ldap for dokuwiki, jitsi, kanboard.

README.md

@@ -1,30 +1,52 @@
 # Sovereign
 
 Forked from [Sovereign on GitHub](https://github.com/sovereign/sovereign).
+This is a set of ansible roles to setup your own little private Cloud on a VPS.
+
+I removed a bunch of roles from the upstream version, added new ones, and made it compatible with more recent versions of Debian.
+Ubuntu is no longer supported, simply because I just use Debian.
+
+I also added the ability for full-fledged user-management using OpenLDAP and FusionDirectory.
+This is optional, however.
+You can also use statically configured credentials, which is enough for single-user setups.
+
+| Program       | Domain     | Status | Debian 9 | Debian 10 | Debian 11 | LDAP Auth |
+| ------------- | ---------- | ------ | -------- | --------- | --------- | --------- |
+| Website       | www        | ✔️      | ✔️        | ✔️         | ✔️         | N/A       |
+| Lets Encrypt  | -          | ✔️      | ✔️        | ✔️         | ✔️         | N/A       |
+| Webmail       | mail       | ✔️      | ✔️        | ✔️         | ✔️         | ❓        |
+| E-Mail Config | autoconfig | ✔️      | ✔️        | ✔️         | ✔️         | N/A       |
+| monit         | status     | ✔️      | ✔️        | ✔️         | ✔️         | ❌        |
+| OpenVPN       | -          | ✔️      | ✔️        | ❓        | ❓        | ❓        |
+| Fathom        | stats      | ✔️      | ✔️        | ✔️         | ✔️         | ❌        |
+| commento      | comments   | ✔️      | ✔️        | ✔️         | ✔️         | ❓        |
+| ZNC           | -          | ✔️      | ✔️        | ❓        | ❓        | ❓        |
+| gitea         | git        | ✔️      | ✔️        | ✔️         | ✔️         | ❓        |
+| dokuwiki      | wiki       | ✔️      | ❓       | ✔️         | ✔️         | ✔️         |
+| kanboard      | kanboard   | ✔️      | ❓       | ✔️         | ✔️         | ✔️         |
+| jitsi         | jitsi      | ✔️      | ❓       | ✔️         | ✔️         | ✔️         |
+| rocket.chat   | chat       | ❓     | ❓       | ✔️         | ❓        | ❓        |
+| NextCloud     | cloud      | ✔️      | ✔️        | (❓)      | ✔️         | ✔️         |
+| LimeSurvey    | survey     | ✔️      | (❓)     | ✔️         | ✔️         | ❓        |
+| matrix / riot | matrix     | ❌     | ✔️        | ❓        | ❓        | ❓        |
+| mastodon      | social     | ❌     | ✔️        | ❓        | ❓        | ❓        |
+| LDAP          | users      | ❓     | ❓       | ❓        | ✔️         | ✔️         |
+| Self-Signed   | -          | ✔️      | ❓       | ✔️         | ❓        | N/A       |
+| grafana       | iot        | ✔️      | ❓       | ✔️         | ❓        | ❓        |
+| Selfoss       | news       | ❌     | ✔️        | ❓        | ❓        | ❓        |
+
+You don't have to setup all roles, simply select the subset you require.
+Please take a look inside the respective folders of the roles, they often contain a `DESIGN.md` file explaining the intricacies of the specific software or its configuration.
 
 # Usage
 
-## What You’ll Need
-
-1.  A VPS (or bare-metal server if you wanna ball hard). My VPS is hosted at [Linode](http://www.linode.com/?r=45405878277aa04ee1f1d21394285da6b43f963b). You’ll probably want at least 512 MB of RAM between Apache, Solr, and PostgreSQL. Mine has 1024.
-2.  [64-bit Debian 9 or 10](http://www.debian.org/). (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible’s different [packaging](http://docs.ansible.com/ansible/list_of_packaging_modules.html) modules.)
-
-You do not need to acquire an SSL certificate.  The SSL certificates you need will be obtained from [Let's Encrypt](https://letsencrypt.org/) automatically when you deploy your server.
-
 ## Installation
 
 ### On the remote server
 
-The following steps are done on the remote server by `ssh`ing into it and running these commands.
-
-#### Install required packages
+Install dependencies and change the root password:
 
     apt-get install sudo python
-
-#### Prep the server
-
-For goodness sake, change the root password:
-
     passwd
 
 Create a user account for Ansible to do its thing through:
@@ -56,8 +78,6 @@ Or you can just add your `deploy` user to the sudo group.
 
