aboutsummaryrefslogtreecommitdiff
path: root/op_guide
diff options
context:
space:
mode:
authorQuentin <quentin@deuxfleurs.fr>2020-09-12 10:03:48 +0200
committerQuentin <quentin@deuxfleurs.fr>2020-09-12 10:03:48 +0200
commitc4a6cf1534b864d3941c839d4a4dca7e505bd828 (patch)
tree3e866768cf39ae947def5b205f74fddfb435725d /op_guide
parent0550647b9348d1e36431400e0832b4340564c658 (diff)
downloadinfrastructure-c4a6cf1534b864d3941c839d4a4dca7e505bd828.tar.gz
infrastructure-c4a6cf1534b864d3941c839d4a4dca7e505bd828.zip
Rebase first step
Diffstat (limited to 'op_guide')
-rw-r--r--op_guide/create_database/README.md15
-rw-r--r--op_guide/init_stolon/README.md58
-rw-r--r--op_guide/nextcloud/README.md60
3 files changed, 133 insertions, 0 deletions
diff --git a/op_guide/create_database/README.md b/op_guide/create_database/README.md
new file mode 100644
index 0000000..7084a10
--- /dev/null
+++ b/op_guide/create_database/README.md
@@ -0,0 +1,15 @@
+```bash
+ssh root@<one node of the cluster>
+docker run -t -i superboum/amd64_postgres:v1
+psql -h psql-proxy.service.2.cluster.deuxfleurs.fr -p 25432 -U postgres -W postgres
+```
+
+```sql
+CREATE USER seafile;
+CREATE DATABASE seafile ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER seafile;
+-- GRANT ALL PRIVILEGES ON DATABASE seafile TO seafile;
+```
+
+```
+consul kv import @ldapkv_seafile.json
+```
diff --git a/op_guide/init_stolon/README.md b/op_guide/init_stolon/README.md
new file mode 100644
index 0000000..618530a
--- /dev/null
+++ b/op_guide/init_stolon/README.md
@@ -0,0 +1,58 @@
+Spawn container:
+
+```bash
+docker run -t -i superboum/arm32v7_postgres:v6
+# OR
+docker run -t -i superboum/amd64_postgres:v1
+```
+
+
+Init with:
+
+```
+stolonctl \
+ --cluster-name pissenlit \
+ --store-backend=consul \
+ --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 \
+ init \
+ '{ "initMode": "new", "pgHBA": [ "host all postgres all md5", "host replication replicator all md5", "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs, dc=fr\" ldapbinddn=\"<bind_dn>\" ldapbindpasswd=\"<bind_pwd>\" ldapsearchattribute=\"cn\"" ] }'
+
+```
+
+Then set appropriate permission on host:
+
+```
+chown -R 102:102 /mnt/storage/postgres/
+```
+
+(102 is the id of the postgres user used in Docker)
+It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command.
+Moreover it would enable the usage of the user namespace that shift the UIDs.
+
+
+
+## Upgrading the cluster
+
+To retreive the current stolon config:
+
+```
+stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500
+```
+
+The important part for the LDAP:
+
+```
+{
+ "pgHBA": [
+ "host all postgres all md5",
+ "host replication replicator all md5",
+ "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"<REDACTED>\" ldapsearchattribute=\"cn\""
+ ]
+}
+```
+
+Once a patch is writen:
+
+```
+stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json
+```
diff --git a/op_guide/nextcloud/README.md b/op_guide/nextcloud/README.md
new file mode 100644
index 0000000..f68520b
--- /dev/null
+++ b/op_guide/nextcloud/README.md
@@ -0,0 +1,60 @@
+# How to setup NextCloud
+
+## First setup
+
+It's complicated.
+
+First, create a service user `nextcloud` and a database `nextcloud` it owns. Also create a Garage access key and bucket `nextcloud` it is allowed to use.
+
+Fill in the following Consul keys with actual values:
+
+```
+secrets/nextcloud/db_user
+secrets/nextcloud/db_pass
+secrets/nextcloud/garage_access_key
+secrets/nextcloud/garage_secret_key
+```
+
+Create the following Consul keys with empty values:
+
+```
+secrets/nextcloud/instance_id
+secrets/nextcloud/password_salt
+secrets/nextcloud/secret
+```
+
+Start the nextcloud.hcl nomad service. Enter the container and call `occ maintenance:install` with the correct database parameters as user `www-data`.
+A possibility: call the admin user `nextcloud` and give it the same password as the `nextcloud` service user.
+
+Cat the newly generated `config.php` file and copy the instance id, password salt, and secret from there to Consul
+(they were generated by the install script and we want to keep them).
+
+Restart the Nextcloud Nomad server.
+
+You should now be able to log in to Nextcloud using the admin user (`nextcloud` if you called it that).
+
+Go to the apps settings and enable desired apps.
+
+## Configure LDAP login
+
+LDAP login has to be configured from the admin interface. First, enable the LDAP authentification application.
+
+Go to settings > LDAP/AD integration. Enter the following parameters:
+
+- ldap server: `bottin2.service.2.cluster.deuxfleurs.fr`
+- bind user: `cn=nextcloud,ou=services,ou=users,dc=deuxfleurs,dc=fr`
+- bind password: password of the nextcloud service user
+- base DN for users: `ou=users,dc=deuxfleurs,dc=fr`
+- check "manually enter LDAP filters"
+- in the users tab, edit LDAP query and set it to `(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))`
+- in the login attributes tab, edit LDAP query and set it to `(&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))(|(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid))))`
+- in the groups tab, edit the LDAP query and set it to `(|(objectclass=groupOfNames))`
+- in the advanced tab, enter the "directory setting" section and check/modify the following:
+ - user display name field: `displayname`
+ - base user tree: `ou=users,dc=deuxfleurs,dc=fr`
+ - user search attribute: `cn`
+ - groupe display name field: `displayname`
+ - **base group tree**: `ou=groups,dc=deuxfleurs,dc=fr`
+ - group search attribute: `cn`
+
+That should be it. Go to the login attributes tab and enter a username (which should have been added to the nextcloud group) to check that nextcloud is able to find it and allows it for login.