Przeglądaj źródła

ldap for dokuwiki, jitsi, kanboard.

Thomas Buck 3 lat temu
rodzic
commit
4dfdcdcea9

+ 48
- 44
README.md Wyświetl plik

@@ -1,30 +1,52 @@
1 1
 # Sovereign
2 2
 
3 3
 Forked from [Sovereign on GitHub](https://github.com/sovereign/sovereign).
4
+This is a set of ansible roles to setup your own little private Cloud on a VPS.
5
+
6
+I removed a bunch of roles from the upstream version, added new ones, and made it compatible with more recent versions of Debian.
7
+Ubuntu is no longer supported, simply because I just use Debian.
8
+
9
+I also added the ability for full-fledged user-management using OpenLDAP and FusionDirectory.
10
+This is optional, however.
11
+You can also use statically configured credentials, which is enough for single-user setups.
12
+
13
+| Program       | Domain     | Status | Debian 9 | Debian 10 | Debian 11 | LDAP Auth |
14
+| ------------- | ---------- | ------ | -------- | --------- | --------- | --------- |
15
+| Website       | www        | ✔️      | ✔️        | ✔️         | ✔️         | N/A       |
16
+| Lets Encrypt  | -          | ✔️      | ✔️        | ✔️         | ✔️         | N/A       |
17
+| Webmail       | mail       | ✔️      | ✔️        | ✔️         | ✔️         | ❓        |
18
+| E-Mail Config | autoconfig | ✔️      | ✔️        | ✔️         | ✔️         | N/A       |
19
+| monit         | status     | ✔️      | ✔️        | ✔️         | ✔️         | ❌        |
20
+| OpenVPN       | -          | ✔️      | ✔️        | ❓        | ❓        | ❓        |
21
+| Fathom        | stats      | ✔️      | ✔️        | ✔️         | ✔️         | ❌        |
22
+| commento      | comments   | ✔️      | ✔️        | ✔️         | ✔️         | ❓        |
23
+| ZNC           | -          | ✔️      | ✔️        | ❓        | ❓        | ❓        |
24
+| gitea         | git        | ✔️      | ✔️        | ✔️         | ✔️         | ❓        |
25
+| dokuwiki      | wiki       | ✔️      | ❓       | ✔️         | ✔️         | ✔️         |
26
+| kanboard      | kanboard   | ✔️      | ❓       | ✔️         | ✔️         | ✔️         |
27
+| jitsi         | jitsi      | ✔️      | ❓       | ✔️         | ✔️         | ✔️         |
28
+| rocket.chat   | chat       | ❓     | ❓       | ✔️         | ❓        | ❓        |
29
+| NextCloud     | cloud      | ✔️      | ✔️        | (❓)      | ✔️         | ✔️         |
30
+| LimeSurvey    | survey     | ✔️      | (❓)     | ✔️         | ✔️         | ❓        |
31
+| matrix / riot | matrix     | ❌     | ✔️        | ❓        | ❓        | ❓        |
32
+| mastodon      | social     | ❌     | ✔️        | ❓        | ❓        | ❓        |
33
+| LDAP          | users      | ❓     | ❓       | ❓        | ✔️         | ✔️         |
34
+| Self-Signed   | -          | ✔️      | ❓       | ✔️         | ❓        | N/A       |
35
+| grafana       | iot        | ✔️      | ❓       | ✔️         | ❓        | ❓        |
36
+| Selfoss       | news       | ❌     | ✔️        | ❓        | ❓        | ❓        |
37
+
38
+You don't have to setup all roles, simply select the subset you require.
39
+Please take a look inside the respective folders of the roles, they often contain a `DESIGN.md` file explaining the intricacies of the specific software or its configuration.
4 40
 
5 41
 # Usage
6 42
 
7
-## What You’ll Need
8
-
9
-1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
10
-2.  [64-bit Debian 9 or 10](http://www.debian.org/). (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
11
-
12
-You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
13
-
14 43
 ## Installation
15 44
 
