Merge branch 'bottin2_upgrade' of Deuxfleurs/deuxfleurs.fr into master

Alex 2020-02-11 23:35:53 +01:00 committed by Gitea
commit 9e5839765a
10 changed files with 83 additions and 36 deletions


@ -378,7 +378,7 @@ password_providers:
- module: "ldap_auth_provider.LdapAuthProvider" - module: "ldap_auth_provider.LdapAuthProvider"
config: config:
enabled: true enabled: true
uri: "ldap://bottin.service.2.cluster.deuxfleurs.fr:389" uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"
start_tls: false start_tls: false
bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}'
bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}'
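Review bot: The new `uri` still points at plain `ldap://…:389` with `start_tls: false`, so the password read from `secrets/chat/synapse/ldap_bindpw` crosses the cluster network in cleartext whenever this provider binds; switching to bottin2 is the moment to confirm whether it exposes a TLS endpoint and, if it does not, to record that decision, e.g. `# bottin2 is reached over plain LDAP inside the cluster network; no TLS endpoint (confirm)`. The same cleartext transport is kept in the dovecot `hosts` line, both postfix `server_host` lines and the SOGo `hostname` in this commit, so one decision covers all five. The `password_providers` list continues outside the hunk.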


@ -9,6 +9,7 @@
"cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
"*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*", "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*",
"ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
"ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:" "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*"
] ]
} }
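Review bot: The added rule `*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*` ends with `*` in its last field, whereas both existing `ANONYMOUS::bind:…` rules leave that field empty; if that field narrows what the right applies to, this grant is wider than the two rules it sits next to and should be brought in line (`…:*,ou=users,dc=deuxfleurs,dc=fr:`) unless the extra scope is actually needed. The target pattern also matches entries under `ou=services,ou=users` itself, so as far as the pattern shows one service account could exercise the bind right against another service account; confirm that is intended. JSON cannot carry a comment, so the meaning of the five colon-separated fields deserves a line in the accompanying documentation. The enclosing array begins before the hunk.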


@ -1,6 +1,6 @@
hosts = bottin.service.2.cluster.deuxfleurs.fr hosts = bottin2.service.2.cluster.deuxfleurs.fr
dn = cn=<username>,dc=deuxfleurs,dc=fr dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }}
dnpass = <password> dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }}
base = dc=deuxfleurs,dc=fr base = dc=deuxfleurs,dc=fr
scope = subtree scope = subtree
user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
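Review bot: The Consul keys read here and in both postfix templates end in `ldap_bindpwd` (`secrets/email/dovecot/ldap_bindpwd`, `secrets/email/postfix/ldap_bindpwd`), while the synapse config in this same commit reads `secrets/chat/synapse/ldap_bindpw`; two spellings for the same kind of secret make a typo during provisioning easy to miss. Picking one spelling, or stating the expected keys at the top of the template (`# expects secrets/email/dovecot/ldap_binddn and ldap_bindpwd in Consul KV`), would help whoever seeds the store. The remainder of the file, including how user passwords are verified (`auth_bind`/`pass_attrs`), is outside the hunk.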


@ -1,12 +0,0 @@
bind = yes
bind_dn = cn=<user>,dc=deuxfleurs,dc=fr
bind_pw = <secret>
version = 3
timeout = 20
start_tls = no
tls_require_cert = no
server_host = ldap://bottin.service.2.cluster.deuxfleurs.fr
scope = sub
search_base = ou=users,dc=deuxfleurs,dc=fr
query_filter = mail=%s
result_attribute = mail


@ -0,0 +1,12 @@
bind = yes
bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
version = 3
timeout = 20
start_tls = no
tls_require_cert = no
server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
scope = sub
search_base = ou=users,dc=deuxfleurs,dc=fr
query_filter = mail=%s
result_attribute = mail
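Review bot: `tls_require_cert = no` is carried into the new template next to `start_tls = no`; it has no effect today, but the moment someone flips `start_tls` to `yes` the server certificate goes unverified and the rendered `bind_pw` is handed to whatever answers on the LDAP port, so either drop the line or mark it: `# tls_require_cert must become yes if start_tls is ever enabled`. The same pair is not among the nine lines shown of the ldap-alias template in this commit, which leaves the two postfix lookups with different TLS settings even though they share the same bind credentials; aligning them is worth a follow-up.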


@ -1,9 +1,9 @@
server_host = bottin.service.2.cluster.deuxfleurs.fr server_host = bottin2.service.2.cluster.deuxfleurs.fr
server_port = 389 server_port = 389
search_base = dc=deuxfleurs,dc=fr search_base = dc=deuxfleurs,dc=fr
query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
result_attribute = mail result_attribute = mail
bind = yes bind = yes
bind_dn = cn=<someone>,dc=deuxfleurs,dc=fr bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
bind_pw = <password> bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
version = 3 version = 3
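Review bot: `server_host = bottin2.service.2.cluster.deuxfleurs.fr` names the server without a scheme and relies on `server_port = 389`, while the ldap-account template written in the same commit uses `server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr`; both forms work, but two spellings of the same endpoint in sibling files invite drift the next time the host changes. Using the same `ldap://…` form here, or a one-line comment saying the two files must be kept in step, would make the next upgrade a single search-and-replace.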


@ -60,7 +60,7 @@
bindFields = (cn, mail); bindFields = (cn, mail);
canAuthenticate = YES; canAuthenticate = YES;
displayName = "Bottin"; displayName = "Bottin";
hostname = "ldap://bottin.service.2.cluster.deuxfleurs.fr:389"; hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389";
id = bottin; id = bottin;
isAddressBook = NO; isAddressBook = NO;
} }


@ -29,3 +29,30 @@ chown -R 102:102 /mnt/storage/postgres/
It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command. It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command.
Moreover it would enable the usage of the user namespace that shift the UIDs. Moreover it would enable the usage of the user namespace that shift the UIDs.
## Upgrading the cluster
To retreive the current stolon config:
```
stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500
```
The important part for the LDAP:
```
{
"pgHBA": [
"host all postgres all md5",
"host replication replicator all md5",
"host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"<REDACTED>\" ldapsearchattribute=\"cn\""
]
}
```
Once a patch is writen:
```
stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json
```


@ -12,7 +12,7 @@ job "directory2" {
task "bottin" { task "bottin" {
driver = "docker" driver = "docker"
config { config {
image = "lxpz/bottin_amd64:8" image = "lxpz/bottin_amd64:10"
readonly_rootfs = true readonly_rootfs = true
port_map { port_map {
ldap_port = 1389 ldap_port = 1389
@ -61,7 +61,7 @@ job "directory2" {
task "guichet" { task "guichet" {
driver = "docker" driver = "docker"
config { config {
image = "lxpz/guichet_amd64:2" image = "lxpz/guichet_amd64:3"
readonly_rootfs = true readonly_rootfs = true
port_map { port_map {
web_port = 9991 web_port = 9991


@ -131,6 +131,17 @@ job "email" {
} }
} }
artifact {
source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw"
destination = "secrets/conf/dovecot-ldap.conf.tpl"
mode = "file"
}
template {
source = "secrets/conf/dovecot-ldap.conf.tpl"
destination = "secrets/conf/dovecot-ldap.conf"
perms = "400"
}
template { template {
data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}" data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}"
destination = "secrets/ssl/certs/dovecot.crt" destination = "secrets/ssl/certs/dovecot.crt"
@ -141,11 +152,6 @@ job "email" {
destination = "secrets/ssl/private/dovecot.key" destination = "secrets/ssl/private/dovecot.key"
perms = "400" perms = "400"
} }
template {
data = "{{ key \"configuration/email/dovecot/dovecot-ldap.conf\" }}"
destination = "secrets/conf/dovecot-ldap.conf"
perms = "400"
}
} }
} }
@ -328,6 +334,27 @@ job "email" {
} }
} }
artifact {
source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw"
destination = "secrets/postfix/ldap-account.cf.tpl"
mode = "file"
}
template {
source = "secrets/postfix/ldap-account.cf.tpl"
destination = "secrets/postfix/ldap-account.cf"
}
artifact {
source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw"
destination = "secrets/postfix/ldap-alias.cf.tpl"
mode = "file"
}
template {
source = "secrets/postfix/ldap-alias.cf.tpl"
destination = "secrets/postfix/ldap-alias.cf"
}
template { template {
data = "{{ key \"configuration/email/postfix/postfix.crt\" }}" data = "{{ key \"configuration/email/postfix/postfix.crt\" }}"
destination = "secrets/ssl/certs/postfix.crt" destination = "secrets/ssl/certs/postfix.crt"
@ -346,14 +373,6 @@ job "email" {
data = "{{ key \"configuration/email/postfix/header_checks\" }}" data = "{{ key \"configuration/email/postfix/header_checks\" }}"
destination = "secrets/postfix/header_checks" destination = "secrets/postfix/header_checks"
} }
template {
data = "{{ key \"configuration/email/postfix/ldap-account.cf\" }}"
destination = "secrets/postfix/ldap-account.cf"
}
template {
data = "{{ key \"configuration/email/postfix/ldap-alias.cf\" }}"
destination = "secrets/postfix/ldap-alias.cf"
}
template { template {
data = "{{ key \"configuration/email/postfix/main.cf\" }}" data = "{{ key \"configuration/email/postfix/main.cf\" }}"
destination = "secrets/postfix/main.cf" destination = "secrets/postfix/main.cf"
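Review bot: The two new postfix `template` stanzas rendering `secrets/postfix/ldap-account.cf` and `secrets/postfix/ldap-alias.cf` set no `perms`, while the dovecot stanza added in the same commit renders `secrets/conf/dovecot-ldap.conf` with `perms = "400"`; the postfix files contain the rendered `bind_pw`, so each should carry `perms = "400"` too, unless the postfix process reads them under a different uid, in which case the intended mode should still be stated explicitly rather than left to the default. The `artifact` stanzas fetch the `.tpl` over plain HTTP from the local Consul agent (`127.0.0.1:8500`), which is fine on loopback, but as far as I know an artifact is fetched once at task start, unlike the replaced `template { data = "{{ key … }}" }` form that re-renders when the key changes — confirm that losing that behaviour for the template bodies is acceptable. The `job "email"` block continues outside the hunks.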