Implement proper provisioning for gvaldap
- merge improvements from the internal saltstack repository - define dummy secrets in the pillars - use systemd to setup the gvaldap celery worker
This commit is contained in:
parent
8d78388915
commit
7381b5bfd8
21 changed files with 306 additions and 44 deletions
13
states/gnuviechadmin/gvaldap/celery-worker.env
Normal file
13
states/gnuviechadmin/gvaldap/celery-worker.env
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
DJANGO_SETTINGS_MODULE="gvaldap.settings"
|
||||
GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
|
||||
GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_name') }}"
|
||||
GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
|
||||
GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
|
||||
GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
|
||||
GVALDAP_BROKER_URL="{{ broker_url }}"
|
||||
GVALDAP_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}"
|
||||
GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
|
||||
GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
|
||||
GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
|
||||
GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin-gvaldap:django_secret_key') }}"
|
||||
GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"
|
||||
|
|
@ -6,6 +6,7 @@ set -e
|
|||
{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
|
||||
{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
|
||||
{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
|
||||
{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:ldap_admin_password') %}
|
||||
|
||||
# setup password hashing for cleartext input
|
||||
ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
|
||||
|
|
@ -48,7 +49,7 @@ olcAccess: {4}to *
|
|||
EOD
|
||||
|
||||
# add OUs, groups and ldapadmin user
|
||||
ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["grains.get_or_set_hash"]("slapd:password", 16) }}' <<EOD
|
||||
ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["pillar.get"]("slapd:admin_password") }}' <<EOD
|
||||
dn: ou={{ ldap_users_ou }},{{ base_dn }}
|
||||
changetype: add
|
||||
objectClass: top
|
||||
|
|
@ -87,5 +88,5 @@ objectClass: simpleSecurityObject
|
|||
objectClass: organizationalRole
|
||||
cn: {{ ldap_admin_user }}
|
||||
description: LDAP manager for celery worker
|
||||
userPassword:: {{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16).encode("base64") }}
|
||||
userPassword:: {{ salt['hashutil.base64_b64encode'](ldap_admin_password) }}
|
||||
EOD
|
||||
|
|
|
|||
|
|
@ -1,12 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -ex
|
||||
|
||||
. {{ home }}/gvasettings.sh
|
||||
|
||||
unset LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
|
||||
LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT \
|
||||
LC_IDENTIFICATION LC_ALL
|
||||
|
||||
cd {{ appdir }}
|
||||
{{ virtualenv }}/bin/celery worker -A gvaldap -Q ldap --loglevel=INFO
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
export DJANGO_SETTINGS_MODULE='gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}'
|
||||
export GVALDAP_ADMIN_NAME='Jan Dittberner'
|
||||
export GVALDAP_ADMIN_EMAIL='{{ salt['pillar.get']('gnuviechadmin:adminemail') }}'
|
||||
export GVALDAP_LDAP_URL='{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}'
|
||||
export GVALDAP_LDAP_USER='{{ 'cn=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_admin_user'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
|
||||
export GVALDAP_LDAP_PASSWORD='{{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16) }}'
|
||||
export GVALDAP_BASEDN_GROUP='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_groups_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
|
||||
export GVALDAP_BASEDN_USER='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_users_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
|
||||
export GVALDAP_SECRETKEY='{{ salt['grains.get_or_set_hash']('gnuviechadmin.secret_key', 50) }}'
|
||||
export GVALDAP_BROKER_URL='{{ broker_url }}'
|
||||
export GVALDAP_ALLOWED_HOSTS='{{ salt['pillar.get']('gnuviechadmin:allowed_hosts') }}'
|
||||
export GVALDAP_SERVER_EMAIL='{{ salt['pillar.get']('gnuviechadmin:mailfrom') }}'
|
||||
export GVALDAP_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0"
|
||||
Loading…
Add table
Add a link
Reference in a new issue