 ### On your local machine
 
-Ansible (the tool setting up your server) runs locally on your computer and sends commands to the remote server.
-
 #### Software
 
 Download this repository somewhere on your machine, either through `Clone or Download > Download ZIP` above, `wget`, or `git` as below.
@@ -83,39 +103,17 @@ In that case you also need to add your custom port to the task `Set firewall rul
 
 #### Set up DNS
 
-If you’ve just bought a new domain name, point it at [Linode’s DNS Manager](https://library.linode.com/dns-manager) or similar.
-Most VPS services (and even some domain registrars) offer a managed DNS service that you can use for this at no charge.
-If you’re using an existing domain that’s already managed elsewhere, you can probably just modify a few records.
-
-Create `A` and `AAAA` or `CNAME` records which point to your server's IP address:
-
-* `example.com`
-* `mail.example.com`
-* `www.example.com` (for Web hosting)
-* `autoconfig.example.com` (for email client automatic configuration)
-* `stats.example.com` (for web stats)
-* `news.example.com` (for Selfoss)
-* `cloud.example.com` (for NextCloud)
-* `git.example.com` (for gitea)
-* `status.example.com` (for monit)
-* `matrix.example.com` (for riot)
-* `social.example.com` (for mastodon)
-* `comments.example.com` (for commento)
-* `iot.example.com` (for grafana)
-* `wiki.example.com` (for dokuwiki)
-* `jitsi.example.com` (for jitsi)
-* `kanboard.example.com` (for kanboard)
+Create `A` and `AAAA` or `CNAME` records which point to your server's IP address for the subdomains used with the programs you selected.
 
 #### Run the Ansible Playbooks
 
-First, make sure you’ve [got Ansible installed](http://docs.ansible.com/intro_installation.html#getting-ansible).
-This should already be done by running the pip requirements.txt from above.
-
-To run the whole dang thing:
+To run the whole thing:
 
-    ansible-playbook -i ./hosts --ask-sudo-pass site.yml
+    ansible-playbook -i ./hosts --ask-sudo-pass --key-file KEY site.yml
     
 If you chose to make a passwordless sudo deploy user, you can omit the `--ask-sudo-pass` argument.
+If you don't need to specify an ssh key to connect to the host, leave out `--key-file KEY` part, otherwise replace `KEY` with the path to the key you want to use.
+Append eg. `-l testing` to only run for the hosts in the testing group.
 
 #### Finish DNS set-up
 
@@ -158,3 +156,9 @@ To re-new the LetsEncrypt certificates, for example after adding a new role that
     sudo certbot delete -c /etc/letsencrypt/cli.conf --cert-name DOMAIN
 
 Then re-run the whole sovereign playbook, or at least the letsencrypt part of it.
+
+To access your Postgres database, use:
+
+    sudo -u postgres psql
+
+Then use commands like `\l`, `\c database`, `\dt` or SQL statements.

roles/dokuwiki/defaults/main.yml

@@ -5,6 +5,12 @@ dokuwiki_domain: "{{ dokuwiki_subdomain }}.{{ domain }}"
 dokuwiki_version: "stable_2020-07-29"
 dokuwiki_release: "https://github.com/splitbrain/dokuwiki/archive/refs/tags/release_{{ dokuwiki_version }}.tar.gz"
 
+dokuwiki_enable_ldap: false
+
 dokuwiki_admin_username: "{{ main_user_name }}"
 dokuwiki_admin_email: "{{ admin_email }}"
 dokuwiki_admin_password: "{{ lookup('password', secret + '/' + 'dokuwiki_admin_password length=32') }}"
+
+# TODO
+ldap_domain_string: "dc=shagohod,dc=de"
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"

roles/dokuwiki/tasks/dokuwiki.yml

@@ -75,7 +75,7 @@
     owner=www-data
     group=www-data
     mode=0644
-    force=no
+#    force=no
 
 - name: Add initial DokuWiki admin user
   template:

roles/dokuwiki/templates/var_www_dokuwiki_conf_local.j2

@@ -23,3 +23,16 @@ $conf['disableactions'] = 'register';
 