16 45
 ### On the remote server
17 46
 
18
-The following steps are done on the remote server by `ssh`ing into it and running these commands.
19
-
20
-#### Install required packages
47
+Install dependencies and change the root password:
21 48
 
22 49
     apt-get install sudo python
23
-
24
-#### Prep the server
25
-
26
-For goodness sake, change the root password:
27
-
28 50
     passwd
29 51
 
30 52
 Create a user account for Ansible to do its thing through:
@@ -56,8 +78,6 @@ Or you can just add your `deploy` user to the sudo group.
56 78
 
57 79
 ### On your local machine
58 80
 
59
-Ansible (the tool setting up your server) runs locally on your computer and sends commands to the remote server.
60
-
61 81
 #### Software
62 82
 
63 83
 Download this repository somewhere on your machine, either through `Clone or Download > Download ZIP` above, `wget`, or `git` as below.
@@ -83,39 +103,17 @@ In that case you also need to add your custom port to the task `Set firewall rul
83 103
 
84 104
 #### Set up DNS
85 105
 
86
-If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar.
87
-Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge.
88
-If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
89
-
90
-Create `A` and `AAAA` or `CNAME` records which point to your server's IP address:
91
-
92
-* `example.com`
93
-* `mail.example.com`
94
-* `www.example.com` (for Web hosting)
95
-* `autoconfig.example.com` (for email client automatic configuration)
96
-* `stats.example.com` (for web stats)
97
-* `news.example.com` (for Selfoss)
98
-* `cloud.example.com` (for NextCloud)
99
-* `git.example.com` (for gitea)
100
-* `status.example.com` (for monit)
101
-* `matrix.example.com` (for riot)
102
-* `social.example.com` (for mastodon)
103
-* `comments.example.com` (for commento)
104
-* `iot.example.com` (for grafana)
105
-* `wiki.example.com` (for dokuwiki)
106
-* `jitsi.example.com` (for jitsi)
107
-* `kanboard.example.com` (for kanboard)
106
+Create `A` and `AAAA` or `CNAME` records which point to your server's IP address for the subdomains used with the programs you selected.
108 107
 
109 108
 #### Run the Ansible Playbooks
110 109
 
111
-First, make sure you’ve [got Ansible installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
112
-This should already be done by running the pip requirements.txt from above.
113
-
114
-To run the whole dang thing:
110
+To run the whole thing:
115 111
 
116
-    ansible-playbook -i ./hosts --ask-sudo-pass site.yml
112
+    ansible-playbook -i ./hosts --ask-sudo-pass --key-file KEY site.yml
117 113
     
118 114
 If you chose to make a passwordless sudo deploy user, you can omit the `--ask-sudo-pass` argument.
115
+If you don't need to specify an ssh key to connect to the host, leave out `--key-file KEY` part, otherwise replace `KEY` with the path to the key you want to use.
116
+Append eg. `-l testing` to only run for the hosts in the testing group.
119 117
 
120 118
 #### Finish DNS set-up
121 119
 
@@ -158,3 +156,9 @@ To re-new the LetsEncrypt certificates, for example after adding a new role that
158 156
     sudo certbot delete -c /etc/letsencrypt/cli.conf --cert-name DOMAIN
159 157
 
160 158
 Then re-run the whole sovereign playbook, or at least the letsencrypt part of it.
159
+
160
+To access your Postgres database, use:
161
+
162
+    sudo -u postgres psql
163
+
164
+Then use commands like `\l`, `\c database`, `\dt` or SQL statements.

