Update to 2024-01-03 12:00

2025-04-12 00:03:17 +02:00 · 2024-01-03 12:00:34 +01:00 · 2024-01-03 12:00:34 +01:00 · 9946ec6561
commit 9946ec6561
parent a6b43a8034
9 changed files with 247 additions and 49 deletions
--- a/roles/lemonldap_ng/templates/nginx_portal.conf.j2
+++ b/roles/lemonldap_ng/templates/nginx_portal.conf.j2
@ -51,19 +51,19 @@ server {
    try_files $uri $uri/ =404;
  }

-  location /index.psgi/adminSessions {
+  location ~ ^/index.psgi/adminSessions {
    deny all;
  }

-  location /index.psgi/sessions {
+  location ~ ^/index.psgi/sessions {
    deny all;
  }

-  location /index.psgi/config {
+  location ~ ^/index.psgi/config {
    deny all;
  }

-  location /index.psgi/notification {
+  location ~ ^/index.psgi/notification {
    deny all;
  }
 }
@ -87,7 +87,7 @@ server {
 {% endif %}
 {% endif %}

-  location ~ /index.psgi/(adminSessions|sessions|config|notification) {
+  location ~ ^/index.psgi/config {
 {% if llng_engine == 'fastcgi' %}
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
@ -107,12 +107,39 @@ server {
 {% endfor %}
    deny all;
 {% if llng_api_pass is defined %}
-    auth_basic "Lemonldap::NG SOAP endpoint";
+    auth_basic "Lemonldap::NG API";
    auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
    satisfy all;
 {% endif %}
  }

+  location ~ ^/index.psgi/(adminSessions|sessions) {
+{% if llng_engine == 'fastcgi' %}
+    include /etc/nginx/fastcgi_params;
+    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+    fastcgi_param LLTYPE psgi;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+    fastcgi_param PATH_INFO  $fastcgi_path_info;
+{% elif llng_engine == 'uwsgi' %}
+    include /etc/nginx/uwsgi_params;
+    uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+    uwsgi_param LLTYPE psgi;
+    uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
+{% for ip in llng_api_src_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+{% if llng_api_pass is defined %}
+    auth_basic "Lemonldap::NG API";
+    auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
+    satisfy all;
+    access_log off;
+{% endif %}
+  }
+
  location / {
    deny all;
  }
--- a/roles/seafile/defaults/main.yml
+++ b/roles/seafile/defaults/main.yml
@ -11,11 +11,11 @@
 #   MaxUsers = "9"
 #   Mode = "subscription"
 #   etc...
-seafile_version: "{{ seafile_license is defined | ternary('10.0.9','10.0.1') }}"
+seafile_version: "{{ seafile_license is defined | ternary('10.0.9','11.0.3') }}"

 # Archive URL and sha256 are only used for the community version
 seafile_archive_url: https://s3.eu-central-1.amazonaws.com/download.seadrive.org/seafile-server_{{ seafile_version }}_x86-64.tar.gz
-seafile_archive_sha256: 4ce8d51c464ccde8478dfb5f6c92a43b6beece210a939e799b647521ce5baf42
+seafile_archive_sha256: 72fced8581fcded3b63d64c2cc34ca22c30278e4a540d9321cb4727a566a3bf7

 seafile_root_dir: /opt/seafile
 seafile_data_dir: "{{ seafile_root_dir }}/data"
@ -80,6 +80,11 @@ seafile_ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | def
 # prevent seafevents from starting !
 # seafile_ldap_bind_pass: 
 seafile_ldap_login_attr: "{{ ad_auth | default(False) | ternary('userPrincipalName','mail') }}"
+seafile_ldap_email_attr: mail
+seafile_ldap_first_name_attr: givenName
+seafile_ldap_last_name_attr: sn
+seafile_ldap_dept_attr: department
+seafile_ldap_uid_attr: "{{ ad_auth | default(False) | ternary('sAMAccountName', 'uid') }}"
 seafile_ldap_filter: "{{ ad_auth | default(False) | ternary('&(objectClass=user)(objectCategory=person)(primaryGroupId=513)','objectClass=inetOrgPerson') }}"
 # seafile_ldap_group_filter: (mail=*)

