +++ b/roles/bank/tasks/revbank.yaml @@ -13,7 +13,7 @@ - name: Clone revbank-plugin source ansible.builtin.git: - repo: https://git.bitlair.nl/bitlair-bestuur/revbank-plugins.git + repo: https://git.bitlair.nl/bitlair/revbank-plugins.git version: main dest: /usr/local/share/revbank-plugins accept_hostkey: yes From 3a0071abfa921de398aa751b9cabedefe2915b2d Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Fri, 9 May 2025 14:34:44 +0200 Subject: [PATCH 10/11] services/siahsd: Install from Debian package --- bitlair.yaml | 1 + group_vars/all.yaml | 2 ++ roles/services/tasks/siahsd.yaml | 19 ++++--------------- roles/services/templates/siahsd.conf | 25 ++----------------------- roles/services/templates/siahsd.service | 17 ----------------- services.yaml | 1 + 6 files changed, 10 insertions(+), 55 deletions(-) delete mode 100644 roles/services/templates/siahsd.service diff --git a/bitlair.yaml b/bitlair.yaml index b463ff7..950d555 100644 --- a/bitlair.yaml +++ b/bitlair.yaml 
@@ -58,6 +58,7 @@ - hosts: services roles: + - { role: "deb_forgejo", tags: [ "deb_forgejo" ] } - { role: "services", tags: ["services"] } - hosts: wiki diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 39de4c0..0169ce1 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -37,5 +37,7 @@ debian_repourl: "http://deb.debian.org/debian/" debian_securityurl: "http://security.debian.org/debian-security" deb_forgejo_repos: + - host: git.bitlair.nl + owner: bitlair - host: git.polyfloyd.net owner: polyfloyd diff --git a/roles/services/tasks/siahsd.yaml b/roles/services/tasks/siahsd.yaml index c7c3b0b..fc7fef5 100644 --- a/roles/services/tasks/siahsd.yaml +++ b/roles/services/tasks/siahsd.yaml @@ -1,16 +1,15 @@ --- -# TODO: Install and build +- name: Install siahsd + apt: + name: siahsd - name: Create directories ansible.builtin.file: - path: "{{ item }}" + path: /var/log/siahsd state: directory owner: siahsd group: nogroup mode: "0750" - with_items: - - /var/log/siahsd - - /var/lib/siahsd - name: Install config file ansible.builtin.template: @@ -21,19 +20,9 @@ mode: "0644" notify: Restart siahsd -- name: Install service file - ansible.builtin.template: - src: siahsd.service - dest: /etc/systemd/system/siahsd.service - owner: root - group: root - mode: "0644" - notify: Restart siahsd - - name: Start siahsd ansible.builtin.systemd: name: siahsd state: started enabled: true daemon_reload: true - diff --git a/roles/services/templates/siahsd.conf b/roles/services/templates/siahsd.conf index 5d8e94f..ee18220 100644 --- a/roles/services/templates/siahsd.conf +++ b/roles/services/templates/siahsd.conf @@ -1,3 +1,5 @@ +# {{ ansible_managed }} + [siahsd] pid file = /var/lib/siahsd/siahsd.pid log file = /var/log/siahsd/siahsd.log @@ -5,13 +7,6 @@ log level = 3 foreground = 0 event handlers = script -#[database] -#driver = mysql -#host = localhost -#name = siahsd -#username = siahsd -#password = MysbJxAaawmwKPqD - [siahs] port = 4000 
@@ -19,21 +14,5 @@ port = 4000 port = 9000 rsa key file = something.sexp -#[jsonbot] -#address = 192.168.88.15 -#port = 5500 -#aes key = blablablablablaz -#password = mekker -#privmsg to = #bitlair - -#[spacestate] -#driver = mysql -#host = localhost -#name = bitwifi -#username = bitwifi -#password = aGWERQpLEQPUaXJV -#open script = /opt/alarm/disarmed.sh -#close script = /opt/alarm/armed.sh - [script] path = /opt/alarm/siahsd_handler.sh diff --git a/roles/services/templates/siahsd.service b/roles/services/templates/siahsd.service deleted file mode 100644 index 479324c..0000000 --- a/roles/services/templates/siahsd.service +++ /dev/null @@ -1,17 +0,0 @@ -# Managed by Ansible - -[Unit] -Description=Siahsd -After=network.target - -[Service] -Type=forking -PIDFile=/var/lib/siahsd/siahsd.pid -Restart=always -RestartSec=10s -ExecStartPre=-/bin/rm /var/lib/siahsd/siahsd.pid -ExecStart=/usr/local/src/siahsd/build/siahsd -User=siahsd - -[Install] -WantedBy=multi-user.target diff --git a/services.yaml b/services.yaml index e66fc11..52103e0 100644 --- a/services.yaml +++ b/services.yaml @@ -3,4 +3,5 @@ - hosts: services roles: - { role: "common", tags: [ "common" ] } + - { role: "deb_forgejo", tags: [ "deb_forgejo" ] } - { role: "services", tags: [ "services" ] } From 1d8e07bf0468a7440d4c2d26a5e68020983ea9d8 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Fri, 9 May 2025 17:40:10 +0200 Subject: [PATCH 11/11] services/discord_bot: New bottle-clip implementation --- roles/services/tasks/discord_bot.yaml | 15 ++++++++++++--- roles/services/templates/discord-bot.service | 2 +- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/roles/services/tasks/discord_bot.yaml b/roles/services/tasks/discord_bot.yaml index 4d742f6..3ce4308 100644 --- a/roles/services/tasks/discord_bot.yaml +++ b/roles/services/tasks/discord_bot.yaml 
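Review bot: The removed `[jsonbot]`/`[spacestate]` blocks (and the `[database]` block in the previous hunk) carried what look like real credentials — an `aes key` and two `password =` values — that have been in this repository's history even though commented out; deleting them from the template does not revoke them, so rotate those secrets if they were ever live and consider a history rewrite if the repository is shared. What remains is `rsa key file = something.sexp`, a relative placeholder-looking path; confirm it resolves for the packaged `siahsd`, whose working directory is now whatever the Debian unit sets, or make it absolute.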
@@ -2,7 +2,9 @@ - name: Install dependencies ansible.builtin.apt: - name: virtualenv + name: + - openscad + - virtualenv - name: Create virtualenv ansible.builtin.command: @@ -10,14 +12,21 @@ args: creates: /var/lib/discord-bot/.venv -- name: Clone source +- name: Clone bottleclip source + ansible.builtin.git: + repo: https://git.bitlair.nl/bitlair/bottle-clip.git + version: main + dest: /var/lib/bottle-clip + accept_hostkey: yes + notify: Restart discord-bot + +- name: Clone discord-bot source ansible.builtin.git: repo: https://git.bitlair.nl/bitlair/discord-bot.git version: main dest: /var/lib/discord-bot accept_hostkey: yes notify: Restart discord-bot - ignore_errors: true - name: Install Python dependencies ansible.builtin.shell: diff --git a/roles/services/templates/discord-bot.service b/roles/services/templates/discord-bot.service index ccac806..7522fd9 100644 --- a/roles/services/templates/discord-bot.service +++ b/roles/services/templates/discord-bot.service @@ -13,7 +13,7 @@ DynamicUser=true Environment="MQTT_HOST={{ mqtt_internal_host }}" Environment="DISCORD_WEBHOOK_URL={{ lookup('passwordstore', 'services/discord', subkey='webhook_url') }}" Environment="DISCORD_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='token') }}" -Environment="BOTTLECLIP_GIT_TOKEN={{ lookup('passwordstore', 'services/discord', subkey='bottleclip_git_token') }}" +Environment="BOTTLECLIP_RESOURCES=/var/lib/bottle-clip" [Install] WantedBy=multi-user.target
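Review bot: Dropping `ignore_errors: true` from `Clone discord-bot source` is the right direction, but as far as I can tell the `Create virtualenv` task above this hunk populates `/var/lib/discord-bot/.venv` first on a fresh host, and `git clone` refuses a non-empty destination, so the first run would now stop here — presumably the reason the flag was there. Clone before creating the virtualenv, or point `virtualenv` at a sibling path such as `/var/lib/discord-bot-venv`. Both clones also track `main` unpinned; the bot holds the Discord token, so pin `version:` to a tag or commit.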