+ 6
- 0
roles/dokuwiki/defaults/main.yml Wyświetl plik

@@ -5,6 +5,12 @@ dokuwiki_domain: "{{ dokuwiki_subdomain }}.{{ domain }}"
5 5
 dokuwiki_version: "stable_2020-07-29"
6 6
 dokuwiki_release: "https://github.com/splitbrain/dokuwiki/archive/refs/tags/release_{{ dokuwiki_version }}.tar.gz"
7 7
 
8
+dokuwiki_enable_ldap: false
9
+
8 10
 dokuwiki_admin_username: "{{ main_user_name }}"
9 11
 dokuwiki_admin_email: "{{ admin_email }}"
10 12
 dokuwiki_admin_password: "{{ lookup('password', secret + '/' + 'dokuwiki_admin_password length=32') }}"
13
+
14
+# TODO
15
+ldap_domain_string: "dc=shagohod,dc=de"
16
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"

+ 1
- 1
roles/dokuwiki/tasks/dokuwiki.yml Wyświetl plik

@@ -75,7 +75,7 @@
75 75
     owner=www-data
76 76
     group=www-data
77 77
     mode=0644
78
-    force=no
78
+#    force=no
79 79
 
80 80
 - name: Add initial DokuWiki admin user
81 81
   template:

+ 13
- 0
roles/dokuwiki/templates/var_www_dokuwiki_conf_local.j2 Wyświetl plik

@@ -23,3 +23,16 @@ $conf['disableactions'] = 'register';
23 23
 
24 24
 $conf['userewrite'] = 1;
25 25
 $conf['useslash'] = 1;
26
+
27
+{% if dokuwiki_enable_ldap == true %}
28
+
29
+$conf['authtype'] = 'authldap';
30
+
31
+$conf['plugin']['authldap']['server']   = 'localhost';
32
+$conf['plugin']['authldap']['port']     = 389;
33
+$conf['plugin']['authldap']['version']  = 3;
34
+$conf['plugin']['authldap']['binddn']   = 'uid=admin,ou=people,{{ ldap_domain_string }}';
35
+$conf['plugin']['authldap']['bindpw']   = '{{ slapd_admin_password }}';
36
+$conf['plugin']['authldap']['usertree'] = 'uid=%{user},ou=people,{{ ldap_domain_string }}';
37
+
38
+{% endif %}

+ 3
- 0
roles/jitsi/DESIGN.md Wyświetl plik

@@ -10,3 +10,6 @@ https://jitsi.github.io/handbook/docs/devops-guide/secure-domain
10 10
 
11 11
 This was used for the Apache config:
12 12
 https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example-apache
13
+
14
+LDAP login setup as described in:
15
+https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication

+ 6
- 0
roles/jitsi/defaults/main.yml Wyświetl plik

@@ -4,3 +4,9 @@ jitsi_domain: "{{ jitsi_subdomain }}.{{ domain }}"
4 4
 jitsi_accounts:
5 5
   - name: "{{ main_user_name }}"
6 6
     password: "{{ lookup('password', secret + '/' + 'jitsi_main_user_password length=32') }}"
7
+
8
+jitsi_enable_ldap: false
9
+
10
+# TODO
11
+ldap_domain_string: "dc=shagohod,dc=de"
12
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"

+ 19
- 0
roles/jitsi/tasks/jitsi.yml Wyświetl plik

@@ -75,6 +75,20 @@
75 75
   tags:
76 76
     - dependencies
77 77
 
78
+- name: Install Jitsi LDAP dependencies
79
+  apt:
80
+    name: "{{ packages }}"
81
+    state: present
82
+    update_cache: yes
83
+  vars:
84
+    packages:
85
+    - prosody-modules
86
+    - lua-ldap
87
+  tags:
88
+    - dependencies
89
+  when: jitsi_enable_ldap
90
+  notify: restart jitsi
91
+
78 92
 - name: Create the Jitsi Prosody Config
79 93
   template:
80 94
     src=etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2
@@ -99,6 +113,10 @@
99 113
     group=root
100 114
   notify: restart jitsi
101 115
 
