| author | Quentin <quentin@deuxfleurs.fr> | 2020-09-12 10:03:48 +0200 |
|---|---|---|
| committer | Quentin <quentin@deuxfleurs.fr> | 2020-09-12 10:03:48 +0200 |
| commit | c4a6cf1534b864d3941c839d4a4dca7e505bd828 (patch) | |
| tree | 3e866768cf39ae947def5b205f74fddfb435725d /op_guide | |
| parent | 0550647b9348d1e36431400e0832b4340564c658 (diff) | |
| download | infrastructure-c4a6cf1534b864d3941c839d4a4dca7e505bd828.tar.gz, infrastructure-c4a6cf1534b864d3941c839d4a4dca7e505bd828.zip | |
Rebase first step
Diffstat (limited to 'op_guide')
-rw-r--r-- | op_guide/create_database/README.md | 15
-rw-r--r-- | op_guide/init_stolon/README.md | 58
-rw-r--r-- | op_guide/nextcloud/README.md | 60
3 files changed, 133 insertions, 0 deletions
diff --git a/op_guide/create_database/README.md b/op_guide/create_database/README.md new file mode 100644 index 0000000..7084a10 --- /dev/null +++ b/op_guide/create_database/README.md @@ -0,0 +1,15 @@ +```bash +ssh root@<one node of the cluster> +docker run -t -i superboum/amd64_postgres:v1 +psql -h psql-proxy.service.2.cluster.deuxfleurs.fr -p 25432 -U postgres -W postgres +``` + +```sql +CREATE USER seafile; +CREATE DATABASE seafile ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER seafile; +-- GRANT ALL PRIVILEGES ON DATABASE seafile TO seafile; +``` + +``` +consul kv import @ldapkv_seafile.json +``` diff --git a/op_guide/init_stolon/README.md b/op_guide/init_stolon/README.md new file mode 100644 index 0000000..618530a --- /dev/null +++ b/op_guide/init_stolon/README.md 
@@ -0,0 +1,58 @@ +Spawn container: + +```bash +docker run -t -i superboum/arm32v7_postgres:v6 +# OR +docker run -t -i superboum/amd64_postgres:v1 +``` + + +Init with: + +``` +stolonctl \ + --cluster-name pissenlit \ + --store-backend=consul \ + --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 \ + init \ + '{ "initMode": "new", "pgHBA": [ "host all postgres all md5", "host replication replicator all md5", "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs, dc=fr\" ldapbinddn=\"<bind_dn>\" ldapbindpasswd=\"<bind_pwd>\" ldapsearchattribute=\"cn\"" ] }' + +``` + +Then set appropriate permission on host: + +``` +chown -R 102:102 /mnt/storage/postgres/ +``` + +(102 is the id of the postgres user used in Docker) +It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command. +Moreover it would enable the usage of the user namespace that shift the UIDs. + + + +## Upgrading the cluster + +To retreive the current stolon config: + +``` +stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 +``` + +The important part for the LDAP: + +``` +{ + "pgHBA": [ + "host all postgres all md5", + "host replication replicator all md5", + "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"<REDACTED>\" ldapsearchattribute=\"cn\"" + ] +} +``` + +Once a patch is writen: + +``` +stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json +``` diff --git a/op_guide/nextcloud/README.md b/op_guide/nextcloud/README.md new file mode 100644 index 0000000..f68520b --- /dev/null +++ b/op_guide/nextcloud/README.md 
@@ -0,0 +1,60 @@ +# How to setup NextCloud + +## First setup + +It's complicated. + +First, create a service user `nextcloud` and a database `nextcloud` it owns. Also create a Garage access key and bucket `nextcloud` it is allowed to use. + +Fill in the following Consul keys with actual values: + +``` +secrets/nextcloud/db_user +secrets/nextcloud/db_pass +secrets/nextcloud/garage_access_key +secrets/nextcloud/garage_secret_key +``` + +Create the following Consul keys with empty values: + +``` +secrets/nextcloud/instance_id +secrets/nextcloud/password_salt +secrets/nextcloud/secret +``` + +Start the nextcloud.hcl nomad service. Enter the container and call `occ maintenance:install` with the correct database parameters as user `www-data`. +A possibility: call the admin user `nextcloud` and give it the same password as the `nextcloud` service user. + +Cat the newly generated `config.php` file and copy the instance id, password salt, and secret from there to Consul +(they were generated by the install script and we want to keep them). + +Restart the Nextcloud Nomad server. + +You should now be able to log in to Nextcloud using the admin user (`nextcloud` if you called it that). + +Go to the apps settings and enable desired apps. + +## Configure LDAP login + +LDAP login has to be configured from the admin interface. First, enable the LDAP authentification application. + +Go to settings > LDAP/AD integration. 
Enter the following parameters: + +- ldap server: `bottin2.service.2.cluster.deuxfleurs.fr` +- bind user: `cn=nextcloud,ou=services,ou=users,dc=deuxfleurs,dc=fr` +- bind password: password of the nextcloud service user +- base DN for users: `ou=users,dc=deuxfleurs,dc=fr` +- check "manually enter LDAP filters" +- in the users tab, edit LDAP query and set it to `(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))` +- in the login attributes tab, edit LDAP query and set it to `(&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))(|(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid))))` +- in the groups tab, edit the LDAP query and set it to `(|(objectclass=groupOfNames))` +- in the advanced tab, enter the "directory setting" section and check/modify the following: + - user display name field: `displayname` + - base user tree: `ou=users,dc=deuxfleurs,dc=fr` + - user search attribute: `cn` + - groupe display name field: `displayname` + - **base group tree**: `ou=groups,dc=deuxfleurs,dc=fr` + - group search attribute: `cn` + +That should be it. Go to the login attributes tab and enter a username (which should have been added to the nextcloud group) to check that nextcloud is able to find it and allows it for login. |
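Review bot: In op_guide/create_database/README.md, `CREATE USER seafile;` creates the role with no password and the only grant, `-- GRANT ALL PRIVILEGES ON DATABASE seafile TO seafile;`, is commented out; the README should say that this role is expected to authenticate through the `host all all all ldap ...` pg_hba rule from the init_stolon guide (so no local password is wanted) and whether the grant is intentionally disabled because `OWNER seafile` already covers it. The last fence (`consul kv import @ldapkv_seafile.json`) has no language tag and `ldapkv_seafile.json` is never described; one line on where that file comes from and which keys it writes would make the step reproducible. Consider `docker run --rm` for the throwaway psql container so stopped containers do not accumulate on the node.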
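Review bot: In op_guide/init_stolon/README.md, the `init` JSON places the LDAP bind credentials (`ldapbinddn`, `ldapbindpasswd`) inside `pgHBA`, which Stolon persists in the Consul KV store and hands back in clear to anyone who can run `stolonctl spec` (the sample output only shows `<REDACTED>` because it was edited by hand); the guide should state that read access to that Consul KV path is equivalent to holding the bind password, and that `/tmp/patch.json` used by `update --patch -f /tmp/patch.json` contains it too and should be deleted after use. The `ldapbasedn` in the init command reads `ou=users,dc=deuxfleurs, dc=fr` with a stray space, while the spec output shows `ou=users,dc=deuxfleurs,dc=fr`; the two should match. `chown -R 102:102 /mnt/storage/postgres/` silently assumes the image's postgres UID stays 102 across image updates; stating where that value comes from or reading it from the image would be safer. Typos: "retreive", "writen".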
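Review bot: In op_guide/nextcloud/README.md, "give it the same password as the `nextcloud` service user" reuses the LDAP bind credential (entered later as the bind password in LDAP/AD integration) for the Nextcloud admin account, so a leak of either exposes the other; recommend a distinct admin password. The `instance_id`, `password_salt` and `secret` values copied from `config.php` into Consul are the instance's password salt and signing secret and deserve the same access controls as `db_pass`; say so where the keys are listed. The LDAP server here is `bottin2.service.2.cluster.deuxfleurs.fr` while the init_stolon guide uses `bottin.service.2.cluster.deuxfleurs.fr`; confirm which is current or note why they differ. "Restart the Nextcloud Nomad server" presumably means the Nomad job/service started from nextcloud.hcl. Typos: "authentification", "groupe display name field".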