jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-04-19 03:33:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2022-03-19 00:00

Browse Source
This commit is contained in:
Daniel Berteaud 2022-03-19 00:00:06 +01:00
parent 897e3c74b4
commit 9ddd7b99c0
4 changed files with 40 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
roles/postgresql_server/defaults/main.yml
View File

@ -80,3 +80,27 @@ pg_roles_to_remove: []
# If defined, a Let's Encrypt cert will be obtained and used # If defined, a Let's Encrypt cert will be obtained and used
# pg_letsencrypt_cert: postgres.example.org # pg_letsencrypt_cert: postgres.example.org
# LDAP authentication
# You can enable ldap auth, see https://www.postgresql.org/docs/current/auth-ldap.html
# Note that only the search+bind mode is supported
# Turn on or off ldap auth
pg_ldap_auth: False
# LDAP server to query. You can enter several servers separated by space
pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | join(' '), (ldap_uri is defined) | ternary(ldap_uri | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"
# port of the ldap server
pg_ldap_port: 389
# Should starttls be used
pg_ldap_starttls: True
# Base DN where postgres will lookup your users
pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base, (ldap_base is defined) | ternary(ldap_base, ansible_domain | regex_replace('\\.', ',DC='))) }}"
# Bind DN and bind password for postgres to lookup users. If not defined, the lookup will be done anonymously
# pg_ldap_binddn: postgres@{{ ansible_domain }}
# pg_ldap_bindpasswd: S3cr3t.
# The filter to search for user. $username will be replaced by the postgres user whose password is being verified
pg_ldap_searchfilter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(sAMAccountName=$username))', '(&(objectClass=inetOrgPerson)(uid=$username))') }}"
# Connection type for which ldap auth will be attempted. Note that for security reason you shouldn't set it to host as it'd allow LDAP password
# to be sent unencrypted over between the postgres client and server (even is the postgres server then uses TLS to check the password against the LDAP server)
pg_ldap_conn_type: hostssl
# Limit for which user / roles the ldap auth will be used (third field in pg_hba.conf)
pg_ldap_roles: '+ldap_roles'

2
roles/postgresql_server/tasks/main.yml
View File

@ -24,7 +24,7 @@
- cert_path: /var/lib/pgsql/ssl/server.crt - cert_path: /var/lib/pgsql/ssl/server.crt
- cert_key_path: /var/lib/pgsql/ssl/server.key - cert_key_path: /var/lib/pgsql/ssl/server.key
- cert_key_group: postgres - cert_key_group: postgres
- cert_key_mode: 0640 - cert_key_mode: '640'
tags: pg tags: pg
- name: Install dehydrated hook - name: Install dehydrated hook

11
roles/postgresql_server/templates/pg_hba.conf.j2
View File

@ -1,5 +1,8 @@
# {{ ansible_managed }} # {{ ansible_managed }}
local all all peer local all all peer
host all all 127.0.0.1/32 md5 host all all 127.0.0.1/32 md5
host all all ::1/128 md5 host all all ::1/128 md5
host all all 0.0.0.0/0 md5 {% if pg_ldap_auth %}
{{ pg_ldap_conn_type }} all {{ pg_ldap_roles }} 0.0.0.0/0 ldap ldapserver="{{ pg_ldap_host }}" ldapport={{ pg_ldap_port }} ldaptls={{ pg_ldap_starttls | ternary('1', '0') }} ldapbasedn="{{ pg_ldap_basedn }}" ldapbinddn="{{ pg_ldap_binddn }}" ldapbindpasswd="{{ pg_ldap_bindpasswd }}" ldapsearchfilter="{{ pg_ldap_searchfilter }}"
{% endif %}
host all all 0.0.0.0/0 md5

16
roles/sftpgo/tasks/conf.yml
View File

@ -27,8 +27,8 @@
vars: vars:
cert_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.crt" cert_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.crt"
cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.key" cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.key"
cert_group: "{{ sftpgo_user }}" cert_key_group: "{{ sftpgo_user }}"
cert_mode: 640 cert_key_mode: 640
tags: sftpgo tags: sftpgo
- name: Generate self-signed certificate for webdavd - name: Generate self-signed certificate for webdavd
@ -36,8 +36,8 @@
vars: vars:
cert_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.crt" cert_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.crt"
cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.key" cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.key"
cert_group: "{{ sftpgo_user }}" cert_key_group: "{{ sftpgo_user }}"
cert_mode: 640 cert_key_mode: 640
tags: sftpgo tags: sftpgo
- name: Generate self-signed certificate for httpd - name: Generate self-signed certificate for httpd
@ -45,8 +45,8 @@
vars: vars:
cert_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.crt" cert_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.crt"
cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.key" cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.key"
cert_group: "{{ sftpgo_user }}" cert_key_group: "{{ sftpgo_user }}"
cert_mode: 640 cert_key_mode: 640
tags: sftpgo tags: sftpgo
- name: Generate self-signed certificate for telemetry - name: Generate self-signed certificate for telemetry
@ -54,8 +54,8 @@
vars: vars:
cert_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.crt" cert_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.crt"
cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.key" cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.key"
cert_group: "{{ sftpgo_user }}" cert_key_group: "{{ sftpgo_user }}"
cert_mode: 640 cert_key_mode: 640
tags: sftpgo tags: sftpgo
- name: Set permissions on certificates - name: Set permissions on certificates