116
+- name: Enable Apache include module
117
+  command: a2enmod include creates=/etc/apache2/mods-enabled/include.load
118
+  notify: restart apache
119
+
102 120
 - name: Create the Apache Jitsi sites config files
103 121
   template:
104 122
     src=etc_apache2_sites-available_jitsi.j2
@@ -117,3 +135,4 @@
117 135
   command: prosodyctl register {{ item.name }} {{ jitsi_domain }} {{ item.password }}
118 136
   with_items: "{{ jitsi_accounts }}"
119 137
   ignore_errors: True
138
+  when: not jitsi_enable_ldap

+ 24
- 0
roles/jitsi/templates/etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2 Wyświetl plik

@@ -20,10 +20,34 @@ ssl = {
20 20
     ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
21 21
 }
22 22
 
23
+{% if jitsi_enable_ldap == true %}
24
+-- https://modules.prosody.im/mod_lib_ldap.html
25
+-- https://modules.prosody.im/mod_auth_ldap2.html
26
+authentication = 'ldap2'
27
+
28
+ldap = {
29
+    hostname = 'localhost',
30
+    bind_dn = 'cn=admin,{{ ldap_domain_string }}',
31
+    bind_password = '{{ slapd_admin_password }}',
32
+    use_tls = false,
33
+    user = {
34
+        usernamefield = 'uid',
35
+        basedn = 'ou=people,{{ ldap_domain_string }}',
36
+        filter = '(objectClass=*)',
37
+        -- admin?
38
+        --namefield = 'cn',
39
+    },
40
+}
41
+{% endif %}
42
+
23 43
 VirtualHost "{{ jitsi_domain }}"
24 44
     -- enabled = false -- Remove this line to enable this host
25 45
     -- authentication = "anonymous"
46
+{% if jitsi_enable_ldap == true %}
47
+    authentication = "ldap2"
48
+{% else %}
26 49
     authentication = "internal_hashed"
50
+{% endif %}
27 51
     -- Properties below are modified by jitsi-meet-tokens package config
28 52
     -- and authentication above is switched to "token"
29 53
     --app_id="example_app_id"

+ 6
- 0
roles/kanboard/defaults/main.yml Wyświetl plik

@@ -4,6 +4,8 @@ kanboard_domain: "{{ kanboard_subdomain }}.{{ domain }}"
4 4
 kanboard_version: "1.2.20"
5 5
 kanboard_release: "https://github.com/kanboard/kanboard/archive/refs/tags/v{{ kanboard_version }}.tar.gz"
6 6
 
7
+kanboard_enable_ldap: false
8
+
7 9
 kanboard_db_username: kanboarduser
8 10
 kanboard_db_password: "{{ lookup('password', secret + '/' + 'kanboard_db_password length=32') }}"
9 11
 kanboard_db_database: kanboard
@@ -11,3 +13,7 @@ kanboard_db_database: kanboard
11 13
 # must match values in roles/common
12 14
 db_admin_username: 'postgres'
13 15
 db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
16
+
17
+# TODO
18
+ldap_domain_string: "dc=shagohod,dc=de"
19
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"

+ 33
- 0
roles/kanboard/templates/var_www_kanboard_config.j2 Wyświetl plik

@@ -99,6 +99,37 @@ define('DB_VERIFY_SERVER_CERT', null);
99 99
 // Timeout value for PDO attribute
100 100
 define('DB_TIMEOUT', null);
101 101
 
