jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-07-27 00:05:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2022-03-07 14:00

Browse Source
This commit is contained in:
Daniel Berteaud
2022-03-07 14:00:06 +01:00
parent c55f851cbd
commit 8b7e505180
58 changed files with 1119 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
roles/unmaintained/wh_zimbra/tasks/cas.yml Normal file
View File

@@ -0,0 +1,116 @@
---
- name: Get or generate a pre authentication key
shell: |
KEY=$(/opt/zimbra/bin/zmprov getDomain {{ item }} zimbrapreauthkey | perl -ne '/^(?:zimbraP|p)reAuthKey: (.*)/ && print $1')
[ -z $KEY ] && KEY=$(/opt/zimbra/bin/zmprov generateDomainPreAuthKey {{ item }} | perl -ne '/^(?:zimbraP|p)reAuthKey: (.*)/ && print $1')
echo $KEY
become_user: zimbra
register: zcs_preauthkeys
changed_when: False
loop: "{{ wh_mail_domains }}"
tags: mail
- name: Install preauth pages
template: src=../zimbra/templates/cas_preauth.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbra/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
loop: "{{ zcs_preauthkeys.results }}"
notify: restart zmmailboxd
tags: mail
- name: Install admin preauth pages
template: src=../zimbra/templates/cas_preauth_admin.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
loop: "{{ zcs_preauthkeys.results }}"
notify: restart zmmailboxd
tags: mail
- name: Configure CAS filters
blockinfile:
path: /opt/zimbra/jetty/etc/zimbra.web.xml.in
block: |2
<filter>
<filter-name>CasSingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://sso-cl.fws.fr/cas</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CasSingleSignOutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
{% for item in wh_clients | default([]) %}
{% if item.mail is defined and item.mail.enabled is defined and item.mail.enabled and item.mail.domain is defined %}
<!-- filters for {{ item.name }} -->
<filter>
<filter-name>CasAuthenticationFilter{{ item.name }}</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://sso-cl.fws.fr/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>{{ item.mail.vhosts | first }}</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CasAuthenticationFilter{{ item.name }}</filter-name>
<url-pattern>/public/preauth_{{ item.mail.domain }}.jsp</url-pattern>
</filter-mapping>
<filter>
<filter-name>CasValidationFilter{{ item.name }}</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://sso-cl.fws.fr/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>{{ item.mail.vhosts | first }}</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CasValidationFilter{{ item.name }}</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- End filter configuration for {{ item.name }} -->
{% else %}
<!-- Email not enabled for client {{ item.name }} -->
{% endif %}
{% endfor %}
<filter>
<filter-name>CasHttpServletRequestWrapperFilter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CasHttpServletRequestWrapperFilter</filter-name>
<url-pattern>/public/*</url-pattern>
</filter-mapping>
<!-- prevent Zimbra from adding ;jsessionid=XXXX in the URL, which the CAS server could reject
as it doesn't match the initial service anymore -->
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK (wh Zimbra CAS Auth)" -->'
insertafter: '</error-page>'
validate: xmllint %s
notify: restart zmmailboxd
tags: zcs

9
roles/unmaintained/wh_zimbra/tasks/dkim.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Ensure every domain has a dkim key
shell: /opt/zimbra/libexec/zmdkimkeyutil -q -d {{ item }} || /opt/zimbra/libexec/zmdkimkeyutil -a -d {{ item }}
become_user: zimbra
loop: "{{ wh_mail_domains + wh_mail_aliases }}"
changed_when: False
tags: mail

5
roles/unmaintained/wh_zimbra/tasks/facts.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- name: Build a list of Zimbra domains
set_fact: wh_mail_domains={{ wh_clients | selectattr('mail', 'defined') | selectattr('mail.enabled', 'equalto', True) | selectattr('mail.domain', 'defined') | map(attribute='mail.domain') | list }}
tags: mail

9
roles/unmaintained/wh_zimbra/tasks/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- include: facts.yml
- include: zmldapsync.yml
when: zcs_i_am_primary_ldap == True
- include: cas.yml
when: "'mailbox' in zcs_enabled_components"

22
roles/unmaintained/wh_zimbra/tasks/zmldapsync.yml Normal file
View File

@@ -0,0 +1,22 @@
---
- name: Deploy LDAP sync configuration
template: src=zmldapsync-wh.yml.j2 dest=/opt/zimbra/conf/zmldapsync-wh.yml mode=600
notify: start zmldapsync-wh
tags: mail
- name: Deploy LDAP sync systemd units
template: src=zmldapsync-wh.{{ item }}.j2 dest=/etc/systemd/system/zmldapsync-wh.{{ item }}
loop:
- service
- timer
register: wh_zimbra_systemd_unit
tags: mail
- name: Reload systemd
systemd: daemon_reload=True
when: wh_zimbra_systemd_unit.results | selectattr('changed','equalto',True) | list | length > 0
tags: mail
- name: Enable LDAP sync services
systemd: name=zmldapsync-wh.timer state=started enabled=True
tags: mail