From e3531ad1b7ccb4e2589b8b6e6547842bbbe323e0 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 11 Feb 2020 22:01:01 +0100 Subject: [PATCH 1/6] Add info about patching Stolon config to README --- man/init_stolon/README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/man/init_stolon/README.md b/man/init_stolon/README.md index fe3a912..618530a 100644 --- a/man/init_stolon/README.md +++ b/man/init_stolon/README.md @@ -29,3 +29,30 @@ chown -R 102:102 /mnt/storage/postgres/ It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command. Moreover it would enable the usage of the user namespace that shift the UIDs. + + +## Upgrading the cluster + +To retreive the current stolon config: + +``` +stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 +``` + +The important part for the LDAP: + +``` +{ + "pgHBA": [ + "host all postgres all md5", + "host replication replicator all md5", + "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" + ] +} +``` + +Once a patch is writen: + +``` +stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json +``` From 348fac27bcacd395ed1420be258ca99674208e87 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 11 Feb 2020 22:11:45 +0100 Subject: [PATCH 2/6] Switch Synapse to bottin2 --- consul/configuration/chat/synapse/homeserver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/consul/configuration/chat/synapse/homeserver.yaml b/consul/configuration/chat/synapse/homeserver.yaml index 9e0e97f..c54d4a0 100644 --- a/consul/configuration/chat/synapse/homeserver.yaml 
+++ b/consul/configuration/chat/synapse/homeserver.yaml @@ -378,7 +378,7 @@ password_providers: - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true - uri: "ldap://bottin.service.2.cluster.deuxfleurs.fr:389" + uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389" start_tls: false bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' From a552f67e9433a476c49db0b7166538f1d3d68f47 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 11 Feb 2020 22:24:42 +0100 Subject: [PATCH 3/6] WIP (not tested) switch Postfix to bottin2 and use separate secrets --- .../email/postfix/ldap-account.cf.sample | 12 -------- .../email/postfix/ldap-account.cf.tpl | 12 ++++++++ ...ldap-alias.cf.sample => ldap-alias.cf.tpl} | 6 ++-- nomad/email.hcl | 29 ++++++++++++++----- 4 files changed, 36 insertions(+), 23 deletions(-) delete mode 100644 consul/configuration/email/postfix/ldap-account.cf.sample create mode 100644 consul/configuration/email/postfix/ldap-account.cf.tpl rename consul/configuration/email/postfix/{ldap-alias.cf.sample => ldap-alias.cf.tpl} (52%) diff --git a/consul/configuration/email/postfix/ldap-account.cf.sample b/consul/configuration/email/postfix/ldap-account.cf.sample deleted file mode 100644 index 1b90252..0000000 --- a/consul/configuration/email/postfix/ldap-account.cf.sample +++ /dev/null @@ -1,12 +0,0 @@ -bind = yes -bind_dn = cn=,dc=deuxfleurs,dc=fr -bind_pw = -version = 3 -timeout = 20 -start_tls = no -tls_require_cert = no -server_host = ldap://bottin.service.2.cluster.deuxfleurs.fr -scope = sub -search_base = ou=users,dc=deuxfleurs,dc=fr -query_filter = mail=%s -result_attribute = mail diff --git a/consul/configuration/email/postfix/ldap-account.cf.tpl b/consul/configuration/email/postfix/ldap-account.cf.tpl new file mode 100644 index 0000000..2575f10 --- /dev/null +++ b/consul/configuration/email/postfix/ldap-account.cf.tpl 
@@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=users,dc=deuxfleurs,dc=fr +query_filter = mail=%s +result_attribute = mail diff --git a/consul/configuration/email/postfix/ldap-alias.cf.sample b/consul/configuration/email/postfix/ldap-alias.cf.tpl similarity index 52% rename from consul/configuration/email/postfix/ldap-alias.cf.sample rename to consul/configuration/email/postfix/ldap-alias.cf.tpl index 8ed3361..775c0ad 100644 --- a/consul/configuration/email/postfix/ldap-alias.cf.sample +++ b/consul/configuration/email/postfix/ldap-alias.cf.tpl @@ -1,9 +1,9 @@ -server_host = bottin.service.2.cluster.deuxfleurs.fr +server_host = bottin2.service.2.cluster.deuxfleurs.fr server_port = 389 search_base = dc=deuxfleurs,dc=fr query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) result_attribute = mail bind = yes -bind_dn = cn=,dc=deuxfleurs,dc=fr -bind_pw = +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} version = 3 diff --git a/nomad/email.hcl b/nomad/email.hcl index 1d5c8c1..649231c 100644 --- a/nomad/email.hcl +++ b/nomad/email.hcl 
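Review bot: The new ldap-account.cf.tpl now injects a real bind password from Consul but keeps `start_tls = no`, `tls_require_cert = no` and a plain `ldap://` server_host, so the credential and every lookup cross the cluster network unencrypted; if bottin2 offers StartTLS or ldaps, the template should set `start_tls = yes` and `tls_require_cert = yes` (or an `ldaps://` URL), and if it does not, a comment line in the template saying so would save the next reader from assuming it was an oversight. The same applies to ldap-alias.cf.tpl in this patch (`server_port = 389`, no TLS directive) and to dovecot-ldap.conf.tpl in patch 4, which sets no `tls = yes` either. Separately, the Consul key name `secrets/email/postfix/ldap_bindpwd` differs from the `ldap_bindpw` spelling used for Synapse in patch 2; one convention across services makes the keys easier to create and audit.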
@@ -328,6 +328,27 @@ job "email" { } } + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw" + destination = "secrets/postfix/ldap-account.cf.tpl" + mode = "file" + } + template { + source = "secrets/postfix/ldap-account.cf.tpl" + destination = "secrets/postfix/ldap-account.cf" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw" + destination = "secrets/postfix/ldap-alias.cf.tpl" + mode = "file" + } + template { + source = "secrets/postfix/ldap-alias.cf.tpl" + destination = "secrets/postfix/ldap-alias.cf" + } + + template { data = "{{ key \"configuration/email/postfix/postfix.crt\" }}" destination = "secrets/ssl/certs/postfix.crt" @@ -346,14 +367,6 @@ job "email" { data = "{{ key \"configuration/email/postfix/header_checks\" }}" destination = "secrets/postfix/header_checks" } - template { - data = "{{ key \"configuration/email/postfix/ldap-account.cf\" }}" - destination = "secrets/postfix/ldap-account.cf" - } - template { - data = "{{ key \"configuration/email/postfix/ldap-alias.cf\" }}" - destination = "secrets/postfix/ldap-alias.cf" - } template { data = "{{ key \"configuration/email/postfix/main.cf\" }}" destination = "secrets/postfix/main.cf" From cd6da5d52f7e869c83e4a55bf762d9d6b0c96b09 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 11 Feb 2020 22:42:28 +0100 Subject: [PATCH 4/6] Switch dovecot to bottin2 & put secret in own consul key --- ...ot-ldap.conf.sample => dovecot-ldap.conf.tpl} | 6 +++--- nomad/email.hcl | 16 +++++++++++----- 2 files changed, 14 insertions(+), 8 deletions(-) rename consul/configuration/email/dovecot/{dovecot-ldap.conf.sample => dovecot-ldap.conf.tpl} (62%) 
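Review bot: The two new `template` stanzas that render ldap-account.cf and ldap-alias.cf set no `perms`, so the files that now carry the postfix bind password get Nomad's default file mode, whereas the dovecot stanza added in patch 4 sets `perms = "400"` on its equivalent file. Adding `perms = "400"` to both stanzas keeps the rendered secret from other users in the container; confirm that the Postfix daemons consulting these tables can still read them (via proxymap, or a root-readable file, depending on the main.cf that is not in this hunk). The `job "email"` block enclosing these stanzas begins and ends outside the hunk.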
diff --git a/consul/configuration/email/dovecot/dovecot-ldap.conf.sample b/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl similarity index 62% rename from consul/configuration/email/dovecot/dovecot-ldap.conf.sample rename to consul/configuration/email/dovecot/dovecot-ldap.conf.tpl index 4848d6e..9fb1ea6 100644 --- a/consul/configuration/email/dovecot/dovecot-ldap.conf.sample +++ b/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl @@ -1,6 +1,6 @@ -hosts = bottin.service.2.cluster.deuxfleurs.fr -dn = cn=,dc=deuxfleurs,dc=fr -dnpass = +hosts = bottin2.service.2.cluster.deuxfleurs.fr +dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }} +dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }} base = dc=deuxfleurs,dc=fr scope = subtree user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) diff --git a/nomad/email.hcl b/nomad/email.hcl index 649231c..d5cdc83 100644 --- a/nomad/email.hcl +++ b/nomad/email.hcl @@ -131,6 +131,17 @@ job "email" { } } + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw" + destination = "secrets/conf/dovecot-ldap.conf.tpl" + mode = "file" + } + template { + source = "secrets/conf/dovecot-ldap.conf.tpl" + destination = "secrets/conf/dovecot-ldap.conf" + perms = "400" + } + template { data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}" destination = "secrets/ssl/certs/dovecot.crt" @@ -141,11 +152,6 @@ job "email" { destination = "secrets/ssl/private/dovecot.key" perms = "400" } - template { - data = "{{ key \"configuration/email/dovecot/dovecot-ldap.conf\" }}" - destination = "secrets/conf/dovecot-ldap.conf" - perms = "400" - } } } From 9815004324be1d2396ead81a7e8e02bffcfac47b Mon Sep 17 00:00:00 2001 
From: Alex Auvolat Date: Tue, 11 Feb 2020 22:57:31 +0100 Subject: [PATCH 5/6] Switch sogo to bottin2 with bottin2 upgrade & ACL fix --- consul/configuration/directory/bottin/config.json | 3 ++- consul/configuration/email/sogo/sogo.conf.tpl | 2 +- nomad/bottin2.hcl | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/consul/configuration/directory/bottin/config.json b/consul/configuration/directory/bottin/config.json index ca49922..93d95c9 100644 --- a/consul/configuration/directory/bottin/config.json +++ b/consul/configuration/directory/bottin/config.json @@ -9,6 +9,7 @@ "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*", "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", - "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:" + "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*" ] } diff --git a/consul/configuration/email/sogo/sogo.conf.tpl b/consul/configuration/email/sogo/sogo.conf.tpl index bb13a83..0b87db7 100644 --- a/consul/configuration/email/sogo/sogo.conf.tpl +++ b/consul/configuration/email/sogo/sogo.conf.tpl @@ -60,7 +60,7 @@ bindFields = (cn, mail); canAuthenticate = YES; displayName = "Bottin"; - hostname = "ldap://bottin.service.2.cluster.deuxfleurs.fr:389"; + hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"; id = bottin; isAddressBook = NO; } diff --git a/nomad/bottin2.hcl b/nomad/bottin2.hcl index 5a1fa12..2851bc1 100644 --- a/nomad/bottin2.hcl +++ b/nomad/bottin2.hcl @@ -12,7 +12,7 @@ job "directory2" { task "bottin" { driver = "docker" config { - image = "lxpz/bottin_amd64:8" + image = "lxpz/bottin_amd64:10" readonly_rootfs = true port_map { ldap_port = 1389 From 91032944ee47ed6b6eeb674266ec64bedeac37b7 Mon Sep 17 00:00:00 2001 
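Review bot: The added ACL entry in config.json lets every account under `ou=services,ou=users,dc=deuxfleurs,dc=fr` bind on all of `*,ou=users,dc=deuxfleurs,dc=fr`, and its last field is `*` where the neighbouring ANONYMOUS bind rules leave it empty; nothing records which consumer needs this beyond the subject line "ACL fix". Presumably it serves SOGo, which binds with its service DN and then authenticates users via `bindFields`, so a short entry in the bottin README naming that consumer and explaining the final field would keep the rule from being widened later. If the specific SOGo service DN suffices as subject instead of `*`, that is the narrower grant. The ACL list continues outside the hunk.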
From: Alex Auvolat Date: Tue, 11 Feb 2020 23:27:57 +0100 Subject: [PATCH 6/6] Bump guichet to v3 (disable email edit) --- nomad/bottin2.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nomad/bottin2.hcl b/nomad/bottin2.hcl index 2851bc1..6221d71 100644 --- a/nomad/bottin2.hcl +++ b/nomad/bottin2.hcl @@ -61,7 +61,7 @@ job "directory2" { task "guichet" { driver = "docker" config { - image = "lxpz/guichet_amd64:2" + image = "lxpz/guichet_amd64:3" readonly_rootfs = true port_map { web_port = 9991