102
+{% if kanboard_enable_ldap == true %}
103
+
104
+define('LDAP_AUTH', true);
105
+define('LDAP_SERVER', 'ldap://localhost:389');
106
+define('LDAP_SSL_VERIFY', true);
107
+define('LDAP_START_TLS', false);
108
+define('LDAP_USERNAME_CASE_SENSITIVE', false);
109
+define('LDAP_BIND_TYPE', 'proxy');
110
+define('LDAP_USERNAME', 'uid=admin,ou=people,{{ ldap_domain_string }}');
111
+define('LDAP_PASSWORD', '{{ slapd_admin_password }}');
112
+define('LDAP_USER_BASE_DN', 'ou=people,{{ ldap_domain_string }}');
113
+define('LDAP_USER_FILTER', 'uid=%s');
114
+define('LDAP_USER_ATTRIBUTE_USERNAME', 'uid');
115
+define('LDAP_USER_ATTRIBUTE_FULLNAME', 'cn');
116
+define('LDAP_USER_ATTRIBUTE_EMAIL', 'mail');
117
+define('LDAP_USER_ATTRIBUTE_GROUPS', 'memberof');
118
+define('LDAP_USER_ATTRIBUTE_PHOTO', '');
119
+define('LDAP_USER_ATTRIBUTE_LANGUAGE', '');
120
+define('LDAP_USER_CREATION', true);
121
+define('LDAP_USER_DEFAULT_ROLE_MANAGER', false);
122
+define('LDAP_GROUP_ADMIN_DN', '');
123
+define('LDAP_GROUP_MANAGER_DN', '');
124
+define('LDAP_GROUP_PROVIDER', false);
125
+define('LDAP_GROUP_BASE_DN', '');
126
+define('LDAP_GROUP_FILTER', '');
127
+define('LDAP_GROUP_USER_FILTER', '');
128
+define('LDAP_GROUP_USER_ATTRIBUTE', 'username');
129
+define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
130
+
131
+{% else %}
132
+
102 133
 // Enable LDAP authentication (false by default)
103 134
 define('LDAP_AUTH', false);
104 135
 
@@ -195,6 +226,8 @@ define('LDAP_GROUP_USER_ATTRIBUTE', 'username');
195 226
 // LDAP attribute for the group name
196 227
 define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
197 228
 
229
+{% endif %}
230
+
198 231
 // Enable/disable the reverse proxy authentication
199 232
 define('REVERSE_PROXY_AUTH', false);
200 233
 

+ 12
- 8
roles/ldap/DESIGN.md Wyświetl plik

@@ -15,10 +15,14 @@
15 15
 
16 16
 - You can now login as the admin user you created.
17 17
 
18
-To setup eg. Nextcloud LDAP login, give it the following credentials:
19
-Username: uid=admin,ou=people,dc=DOMAIN,dc=TLD
20
-Password: {{ slapd_admin_password }}
21
-Base DN: dc=DOMAIN,dc=TLD
18
+To setup Nextcloud LDAP login, give it the following credentials:
19
+
20
+    Username: uid=admin,ou=people,dc=DOMAIN,dc=TLD
21
+    Password: {{ slapd_admin_password }}
22
+    Base DN: dc=DOMAIN,dc=TLD
23
+
24
+Dokuwiki, Jitsi and Kanboard can be configured to use LDAP automatically.
25
+See their defaults.
22 26
 
23 27
 ## ToDo
24 28
 
@@ -29,7 +33,7 @@ These two steps are currently missing for full automation of the FusionDirectory
29 33
 Add required object classes to the LDAP base
30 34
 Current
31 35
 
32
-dn: dc=shagohod,dc=de
36
+dn: dc=DOMAIN,dc=TLD
33 37
 objectClass: top
34 38
 objectClass: dcObject
35 39
 objectClass: organization
@@ -37,13 +41,13 @@ objectClass: organization
37 41
 
38 42
 After migration
39 43
 
40
-dn: dc=shagohod,dc=de
44
+dn: dc=DOMAIN,dc=TLD
41 45
 objectClass: top
42 46
 objectClass: dcObject
43 47
 objectClass: organization
44 48
 xxx  objectClass: gosaDepartment
45
-xxx  ou: shagohod
46
-xxx  description: shagohod
49
+xxx  ou: DOMAIN
50
+xxx  description: DOMAIN
47 51
 
48 52
 -----
49 53
 

Ładowanie…
Anuluj
Zapisz