Merge branch 'bottin2_upgrade' of Deuxfleurs/deuxfleurs.fr into master

consul/configuration/chat/synapse/homeserver.yaml

@@ -378,7 +378,7 @@ password_providers:
   - module: "ldap_auth_provider.LdapAuthProvider"
     config:
       enabled: true
-      uri: "ldap://bottin.service.2.cluster.deuxfleurs.fr:389"
+      uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"
       start_tls: false
       bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}'
       bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}'

consul/configuration/directory/bottin/config.json

@@ -9,6 +9,7 @@
 		"cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
 		"*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*",
 		"ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
-		"ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:"
+		"ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
+		"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*"
   ]
 }

consul/configuration/email/dovecot/dovecot-ldap.conf.tpl

@@ -1,6 +1,6 @@
-hosts = bottin.service.2.cluster.deuxfleurs.fr
+hosts = bottin2.service.2.cluster.deuxfleurs.fr
-dn = cn=<username>,dc=deuxfleurs,dc=fr
+dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }}
-dnpass = <password>
+dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }}
 base = dc=deuxfleurs,dc=fr
 scope = subtree
 user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))

consul/configuration/email/postfix/ldap-account.cf.sample

@@ -1,12 +0,0 @@
-bind = yes
-bind_dn = cn=<user>,dc=deuxfleurs,dc=fr
-bind_pw = <secret>
-version = 3
-timeout = 20
-start_tls = no
-tls_require_cert = no
-server_host = ldap://bottin.service.2.cluster.deuxfleurs.fr
-scope = sub
-search_base = ou=users,dc=deuxfleurs,dc=fr
-query_filter = mail=%s
-result_attribute = mail

consul/configuration/email/postfix/ldap-account.cf.tpl

@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
+scope = sub
+search_base = ou=users,dc=deuxfleurs,dc=fr
+query_filter = mail=%s
+result_attribute = mail

consul/configuration/email/postfix/ldap-alias.cf.tpl

@@ -1,9 +1,9 @@
-server_host = bottin.service.2.cluster.deuxfleurs.fr
+server_host = bottin2.service.2.cluster.deuxfleurs.fr
 server_port = 389
 search_base = dc=deuxfleurs,dc=fr
 query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
 result_attribute = mail
 bind = yes
-bind_dn = cn=<someone>,dc=deuxfleurs,dc=fr
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
-bind_pw = <password>
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
 version = 3

consul/configuration/email/sogo/sogo.conf.tpl

@@ -60,7 +60,7 @@
         bindFields = (cn, mail);
         canAuthenticate = YES;
         displayName = "Bottin";
-        hostname = "ldap://bottin.service.2.cluster.deuxfleurs.fr:389";
+        hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389";
         id = bottin;
         isAddressBook = NO;
     }

man/init_stolon/README.md

@@ -29,3 +29,30 @@ chown -R 102:102 /mnt/storage/postgres/
 It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command.
 Moreover it would enable the usage of the user namespace that shift the UIDs.
 
+
+
+## Upgrading the cluster
+
+To retreive the current stolon config:
+
+```
+stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500
+```
+
+The important part for the LDAP:
+
+```
+{
+	"pgHBA": [
+		"host all postgres all md5",
+		"host replication replicator all md5",
+		"host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"<REDACTED>\" ldapsearchattribute=\"cn\""
+	]
+}
+```
+
+Once a patch is writen:
+
+```
+stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json
+```

nomad/bottin2.hcl

@@ -12,7 +12,7 @@ job "directory2" {
     task "bottin" {
       driver = "docker"
       config {
-        image = "lxpz/bottin_amd64:8"
+        image = "lxpz/bottin_amd64:10"
         readonly_rootfs = true
         port_map {
           ldap_port = 1389
@@ -61,7 +61,7 @@ job "directory2" {
     task "guichet" {
       driver = "docker"
       config {
-        image = "lxpz/guichet_amd64:2"
+        image = "lxpz/guichet_amd64:3"
         readonly_rootfs = true
         port_map {
           web_port = 9991

nomad/email.hcl

@@ -131,6 +131,17 @@ job "email" {
         }
       }
 
+      artifact {
+        source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw"
+        destination = "secrets/conf/dovecot-ldap.conf.tpl"
+        mode = "file"
+      }
+      template {
+        source = "secrets/conf/dovecot-ldap.conf.tpl"
+        destination = "secrets/conf/dovecot-ldap.conf"
+        perms = "400"
+      }
+
       template {
         data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}"
         destination = "secrets/ssl/certs/dovecot.crt"
@@ -141,11 +152,6 @@ job "email" {
         destination = "secrets/ssl/private/dovecot.key"
         perms = "400"
       }
-      template {
-        data = "{{ key \"configuration/email/dovecot/dovecot-ldap.conf\" }}"
-        destination = "secrets/conf/dovecot-ldap.conf"
-        perms = "400"
-      }
     }
   }
 
@@ -328,6 +334,27 @@ job "email" {
         }
       }
 
+      artifact {
+        source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw"
+        destination = "secrets/postfix/ldap-account.cf.tpl"
+        mode = "file"
+      }
+      template {
+        source = "secrets/postfix/ldap-account.cf.tpl"
+        destination = "secrets/postfix/ldap-account.cf"
+      }
+
+      artifact {
+        source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw"
+        destination = "secrets/postfix/ldap-alias.cf.tpl"
+        mode = "file"
+      }
+      template {
+        source = "secrets/postfix/ldap-alias.cf.tpl"
+        destination = "secrets/postfix/ldap-alias.cf"
+      }
+
+
       template {
         data = "{{ key \"configuration/email/postfix/postfix.crt\" }}"
         destination = "secrets/ssl/certs/postfix.crt"
@@ -346,14 +373,6 @@ job "email" {
         data = "{{ key \"configuration/email/postfix/header_checks\" }}"
         destination = "secrets/postfix/header_checks"
       }
-      template {
-        data = "{{ key \"configuration/email/postfix/ldap-account.cf\" }}"
-        destination = "secrets/postfix/ldap-account.cf"
-      }
-      template {
-        data = "{{ key \"configuration/email/postfix/ldap-alias.cf\" }}"
-        destination = "secrets/postfix/ldap-alias.cf"
-      }
       template {
         data = "{{ key \"configuration/email/postfix/main.cf\" }}"
         destination = "secrets/postfix/main.cf"