From 22c1b0d46932f77565b4ec6944e32532c96652a5 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 15 Oct 2018 18:25:30 +0200
Subject: [PATCH] bk-dss: new role to be deployed on LDAP host
---
group_vars/all/vars.yml | 2 ++
roles/bk-dss/defaults/main.yml | 3 ++
roles/bk-dss/handlers/main.yml | 10 +++++++
roles/bk-dss/meta/main.yml | 5 ++++
roles/bk-dss/tasks/main.yml | 43 ++++++++++++++++++++++++++++
roles/bk-dss/templates/certs.j2 | 15 ++++++++++
roles/bk-dss/templates/config.cfg.j2 | 34 ++++++++++++++++++++++
roles/bk-dss/templates/uwsgi.ini.j2 | 10 +++++++
roles/bk-dss/templates/vhost.j2 | 34 ++++++++++++++++++++++
site.yml | 1 +
10 files changed, 157 insertions(+)
create mode 100644 roles/bk-dss/defaults/main.yml
create mode 100644 roles/bk-dss/handlers/main.yml
create mode 100644 roles/bk-dss/meta/main.yml
create mode 100644 roles/bk-dss/tasks/main.yml
create mode 100644 roles/bk-dss/templates/certs.j2
create mode 100644 roles/bk-dss/templates/config.cfg.j2
create mode 100644 roles/bk-dss/templates/uwsgi.ini.j2
create mode 100644 roles/bk-dss/templates/vhost.j2
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index ec36a22..4f50fbc 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -2,6 +2,8 @@ certmgr_mode: webserver
+dss_domain: dss.binary-kitchen.de
+
 gogs_domain: git.binary-kitchen.de
 gogs_dbname: gogs
 gogs_dbuser: gogs
diff --git a/roles/bk-dss/defaults/main.yml b/roles/bk-dss/defaults/main.yml
new file mode 100644
index 0000000..1e4b52a
--- /dev/null
+++ b/roles/bk-dss/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+dss_uwsgi_port: 5001
diff --git a/roles/bk-dss/handlers/main.yml b/roles/bk-dss/handlers/main.yml
new file mode 100644
index 0000000..61307b4
--- /dev/null
+++ b/roles/bk-dss/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Run certmgr
+ command: /opt/acertmgr/acertmgr.py
+
+- name: Restart nginx
+ service: name=nginx state=restarted
+
+- name: Restart uwsgi
+ service: name=uwsgi state=restarted
diff --git a/roles/bk-dss/meta/main.yml b/roles/bk-dss/meta/main.yml
new file mode 100644
index 0000000..8d2c010
--- /dev/null
+++ b/roles/bk-dss/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: certmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/bk-dss/tasks/main.yml b/roles/bk-dss/tasks/main.yml
new file mode 100644
index 0000000..a7de556
--- /dev/null
+++ b/roles/bk-dss/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+
+- name: Install dependencies
+ apt: name={{ item }}
+ with_items:
+ - git
+ - python3-flask
+ - python3-flaskext.wtf
+ - python3-passlib
+ - python3-pyldap
+ - python3-redis
+ - redis-server
+ - uwsgi
+ - uwsgi-plugin-python3
+
+- name: Install bk-dss
+ git: repo=https://git.binary-kitchen.de/moepman/bk-dss.git dest=/opt/bk-dss depth=1 version=187bfe4f42f28f45e745ca4b1f8325d8622cec16
+
+- name: Configure bk-dss
+ template: src=config.cfg.j2 dest=/opt/bk-dss/config.cfg
+
+- name: Configure uwsgi
+ template: src=uwsgi.ini.j2 dest=/etc/uwsgi/apps-available/dss.ini
+
+- name: Enable uwsgi
+ file: src=/etc/uwsgi/apps-available/dss.ini dest=/etc/uwsgi/apps-enabled/dss.ini state=link
+ notify: Restart uwsgi
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/dss.binary-kitchen.de.key -out /etc/nginx/ssl/dss.binary-kitchen.de.crt -days 730 -subj "/CN=dss.binary-kitchen.de" creates=/etc/nginx/ssl/dss.binary-kitchen.de.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager
+ template: src=certs.j2 dest=/etc/acme/domains.d/{{ dss_domain }}.conf
+ notify: Run certmgr
+
+- name: Configure vhosts
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/dss
+ notify: Restart nginx
+
+- name: Enable vhosts
+ file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
+ notify: Restart nginx
diff --git a/roles/bk-dss/templates/certs.j2 b/roles/bk-dss/templates/certs.j2
new file mode 100644
index 0000000..96715dc
--- /dev/null
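Review bot: The "Ensure certificates are available" task hard-codes `dss.binary-kitchen.de` in its `-keyout`, `-out`, `-subj` and `creates=` arguments, while the certs.j2 template in the same role writes the acertmgr-managed files to `/etc/nginx/ssl/{{ dss_domain }}.crt` and `.key`; the bootstrap certificate and the managed one only land on the same path as long as `dss_domain` keeps its current value, so the task should use the variable throughout, e.g. `-keyout /etc/nginx/ssl/{{ dss_domain }}.key -out /etc/nginx/ssl/{{ dss_domain }}.crt -subj "/CN={{ dss_domain }}" creates=/etc/nginx/ssl/{{ dss_domain }}.crt`. The same literal name is repeated in the `ssl_certificate_key`/`ssl_certificate` lines of the vhost.j2 hunk further down and should be templated there as well. Separately, the "Configure bk-dss" task renders `config.cfg`, which carries `SECRET_KEY` and the admin DNs, without an explicit owner or mode, so the file is presumably created world-readable from the default umask; `template: src=config.cfg.j2 dest=/opt/bk-dss/config.cfg owner=root group=www-data mode=0640` limits it to the `www-data` user that uwsgi.ini.j2 runs the app as.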
+++ b/roles/bk-dss/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ dss_domain }}:
+- path: /etc/nginx/ssl/{{ dss_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ dss_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/bk-dss/templates/config.cfg.j2 b/roles/bk-dss/templates/config.cfg.j2
new file mode 100644
index 0000000..d800f4e
--- /dev/null
+++ b/roles/bk-dss/templates/config.cfg.j2
@@ -0,0 +1,34 @@
+DEBUG = True
+SECRET_KEY = "CHANGE!ME"
+SESSION_TIMEOUT = 3600
+
+LDAP_CA = "/etc/ldap/ssl/BKCA.crt"
+LDAP_URI = "ldaps://{{ ldap_host }}"
+LDAP_BASE = "{{ ldap_base }}"
+
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+
+USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
+
+USER_ATTRS = {
+ 'objectClass' : ['top', 'inetOrgPerson', 'organizationalPerson', 'person', 'posixAccount', 'kitchenUser', 'radiusprofile', 'sambaSamAccount'],
+ 'cn' : '{user}',
+ 'gidNumber' : '20000',
+ 'givenName' : '{gn}',
+ 'homeDirectory' : '/home/{user}',
+ 'loginShell' : '/bin/bash',
+ 'mail' : '{user}@binary-kitchen.de',
+ 'radiusTunnelMediumType' : '802',
+ 'radiusTunnelPrivateGroupId' : '2303',
+ 'radiusTunnelType' : 'VLAN',
+ 'sambaSID' : 'S-1-0-0-{uid}',
+ 'sn' : '{sn}',
+ 'uid' : '{user}',
+ 'uidNumber' : '{uid}',
+ 'userPassword' : '{pass}'
+}
+
+GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
+
+REDIS_HOST = "127.0.0.1"
+REDIS_PASSWD = None
diff --git a/roles/bk-dss/templates/uwsgi.ini.j2 b/roles/bk-dss/templates/uwsgi.ini.j2
new file mode 100644
index 0000000..ed7440e
--- /dev/null
+++ b/roles/bk-dss/templates/uwsgi.ini.j2
@@ -0,0 +1,10 @@
+[uwsgi]
+socket = 127.0.0.1:{{ dss_uwsgi_port }}
+chdir = /opt/bk-dss
+plugin = python3
+wsgi-file = dss.py
+callable = app
+uid = www-data
+gid = www-data
+processess = 4
+threads = 2
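Review bot: `SECRET_KEY = "CHANGE!ME"` is rendered verbatim by the template, so every host provisioned from this role signs its Flask session cookies with the same key that is committed to this repository; the value should come from a vaulted variable instead, e.g. `SECRET_KEY = "{{ dss_secret_key }}"` with `dss_secret_key` defined in group_vars, so that a missing secret fails the template render rather than shipping the placeholder. `DEBUG = True` is likewise written into the deployed config; how much it exposes under uWSGI depends on how dss.py consumes it, which is outside this patch, but a production default of `DEBUG = False` (or a templated `{{ dss_debug | default(False) }}`) is the safer baseline. The other values are plain settings and LDAP templates, and `REDIS_PASSWD = None` is consistent with the loopback-only `REDIS_HOST`.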
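Review bot: `processess = 4` misspells the uWSGI `processes` option; uWSGI ignores unrecognised options unless `strict = true` is set, so the app would presumably start with a single worker while the config suggests four. Change the line to `processes = 4`, and consider adding `strict = true` to the `[uwsgi]` section so a future typo in this file fails at startup instead of being silently dropped.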
diff --git a/roles/bk-dss/templates/vhost.j2 b/roles/bk-dss/templates/vhost.j2
new file mode 100644
index 0000000..f797488
--- /dev/null
+++ b/roles/bk-dss/templates/vhost.j2
@@ -0,0 +1,34 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ dss_domain }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ dss_domain }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ dss_domain }};
+
+ ssl_certificate_key /etc/nginx/ssl/dss.binary-kitchen.de.key;
+ ssl_certificate /etc/nginx/ssl/dss.binary-kitchen.de.crt;
+
+ location / {
+ uwsgi_pass 127.0.0.1:{{ dss_uwsgi_port }};
+ include uwsgi_params;
+ }
+
+ location /static {
+ root /opt/bk-dss;
+ }
+}
diff --git a/site.yml b/site.yml
index 941fa2b..a9301b0 100644
--- a/site.yml
+++ b/site.yml
@@ -40,6 +40,7 @@ hosts: helium.binary-kitchen.net
 roles:
 - slapd
+ - bk-dss
 - name: Setup mail server
 hosts: lithium.binary-kitchen.net