--- a/roles/seafile/tasks/facts.yml
+++ b/roles/seafile/tasks/facts.yml
@ -8,6 +8,14 @@
    - vars/{{ ansible_os_family }}.yml
  tags: seafile

+- set_fact: seafile_edition='pro'
+  when: seafile_licence is defined
+  tags: seafile
+
+- set_fact: seafile_edition='community'
+  when: seafile_licence is not defined
+  tags: seafile
+
 - name: Set default install mode
  set_fact: seafile_install_mode='none'
  tags: seafile
--- a/roles/seafile/tasks/install.yml
+++ b/roles/seafile/tasks/install.yml
@ -37,7 +37,7 @@
  pip:
    virtualenv: "{{ seafile_root_dir }}"
    virtualenv_command: /bin/python3.9 -m venv
-    name: "{{ seafile_python_libs }}"
+    name: "{{ seafile_python_libs[seafile_edition] }}"
  notify:
    - restart seafile
    - restart seahub
@ -150,7 +150,7 @@
  # Needed since CentOS 7.5 so ldaps can be used
 - name: Remove bundled libs
  file: path={{ seafile_root_dir }}/seafile-server/seafile/lib/{{ item }} state=absent
-  loop: "{{ seafile_rm_libs }}"
+  loop: "{{ seafile_rm_libs[seafile_edition] }}"
  notify: restart seafile
  tags: seafile

--- a/roles/seafile/templates/ccnet.conf.j2
+++ b/roles/seafile/templates/ccnet.conf.j2
@ -15,7 +15,7 @@ PASSWD = {{ seafile_db_pass }}
 DB = {{ seafile_db_ccnet }}
 CONNECTION_CHARSET = utf8

-{% if seafile_ldap_auth is defined and seafile_ldap_auth %}
+{% if seafile_edition == 'pro' and seafile_ldap_auth is defined and seafile_ldap_auth %}
 [LDAP]
 HOST = {{ seafile_ldap_uri }}
 BASE = {{ seafile_ldap_base }}
--- a/roles/seafile/templates/seahub_settings.py.j2
+++ b/roles/seafile/templates/seahub_settings.py.j2
@ -122,6 +122,7 @@ OAUTH_ATTRIBUTE_MAP = {
    "name": (False, "name"),
 }
 {% endif %}
+{% endif %}
 {% if seafile_header_auth == True %}
 ENABLE_REMOTE_USER_AUTHENTICATION = True
 REMOTE_USER_HEADER = '{{ seafile_header_auth_name }}'
@ -169,3 +170,34 @@ ENABLE_UPLOAD_LINK_VIRUS_CHECK = True
 VIRUS_SCAN_NOTIFY_LIST = ['{{ system_admin_email }}']
 {% endif %}
 {% endif %}
+
+{% if seafile_edition == 'community' and seafile_ldap_auth is defined and seafile_ldap_auth %}
+ENABLE_LDAP = True
+LDAP_SERVER_URL = '{{ seafile_ldap_uri }}'
+LDAP_BASE_DN = '{{ seafile_ldap_base }}'
+{% if seafile_ldap_bind_dn is defined and seafile_ldap_bind_pass is defined %}
+LDAP_ADMIN_DN = '{{ seafile_ldap_bind_dn }}'
+LDAP_ADMIN_PASSWORD = '{{ seafile_ldap_bind_pass }}'
+{% endif %}
+LDAP_PROVIDER = 'ldap'
+LDAP_LOGIN_ATTR = '{{ seafile_ldap_login_attr }}'
+LDAP_FILTER = '{{ seafile_ldap_filter }}'
+LDAP_CONTACT_EMAIL_ATTR = '{{ seafile_ldap_email_attr }}'
+LDAP_USER_FIRST_NAME_ATTR = '{{ seafile_ldap_first_name_attr }}'
+LDAP_USER_LAST_NAME_ATTR = '{{ seafile_ldap_last_name_attr }}'
+
+{% if seafile_license is defined %}
+LDAP_SYNC_INTERVAL = 60
+ENABLE_LDAP_USER_SYNC = True
+{% if seafile_ldap_group_filter is defined %}
+ENABLE_LDAP_GROUP_SYNC = True
+{% endif %}
+DEACTIVE_USER_IF_NOTFOUND = True
+LDAP_USER_OBJECT_CLASS = 'person'
+ENABLE_EXTRA_USER_INFO_SYNC = True
+DEPT_ATTR = '{{ seafile_ldap_dept_attr }}'
+LDAP_UID_ATTR = '{{ seafile_ldap_uid_attr }}'
+ACTIVATE_USER_WHEN_IMPORT = False
+ACTIVATE_AFTER_FIRST_LOGIN = True
+{% endif %}
+{% endif %}
--- a/roles/seafile/vars/RedHat-7.yml
+++ b/roles/seafile/vars/RedHat-7.yml
@ -24,20 +24,44 @@ seafile_packages:
  - python-setuptools   # needed for ansible to create the venv