 $conf['userewrite'] = 1;
 $conf['useslash'] = 1;
+
+{% if dokuwiki_enable_ldap == true %}
+
+$conf['authtype'] = 'authldap';
+
+$conf['plugin']['authldap']['server']   = 'localhost';
+$conf['plugin']['authldap']['port']     = 389;
+$conf['plugin']['authldap']['version']  = 3;
+$conf['plugin']['authldap']['binddn']   = 'uid=admin,ou=people,{{ ldap_domain_string }}';
+$conf['plugin']['authldap']['bindpw']   = '{{ slapd_admin_password }}';
+$conf['plugin']['authldap']['usertree'] = 'uid=%{user},ou=people,{{ ldap_domain_string }}';
+
+{% endif %}

roles/jitsi/DESIGN.md

@@ -10,3 +10,6 @@ https://jitsi.github.io/handbook/docs/devops-guide/secure-domain
 
 This was used for the Apache config:
 https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example-apache
+
+LDAP login setup as described in:
+https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication

roles/jitsi/defaults/main.yml

@@ -4,3 +4,9 @@ jitsi_domain: "{{ jitsi_subdomain }}.{{ domain }}"
 jitsi_accounts:
   - name: "{{ main_user_name }}"
     password: "{{ lookup('password', secret + '/' + 'jitsi_main_user_password length=32') }}"
+
+jitsi_enable_ldap: false
+
+# TODO
+ldap_domain_string: "dc=shagohod,dc=de"
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"

roles/jitsi/tasks/jitsi.yml

@@ -75,6 +75,20 @@
   tags:
     - dependencies
 
+- name: Install Jitsi LDAP dependencies
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - prosody-modules
+    - lua-ldap
+  tags:
+    - dependencies
+  when: jitsi_enable_ldap
+  notify: restart jitsi
+
 - name: Create the Jitsi Prosody Config
   template:
     src=etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2
@@ -99,6 +113,10 @@
     group=root
   notify: restart jitsi
 
+- name: Enable Apache include module
+  command: a2enmod include creates=/etc/apache2/mods-enabled/include.load
+  notify: restart apache
+
 - name: Create the Apache Jitsi sites config files
   template:
     src=etc_apache2_sites-available_jitsi.j2
@@ -117,3 +135,4 @@
   command: prosodyctl register {{ item.name }} {{ jitsi_domain }} {{ item.password }}
   with_items: "{{ jitsi_accounts }}"
   ignore_errors: True
+  when: not jitsi_enable_ldap

roles/jitsi/templates/etc_prosody_conf.avail_jitsi_domain.cfg.lua.j2

@@ -20,10 +20,34 @@ ssl = {
     ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 }
 
+{% if jitsi_enable_ldap == true %}
+-- https://modules.prosody.im/mod_lib_ldap.html
+-- https://modules.prosody.im/mod_auth_ldap2.html
+authentication = 'ldap2'
+
+ldap = {
+    hostname = 'localhost',
+    bind_dn = 'cn=admin,{{ ldap_domain_string }}',
+    bind_password = '{{ slapd_admin_password }}',
+    use_tls = false,
+    user = {
+        usernamefield = 'uid',
+        basedn = 'ou=people,{{ ldap_domain_string }}',
+        filter = '(objectClass=*)',
+        -- admin?
+        --namefield = 'cn',
+    },
+}
+{% endif %}
+
 VirtualHost "{{ jitsi_domain }}"
     -- enabled = false -- Remove this line to enable this host
     -- authentication = "anonymous"
+{% if jitsi_enable_ldap == true %}
+    authentication = "ldap2"
+{% else %}
     authentication = "internal_hashed"
+{% endif %}
     -- Properties below are modified by jitsi-meet-tokens package config
     -- and authentication above is switched to "token"
     --app_id="example_app_id"

roles/kanboard/defaults/main.yml

@@ -4,6 +4,8 @@ kanboard_domain: "{{ kanboard_subdomain }}.{{ domain }}"
 kanboard_version: "1.2.20"
 kanboard_release: "https://github.com/kanboard/kanboard/archive/refs/tags/v{{ kanboard_version }}.tar.gz"
 
