Commits on Source (13)
Showing
with 140 additions and 189 deletions
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by self read by * search
#!/bin/bash
ldapmodify -Y EXTERNAL -H ldapi:// -f /opt/helper/acl-allow-user-self-read.ldif
ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config" "olcDatabase={1}hdb"
#!/bin/bash
# Usage: sh search_admin.sh "(objectClass=*)"
ldapsearch -h {{ int_ip4 }} -b "{{ ldap_base_dn }}" -D "{{ ldap_admin_bind_dn }}" -w "{{ ldap_admin_pass }}" -s sub "$1"
#!/bin/bash
# Usage: sh search_user.sh "testuser" "(objectClass=*)"
ldapsearch -h {{ int_ip4 }} -b "{{ ldap_base_dn }}" -D "uid=$1,ou=users,{{ ldap_base_dn }}" -W -s sub "$2"
---
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/ldap/secret/ldap_admin_pass, length: 24 }
- { path: /srv/ldap/secret/ldap_readonly_pass, length: 24 }
- name: create folder struct for ldap
file:
path: "/srv/ldap/{{ item.path }}"
state: "directory"
recurse: yes
with_items:
- { path: 'database' }
- { path: 'config' }
- name: Docker Compose Konfig-Datei erstellen
template:
src: "{{ item }}"
dest: "/srv/ldap/{{ item }}"
with_items:
- docker-compose.yml
- Dockerfile
- syncrepl_exporter.yml
register: config
- name: "stop {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: absent
when: config.changed
- name: "start {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: present
FROM golang:1.21.6
RUN go get github.com/ThoreKr/syncrepl_exporter
EXPOSE 9328
CMD ["/go/bin/syncrepl_exporter","--path.config=/syncrepl_exporter.yml"]
services:
openldap:
image: osixia/openldap:1.3.0
restart: always
command: --loglevel debug
volumes:
- /srv/ldap/database:/var/lib/ldap
- /srv/ldap/config:/etc/ldap/slapd.d
ports:
- {{ int_ip4 }}:389:389
- {{ int_ip4 }}:636:636
environment:
- HOSTNAME={{ inventory_hostname }}-sync
- LDAP_BACKEND=hdb
- LDAP_ORGANISATION={{ ldap_org }}
- LDAP_DOMAIN={{ ldap_domain }}
- LDAP_ADMIN_PASSWORD={{ ldap_admin_pass }}
- LDAP_CONFIG_PASSWORD={{ ldap_admin_pass }}
- LDAP_READONLY_USER=true
- LDAP_READONLY_USER_USERNAME=readonly
- LDAP_READONLY_USER_PASSWORD={{ ldap_readonly_pass }}
- LDAP_TLS_VERIFY_CLIENT=never
networks:
- default
phpldapadmin:
image: osixia/phpldapadmin:0.9.0
restart: always
depends_on:
- openldap
environment:
- PHPLDAPADMIN_LDAP_HOSTS=openldap
- PHPLDAPADMIN_HTTPS=false
- PHPLDAPADMIN_TRUST_PROXY_SSL=true
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
- traefik.http.routers.{{ servicename }}.entrypoints=websecure
- traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
networks:
- default
- web
networks:
web:
external: true
---
ldap:
host: 'openldap'
port: '636'
basedn: '{{ ldap_base_dn }}'
starttls: false
bind: true
bindcn: '{{ ldap_readonly_bind_dn }}'
bindpass: '{{ ldap_readonly_pass }}'
# Globale Variablen für alle produktiven Server
# Ports des LDAP Servers
ldap_port_default: 389
ldap_port_secure: 636
# IP Adresse des LDAP Servers
# Extern läuft auf dem webserver
ldap_ip_ext: 10.42.1.1
# Basis-Informationen der LDAP Konfiguration
ldap_org: Warpzone
ldap_domain: warpzone.ms
ldap_base_dn: dc=warpzone,dc=ms
ldap_admin_bind_dn: cn=admin,dc=warpzone,dc=ms
ldap_readonly_bind_dn: cn=readonly,dc=warpzone,dc=ms
ldap_group_dn: ou=groups,dc=warpzone,dc=ms
ldap_group_active_dn: cn=active,ou=groups,dc=warpzone,dc=ms
# SMTP Settings
smtp_domain: warpzone.ms
......
# SMTP Settings
smtp_domain: test-warpzone.de
smtp_host: mailserver.test-warpzone.de
......
......@@ -36,8 +36,6 @@ webserver_domains:
- "gitlab.warpzone.ms"
- "matrix.warpzone.ms"
- "mailserver.warpzone.ms"
- "ldap.warpzone.ms"
- "keycloak.warpzone.ms"
- "md.warpzone.ms"
- "privatebin.warpzone.ms"
# - "turn.warpzone.ms"
......@@ -81,10 +79,9 @@ alert:
- { name: "hackmd-app-1" }
- { name: "hackmd-db-1" }
- { name: "icinga-app-1" }
- { name: "icinga-auth-1" }
- { name: "icinga-db-1" }
- { name: "icinga-graphite-1" }
- { name: "ldap-openldap-1" }
- { name: "ldap-phpldapadmin-1" }
- { name: "mail-admin-1" }
- { name: "mail-antispam-1" }
- { name: "mail-certdumper-1" }
......@@ -99,8 +96,8 @@ alert:
- { name: "mail-mailman-core-1" }
- { name: "mail-mailman-web-1" }
- { name: "mail-mailman-nginx-1" }
- { name: "matrix-ma1sd-1" }
- { name: "matrix-db-1" }
- { name: "matrix-ldap-1" }
- { name: "matrix-purgemediacache-1" }
- { name: "matrix-synapse-1" }
- { name: "matterbridge-cw-1" }
......
......@@ -801,12 +801,6 @@ automation ansible:
triggers: []
conditions: []
actions:
- action: light.turn_on
metadata: {}
data:
brightness_pct: 50
target:
device_id: c4f8f83fb287ba7b1d66b674a1564c75
- delay:
hours: 0
minutes: 3
......
......@@ -291,12 +291,6 @@
basedir: "/srv/{{ servicename }}",
domain: "uffd.warpzone.ms",
}
- {
role: common/docker_ldap, tags: [ ldap, docker_services ],
servicename: ldap,
basedir: /srv/ldap,
domain: "ldap.warpzone.ms"
}
- {
role: common/docker_traefik, tags: [ traefik, docker_services ],
servicename: traefik,
......@@ -342,12 +336,6 @@
basedir: /srv/hackmd,
domain: "md.warpzone.ms"
}
- {
role: webserver/docker_keycloak, tags: [ keycloak, docker_services ],
servicename: "keycloak",
basedir: /srv/keycloak,
domain: "keycloak.warpzone.ms"
}
- {
role: webserver/docker_mail, tags: [ mail, docker_services ],
servicename: mail,
......
# Gitlab Access with uffd as Access Provider
Redirect URL: https://gitlab.warpzone.ms/users/auth/openid_connect/callback
## Browsing without login
https://gitlab.warpzone.ms/explore
## Features not supported in Community edition
- Set Admin Flag
- Manage Groups
......@@ -2,9 +2,9 @@
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/shared/noreply_email_pass, length: -1 }
- { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
- { path: /srv/gitlab/runner_registration_token, length: -1 }
- { path: /srv/shared/noreply_email_pass, length: -1 }
- { path: /srv/gitlab/secret/oidc_client_secret, length: 32 }
- { path: /srv/gitlab/secret/runner_registration_token, length: -1 }
# Benötigte Verzeichnisstrukturen erstellen
......
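Review bot: The new `oidc_client_secret` entry (`{ path: /srv/gitlab/secret/oidc_client_secret, length: 32 }`) carries no `type:` key, while the equivalent generated secrets added in the icinga tasks hunk of this same change (`forward_auth_secret`, `oauth_client_secret`, the admin and API passwords) all gain `type: create`. get_secret.yml is outside this diff, so I cannot tell whether `type: create` is what makes a missing secret get generated; if it is, this entry needs it too, and if it is not, the icinga additions are noise — either way the two roles should agree. A one-line comment above the list stating what `type: create` and `length: -1` mean would settle it for the next reader. The generated value presumably also has to be registered as the client secret on the uffd side, which is worth noting next to the entry.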
......@@ -455,7 +455,7 @@ gitlab_rails['object_store']['objects']['pages']['bucket'] = nil
# gitlab_rails['ldap_enabled'] = false
# gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_enabled'] = true
# gitlab_rails['ldap_enabled'] = true
###! **remember to close this block with 'EOS' below**
......@@ -503,24 +503,24 @@ gitlab_rails['ldap_enabled'] = true
# sync_ssh_keys: false
# EOS
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main:
label: 'LDAP'
host: '{{ ldap_ip_ext }}'
port: 389
uid: 'uid'
method: 'plain'
bind_dn: '{{ ldap_readonly_bind_dn }}'
password: '{{ ldap_readonly_pass }}'
base: '{{ ldap_base_dn }}'
user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))'
attributes:
username: ['uid', 'cn']
email: ['mail', 'email']
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
EOS
# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
# main:
# label: 'LDAP'
# host: '{{ ldap_ip_ext }}'
# port: 389
# uid: 'uid'
# method: 'plain'
# bind_dn: '{{ ldap_readonly_bind_dn }}'
# password: '{ { ldap_readonly_pass } }'
# base: '{{ ldap_base_dn }}'
# user_filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))'
# attributes:
# username: ['uid', 'cn']
# email: ['mail', 'email']
# name: 'cn'
# first_name: 'givenName'
# last_name: 'sn'
# EOS
### Smartcard authentication settings
......@@ -555,6 +555,45 @@ EOS
# }
# ]
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_providers'] = [
{
name: "openid_connect",
label: "uffd",
args: {
name: "openid_connect",
scope: ["openid", "profile", "email", "groups"],
response_type: "code",
issuer: "{{ oidc_global.provider_url }}",
discovery: true,
uid_field: "preferred_username",
gitlab_username_claim: "name",
send_scope_to_token_endpoint: "true",
client_options: {
identifier: "gitlab",
secret: "{{ oidc_client_secret }}",
redirect_uri: "https://{{ domain }}/users/auth/openid_connect/callback",
gitlab: {
groups_attribute: "groups",
required_groups: ["gitlab_access"],
admin_groups: ["gitlab_admin"]
}
}
}
}
]
### Backup Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html
......@@ -757,6 +796,9 @@ registry_external_url 'https://{{ domain_registry }}'
# gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
gitlab_rails['registry_enabled'] = true
#gitlab_rails['registry_host'] = "{{ domain_registry }}"
#gitlab_rails['registry_port'] = ""
#gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
# Notification secret, it's used to authenticate notification requests to GitLab application
# You only need to change this when you use external Registry service, otherwise
......@@ -765,12 +807,15 @@ gitlab_rails['registry_enabled'] = true
###! **Do not change the following 3 settings unless you know what you are
###! doing**
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
gitlab_rails['registry_api_url'] = "http://localhost:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
### Settings used by Registry application
registry['enable'] = true
registry['registry_http_addr'] = "0.0.0.0:5000"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
......@@ -807,6 +852,19 @@ registry['enable'] = true
# }
# }
# registry['storage'] = {
# 'filesystem' => {
# 'rootdirectory' => "/var/opt/gitlab/gitlab-rails/shared/registry"
# },
# 'delete' => {
# 'enabled' => true
# },
# 'cache' => {
# 'blobdescriptor' => 'inmemory'
# }
# }
### Registry notifications endpoints
# registry['notifications'] = [
# {
......@@ -1300,6 +1358,10 @@ registry['enable'] = true
# nginx['redirect_http_to_https'] = false
# nginx['redirect_http_to_https_port'] = 80
# Increase maximal header size, needed for registry to work
nginx['client_max_body_size'] = "500m"
nginx['large_client_header_buffers'] = "8 32k"
##! Most root CA's are included by default
# nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
......@@ -1755,6 +1817,7 @@ registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5005
registry_nginx['listen_https'] = false
registry_nginx['proxy_pass'] = "http://localhost:5000"
registry_nginx['proxy_set_headers'] = {
"Host" => "$http_host",
......@@ -1764,6 +1827,20 @@ registry_nginx['proxy_set_headers'] = {
"X-Forwarded-Ssl" => "on"
}
# Increase maximal header size, needed for registry to work
registry_nginx['client_max_body_size'] = "500m"
registry_nginx['large_client_header_buffers'] = "8 32k"
# Konfiguriere zusätzliche Nginx-Parameter für Registry
registry_nginx['custom_gitlab_server_config'] = "
client_header_buffer_size 64k;
proxy_buffer_size 64k;
proxy_buffers 8 64k;
proxy_busy_buffers_size 64k;
proxy_connect_timeout 300s;
proxy_read_timeout 300s;
"
################################################################################
## Prometheus
##! Docs: https://docs.gitlab.com/ee/administration/monitoring/prometheus/
......
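Review bot: The commented-out `ldap_servers` block still contains live Jinja expressions (`{{ ldap_ip_ext }}`, `{{ ldap_readonly_bind_dn }}`, `{{ ldap_base_dn }}`) that Ansible's template module evaluates regardless of the Ruby `#`; only `ldap_readonly_pass` was defused by splitting its braces into `{ { ldap_readonly_pass } }`. If the group_vars hunks in this change remove those variables, as they appear to, rendering gitlab.rb fails on an undefined variable. Either drop the block or wrap it so Jinja leaves it alone: `{% raw %}` before `# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'` and `{% endraw %}` after `# EOS`, which also lets the password line be written normally. In the new omniauth block, `gitlab_rails['omniauth_auto_link_ldap_user'] = true` is dead configuration now that LDAP is disabled in the same change, and `admin_groups: ["gitlab_admin"]` deserves a comment that it has no effect on CE if the README's "Set Admin Flag" note from this change is accurate. Separately, `registry['registry_http_addr'] = "0.0.0.0:5000"` listens on every interface of a container attached to the shared `web` network while both consumers (`registry_api_url` and `registry_nginx['proxy_pass']`) use localhost, so `127.0.0.1:5000` would suffice unless something outside the container needs the raw registry port.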
......@@ -2,7 +2,8 @@ services:
app:
image: gitlab/gitlab-ce:latest
# Version pinned due to upgrade problems with 17.9.x
image: gitlab/gitlab-ce:17.8.7-ce.0
restart: always
ports:
- "444:22"
......@@ -24,6 +25,8 @@ services:
- traefik.http.routers.{{ servicename }}_registry.entrypoints=websecure
- traefik.http.routers.{{ servicename }}_registry.service={{ servicename }}_registry
- traefik.http.services.{{ servicename }}_registry.loadbalancer.server.port=5005
- traefik.http.middlewares.registry-headers.headers.customRequestHeaders.Host={{ domain_registry }}
- traefik.http.routers.{{ servicename }}_registry.middlewares=registry-headers
networks:
- default
- web
......
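Review bot: The middleware added as `traefik.http.middlewares.registry-headers.headers.customRequestHeaders.Host={{ domain_registry }}` is not namespaced with `{{ servicename }}` the way the routers and services in the same label set are, and Traefik's Docker provider keeps middleware names global, so another stack on the shared `web` network declaring a `registry-headers` middleware may conflict with this one. Prefer `traefik.http.middlewares.{{ servicename }}_registry-headers.headers.customRequestHeaders.Host={{ domain_registry }}` and reference it the same way in the `.middlewares=` label. Because this rewrites the Host header to a fixed value, a short comment stating why it is needed (the registry_nginx Host passthrough, presumably) would help the next reader; the compose service continues outside the hunk.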
Authentication via uffd
Client-ID: icinga
Redirect-URIs: https://icinga.warpzone.ms/_oauth
......@@ -2,12 +2,13 @@
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
- { path: "{{ basedir }}/icinga_admin_pass", length: 12 }
- { path: "{{ basedir }}/icinga_api_user", length: 8 }
- { path: "{{ basedir }}/icinga_api_pass", length: 8 }
- { path: "{{ basedir }}/mysql_admin_pass", length: 12 }
- { path: "{{ basedir }}/mysql_user_pass", length: 12 }
- { path: "{{ basedir }}/forward_auth_secret", type: create, length: 64 }
- { path: "{{ basedir }}/oauth_client_secret", type: create, length: 64 }
- { path: "{{ basedir }}/icinga_admin_pass", type: create, length: 12 }
- { path: "{{ basedir }}/icinga_api_user", type: create, length: 8 }
- { path: "{{ basedir }}/icinga_api_pass", type: create, length: 8 }
- { path: "{{ basedir }}/mysql_admin_pass", type: create, length: 12 }
- { path: "{{ basedir }}/mysql_user_pass", type: create, length: 12 }
- { path: "{{ basedir }}/matrix_notification_access_token", length: -1 }
......@@ -18,6 +19,7 @@
name:
- logrotate
- name: icinga LogRotate config erstellen
template:
src: logrotate
......@@ -48,25 +50,30 @@
- check_rbl_helper.sh
- notify_by_pushover.sh
- etc/locale.gen
- etc/oauth_header.conf
- graphite-conf/storage-schemas.conf
notify: restart icinga docker
register: dockerconfig
- stat:
path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
register: configured
- name: "start {{ servicename }} docker (init)"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: present
when: configured.stat.exists == False
- name: "wait for {{ servicename }} docker (init)"
wait_for:
path: "{{ basedir }}/etc/icingaweb2/CONFIGURED"
when: configured.stat.exists == False
- name: "stop {{ servicename }} docker (init)"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
......
FROM jordan/icinga2:2.14.0
FROM jordan/icinga2:2.14.3
# Install additional Packages
RUN apt-get update \
......