diff --git a/common/nginx/includes/verwaltung-jameica.warpzone.ms b/common/nginx/includes/verwaltung-jameica.warpzone.ms
new file mode 100644
index 0000000000000000000000000000000000000000..963d120eb0eb5af6f233a940c5dbf4e72b4efd94
--- /dev/null
+++ b/common/nginx/includes/verwaltung-jameica.warpzone.ms
@@ -0,0 +1,48 @@
+
+
+
+ location = / {
+ return 301 https://$host/vnc.html;
+ }
+
+ location / {
+
+ # Enable Authentication
+ auth_request /auth-proxy;
+
+ # Enable websockets for the noVNC console to work
+ proxy_http_version 1.1;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Origin http://$host;
+ proxy_set_header Upgrade $http_upgrade;
+
+ # VNC connection timeout
+ proxy_read_timeout 61s;
+
+ # Disable cache
+ proxy_buffering off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://127.0.0.1:42005/;
+ proxy_redirect off;
+
+ }
+
+ location = /auth-proxy {
+ internal;
+
+ proxy_pass http://127.0.0.1:52005/auth;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_cache_valid 202 10m;
+
+ # The following directive adds the cookie to the cache key
+ proxy_cache_key "$http_authorization";
+
+ proxy_set_header X-Ldap-Group "*";
+ }
diff --git a/common/nginx/tasks/config_site.yml b/common/nginx/tasks/config_site.yml
index a867aac369a572171d9995b61b076aae16745221..1dd25b6b4c56acab978599a78bf141337a776735 100644
--- a/common/nginx/tasks/config_site.yml
+++ b/common/nginx/tasks/config_site.yml
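Review bot: `proxy_cache_valid 202 10m;` and `proxy_cache_key "$http_authorization";` in the `/auth-proxy` location have no effect because no `proxy_cache` zone is declared anywhere in the hunk, so every request, including each websocket upgrade, is re-checked against the LDAP proxy; either declare a `proxy_cache` zone or delete both lines, and correct the comment, which says "cookie" while the key is the `Authorization` header. `proxy_set_header Origin http://$host;` overwrites the browser's Origin, so any origin check in the noVNC/websockify backend can no longer tell a cross-site caller apart; unless the backend is known to require that value, pass `proxy_set_header Origin $http_origin;` instead. `return 301 https://$host/vnc.html;` reflects the request's Host header, which is only safe while this include is reached through a `server_name` match rather than a default server; a one-line comment stating that assumption would help the next reader.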
@@ -7,15 +7,16 @@ stat: path: /etc/letsencrypt/live/{{ item }}/privkey.pem register: cert + when: webserver_ssl == true - name: Stop nginx service: name=nginx state=stopped notify: restart nginx - when: cert.stat.exists == False + when: webserver_ssl == true and cert.stat.exists == False - name: Get Certificate for {{ item }} via Certbot command: "certbot certonly --non-interactive --agree-tos --standalone -m {{ letsencrypt_mail }} -w /var/www/html/ -d {{ item }}" - when: cert.stat.exists == False + when: webserver_ssl == true and cert.stat.exists == False - name: Create nginx config for {{ item }} template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}
diff --git a/common/nginx/tasks/main.yml b/common/nginx/tasks/main.yml
index ef6e8b9db3ff18d25099bd92f2aa78fdc2421814..dc2c8d18efe2114f19d69c65e4bae880e4cea581 100644
--- a/common/nginx/tasks/main.yml
+++ b/common/nginx/tasks/main.yml
@@ -7,27 +7,34 @@ vars: packages: - nginx-light - - libnginx-mod-http-lua + +# Pakete installieren (SSL) +- name: openssl and certbot installieren + apt: + name: "{{ packages }}" + update_cache: yes + state: present + vars: + packages: - ca-certificates - openssl - certbot - - git - - -# DH Parameter geneieriern + when: webserver_ssl == true +# DH Parameter erzeugen - name: check if DH Params exists stat: path: /etc/nginx/dhparams.pem register: dhparams + when: webserver_ssl == true + - name: generate new DH Params command: openssl dhparam -out /etc/nginx/dhparams.pem 2048 - when: dhparams.stat.exists == False + when: webserver_ssl == true and dhparams.stat.exists == False # NginX einrichten - - name: nginx default Konfig entfernen file: path: /etc/nginx/sites-enabled/default
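Review bot: The new `when: webserver_ssl == true` guards (the three in this hunk, and the same pattern in both main.yml hunks that follow) abort with an undefined-variable error on any host whose host_vars do not set `webserver_ssl`, unless the role's defaults, which are not shown, define it; add `webserver_ssl: true` to the role defaults or write `when: webserver_ssl | default(true)` so hosts without the variable keep the TLS path. The tasks that read `cert.stat.exists` appear safe when the stat task was skipped only because Jinja's `and` short-circuits on the first operand, which is worth a comment on the `Stop nginx` task. Ansible idiom is to test booleans directly, e.g. `when: webserver_ssl and not cert.stat.exists`, rather than `== true and … == False`, and `update_cache: yes` in main.yml should be `update_cache: true`.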
@@ -35,22 +42,24 @@ # LetsEncrypt Script erstellen - - name: LetsEncrypt Script erstellen template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x notify: restart nginx + when: webserver_ssl == true + - name: Cronjob für Zertifikatserneuerung cron: name="letsencrypt" weekday="*" hour="6" minute="0" job="/opt/letsencrypt.sh" + when: webserver_ssl == true # nginx konfigurieren - - include: config_site.yml with_items: - "{{ webserver_domains }}" +# matrix config - name: Konfig-Datei matrix erstellen template: src=nginx-matrix dest=/etc/nginx/sites-enabled/matrix notify: restart nginx @@ -62,7 +71,6 @@ # telegraf konfigurieren - - name: Konfig-Datei status erstellen template: src=telegraf.conf dest=/etc/telegraf/telegraf.d/nginx.conf notify: restart telegraf diff --git a/common/nginx/templates/nginx-site b/common/nginx/templates/nginx-site index 6913ebdc86ae01728c526038b6e61706903cc58f..1a6b4df303b5b0f73ab700cc27454ec601fa27fe 100644 --- a/common/nginx/templates/nginx-site +++ b/common/nginx/templates/nginx-site @@ -14,16 +14,25 @@ server { root /dev/null; index index.html; + {% if webserver_ssl == true %} + location /.well-known/acme-challenge/ { root /var/www/html/; } - location / { + location / { rewrite ^(.*) https://{{ item }}$1 permanent; } + + {% else %} + + {% include "includes/" + item ignore missing %} + {% endif %} } +{% if webserver_ssl == true %} + server { listen 443 ssl http2; @@ -47,4 +56,4 @@ server { } - +{% endif %} diff --git a/host_vars/develop b/host_vars/develop index 6c2b19f148d13849b1eaf65d9706aeb13d958181..6208a291cf6b9fdce1412aebc9286da78136f232 100644 --- a/host_vars/develop +++ b/host_vars/develop @@ -27,9 +27,14 @@ int_ip4: 192.168.0.202 # Art des Hosts: physical, vm, docker host_type: "physical" +# SSL deaktivieren +webserver_ssl: false +# Liste der gehosteten Domänen webserver_domains: - - "test.warpzone" + - "boxoffice-test.warpzone" + - "infra-test.warpzone" + - "ldap-test.warpzone" 
diff --git a/host_vars/verwaltung b/host_vars/verwaltung
index da407910ae9f0e13085b2042c5c3826269ff9641..794f37c8455e2dd5c1a814f53786e352c9bb9c0d 100644
--- a/host_vars/verwaltung
+++ b/host_vars/verwaltung
@@ -36,6 +36,7 @@ webserver_ssl: true webserver_domains: - "verwaltung.warpzone.ms" - "verwaltung-git.warpzone.ms" + - "verwaltung-jameica.warpzone.ms" - "verwaltung-ldap.warpzone.ms"
diff --git a/host_vars/webserver-test b/host_vars/webserver-test
index 348cdf10cb288ef19338f7efad018c0ccb5167a9..0a951ddfc371a894f14a97258933b340ecf9e5cb 100644
--- a/host_vars/webserver-test
+++ b/host_vars/webserver-test
@@ -21,8 +21,10 @@ debian_keys: # Art des Hosts: physical, vm, docker host_type: "vm" +# SSL aktivieren +webserver_ssl: true - +# Liste der gehosteten Domänen webserver_domains: - "infra-test.warpzone.ms" - "jabber-test.warpzone.ms"
diff --git a/site.yml b/site.yml
index d4eddde552366502d6e46a0a996caf8162355533..7bfec3ac71c24ff3cc9ad79927fe20d04f568618 100644
--- a/site.yml
+++ b/site.yml
@@ -80,6 +80,7 @@
 - { role: common/openvpn, tags: openvpn }
 - { role: common/docker_ldap, tags: ldap }
 - { role: verwaltung/docker_gitea, tags: gitea }
+ - { role: verwaltung/docker_jameica, tags: jameicavnc }
 - { role: verwaltung/docker_nextcloud, tags: nextcloud }
 - { role: verwaltung/docker_mysql, tags: mysql }
 - { role: verwaltung/user, tags: user }
diff --git a/verwaltung/docker_jameica/tasks/main.yml b/verwaltung/docker_jameica/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a9483e2ad3f54210d0f86de21797cf506a5a47d8
--- /dev/null
+++ b/verwaltung/docker_jameica/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- include_tasks: ../functions/get_secret.yml
+ with_items:
+ - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
+
+- name: create folder struct for jameica
+ file:
+ path: "{{item}}"
+ state: "directory"
+ with_items:
+ - "/srv/jameica-vnc/"
+ - "/srv/jameica-vnc/work"
+
+- name: Konfig-Dateien erstellen
+ template:
+ src: "{{item}}"
+ dest: "/srv/jameica-vnc/{{item}}"
+ with_items:
+ - "docker-compose.yml"
+ - "Dockerfile"
+ - "jameica.conf"
+ - "jameica.sh"
+
+- name: start jameica docker
+ docker_compose:
+ project_src: /srv/jameica-vnc/
+ state: present
+
diff --git a/verwaltung/docker_jameica/templates/Dockerfile b/verwaltung/docker_jameica/templates/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..e90149e7ebf9a3103dc126d4a828f80213c79714
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/Dockerfile
@@ -0,0 +1,19 @@
+FROM theasp/novnc:latest
+
+# Install java
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y \
+ openjdk-11-jre
+
+COPY jameica.conf /app/conf.d/
+COPY jameica.sh /app/
+
+RUN set -ex; \
+ mkdir /jameica/; \
+ mkdir /jameica-data/; \
+ mkdir /jameica-work/; \
+ usermod -U -s /bin/bash -d /jameica-work/ -G root www-data; \
+ chown www-data:www-data /app/jameica.sh; \
+ chown www-data:www-data /jameica-work/; \
+ chmod +x /app/jameica.sh;
diff --git a/verwaltung/docker_jameica/templates/docker-compose.yml b/verwaltung/docker_jameica/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b5eda8e99d273ffc5fe6f1b3003eef5cf90423d2
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/docker-compose.yml
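Review bot: The `Konfig-Dateien erstellen` task writes `docker-compose.yml`, which carries `LDAP_BIND_PASSWORD`, without a `mode:`, so the file is created with the remote default (commonly 0644) and the bind password is readable by every local account; add `mode: "0640"` to the template task (plus `owner`/`group` if a non-root user must read it) and set a mode on the `file:` task as well. `docker_compose` with only `state: present` does not rebuild the image when the Dockerfile or the copied `jameica.sh`/`jameica.conf` change, so later template edits will not reach the container; add `build: yes` to that task. `loop:` has replaced `with_items`, and `{{ item }}` with spaces is the lint-clean spelling.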
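Review bot: `usermod -U -s /bin/bash -d /jameica-work/ -G root www-data` adds the service account to the `root` group, so everything the base image leaves group-readable or group-writable for root is reachable from the Jameica process that supervisor runs as `www-data`; drop `-G root` unless a specific path needs it, and if one does, name it in a comment on that line. `FROM theasp/novnc:latest` is unpinned, so the VNC/websockify stack exposed through the auth proxy changes silently on every rebuild; pin a tag or digest. The `apt-get install` layer should add `--no-install-recommends` and end with `rm -rf /var/lib/apt/lists/*` in the same `RUN`.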
@@ -0,0 +1,33 @@
+version: '3'
+
+services:
+
+ vnc:
+ build: .
+ environment:
+ DISPLAY_WIDTH: 1440
+ DISPLAY_HEIGHT: 900
+ RUN_XTERM: "no"
+ ports:
+ - 127.0.0.1:42005:8080
+ volumes:
+ - /srv/jameica:/jameica/
+ - /srv/data-jameica:/jameica-data/
+ - /srv/jameica-vnc/work:/jameica-work/
+
+ ldap_auth:
+ image: pinepain/ldap-auth-proxy:0.2.0
+ ports:
+ - 127.0.0.1:52005:8888
+ environment:
+ LOG_LEVEL: "info"
+ LISTEN: ":8888"
+ LDAP_SERVER: "ldap://{{ int_ip4 }}"
+ LDAP_BASE: "{{ ldap_base_dn }}"
+ LDAP_BIND_DN: "{{ ldap_readonly_bind_dn }}"
+ LDAP_BIND_PASSWORD: "{{ ldap_readonly_pass }}"
+ #(&(uid=%s)(memberof=CN=verwaltung,OU=groups,DC=warpzone,DC=ms))
+ LDAP_USER_FILTER: "(&(uid=%s)(memberof=CN=vorstand,OU=groups,DC=warpzone,DC=ms))"
+ #LDAP_GROUP_FILTER: "(&(objectClass=groupOfUniqueNames)(member=uid=%s,ou=Users,o=${OID},dc=jumpcloud,dc=com))"
+ HEADERS_MAP: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
+
diff --git a/verwaltung/docker_jameica/templates/jameica.conf b/verwaltung/docker_jameica/templates/jameica.conf
new file mode 100644
index 0000000000000000000000000000000000000000..22912f67d59e6692ed34b96c9f1ab893b6b42229
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/jameica.conf
@@ -0,0 +1,4 @@
+[program:jameica]
+command=/app/jameica.sh
+autorestart=true
+user=www-data
diff --git a/verwaltung/docker_jameica/templates/jameica.sh b/verwaltung/docker_jameica/templates/jameica.sh
new file mode 100644
index 0000000000000000000000000000000000000000..5cea358fea7ba2de2e43a6b6cdb0ae9dc9c5e380
--- /dev/null
+++ b/verwaltung/docker_jameica/templates/jameica.sh
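Review bot: Neither `vnc` nor `ldap_auth` sets a `restart:` policy, so unlike the mysql compose file in this same commit (`restart: always`) the console and the auth proxy it depends on stay down after a daemon or host restart; add `restart: unless-stopped` to both services. `LDAP_SERVER: "ldap://{{ int_ip4 }}"` sends the read-only bind credentials in clear text, which is tolerable only if `int_ip4` is a host-local or otherwise trusted network; say so in a comment, or use `ldaps://` if the directory offers it. The two commented-out filter lines (one of them a jumpcloud example) are dead text and should be removed, and the port mappings should be quoted (`"127.0.0.1:42005:8080"`) to keep the file lint-clean.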
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Linux Start-Script fuer regulaeren Standalone-Betrieb.
+# Jameica wird hierbei mit GUI gestartet.
+
+# Das Datenverzeichnis wird hierbei ohne Passwort geladen
+
+cd "/jameica/"
+archsuffix="64"
+
+LIBOVERLAY_SCROLLBAR=0 GDK_NATIVE_WINDOWS=1 SWT_GTK3=0 exec java -Djava.net.preferIPv4Stack=true -Xmx512m $_JCONSOLE -jar jameica-linux${archsuffix}.jar -f /jameica-data/ -p nopassword $@
diff --git a/verwaltung/docker_mysql/templates/docker-compose.yml b/verwaltung/docker_mysql/templates/docker-compose.yml
index c279af6c442ea4e7231b0309b627a2ceb477537f..b022107c4c2a1492edc79d05bd0748a5dc33669e 100644
--- a/verwaltung/docker_mysql/templates/docker-compose.yml
+++ b/verwaltung/docker_mysql/templates/docker-compose.yml
@@ -9,6 +9,7 @@ services:
 restart: always
 ports:
 - 127.0.0.1:3306:3306
+ - 10.42.2.1:3306:3306
 volumes:
 - /srv/mysql/tuning.cnf:/etc/mysql/conf.d/tuning.cnf
 - /srv/mysql/db/:/var/lib/mysql
diff --git a/verwaltung/docker_nextcloud/templates/docker-compose.yml b/verwaltung/docker_nextcloud/templates/docker-compose.yml
index 187c74567a76f5806e97e525bda4f29e9a88db3a..1f0591c902847f6e8e15139dd7639b26a4252ab9 100644
--- a/verwaltung/docker_nextcloud/templates/docker-compose.yml
+++ b/verwaltung/docker_nextcloud/templates/docker-compose.yml
@@ -29,6 +29,7 @@ services:
 - /srv/nextcloud/data/:/var/www/html/
 - /srv/nextcloud/tmp/:/tmp/nextcloudtemp/
 - /srv/nextcloud/memory-limit.ini:/usr/local/etc/php/conf.d/memory-limit.ini:ro
+ - /srv/jameica-vnc/work/:/jameica-work/
 environment:
 REDIS_HOST: redis
 MYSQL_DATABASE: nextcloud
diff --git a/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties b/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
index 3a67b89bf45b0f6c40c80b369986e02c3c43632e..661113d3aff11e306ca6c7c5a79bf6482baca337 100644
--- a/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
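Review bot: `-p nopassword` hands Jameica a fixed literal as the master password (if `-p` is the master-password option, as the header comment "ohne Passwort geladen" suggests), so the data under `/jameica-data/` is protected by nothing beyond the nginx `auth_request` in front of the console, and the value is visible in the container's process list; record that trade-off in the script header instead of leaving it implicit. `$@` should be `"$@"` so arguments containing spaces survive, and `cd "/jameica/"` should be `cd "/jameica/" || exit 1` so a missing mount does not start java in the wrong directory. `$_JCONSOLE` is set nowhere in this commit; if it is an intentional optional hook, a comment should say so.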
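Review bot: The new `10.42.2.1:3306:3306` mapping publishes MySQL on a non-loopback address, so every container or host that can reach it may now attempt logins with the `vorstand` account the properties files in this commit use; confirm the address is reachable only from the intended network (host firewall or docker network scope) and note that in a comment above the line. The clients are templated with `{{ int_ip4 }}` while this side is hard-coded, so `- "{{ int_ip4 }}:3306:3306"` would keep both ends in one variable if 10.42.2.1 is indeed that host's `int_ip4`; I cannot confirm that from the diff. Quote the port mappings either way.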
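Review bot: `/srv/jameica-vnc/work/` is mounted read-write into Nextcloud, and the same directory is the home of `www-data` inside the jameica image (its Dockerfile runs `usermod … -d /jameica-work/`), so Java/GTK dotfiles written there become visible to Nextcloud and Nextcloud can alter files the console reads. If Nextcloud only needs to read exports, mount it `:ro` as the `memory-limit.ini` line above does; in either case a comment naming the purpose of the shared directory belongs on this line.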
+++ b/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
@@ -1,4 +1,4 @@
 database.driver=de.jost_net.JVerein.server.DBSupportMySqlImpl
-database.driver.mysql.jdbcurl=jdbc\:mysql\://localhost\:3306/jverein?useUnicode\=Yes&characterEncoding\=ISO8859_1
+database.driver.mysql.jdbcurl=jdbc\:mysql\://{{ int_ip4 }}\:3306/jverein?useUnicode\=Yes&characterEncoding\=ISO8859_1
 database.driver.mysql.username=vorstand
 database.driver.mysql.password={{mysql_user_pw}}
diff --git a/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties b/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
index cf96460344feca617317d4f013e5b31c9a98bf4c..329eeaec87712c0a138b0367afae6ca5bd7b0154 100644
--- a/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
+++ b/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
@@ -1,4 +1,4 @@
 database.driver=de.willuhn.jameica.hbci.server.DBSupportMySqlImpl
-database.driver.mysql.jdbcurl=jdbc\:mysql\://localhost\:3306/hibiscus?useUnicode\=Yes&characterEncoding\=ISO8859_1
+database.driver.mysql.jdbcurl=jdbc\:mysql\://{{ int_ip4 }}\:3306/hibiscus?useUnicode\=Yes&characterEncoding\=ISO8859_1
 database.driver.mysql.username=vorstand
 database.driver.mysql.password={{mysql_user_pw}}
\ No newline at end of file
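Review bot: Moving the JDBC URL from `localhost` to `{{ int_ip4 }}` (here and in the HBCIDBService hunk below) sends the `vorstand` credentials and all member and banking data across the network, and the URL carries no TLS parameter; append `&useSSL\=true&verifyServerCertificate\=true` (with the server certificate trusted by the JVM) or add a comment to the properties file stating why plaintext on that network is acceptable. `{{mysql_user_pw}}` also lives in this file, so the mode it is deployed with matters as much as the compose file's; I cannot see the task that writes it.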