Merge branch 'bottin2_upgrade' of Deuxfleurs/deuxfleurs.fr into master
9e5839765a
10 changed files with 83 additions and 36 deletions
@ -378,7 +378,7 @@ password_providers:
- module: "ldap_auth_provider.LdapAuthProvider"
config:
enabled: true
uri: "ldap://bottin.service.2.cluster.deuxfleurs.fr:389"
uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"
start_tls: false
bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}'
bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}'
@ -9,6 +9,7 @@
"cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
"*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*",
"ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
"ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:"
"ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*"
]
}
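Review bot: The rule added last in the list grants every entry matching `*,ou=services,ou=users,dc=deuxfleurs,dc=fr` the bind right over the target `*,ou=users,dc=deuxfleurs,dc=fr`; if that wildcard matches recursively, the target also covers the service accounts themselves, so one service credential would be enough to bind as any other service, which may be broader than the mail servers need — confirm that is intended, or narrow the target to the user entries the services actually authenticate. The line above it only gains a trailing comma and is unchanged in effect. The field layout of these rules (subject::rights:target:…) is not explained anywhere visible, and JSON allows no comments, so a short README entry stating what each ACL entry is for (which service binds, against which subtree) would make the next upgrade safer to review.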
@ -1,6 +1,6 @@
hosts = bottin.service.2.cluster.deuxfleurs.fr
dn = cn=<username>,dc=deuxfleurs,dc=fr
dnpass = <password>
hosts = bottin2.service.2.cluster.deuxfleurs.fr
dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }}
dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }}
base = dc=deuxfleurs,dc=fr
scope = subtree
user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
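Review bot: The consul key naming for the bind password is inconsistent across the services touched by this commit: this template and the postfix templates read `…/ldap_bindpwd`, while the synapse config reads `secrets/chat/synapse/ldap_bindpw`. The keys are looked up by exact path, so a spelling mismatch between what is written to consul and what a template expects is an easy way to end up with a template that never renders or a bind that fails; picking one spelling (`ldap_bindpw` or `ldap_bindpwd`) for all services avoids that. With the placeholders gone, `dnpass` is now a real secret in the rendered file, so the Nomad template that writes it should restrict its permissions (the dovecot stanza in email.hcl does set `perms = "400"`; worth stating that dependency in a comment here, e.g. `# rendered by the email job into secrets/conf/dovecot-ldap.conf with perms 400`).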
@ -1,12 +0,0 @@
bind = yes
bind_dn = cn=<user>,dc=deuxfleurs,dc=fr
bind_pw = <secret>
version = 3
timeout = 20
start_tls = no
tls_require_cert = no
server_host = ldap://bottin.service.2.cluster.deuxfleurs.fr
scope = sub
search_base = ou=users,dc=deuxfleurs,dc=fr
query_filter = mail=%s
result_attribute = mail
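--- a/consul/configuration/email/postfix/ldap-account.cf.tpl
+++ b/consul/configuration/email/postfix/ldap-account.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
+scope = sub
+search_base = ou=users,dc=deuxfleurs,dc=fr
+query_filter = mail=%s
+result_attribute = mail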
@ -1,9 +1,9 @@
server_host = bottin.service.2.cluster.deuxfleurs.fr
server_host = bottin2.service.2.cluster.deuxfleurs.fr
server_port = 389
search_base = dc=deuxfleurs,dc=fr
query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
result_attribute = mail
bind = yes
bind_dn = cn=<someone>,dc=deuxfleurs,dc=fr
bind_pw = <password>
bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
version = 3
@ -60,7 +60,7 @@
bindFields = (cn, mail);
canAuthenticate = YES;
displayName = "Bottin";
hostname = "ldap://bottin.service.2.cluster.deuxfleurs.fr:389";
hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389";
id = bottin;
isAddressBook = NO;
}
@ -29,3 +29,30 @@ chown -R 102:102 /mnt/storage/postgres/
It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command.
Moreover it would enable the usage of the user namespace that shift the UIDs.
## Upgrading the cluster
To retreive the current stolon config:
```
stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500
```
The important part for the LDAP:
```
{
"pgHBA": [
"host all postgres all md5",
"host replication replicator all md5",
"host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"<REDACTED>\" ldapsearchattribute=\"cn\""
]
}
```
Once a patch is writen:
```
stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json
```
@ -12,7 +12,7 @@ job "directory2" {
task "bottin" {
driver = "docker"
config {
image = "lxpz/bottin_amd64:8"
image = "lxpz/bottin_amd64:10"
readonly_rootfs = true
port_map {
ldap_port = 1389
@ -61,7 +61,7 @@ job "directory2" {
task "guichet" {
driver = "docker"
config {
image = "lxpz/guichet_amd64:2"
image = "lxpz/guichet_amd64:3"
readonly_rootfs = true
port_map {
web_port = 9991
@ -131,6 +131,17 @@ job "email" {
}
}
artifact {
source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw"
destination = "secrets/conf/dovecot-ldap.conf.tpl"
mode = "file"
}
template {
source = "secrets/conf/dovecot-ldap.conf.tpl"
destination = "secrets/conf/dovecot-ldap.conf"
perms = "400"
}
template {
data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}"
destination = "secrets/ssl/certs/dovecot.crt"
@ -141,11 +152,6 @@ job "email" {
destination = "secrets/ssl/private/dovecot.key"
perms = "400"
}
template {
data = "{{ key \"configuration/email/dovecot/dovecot-ldap.conf\" }}"
destination = "secrets/conf/dovecot-ldap.conf"
perms = "400"
}
}
}
@ -328,6 +334,27 @@ job "email" {
}
}
artifact {
source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw"
destination = "secrets/postfix/ldap-account.cf.tpl"
mode = "file"
}
template {
source = "secrets/postfix/ldap-account.cf.tpl"
destination = "secrets/postfix/ldap-account.cf"
}
artifact {
source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw"
destination = "secrets/postfix/ldap-alias.cf.tpl"
mode = "file"
}
template {
source = "secrets/postfix/ldap-alias.cf.tpl"
destination = "secrets/postfix/ldap-alias.cf"
}
template {
data = "{{ key \"configuration/email/postfix/postfix.crt\" }}"
destination = "secrets/ssl/certs/postfix.crt"
@ -346,14 +373,6 @@ job "email" {
data = "{{ key \"configuration/email/postfix/header_checks\" }}"
destination = "secrets/postfix/header_checks"
}
template {
data = "{{ key \"configuration/email/postfix/ldap-account.cf\" }}"
destination = "secrets/postfix/ldap-account.cf"
}
template {
data = "{{ key \"configuration/email/postfix/ldap-alias.cf\" }}"
destination = "secrets/postfix/ldap-alias.cf"
}
template {
data = "{{ key \"configuration/email/postfix/main.cf\" }}"
destination = "secrets/postfix/main.cf"
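Review bot: The two new postfix `template` stanzas in the `@@ -328,6 +334,27 @@` hunk — the ones rendering `secrets/postfix/ldap-account.cf` and `secrets/postfix/ldap-alias.cf` — set no `perms`, whereas the dovecot stanza added in the `@@ -131,6 +131,17 @@` hunk of the same file sets `perms = "400"` for `secrets/conf/dovecot-ldap.conf`. All three rendered files now contain the real LDAP bind password pulled from consul, so the postfix stanzas should get the same `perms = "400"` line, provided postfix reads them under the uid the task runs as (to be confirmed against the image). The inline templates this commit removes did not set perms either, so this is a carried-over gap rather than a regression, but the switch from placeholders to real secrets is the point at which it starts to matter. The enclosing `job "email"` block starts and ends outside the visible hunks.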