authorAlex <alex@adnab.me>2020-02-11 23:35:53 +0100
committerGitea <gitea@fake.local>2020-02-11 23:35:53 +0100
commit9e5839765a5578fb3ca63fbe55eeba96c14969b6 (patch)
tree1a2b518ccd68cdd0fe2530041b28bfc910760eb0
parent535d1c3aba902ec644387cb41fc7cc0bcf86fae0 (diff)
parent91032944ee47ed6b6eeb674266ec64bedeac37b7 (diff)
downloadinfrastructure-9e5839765a5578fb3ca63fbe55eeba96c14969b6.tar.gz
infrastructure-9e5839765a5578fb3ca63fbe55eeba96c14969b6.zip
Merge branch 'bottin2_upgrade' of Deuxfleurs/deuxfleurs.fr into master
-rw-r--r--consul/configuration/chat/synapse/homeserver.yaml2
-rw-r--r--consul/configuration/directory/bottin/config.json3
-rw-r--r--consul/configuration/email/dovecot/dovecot-ldap.conf.tpl (renamed from consul/configuration/email/dovecot/dovecot-ldap.conf.sample)6
-rw-r--r--consul/configuration/email/postfix/ldap-account.cf.sample12
-rw-r--r--consul/configuration/email/postfix/ldap-account.cf.tpl12
-rw-r--r--consul/configuration/email/postfix/ldap-alias.cf.tpl (renamed from consul/configuration/email/postfix/ldap-alias.cf.sample)6
-rw-r--r--consul/configuration/email/sogo/sogo.conf.tpl2
-rw-r--r--man/init_stolon/README.md27
-rw-r--r--nomad/bottin2.hcl4
-rw-r--r--nomad/email.hcl45
10 files changed, 83 insertions, 36 deletions
diff --git a/consul/configuration/chat/synapse/homeserver.yaml b/consul/configuration/chat/synapse/homeserver.yaml
index 9e0e97f..c54d4a0 100644
--- a/consul/configuration/chat/synapse/homeserver.yaml
+++ b/consul/configuration/chat/synapse/homeserver.yaml
@@ -378,7 +378,7 @@ password_providers:
- module: "ldap_auth_provider.LdapAuthProvider"
config:
enabled: true
- uri: "ldap://bottin.service.2.cluster.deuxfleurs.fr:389"
+ uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"
start_tls: false
bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}'
bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}'
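Review bot: The new `uri` still selects plain `ldap://…:389` and sits next to `start_tls: false`, so the bind DN and password rendered from `secrets/chat/synapse/…` cross the cluster network in cleartext on every user login, and the same holds for the bottin2 endpoints introduced in the dovecot-ldap.conf.tpl, postfix ldap-account.cf.tpl / ldap-alias.cf.tpl (`start_tls = no`, `tls_require_cert = no`) and sogo.conf.tpl hunks. If the bottin2 service can be reached over TLS, switching the scheme or enabling STARTTLS at the same time as the host rename would close that gap in one change. If it cannot, a comment beside the URI recording the decision would at least make it reviewable later, e.g. `# plain LDAP by design: <reason>; only reachable from the cluster network`.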
diff --git a/consul/configuration/directory/bottin/config.json b/consul/configuration/directory/bottin/config.json
index ca49922..93d95c9 100644
--- a/consul/configuration/directory/bottin/config.json
+++ b/consul/configuration/directory/bottin/config.json
@@ -9,6 +9,7 @@
"cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
"*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*",
"ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:",
- "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:"
+ "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:",
+ "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*"
]
}
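Review bot: The added ACL line wildcards both the subject (`*,ou=services,ou=users,…`) and the target (`*,ou=users,…`) and ends with an attribute field of `*`, whereas the neighbouring ANONYMOUS bind rule leaves that last field empty; the bottin ACL grammar is not on this page, so whether the trailing `*` widens the grant beyond binding on user entries cannot be checked here, and it is worth confirming against bottin's ACL documentation before this reaches master. JSON carries no comments, so the intent (apparently letting service accounts authenticate users on behalf of the mail and chat stacks) is not recorded anywhere; a short paragraph in the repository's man/ notes naming which services rely on this rule would help the next person editing this list.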
diff --git a/consul/configuration/email/dovecot/dovecot-ldap.conf.sample b/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl
index 4848d6e..9fb1ea6 100644
--- a/consul/configuration/email/dovecot/dovecot-ldap.conf.sample
+++ b/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl
@@ -1,6 +1,6 @@
-hosts = bottin.service.2.cluster.deuxfleurs.fr
-dn = cn=<username>,dc=deuxfleurs,dc=fr
-dnpass = <password>
+hosts = bottin2.service.2.cluster.deuxfleurs.fr
+dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }}
+dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }}
base = dc=deuxfleurs,dc=fr
scope = subtree
user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr)))
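Review bot: The new Consul keys `secrets/email/dovecot/ldap_binddn` and `ldap_bindpwd` (and the postfix pair in the ldap-account.cf.tpl / ldap-alias.cf.tpl hunks) use the suffix `bindpwd`, while the synapse key visible in the first hunk is `secrets/chat/synapse/ldap_bindpw`; two spellings for the same kind of secret invite a mis-typed key that renders an empty `dnpass` and only fails at bind time. Picking one suffix for the new keys, e.g. `dnpass = {{ key "secrets/email/dovecot/ldap_bindpw" | trimSpace }}`, keeps the secrets/ tree consistent. Since email.hcl now fetches this file through the `?raw` KV endpoint, it presumably has to be uploaded under the `configuration/email/dovecot/dovecot-ldap.conf.tpl` key rather than the previously used rendered `.conf` key for the job to start; a line in the README saying so would save the next deploy.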
diff --git a/consul/configuration/email/postfix/ldap-account.cf.sample b/consul/configuration/email/postfix/ldap-account.cf.sample
deleted file mode 100644
index 1b90252..0000000
--- a/consul/configuration/email/postfix/ldap-account.cf.sample
+++ /dev/null
@@ -1,12 +0,0 @@
-bind = yes
-bind_dn = cn=<user>,dc=deuxfleurs,dc=fr
-bind_pw = <secret>
-version = 3
-timeout = 20
-start_tls = no
-tls_require_cert = no
-server_host = ldap://bottin.service.2.cluster.deuxfleurs.fr
-scope = sub
-search_base = ou=users,dc=deuxfleurs,dc=fr
-query_filter = mail=%s
-result_attribute = mail
diff --git a/consul/configuration/email/postfix/ldap-account.cf.tpl b/consul/configuration/email/postfix/ldap-account.cf.tpl
new file mode 100644
index 0000000..2575f10
--- /dev/null
+++ b/consul/configuration/email/postfix/ldap-account.cf.tpl
@@ -0,0 +1,12 @@
+bind = yes
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
+version = 3
+timeout = 20
+start_tls = no
+tls_require_cert = no
+server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr
+scope = sub
+search_base = ou=users,dc=deuxfleurs,dc=fr
+query_filter = mail=%s
+result_attribute = mail
diff --git a/consul/configuration/email/postfix/ldap-alias.cf.sample b/consul/configuration/email/postfix/ldap-alias.cf.tpl
index 8ed3361..775c0ad 100644
--- a/consul/configuration/email/postfix/ldap-alias.cf.sample
+++ b/consul/configuration/email/postfix/ldap-alias.cf.tpl
@@ -1,9 +1,9 @@
-server_host = bottin.service.2.cluster.deuxfleurs.fr
+server_host = bottin2.service.2.cluster.deuxfleurs.fr
server_port = 389
search_base = dc=deuxfleurs,dc=fr
query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr))
result_attribute = mail
bind = yes
-bind_dn = cn=<someone>,dc=deuxfleurs,dc=fr
-bind_pw = <password>
+bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }}
+bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }}
version = 3
diff --git a/consul/configuration/email/sogo/sogo.conf.tpl b/consul/configuration/email/sogo/sogo.conf.tpl
index bb13a83..0b87db7 100644
--- a/consul/configuration/email/sogo/sogo.conf.tpl
+++ b/consul/configuration/email/sogo/sogo.conf.tpl
@@ -60,7 +60,7 @@
bindFields = (cn, mail);
canAuthenticate = YES;
displayName = "Bottin";
- hostname = "ldap://bottin.service.2.cluster.deuxfleurs.fr:389";
+ hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389";
id = bottin;
isAddressBook = NO;
}
diff --git a/man/init_stolon/README.md b/man/init_stolon/README.md
index fe3a912..618530a 100644
--- a/man/init_stolon/README.md
+++ b/man/init_stolon/README.md
@@ -29,3 +29,30 @@ chown -R 102:102 /mnt/storage/postgres/
It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command.
Moreover it would enable the usage of the user namespace that shift the UIDs.
+
+
+## Upgrading the cluster
+
+To retreive the current stolon config:
+
+```
+stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500
+```
+
+The important part for the LDAP:
+
+```
+{
+ "pgHBA": [
+ "host all postgres all md5",
+ "host replication replicator all md5",
+ "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"<REDACTED>\" ldapsearchattribute=\"cn\""
+ ]
+}
+```
+
+Once a patch is writen:
+
+```
+stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json
+```
diff --git a/nomad/bottin2.hcl b/nomad/bottin2.hcl
index 5a1fa12..6221d71 100644
--- a/nomad/bottin2.hcl
+++ b/nomad/bottin2.hcl
@@ -12,7 +12,7 @@ job "directory2" {
task "bottin" {
driver = "docker"
config {
- image = "lxpz/bottin_amd64:8"
+ image = "lxpz/bottin_amd64:10"
readonly_rootfs = true
port_map {
ldap_port = 1389
@@ -61,7 +61,7 @@ job "directory2" {
task "guichet" {
driver = "docker"
config {
- image = "lxpz/guichet_amd64:2"
+ image = "lxpz/guichet_amd64:3"
readonly_rootfs = true
port_map {
web_port = 9991
diff --git a/nomad/email.hcl b/nomad/email.hcl
index 1d5c8c1..d5cdc83 100644
--- a/nomad/email.hcl
+++ b/nomad/email.hcl
@@ -131,6 +131,17 @@ job "email" {
}
}
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw"
+ destination = "secrets/conf/dovecot-ldap.conf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/conf/dovecot-ldap.conf.tpl"
+ destination = "secrets/conf/dovecot-ldap.conf"
+ perms = "400"
+ }
+
template {
data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}"
destination = "secrets/ssl/certs/dovecot.crt"
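Review bot: With the template now sourced from the `.tpl` artifact and the secret pulled from `secrets/email/dovecot/ldap_bindpwd`, the old KV key `configuration/email/dovecot/dovecot-ldap.conf` (whose template reference is deleted in the next hunk) is no longer read; the old `.sample` only held placeholders, so the rendered value under that key most likely contained the real bind password and should be deleted from Consul KV rather than left behind outside the `secrets/` prefix. The same clean-up applies to `configuration/email/postfix/ldap-account.cf` and `ldap-alias.cf`, dropped in the last hunk of this file. The artifact is fetched unauthenticated over `http://127.0.0.1:8500` with no checksum, which is acceptable only because it is the local agent on loopback; a comment above the stanza such as `# template body comes from the local Consul agent; secrets are injected at render time, not stored in the artifact` would make that reasoning explicit.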
@@ -141,11 +152,6 @@ job "email" {
destination = "secrets/ssl/private/dovecot.key"
perms = "400"
}
- template {
- data = "{{ key \"configuration/email/dovecot/dovecot-ldap.conf\" }}"
- destination = "secrets/conf/dovecot-ldap.conf"
- perms = "400"
- }
}
}
@@ -328,6 +334,27 @@ job "email" {
}
}
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw"
+ destination = "secrets/postfix/ldap-account.cf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/postfix/ldap-account.cf.tpl"
+ destination = "secrets/postfix/ldap-account.cf"
+ }
+
+ artifact {
+ source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw"
+ destination = "secrets/postfix/ldap-alias.cf.tpl"
+ mode = "file"
+ }
+ template {
+ source = "secrets/postfix/ldap-alias.cf.tpl"
+ destination = "secrets/postfix/ldap-alias.cf"
+ }
+
+
template {
data = "{{ key \"configuration/email/postfix/postfix.crt\" }}"
destination = "secrets/ssl/certs/postfix.crt"
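Review bot: The two new postfix `template` stanzas (ldap-account.cf, ldap-alias.cf) set no `perms`, unlike the dovecot stanza earlier in this file which uses `perms = "400"`, yet both rendered files now carry the real `bind_pw` from `secrets/email/postfix/ldap_bindpwd` instead of a placeholder. Nomad renders templates 0644 by default, so any other process sharing the task filesystem can read the bind password. Add `perms = "400"` after each `destination = "secrets/postfix/ldap-….cf"` line, as was done for dovecot; the removed stanzas had the same omission, so this is not a regression, but the file contents are now sensitive.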
@@ -347,14 +374,6 @@ job "email" {
destination = "secrets/postfix/header_checks"
}
template {
- data = "{{ key \"configuration/email/postfix/ldap-account.cf\" }}"
- destination = "secrets/postfix/ldap-account.cf"
- }
- template {
- data = "{{ key \"configuration/email/postfix/ldap-alias.cf\" }}"
- destination = "secrets/postfix/ldap-alias.cf"
- }
- template {
data = "{{ key \"configuration/email/postfix/main.cf\" }}"
destination = "secrets/postfix/main.cf"
}