+kanboard_enable_ldap: false
+
 kanboard_db_username: kanboarduser
 kanboard_db_password: "{{ lookup('password', secret + '/' + 'kanboard_db_password length=32') }}"
 kanboard_db_database: kanboard
@@ -11,3 +13,7 @@ kanboard_db_database: kanboard
 # must match values in roles/common
 db_admin_username: 'postgres'
 db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
+
+# TODO
+ldap_domain_string: "dc=shagohod,dc=de"
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"

roles/kanboard/templates/var_www_kanboard_config.j2

@@ -99,6 +99,37 @@ define('DB_VERIFY_SERVER_CERT', null);
 // Timeout value for PDO attribute
 define('DB_TIMEOUT', null);
 
+{% if kanboard_enable_ldap == true %}
+
+define('LDAP_AUTH', true);
+define('LDAP_SERVER', 'ldap://localhost:389');
+define('LDAP_SSL_VERIFY', true);
+define('LDAP_START_TLS', false);
+define('LDAP_USERNAME_CASE_SENSITIVE', false);
+define('LDAP_BIND_TYPE', 'proxy');
+define('LDAP_USERNAME', 'uid=admin,ou=people,{{ ldap_domain_string }}');
+define('LDAP_PASSWORD', '{{ slapd_admin_password }}');
+define('LDAP_USER_BASE_DN', 'ou=people,{{ ldap_domain_string }}');
+define('LDAP_USER_FILTER', 'uid=%s');
+define('LDAP_USER_ATTRIBUTE_USERNAME', 'uid');
+define('LDAP_USER_ATTRIBUTE_FULLNAME', 'cn');
+define('LDAP_USER_ATTRIBUTE_EMAIL', 'mail');
+define('LDAP_USER_ATTRIBUTE_GROUPS', 'memberof');
+define('LDAP_USER_ATTRIBUTE_PHOTO', '');
+define('LDAP_USER_ATTRIBUTE_LANGUAGE', '');
+define('LDAP_USER_CREATION', true);
+define('LDAP_USER_DEFAULT_ROLE_MANAGER', false);
+define('LDAP_GROUP_ADMIN_DN', '');
+define('LDAP_GROUP_MANAGER_DN', '');
+define('LDAP_GROUP_PROVIDER', false);
+define('LDAP_GROUP_BASE_DN', '');
+define('LDAP_GROUP_FILTER', '');
+define('LDAP_GROUP_USER_FILTER', '');
+define('LDAP_GROUP_USER_ATTRIBUTE', 'username');
+define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
+
+{% else %}
+
 // Enable LDAP authentication (false by default)
 define('LDAP_AUTH', false);
 
@@ -195,6 +226,8 @@ define('LDAP_GROUP_USER_ATTRIBUTE', 'username');
 // LDAP attribute for the group name
 define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
 
+{% endif %}
+
 // Enable/disable the reverse proxy authentication
 define('REVERSE_PROXY_AUTH', false);
 

roles/ldap/DESIGN.md

@@ -15,10 +15,14 @@
 
 - You can now login as the admin user you created.
 
-To setup eg. Nextcloud LDAP login, give it the following credentials:
-Username: uid=admin,ou=people,dc=DOMAIN,dc=TLD
-Password: {{ slapd_admin_password }}
-Base DN: dc=DOMAIN,dc=TLD
+To setup Nextcloud LDAP login, give it the following credentials:
+
+    Username: uid=admin,ou=people,dc=DOMAIN,dc=TLD
+    Password: {{ slapd_admin_password }}
+    Base DN: dc=DOMAIN,dc=TLD
+
+Dokuwiki, Jitsi and Kanboard can be configured to use LDAP automatically.
+See their defaults.
 
 ## ToDo
 
@@ -29,7 +33,7 @@ These two steps are currently missing for full automation of the FusionDirectory
 Add required object classes to the LDAP base
 Current
 
-dn: dc=shagohod,dc=de
+dn: dc=DOMAIN,dc=TLD
 objectClass: top
 objectClass: dcObject
 objectClass: organization
@@ -37,13 +41,13 @@ objectClass: organization
 
 After migration
 
-dn: dc=shagohod,dc=de
+dn: dc=DOMAIN,dc=TLD
 objectClass: top
 objectClass: dcObject
 objectClass: organization
 xxx  objectClass: gosaDepartment
-xxx  ou: shagohod
-xxx  description: shagohod
+xxx  ou: DOMAIN
+xxx  description: DOMAIN
 
 -----