 seafile_python_libs:
-  - Pillow
-  - pylibmc
-  - captcha
-  - jinja2
-  - sqlalchemy
-  - psd-tools
-  - django-pylibmc
-  - django-simple-captcha
-  - python3-ldap
-  - requests_oauthlib
-  - future
-  - mysqlclient==2.0.1
-  - pycryptodome
-  - lxml
+  community:
+    - pillow==10.0.*
+    - pylibmc
+    - captcha==0.4
+    - jinja2
+    - SQLAlchemy==2.0.18
+    - psd-tools
+    - django-pylibmc
+    - django_simple_captcha==0.5.*
+    - djangosaml2==1.5.*
+    - pysaml2==7.2.*
+    - python-ldap==3.4.3
+    - requests_oauthlib
+    - future==0.18.*
+    - mysqlclient==2.1.*
+    - pycryptodome==3.16.*
+    - cffi==1.15.1
+    - lxml
+    - chardet
+  pro:
+    - pillow==9.3.*
+    - pylibmc
+    - captcha==0.4
+    - jinja2
+    - SQLAlchemy==1.4.3
+    - psd-tools
+    - django-pylibmc
+    - django_simple_captcha==0.5.*
+    - djangosaml2==1.5.*
+    - pysaml2==7.2.*
+    - python-ldap
+    - requests_oauthlib
+    - future==0.18.*
+    - mysqlclient==2.1.*
+    - pycryptodome==3.16.*
+    - cffi==1.15.1
+    - lxml
+    - chardet

 seafile_rm_libs:
  - libnssutil3.so
--- a/roles/seafile/vars/RedHat-8.yml
+++ b/roles/seafile/vars/RedHat-8.yml
@ -24,29 +24,54 @@ seafile_packages:
  - python3-setuptools   # needed for ansible to create the venv

 seafile_python_libs:
-  - pillow==9.3.*
-  - pylibmc
-  - captcha==0.4
-  - jinja2
-  - SQLAlchemy==1.4.3
-  - psd-tools
-  - django-pylibmc
-  - django_simple_captcha==0.5.*
-  - djangosaml2==1.5.*
-  - pysaml2==7.2.*
-  - python-ldap
-  - requests_oauthlib
-  - future==0.18.*
-  - mysqlclient==2.1.*
-  - pycryptodome==3.16.*
-  - cffi==1.15.1
-  - lxml
-  - chardet
+  community:
+    - pillow==10.0.*
+    - pylibmc
+    - captcha==0.4
+    - jinja2
+    - SQLAlchemy==2.0.18
+    - psd-tools
+    - django-pylibmc
+    - django_simple_captcha==0.5.*
+    - djangosaml2==1.5.*
+    - pysaml2==7.2.*
+    - python-ldap==3.4.3
+    - requests_oauthlib
+    - future==0.18.*
+    - mysqlclient==2.1.*
+    - pycryptodome==3.16.*
+    - cffi==1.15.1
+    - lxml
+    - chardet
+  pro:
+    - pillow==9.3.*
+    - pylibmc
+    - captcha==0.4
+    - jinja2
+    - SQLAlchemy==1.4.3
+    - psd-tools
+    - django-pylibmc
+    - django_simple_captcha==0.5.*
+    - djangosaml2==1.5.*
+    - pysaml2==7.2.*
+    - python-ldap
+    - requests_oauthlib
+    - future==0.18.*
+    - mysqlclient==2.1.*
+    - pycryptodome==3.16.*
+    - cffi==1.15.1
+    - lxml
+    - chardet

