From f38450f9f2037244300082f3e4211b790ac87058 Mon Sep 17 00:00:00 2001
From: Christian Franke
Date: Mon, 26 Oct 2015 20:38:25 +0100
Subject: Assorted changes
- add hooks between webserver and gitserver: git->website and wiki->git work now, git->wiki is still missing, https://ikiwiki.info/tips/Hosting_Ikiwiki_and_master_git_repository_on_different_machines/ should contain the right info for that
- actually configure repo_service
- replace LDAP auth with dummy password auth for now
---
 roles/sublab_web/defaults/main.yaml | 116 ++++++++++++++++++++++-
 roles/sublab_web/files/htpasswd | 1 +
 roles/sublab_web/meta/main.yaml | 1 +
 roles/sublab_web/tasks/as_webuser.yaml | 2 +-
 roles/sublab_web/tasks/as_wikiuser.yaml | 29 +++++-
 roles/sublab_web/tasks/main.yaml | 4 +
 roles/sublab_web/templates/subdap-ssl.conf.j2 | 5 +
 roles/sublab_web/templates/website-rebuild.sh.j2 | 4 +
 roles/sublab_web/templates/wiki.conf.j2 | 23 +++--
 9 files changed, 174 insertions(+), 11 deletions(-)
 create mode 100644 roles/sublab_web/files/htpasswd
(limited to 'roles/sublab_web')
diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml
index 55f5b5f..2122383 100644
--- a/roles/sublab_web/defaults/main.yaml
+++ b/roles/sublab_web/defaults/main.yaml
@@ -1,2 +1,114 @@ ---- -sublab_web_server_name: "{{inventory_hostname}}" +$ANSIBLE_VAULT;1.1;AES256 +33643763303764333037643462663530636364373132666663353165383739636563393636346136 +6634613765343031363935363233663833373238346431360a316133303361313631373732643665 +37343631363437643663306537323039363835636135363537323063386566383832323933646535 +6163623431306139320a343161356565613665623834396465353530383265313565663962333131 +62363737633463303736313034373639383661373566386264303938353532393436366564316262 +64353137316639313464663230346663313639636365663434643637303336373836623865343633 +30623530383761636462326335363635386434313830393130613366386161333230383531646139 +37336631326137663332353930616665623265643835356433343137383334393961356664366366 +66396430396366383133613130616231306333636631376366633137356535373339373539383865 +34626561326331613831636362313563353264336466366161376634363236653638396632343930 +61363531333166336131323133613662373933393665316365633536333864623737616333363161 +63616433393437656438633636663635653433396330313730333437316337363839383935393561 +33343166616161626464623837643262653934643032653563653632653933343764336161356364 +30333261393134373062616561363762616262306661373264333762643039613966323539326233 +30386564316330633565393865663561323036356163313430616235386661373465383039663631 +31316461346339323263363830373438653430333830656332346437626436633333333864356461 +61363532636134306335363936316331663930626462353738656535613736373364626233656436 +38333535326631336165363263663565656537333363303638356632306430363563383031636661 +34346436366539306236653264383731393430313765376161613234633162376634656563316339 +62633832643738643733323165323262613466353332353661616634303037623935616235383233 +37653735633564373739656538633563393265316663303132623139663439613964613738346366 +35376131376537303038613135653938396133626338306137346331356463373361343065633431 +36616462386666656566346230303235393634666261316262663939306338393635333338346435 
+61393834623835393065366563323932653539623439626662633032306165636565393337313038 +37346237393435383232343236653836323666333838623132383537376230646666643338366564 +34306461663434626562303435313532613565643935356361616332383661306633356435653564 +62363332643639336430326161663663303038633364356237373265623433333062386135366161 +31633236373664383939393162326638316533663334366431393930333337626336353539393364 +64356366666366383962346138333436353232383563373332306339306532613532613337376335 +62383235373635316161656166616433633761626462316136613861643161313237316239353164 +30666637653039306431353737336635356532336662363361386538306563333432303461303235 +35316362643765353433306464393764313863303230656631323864363736653636356134373537 +31363339343137373536363134333761616133656339373263373866666333643262336331303838 +38633265366662643966616262653736626339393566343938646638323862333461393366623936 +66343964323137653238336661333039323334366135383837333038393336373332613937623633 +35383835643737306366623831653838323433353763653866393532623165633634366238383731 +37643930666462666434646336383631646135353436363161306335643064353730616462653537 +62303838323839333163653038303238353738336337363461396635373439333139376636353034 +62323832356538613664346239623533383564363264373464326433623065396239316334633332 +37336364363362343832633063626236666661303464303631653733393539386330656361346334 +36616131353336353062353934393234376633633138383332663130343230626536353465356264 +35356266646165303638663837656230373839396137646366636330323735366466623061333030 +37346162336538363130303839346561363336613266623738353065383263626433326433643937 +35656162636531363364313337666635333261343539636432333763653033363839356562653331 +32396536343630366538343764623561363461643431663861613139343965303664376631636432 +33306330373538383038373966343839383737326535333136316565623737373630323265326666 +30386533373637343538313734333361353766656536306638373633326236643038326432386563 
+30616437343465323531663737343833373336663366313839616238653065386137306434396232 +36383435623434353035313161363730306533386533366234626531306131613862343463613936 +66303664333434623932333764633063353236303364353166303036333439666630323137343365 +36663831633131383438336639353833613439623434613164613066653361613330366164336233 +63656139373630316639326561386233653634333564616432613063383930376232656264323363 +39353934386335373532623463663637346466393636346131356631343830343931663064326138 +31323236396162323335643036343936633332393966396662303530663535313366353061653831 +34613536333462646463326461643463396162393934666433376136373933363465643866643939 +66356135653038316137666264306666623464306664323530316334663236306262623338663262 +30313636623434646366356632643566376333353633653232643130666561643663386661663336 +62316366626261636534313962373832383661623937313864383031363032623761353139316637 +32323035653964623961363766383966643964653365316530393339363264363133663833396466 +33633834396565326634366364313062336630646666653537623066626137343537653031396630 +35666463633264376664623765666536663630613338356236373133336365316432353362633731 +34373531373764343064346562346461366436336433313764393964356665323337316435353932 +66633734323035313835366439343763336565303833623830366439333432663837373262643030 +61633039313565313761653466383066346231666333323662336132313165666531356637383031 +37313962313965623665313436306430376637666334626335643366653935313336323632636433 +36643863613764653161613432633436313535333436336565383932393034656231633031623564 +35633865666139336337336535663464303437636161323566633839643263396138376636623636 +39633636363133336430383962313765636463316532633238653366653637636561323064303466 +61356664313035643935383734623462386439393562626161383130656238343734636134653564 +35353430316133373433393235313261303434363364303563383839386137646465616464393366 +34323962373036646530313362383766316464336461343935333166303630653133333561316265 
+36366531326465323839633434656363383563343138373862666666653865376637333932343136 +62383439396231306133353833663738333462383766666337366566343136313731623437323530 +39306165636564336338616635666239346661373831386437663066343664326438313135616230 +63353062636133656566666364343630316564316233393664353938356434356332346631386163 +35663334356235346539393966616663303163323033653330343335323762353637333965366262 +39346136613635363831393734303832316234326536316165373235636531303562663762393766 +66376364323635623233666330663764616263366236393032393138643038353634316132663166 +37343163386164663233356237346561656665363638373835333763666537613939393434393364 +36353763306635353239346566613966343836336236653432313833393631616161303330656531 +36386264383234303135386137633166323438386435346337393032393865613038303264393435 +62363663343064336362623532383262373231616133396164643032653161646639613030623833 +61336436363666356236396533356666656463333536386335346330613263316636303561396433 +62653236393432376135663565633431656437333266343264323435653030363262633439633434 +34333931393465313831346434373837373138626538633262306464366634626234363963396165 +36663862626634626634623330643830646235323334636139633564646139353336653962366537 +33303764323034663630306265636136363838393630653731323137313964386463643563383662 +34393030326361373138356161303363383637343162646331326133336138313038326664623338 +65326466343131323538333661346538333338646433366365663637303832323265363939373434 +30623264373934313538646334633766363731663163633633386565336335653261663533363839 +65393638613430623938356131323837653739363066306566613065653330343064666163306563 +64356363653337343733343239336635643634303532353034353434333935336662386139643261 +33376365613065306566626135306235393938316337343464636333623165373931633038616133 +64636266393538663361353632303433616562393266346266613831346431306464666633383834 +37366330663561303164373937613064386566643164383433333539356534346136356339623265 
+63323431626264366431336435316562623735633131633033313335616231616663346231656363
+30393931376635393366376464366135626339663461306663353037376566616365343066386235
+39613236316663363639613630333939326231643135373362666432666535663630353033616235
+65616435316464326134623666313632373932636439653334366235656461623532613037393430
+35393537316264313963386334646539383038326664643064366430326261383335646638616238
+62653633633838643366323533666165353631666339323036373733333438663863306337306464
+39643337616431363164393433356264616132666665373464383966306135636634623064633166
+32316334363134323932663763366638373234356230333139393535353266373530343065623361
+62313363663233323132643163663163326639303436336165363132633766356237333638336162
+66323232366538656330336463663132323832343737386665353063323163323030643032313162
+30323039346337613834356361616237323166303430363638623863323238653630313630633331
+38643035363464313034626537653061633339613665363539323566663039633130303130376365
+30633665346463656133306465343463383832626562663638343365353338643937306161653762
+37363634343165383333656461396636353963323166383362663036633431373733313963303930
+38346663393431363330396433386462353332353634313336313436386465613830333632333234
+33346361396563616163356333653661613861623863346537313136343865323638313065656333
+66393236323339646633663433396166636537323232323238666635356464623031313139623432
+34656237366633646464306163373230383864316565663438343262343333393765
diff --git a/roles/sublab_web/files/htpasswd b/roles/sublab_web/files/htpasswd
new file mode 100644
index 0000000..4ba5edb
--- /dev/null
+++ b/roles/sublab_web/files/htpasswd
@@ -0,0 +1 @@
+webuser:$apr1$CTQ3rSnN$MTEV4h/Y.9HBT1Apjey1t0
diff --git a/roles/sublab_web/meta/main.yaml b/roles/sublab_web/meta/main.yaml
index f185875..3d84cbe 100644
--- a/roles/sublab_web/meta/main.yaml
+++ b/roles/sublab_web/meta/main.yaml
@@ -2,3 +2,4 @@
 dependencies:
 - role: apache
 - role: subdap
+ - role: git_server_rpc
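Review bot: Encrypting the whole of defaults/main.yaml (the hunk starts at the top of this chunk and ends here) replaces the only plaintext declaration of `sublab_web_server_name` with an opaque blob, so a reviewer can no longer see which variables the role defines; the `wiki_user_pubkey` and `wiki_user_privkey` values that the as_wikiuser tasks reference presumably live in it. Role defaults are the lowest-precedence variables and are normally the readable, documented interface of a role; keeping the non-secret defaults in plaintext and loading only the secrets from a separate vaulted vars file with `include_vars` would keep this file reviewable while the secrets stay encrypted. A comment in the task file that consumes them, such as `# wiki_user_privkey / wiki_user_pubkey are provided by the vaulted vars file`, would make that dependency explicit.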
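Review bot: The committed `webuser:$apr1$…` line stores a password hash in git history, where it remains after any rotation, and `$apr1$` is MD5-crypt, which is cheap to brute-force offline. This role already relies on vault, so generating the entry at deploy time from a vaulted password with the `htpasswd` module (bcrypt via `htpasswd -B` if the file must be kept static) and leaving the hash out of the repository is the safer pattern. It is also a single shared account, so wiki edits lose per-user attribution; the commit message calls this "dummy password auth for now", and a comment to that effect next to the entry would help the next maintainer.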
diff --git a/roles/sublab_web/tasks/as_webuser.yaml b/roles/sublab_web/tasks/as_webuser.yaml
index 859c1bf..c6725aa 100644
--- a/roles/sublab_web/tasks/as_webuser.yaml
+++ b/roles/sublab_web/tasks/as_webuser.yaml
@@ -11,7 +11,7 @@
 - name: Clone sublab website
 git: dest="/var/www/{{sublab_web_server_name}}/htdocs"
- repo=git://git.sublab.org/website
+ repo="git://{{ groups['gitservers'][0] }}/website"
 accept_hostkey=yes
 update=no
 notify: Rebuild subweb website
diff --git a/roles/sublab_web/tasks/as_wikiuser.yaml b/roles/sublab_web/tasks/as_wikiuser.yaml
index adfa473..bd30e9d 100644
--- a/roles/sublab_web/tasks/as_wikiuser.yaml
+++ b/roles/sublab_web/tasks/as_wikiuser.yaml
@@ -22,12 +22,39 @@
 src=ikiwiki-editpage.tmpl
 dest="/home/wiki-{{sublab_web_server_name}}/templates/editpage.tmpl"
+- name: Create .ssh dir
+ file:
+ path="/home/wiki-{{sublab_web_server_name}}/.ssh"
+ state=directory
+ mode=0700
+
+# This ssh keypair is authorized to push to the git-server wiki repo
+- name: Put ssh pubkey
+ copy:
+ dest="/home/wiki-{{sublab_web_server_name}}/.ssh/id_rsa.pub"
+ content="{{wiki_user_pubkey}}"
+ mode=0644
+
+- name: Put ssh privkey
+ copy:
+ dest="/home/wiki-{{sublab_web_server_name}}/.ssh/id_rsa"
+ content="{{wiki_user_privkey}}"
+ mode=0600
+
+# Configure git
+- name: Configure git push for wikiuser
+ command: git config --global push.default simple
+- name: Configure git name
+ command: git config --global user.name "Wiki User {{ansible_hostname}}"
+- name:
+ command: git config --global user.email "nobody@nowhere.ws"
+
 # Updates to git are pushed automatically and should not
 # go through ansible - this is for initial deployment only
 - name: Clone wiki git
 git: dest="/home/wiki-{{sublab_web_server_name}}/wiki"
- repo=git://git.sublab.org/ikiwiki
+ repo=git+ssh://git@{{groups['gitservers'][0]}}/ikiwiki
 accept_hostkey=yes
 update=no
 notify: Rebuild ikiwiki
diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml
index 7416cba..145c549 100644
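Review bot: The new clone URL `repo="git://{{ groups['gitservers'][0] }}/website"` uses the unauthenticated git protocol, so the content that ends up served from htdocs has no transport authentication or integrity, and the `accept_hostkey=yes` on the next line has no effect for a git:// URL. Cloning over `git+ssh://` as the wiki task in the next hunk does, with the server's host key pre-seeded, or over https, would authenticate the source. `groups['gitservers'][0]` also fails the task with an undefined-variable error when that group is empty; a role default naming the git host (hedged, depending on how the inventory is organised) would be clearer to read and to override.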
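Review bot: `accept_hostkey=yes` on the `git+ssh://git@{{groups['gitservers'][0]}}/ikiwiki` clone trusts whichever host key is presented on first contact, which is exactly the moment the private key deployed a few lines above is exercised against a possibly impersonated server; since the git server is managed by the same playbook, seeding the wiki user's `~/.ssh/known_hosts` with its key via the `known_hosts` module before cloning and dropping `accept_hostkey` removes that trust-on-first-use step. The task `- name:` above the `user.email` config has an empty name; `- name: Configure git email` fixes it. The three `command: git config --global …` tasks report changed on every run; adding `changed_when: false` keeps the play idempotent.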
--- a/roles/sublab_web/tasks/main.yaml
+++ b/roles/sublab_web/tasks/main.yaml
@@ -31,6 +31,10 @@
 - wiki.conf
 notify: Reload apache
+- name: Place wiki htpasswd
+ copy: dest=/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd
+ src=htpasswd
+
 - include: ../../apache/tasks/ssl.yaml
 vars:
 ssl_server_name: "{{sublab_web_server_name}}"
diff --git a/roles/sublab_web/templates/subdap-ssl.conf.j2 b/roles/sublab_web/templates/subdap-ssl.conf.j2
index bec8c54..2e543b8 100644
--- a/roles/sublab_web/templates/subdap-ssl.conf.j2
+++ b/roles/sublab_web/templates/subdap-ssl.conf.j2
@@ -1,3 +1,4 @@
+{% if 0 %}
 ProxyPass "http://127.0.0.1:8001/"
@@ -11,3 +12,7 @@ Alias /subdap/static /var/subdap/src/static
 AllowOverride None
 Require all granted
+{% else %}
+RedirectMatch temp ^/(subdap(/?|/.*))$ https://{{ sublab_web_server_name }}/account-creation-suspended
+{% endif %}
+
diff --git a/roles/sublab_web/templates/website-rebuild.sh.j2 b/roles/sublab_web/templates/website-rebuild.sh.j2
index ac29e3d..5cd3964 100644
--- a/roles/sublab_web/templates/website-rebuild.sh.j2
+++ b/roles/sublab_web/templates/website-rebuild.sh.j2
@@ -3,6 +3,10 @@
 # {{ ansible_managed }}
 #
+if [ "$USER" != "sublab_web" ]; then
+ exec sudo -u sublab_web /var/www/{{sublab_web_server_name}}/website-rebuild.sh
+fi
+
 cd /var/www/{{sublab_web_server_name}}/htdocs
 if [ x"$1" != x"-l" ]; then
diff --git a/roles/sublab_web/templates/wiki.conf.j2 b/roles/sublab_web/templates/wiki.conf.j2
index 5328335..a5c47ba 100644
--- a/roles/sublab_web/templates/wiki.conf.j2
+++ b/roles/sublab_web/templates/wiki.conf.j2
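Review bot: `copy: dest=/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd src=htpasswd` sets no `owner`, `group` or `mode`, so the password-hash file is created under the default umask, typically world-readable, and any local account on the host can read the hash for offline cracking. Restricting it to root and the group Apache runs as, e.g. `mode=0640 owner=root group=www-data` (check the actual Apache group on this distribution), is the usual fix. A comment such as `# consumed by AuthUserFile in templates/wiki.conf.j2` would tie the two files together for the next reader.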
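Review bot: `{% if 0 %}` hard-wires the subdap section off with no record of why or how to re-enable it; a named role default (something like `sublab_web_subdap_enabled`, name illustrative) used as `{% if sublab_web_subdap_enabled %}` would make the switch discoverable and give the `{% else %}` branch in the second subdap hunk an obvious meaning. The `RedirectMatch temp ^/(subdap(/?|/.*))$ …/account-creation-suspended` target is not served by anything else in this diff, so confirm a page exists there or the redirect lands on a 404. A one-line comment above the `{% if` stating the reason would also help, since the commit message only says this is temporary.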
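Review bot: `exec sudo -u sublab_web /var/www/{{sublab_web_server_name}}/website-rebuild.sh` re-runs the script without `"$@"`, so the `-l` argument that the `if [ x"$1" != x"-l" ]` test below inspects is silently dropped whenever the script is entered as a different user; append `"$@"` to the exec line. The guard also keys on `$USER`, an environment variable that may be unset in a git-hook or cron context (and would then always take the sudo path); `[ "$(id -un)" != "sublab_web" ]` checks the effective identity instead. Should sudo ever preserve `USER` on this host the re-exec loops, so the sudoers entry that grants this should be limited to exactly this script path and rely on the default environment reset.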
@@ -6,14 +6,23 @@ Alias /wiki/ /home/wiki-{{ sublab_web_server_name }}/wiki-html/
 Options +ExecCGI
+#
+# Disable LDAP auth for now :/
+#
+# AuthType basic
+# AuthBasicProvider ldap
+# AuthName "LDAP Login"
+# AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
+# AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
+# AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
+# # AuthzLDAPAuthoritative on
+# # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+# Require valid-user
+
+# And use basic auth instead
 AuthType basic
- AuthBasicProvider ldap
- AuthName "LDAP Login"
- AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
- AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
- AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
- # AuthzLDAPAuthoritative on
- # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+ AuthName "Wiki Login"
+ AuthUserFile "/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd"
 Require valid-user
 LDAPTrustedMode TLS
--
cgit v1.2.1
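Review bot: Commenting the LDAP block out with Apache `#` does not stop Jinja from evaluating it, so `# AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"` still renders the LDAP bind password into the generated wiki.conf on disk (and still aborts the template if that variable is undefined); wrapping the disabled block in a Jinja comment `{# … #}` or a `{% if false %}` guard keeps it out of the rendered file. The replacement authenticates everyone as the single `webuser` account from `AuthUserFile`, which removes per-user attribution of wiki edits; a note that this is temporary, per the commit message, belongs next to `# And use basic auth instead`. The unchanged `LDAPTrustedMode TLS` context line is now dead configuration with no LDAP provider left, and the enclosing Directory block presumably continues outside the hunk.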