 seafile_rm_libs:
-  - liblber-2.4.so.2
-  - libldap-2.4.so.2
-  - libsasl2.so.3
-  - libldap_r-2.4.so.2  # 9.0.0
-  - libcrypto.so.1.1    # 9.0.0
-  - libssl.so.1.1       # 9.0.0
+  community:
+    - libcrypto.so.1.1    # 9.0.0
+    - libssl.so.1.1       # 9.0.0
+
+  pro:
+    - liblber-2.4.so.2
+    - libldap-2.4.so.2
+    - libsasl2.so.3
+    - libldap_r-2.4.so.2  # 9.0.0
+    - libcrypto.so.1.1    # 9.0.0
+    - libssl.so.1.1       # 9.0.0
--- a/roles/seafile/vars/RedHat-9.yml
+++ b/roles/seafile/vars/RedHat-9.yml
@ -0,0 +1,77 @@
+---
+
+seafile_packages:
+  - python39
+  - python39-setuptools
+  - python39-pip
+  - python39-devel
+  - gcc
+  - gcc-c++
+  - ffmpeg
+  - ffmpeg-devel
+  - libmemcached-devel
+  - mysql-devel
+  - zlib-devel
+  - openldap-devel
+  - openssl-devel
+  - gcc
+  - tar
+  - mariadb
+  - fuse
+  - java-1.8.0-openjdk   # For seafile-pro
+  - poppler-utils        # For seafile-pro
+  - unoconv              # For seafile-pro
+  - python3-setuptools   # needed for ansible to create the venv
+
+seafile_python_libs:
+  community:
+    - pillow==10.0.*
+    - pylibmc
+    - captcha==0.4
+    - jinja2
+    - SQLAlchemy==2.0.18
+    - psd-tools
+    - django-pylibmc
+    - django_simple_captcha==0.5.*
+    - djangosaml2==1.5.*
+    - pysaml2==7.2.*
+    - python-ldap==3.4.3
+    - requests_oauthlib
+    - future==0.18.*
+    - mysqlclient==2.1.*
+    - pycryptodome==3.16.*
+    - cffi==1.15.1
+    - lxml
+    - chardet
+  pro:
+    - pillow==9.3.*
+    - pylibmc
+    - captcha==0.4
+    - jinja2
+    - SQLAlchemy==1.4.3
+    - psd-tools
+    - django-pylibmc
+    - django_simple_captcha==0.5.*
+    - djangosaml2==1.5.*
+    - pysaml2==7.2.*
+    - python-ldap
+    - requests_oauthlib
+    - future==0.18.*
+    - mysqlclient==2.1.*
+    - pycryptodome==3.16.*
+    - cffi==1.15.1
+    - lxml
+    - chardet
+
+seafile_rm_libs:
+  community:
+    - libcrypto.so.1.1    # 9.0.0
+    - libssl.so.1.1       # 9.0.0
+
+  pro:
+    - liblber-2.4.so.2
+    - libldap-2.4.so.2
+    - libsasl2.so.3
+    - libldap_r-2.4.so.2  # 9.0.0
+    - libcrypto.so.1.1    # 9.0.0
+    - libssl.so.1.1       # 9.0.0