From 24b4917d8186551bcf987b72d1c3588e4705096a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 28 Jan 2024 02:11:05 +0100
Subject: finalize whawty/auth roles for now
---
chaos-at-home/ch-http-proxy.yml | 1 +
chaos-at-home/group_vars/chaos-at-home.yml | 418 +++++++++++----------
chaos-at-home/host_vars/ch-apps.yml | 27 +-
chaos-at-home/host_vars/ch-http-proxy.yml | 36 +-
inventory/group_vars/chaos-at-home/vars.yml | 19 +
inventory/host_vars/ch-apps/whawty.yml | 21 +-
inventory/host_vars/ch-http-proxy.yml | 23 +-
inventory/host_vars/ch-testvm-prometheus.yml | 26 --
roles/apps/whawty/auth/instance/tasks/main.yml | 1 -
roles/whawty/auth/app/defaults/main.yml | 18 +-
roles/whawty/auth/app/tasks/listeners.yml | 18 +
roles/whawty/auth/app/tasks/main.yml | 18 +-
roles/whawty/auth/app/templates/systemd.service.j2 | 32 ++
roles/whawty/auth/app/templates/systemd.socket.j2 | 22 ++
roles/whawty/auth/store/defaults/main.yml | 52 +-
roles/whawty/auth/store/tasks/main.yml | 37 +-
roles/whawty/auth/store/tasks/sync-client.yml | 49 ++-
.../whawty/auth/store/templates/systemd.service.j2 | 6 +-
18 files changed, 463 insertions(+), 361 deletions(-)
create mode 100644 roles/whawty/auth/app/tasks/listeners.yml
create mode 100644 roles/whawty/auth/app/templates/systemd.service.j2
create mode 100644 roles/whawty/auth/app/templates/systemd.socket.j2
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index c92cd758..c742c219 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -14,6 +14,7 @@
 - role: apt-repo/spreadspace
 - role: monitoring/prometheus/exporter
 - role: x509/acmetool/base
+ - role: whawty/auth/store
 - role: nginx/base
 - role: nginx/auth/whawty-sso/base
 - role: nginx/auth/whawty-sso/login
diff --git a/chaos-at-home/group_vars/chaos-at-home.yml b/chaos-at-home/group_vars/chaos-at-home.yml
index 835b35db..4db4e3f9 100644
--- a/chaos-at-home/group_vars/chaos-at-home.yml
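Review bot: The new `whawty/auth/store` role is inserted into the ch-http-proxy role list without a comment saying why a user store is now needed on the proxy host, and the placement between `x509/acmetool/base` and `nginx/base` reads as deliberate ordering rather than accident. The `nginx/auth/whawty-sso/*` roles two lines below are presumably the consumer, but that dependency is not stated anywhere in the hunk. A one-line comment would make it explicit: `- role: whawty/auth/store  # local user store consumed by nginx/auth/whawty-sso/*`. If the store's sync client relies on certificates provisioned by acmetool, the "must run after x509/acmetool/base" constraint is worth stating in the same comment, otherwise a later reordering will break it silently.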
+++ b/chaos-at-home/group_vars/chaos-at-home.yml 
@@ -1,206 +1,214 @@ $ANSIBLE_VAULT;1.2;AES256;chaos-at-home -35353131306537663061333332303865623963646663393661663632343063316335373262353162 -3731326466333062613439373030356431653533373438310a646639306230663630343162633162 -34303965336235623062633637386535663861366364353965306130623866363366363961353336 -3538343063363233650a373739626639666562316135326339393638613863663662333064336237 -35386566343462343637323336393536306333383434616437306261633636306162393334313639 -30376232633835303863383231313262626436333433626465633437336564633265306632656532 -35656333336361376635623466656630393839643164363062356136666663656332326338363461 -65666634373265336664353437333231653639353761346533343730376434313563306464333639 -30306262666165363863306464306339346339333337623237356666376365633933353236663261 -65393738343132393661373739393664613038303261346665633638376533356136636264616130 -62393639343561626231636233646631383234323465626430313466383366663337646665326333 -39356361303130363038323665353262666263343266306136316164333262316434393666306566 -35656631353038356630636166323236663663333033383636666539366132346165333063623161 -62373037613537663939353265646436633131626164363735623830383332346136616663333762 -63373432376564613432663235616264616563656338636235373065386536353662623765383832 -32303932386432663235386230616634323238343466376433386365393763633364363066663736 -33653662623262343232393863613061366665363630656635663732653562616330663361623334 -33663961323830633835623165393830316333336336613134613830643131333035373739356463 -39363039363765653931353330383634663736336237626535616339373062333430353736623663 -37663134626130313832636535336263336536313336393139383537393731366631303262343131 -37383236393038393031366165623663643961363536383162613337336130666365353062376464 -38393362336561376661623861336364313438646364326164383038636138303739353238336663 -34643032343631663230623838343763626534646431303732663361356535336239653530376632 
-38663261653164623339313666366464343532643832666437613635656533323864366264343936 -36366430666365623632353266336662313238306538323538326637396663383731666264653431 -34623538313136633330616264313430663537626661393031306664383336376230323364613964 -61393561303261653736636638656163663564316431336361333264643134613430666130306636 -66313436663739353838636164333964343936393661393433353838386566346630363064616134 -33656463656363353230613936663364616534636237646663343861336231613764613561653234 -36323132623166353564643566343138316364386239333861373066363138313034316661306164 -34303832663038303337633636376433303466663835613436333438306562643265663937366639 -35333366643836383534343036323736316433666534393838643234316433653531376339643462 -30363963356430613630633634656630646430666266376439393361386633666237356366393236 -38663763656662353837333262363266303662346233336230623761336239353735363437613764 -30343833366465616535646263393362626331313566326535386230383061313839343439643635 -62316439383066366431326234336661326361633537666336303431633633323362343864616537 -61363630613732643038653435623964333938363263326139346137313766633034356436333632 -63313035633165376330373735376139663935383964643665623362393131313933653862613066 -61373539383765346532616365323363653137386238633837326137353436336365393065336331 -63633836633830646439623931333766313763353438643637636336383834663064356363636336 -66396161306463343566363533613932326238386564636563396665653364323630346561656464 -32313863633539393965373930343434386336313933633237306133366163336164653965363736 -34633735343966393464393631376633333038353564363933313230396362633139363530303137 -36393862393761613534653138356336366334616162303435376661373132386135376435306264 -62636539316639383065656235616336656363613333626565363932636133343764383066323137 -36386631633366386235336361366165626338663036323363656135323233376263386266656663 -37316639656232306165323136383135383930643332393035663437306463386566363963656263 
-36656638646435353738626665303761363664643435666137326465373839663062336338346462 -32323534656666343135393635633663393464653661356638343134636133653961633739396463 -33646432383762306263376638353535613937393638356461623363366630353239316137666633 -30663037363437313863396166376161316333383435323266643731363863373439326137373766 -62626632366336643862346662613866373133346436336163353065396664353437663939613362 -30343634653062663464353661333635353830616438306335646363393837363664306365613034 -64343134376231356435626334646461383133313839616166666266303433373438386437626662 -32383664323034323062353761646466376566656238353566613565666636353861663763346134 -30393839636433663533633536666639613263353838366461623961386665383735333463343232 -32626431633263616564383861393839383433393533623530646633353763346633386664333231 -35313939376339346633653237303533373132373565366233383432353161663164313531346161 -62353131353061666233656234313363666335616639343631613735646337646536663439346134 -38666136336535633036353534363438353461353730386630646264626662363938316163336566 -63613434643065386661333038313162663335326336323138346262326230653033636631303130 -39393839373164356566333963366163333931663838333065326639366137386137303635633639 -65343466313537393831383731666663336235386434316232643231626663313937316461663730 -30373137343038323037363230613762373565333166326234613232313363343362306631653563 -66353938626266646661353038643334376535303933663666396262346433353264383533316537 -36623463616364626234393334326330366566326432633034343631323137356362303461336330 -37323133646663363738643435653634353161623963383364643165643831333532643039383739 -32366364633731386532666638323833646664316536636561333530393134343233373163646635 -30623335646335393937626536633330363630366538393431393231313465616436613931653462 -32343839343333626432613935656431366664636566376538333539373435346662393264336239 -37633135333861383131316133343031623164303435376632663930353632323330353636616566 
-35323764366430666662633661336432303564613163633866666235366165363835386462306266 -62636262643138376561393130633033336332643063646461636335633166316638313933336633 -36653031373964656564346631613033333830363330373234633332316434343439313838363439 -39633539346132336139626265356339393731616131316235636537393930633835396430653762 -34393738316566333464323661623530333131353438616538633961663664356237393437643164 -65343134633334616365333466306432643734626630376634323865636431613664303636623835 -61633563373133356266363637623539376438343537393332633866356566653035303463313364 -65636637303639363031666235306339653866636537353232333464343734393632383664663638 -64646635336130353137626236316233383765303465643635313861343338333565396135663237 -31616539643633643966343664633162326533333036316438643933313938616136613231643330 -35623563336462646562613533616664323963656166646530653936363330346532626237366662 -34366236616261363661366637636333376661623336663036656333616536316366356664386335 -61376238613139643833373565343562396161373231323531343533663935373836633139366330 -30343735353831303064373733623961373966333432363832613330393262616138623861653363 -31326132643364363865646632653235343164346463616665653039313237623732343439653365 -66363364616635633334393231376531393631353039643133636233313864623635653035616432 -39366239333766393936313331363263626336386432366538313035393762343031383266303338 -66363631303065323764616163326662336237376434333730356431373931623562376630663932 -64336432306366393539313834633230326333663561386263326564316538623063343532303836 -61623935343261643339343730613631366636346633663935303936306665643764373039656130 -37373762663236343739326164323933303064626165376436303965323737373064623163353633 -63326133646534636336346662646265626164343962383933396661303466393634346138333933 -33343733653865353161366635353432323738306537306463316638393962656564386439343637 -37663834396633316464613432376438633732353038623566653233653033323237396138613864 
-65623239376536313536393366306665646234626233393230303266353631666632613463316138 -30366163333930636463353061363531376530646438636363396637313934623537623137396338 -34346434326333616263393266306261663937326232396237323964353163653030313630376333 -63356564626362383836633539656336393538386161666231373331646130306661636132313362 -30303436653861396531333636336462363864663764623061373466653061373133306630346337 -31653230396266373966643364366236643930383662646662376235396363336436656339383834 -62613435613963313730386164643037363431383531616165323838303737393662663932656132 -38646164353462393235303534303238623662663634646262303037643764393862666261363737 -31363133376562633230303235633764396530613335633336316539303662383266323338613366 -36386637303430656332623637326238623039613035663232346563363936656462653161386335 -30346665633265376565383466306639386532613632616563303339653134623464306235353535 -35373838626136386538613637303437633137376137626133383137376138636334616137663932 -33333666313636396661396231616366636563346538613335663063363337643866366137623565 -37626565396433323265363734333739366261653763636330383231383039393839346363373639 -66313437663163386530376130323061313561303463373236346561393835313436353463636565 -66383531613734633130396631303035303361336361623730343665333265336530373332343764 -36363864396636333439633233356337353330656130633439666138346332613835626466646236 -63633565653961343664626135333863396462303534646461373730633861323264626266346563 -63373633333637313438616665633665646533393237343236353336316537646338633461636236 -36363738313737393634613237613262383361623137353466383266303066663162306336623731 -32633430343961656664613330666562346131353561363337613864336430313135326437326566 -33376631336237303736623038353862363330626562313836393065333431613365393361666232 -33323264313366326536346435323138343965356437653737613731653530393633343934636362 -37626466313935316363633732633336376134623063366263333137616538653338393033356634 
-38306238313236613863356436646230326532353235623836313363316539613562333463353336 -31396239306461613734353138366136333562393032643163323732353939646466373362613663 -63613936326566653765313935313564666236393738666438636662313063643266636331363661 -62376130303639303436363231336562356431343035613236376533643061333830343631396438 -39353231623730336435376366626531646131353663633365383738353639636163386463363766 -62303132643230316165383339653839326265653932303738663466323437633965636635366432 -37356162396136633831376438383432373166643762613634656436353135636332336539616465 -61633765333238303765353064663366616536376663383930623831393838623439383265643833 -30643366663730656636393835633237363530353666613134313431363566653864376432333533 -32353465623434643937613538656631646439666466336264636439623439363031616534396435 -64663166333138353631653163633734623538383631653530396364613632316535656532353065 -62333461363961613136366536393538343437653636343536376463383536386262343539316233 -30336236333237616665396432323663363363306433316134353265613233343132366230653066 -32383661656637386137623832623635363132343162303965363234653263303063343763336332 -30396338616236366661656438313766336663613930616566336364363066363266343235393138 -36346633383834323961386665626432663430376237393134343336346564306139383730323337 -38366632306432653931316332623764343935323630633238643163646463383039336362613435 -33323530666265663639646330633164623330653038323934383031393234623966346130353362 -30323030363162303263343066323432356264626565343533636633313637653737666661313339 -62313566333735326434326538336231336331626663646232326638353938633231613334656463 -33306432643733636133376362396635616536306461323839616638336661306138386130623837 -65333563306237346561643239343062643962326434653032636264376163386536336632356336 -36663336643165626364356632303633363037373032623664383864353331383533356630653538 -61376430366261343537343939653631353962376535343130363239666434343731376666346637 
-33343832633565383961323039353538373437333436343633373562386266626236353964613532 -65373638333538306132623830323363666536313531353831616263656137323238666461616362 -61376262643161343263333538306434373536306230616138616133393532376661616535666565 -39666231316435323139393333633335373233613931626465383034313934646437373836613439 -64643861643366623438303034373833363565356434666431346564663439613964363731646263 -33366363393462386531663932386630373033653239636535356431623564643231613533323064 -62383163366362633135363236633130613061613339346136616339356563383035333134303432 -35656335656430376338643634396335636163346238336664653332313636643438303538313139 -36323565613861303962306662373966396431336630343263646162353263656237616235646234 -37373132373534643866643439386135336336623835303630616162623830616564373335313731 -38326236383866623633316236323166613263616334373863656136336438313332656534623466 -62383165373961313565343762313665373234313264356539373032306462633931363731323137 -64376537666162343134656538656238313330366633393834626138323531636135353736656535 -64376266613033613932316661643763326431366263363063306466316337613961336461313362 -65373538656133396266363664326638626464306264626433666134643330383437386237376362 -63396432316436326562356335396364303261383131313736343436343832306132623861366536 -66613731653539636561376563376237353131616639363563343632393033613465366633353961 -32313038313532356136633238636235626562383830353266636333613630326136383663633661 -32343361666135376161393161633566376666326235623131383432393132356638313466376362 -63623334353936663764393439373539373530336662383334393033393365316163623362653665 -32383437313963643835316434346366363965366161323733623365313366343262383239653630 -36336236323166363536643364383931383362633062303462303136333638376165343632376438 -39663836353638316466656331663430356264643330663533643764313035656235343333666534 -66663465616664653438393139656532616536363331376337383530366633643333633033343466 
-65313734353136376330623534343632383762633031376565396236386165336531643637613634 -32633565646464383362366439326234626138653132623432373361383433336237613637613431 -63353565613036373836393237346239636131306261393065333763393236326562666264616262 -61396563623263386461616437306534373239623663613637343261356233393537373132653161 -63663830623762316532363764323136333661333137383735616463316262636339656434303432 -38303231333065643033613133323838653431376264313565656561306634636532626635346263 -36356536343666616436656166353365396437643335613635663134366434303236626434383535 -35386565613838633538373332323733316132376561663163353731333836363239366661623263 -64663737353430346435303563356465633635613433646337353238653132363139636237393438 -33366238366238623237386265336332613138653864616566663938393836636136396636643963 -61323634323737323631656664363764343732626164383238366532313564393566323330383462 -38333464663265376136656334316131653463636661343363396331306438396536303736353831 -30373639393034323032613334343632333233353262646336386434633432393964323031353563 -62336135393538316636613339616261636439356333376632616261623565656365353031333435 -38383161346539373765626534366530303432663865393461646332633032303631346437623032 -31313734343662363331386263656166396264626362616637356334323462663964656436663761 -37643031336262353962303537633663313437653436633331306632633839653432656437393361 -30666263616231353437653135343162313632353137373461356334386434343834356339636461 -39396339363664653562316434613566353465363734366331626262663262303531306637633630 -38306263666236323864616463613461653033313364613139363566356165336437353036663134 -36313162306165363265313739356536343965353538316166306331666631613533663635306261 -66616335373731393566366235643361633630623837613735653035386232333063336365646137 -39386335353464663533306231633532656561323566373961333934616464616465353662336635 -36663130363863656430666462646564366132633261353161313039353438616534653639316266 
-37666566643031636266316435393535666534343534373934666332316332373966376264336532 -34386632396534646330636165616638393938663162313632363861386537646664383463383334 -64343838326232303864383231666164666364366565643264646537323130333137363865386262 -31666238666134333732313565386265303933353262646664353565353530363031646264626136 -36393262383731336233653331623762636335616634623137313162353365303634373134663636 -31363034396263373732646466323235316432613131313538363363643132313135663839653631 -63636561643834313037313834323738393631313436333034326634336631383030323261616335 -37646336616264663831383566343961306637643263343435383961356465366133366363306433 -38666130313765393237376535666663303336303834663231653430323239666531396434363764 -33633238333335633165656230393032306230616430643138646133303538646633313733386462 -30633661376636633466323133373263636165636535616539646536643930363262346231346339 -38653963383839643862396263373163393030306337306332613437396535353233613362623234 -62373036623132373337336635353764356538393636643038646331316664623034633632303965 -6632 +64623539323763626561613131396633613363653561313630313137663262373638666530346566 +3865613635663961306461333830316565636662383832350a653664666463633265383963316233 +61616133633532306166666535623965386433643861366633343431623865396132383861653765 +3738653065623464300a373435656664663665636363663061303636303834343935316364653665 +63653231336466643539393163653536386531303433666630353633393436663438373139383431 +61326438366265393636633134363866643965653062353432353937376137346437336134326632 +65393461616632336132346634623134643131626665636230363666643163663535383163363164 +61643964303238666563623264363730393061346435626665616537323531323735623464346137 +38353336396630663634633030303265353735336432326134663665363062373434383634363833 +36336562313939373038316331653161643561343430303033306339383336376230356430343835 +34313665313664646333383536316164646564613930303630303232373561396462383930353434 
+34636239646535386331346566626432363764653861333163333266653635633937306336623363 +31663165616130383238313735663033303261633562666639643363323464333535313730623332 +35313562303133343865663938313738386132333666666131333164373062306435326232393635 +65333930393761363061386536363838383733363266326637323834613032373265303066346132 +62316166316366336530313238323533366135316436343731633064353463616438613132303364 +61313537646339633632616362616263303139356462326138633866323433326236346366316163 +62653730626635653438353736393739306236396264323930663861366432316135633566306663 +62303162303065323032656566343539336631363433616632373930313637386236653664613363 +31393334353836316561323130316535633836396235303839333063373837636166316136383561 +37663662396365356539613164363666386464393866383835633464623030616633653366373665 +63356561656437616464353931316362613162366131393239613134316163396633303930326636 +62376264383431663536326633306661336339383730663533353235303362383632623439303331 +32356339386361373663363765353333383236353631393135343134646533333466663034366236 +30336538336439343361343230373539623537303064346166323332633662306337373966636237 +63636261346636633832353338306132393436653336313634393838396663643536373463393539 +31633663356661386434663066303932653237633830366631313365666537623535303434383761 +36333539643166646361393237393331623838346338633736366331303839656364343937373039 +65653866663838613134336438396439666236363034343534373139353434633264646165646366 +32303339366266303038306433323834343530656330313438353861626339333365386238333162 +34346131373837613634323335336236346634616232393563646265376536316661356638663065 +30393234653761653630376433333339323963616162633434663339373137656662653565343437 +37303362383161333832313962616262303537393431653233653163653862633435646534346538 +36663630613732353138326263366136313439363432626234353163346333393330313061663634 +61323232303534636237343033383034613138646635386435313430663638646264663736646136 
+36646437653034663936623166613134643437663235316631353037393137356335336536663934 +38656633613839643637626135653037623735346133336438353633373966383862333133393538 +66636165663061326437613766313933656337363231666132626135653462343938336433376230 +62323936643964386563623664373665646463333261626662346564393533346465363162363839 +64383935343630323539333738633833313733663234636363626166383238303537353530663431 +37343562633735653132353931343034666332356662386533363464643433633735353862396336 +61356463353166356334643237396231336438323566393032396265653564366461653432663162 +63313135323030396665383461366163353936653132663436313538363562376133633563386561 +65393664656430326563646661306634326437323737363831656365346633613462653933386136 +38316261646561663631376463363864386532303034306439396338633261396561373065613835 +66373933333163633565366432386535383932616431363963636231636361333565613532653239 +33326666633939333430333137396564643764353564646463363930666365643062663462383035 +38373761623735363635356631306131633166393663303163343237633362313162663863643830 +35633138643038643864356363346361633833613335376235313161373162666266653264633933 +64353234636231623162663938346131396361666232396262383236313132663939343435636665 +65313639613030303439633830393936623165396235383133663733343637643536326562626663 +31386535343538306464373061303734363363363830613539323537643037646239383437626461 +34653262386131643937656437653330353132316463393337373039656438346138613232396665 +63373463336162663531303930646266373033323635623132636431376330633235313636376562 +61653932326562373430656661646464336437613064363366326232653666356231383539383938 +30613730306536393332656561636435623635646632663135643766663164663564313430613931 +30656135326336633263656130623834353839346135303339666435376663333138303534303538 +38633731393438363766376664633635343333336430333638333232303166636261393731343237 +65363762626261333361653239623337383033373334336237643663346662373531616435386334 
+61633463613834316361363039643636633831656466336366376537363939636638336434383739 +36303333333533396233333139613333663862323362396539626637623964616366386236343332 +64623564343766323238383430323237343861613164356637333037613739303963386433373464 +65623832326634303531663639396532653037366664396438636231363936616566393365643339 +39316431363663616132363636643439396136366533333032333934343131663735353663636263 +34303733353135396237653330663739633431323263346139386363313438366363666138333666 +37346634396663613637386436653735363166323362323661333033313362623434646466373264 +32656338623965326332663331666637396462386363623133663665633132323036313336356531 +35343832646530396364376162373537396335646139326537666632323564666536333662316164 +32303162363030663433363765366663393235323064316435366132393930313462373565343965 +36393037333666346335393432656361366366633362383565663362366630616436393633363961 +64383231323933346535326530643430343265636664663537653836326166323564386666356432 +66383834333036656633373630383839616462333061623530653461376539626163646633313339 +39663933633064356339396333366262333661313238346133636435323931303763313535396234 +63386137656565326561346135633364666238326336316264653133306130323638333064366338 +63376562333037383739646466316562613939666664616237636364643162343434376431653061 +66396661333338396162316264323230386331666264393465616235643633653033653863326664 +63353238336634306437326232353534383262383532323133303765646466313630656337343239 +66613765653830303461656230393839393663623461383932393663333830383164613036386230 +32383765376630333634363766363636623036306565633439313237396632666332613365636663 +34383465623065643062373537616163646465343033356632343037653235383431396338396463 +62616164323039626161333464663037356332356335323936613665643564393265623265303439 +31616336616133623831323034366631363532353834323338653764616630363232643536383764 +37313062653339663663626431316432626364306436313731313966353966303635376231656662 
+66373435626161343266386134333061353661626635323632393531663431333833316564636466 +64393436396337356432656666326533373363303331613766393835343139333431643461636666 +36663539373162333035333832653532313862643332643865356432396635346164303765326162 +38383463653164333434376265353939336665613236306165326438363735306236346466306433 +32366561613162333565323733646332386233366630343864376137366439306232303133306335 +38343864363630333961366365336465383261343435663066643535333137353136653566386564 +30303566386565626636333532346262646230316661346436303735326236616633353965643463 +30383665303763633538663061623061303933306365303366656534663561373466303062336164 +31313934643737316538663933333565383134306233623238396161646665616663646438353163 +62373931643032393466623239663133383733623639303566316161343830626231383638373464 +65316535326162663133633934343839643939636566616165333864633461303839336461393337 +39386535666363363739303134396564663135393765333335366363623733343239656633633439 +63303535393435353938373237303861353737613830343132373030353766343538323365333262 +34646133636231356230643331616666636333393264353138346566376538356535393733306431 +34343566306661396333636563646532333863366161313333623236336235363033663162343934 +37376336323861626438303564356466346630623763633362303532323431643662373039333164 +38613834353736343431363534623463613734326134343062333237646635326230333462353462 +36663339306131326336343337646530356330633265653233633434613264303061323239653338 +61643933666664373138646565336564373435303339356632306366366562666162313434656439 +66646266356531316566363436656632386336333366333063303733366136613864336539306434 +39393764313037356639656265386235663561326132653532373134383861336262633535366464 +39343530363465643634383766623362373862613261356665386661343264653563623137303464 +33663334326531663235386335613138366461623766356565633638663830343336653439663135 +31356663616538623162323261646532633338373835373530346533663638396130646636356132 
+30613831326337353833356230613061616438613234363833656635323962316666383438343838 +30336661373662323335356330613230613565636233646436323363643235626166343833353239 +33396238613630356639623364383239656338373162373034356635356362636266396138666261 +30326535643762313166663936613362333865393263343662636430393635303230613566633865 +32303361373466346536326330313565636536326331363135376632666130343333366434353233 +66313763643133643363643666376362646536313134363561333232353937326562666662353239 +34383439393862383636303535623561386136386565633731623162646464643230623165313130 +62656263643865643538323433343737613236393266646561613163333336373865613666633936 +32626565383437623864353236353430616332353464663431326366316532316261313765356166 +38346437343438636331646534663534396330353866363965656636653662383461636365626563 +32303737353335353161323530353931633531346665623861386330396165373633623436326132 +32623064346432363231333534643364646565346563366561393731373936366466623130656132 +35356435346134613565663834346234313938343332383563306335393333383235333765396231 +32313064393430346266323966306232663666333235366162363363653965306334303035353330 +30346138373736393830613765396333303837326635346466663661626237623630353036343566 +33356533333530636133393062336330306230663664333561373239356234303764343934343538 +63343334393530396163616164356161393661656263313231613830383339333832663830376434 +62656430316437663031333163633565643738653038646261613038643965653661613831316665 +33336132353839316466343633373764386238373031633638333430666135366636663664353838 +31376462393533323831383031646535346566343064643637656137613864353336363131383631 +39626533633166646665336138323833336135333561353064666262326565356263346436303331 +33383532663364356231613136633461323935316166393866636536313436396539623433336162 +32366165303761363736353134333933613230353362626161353161346464633731383233336635 +64363036313066613766313063363138346465396637343039646531306264363766643730393834 
+61646133373638653231383835386266373233613463643133363233303933643533396632373166 +61653332323433353161376434323937623063386634373063666336323433333266333866343330 +65306661373532663433366531356439383231633565333861636439366365393537363830633536 +32343963373938353630373361366364626665343933313263353931353063323330353239663431 +30353538636562346638656433646234393337306432323163333931396362393938643861633339 +35633439366338393961353433646662316435343932666235323033383734643238613130313539 +65376635663738343863303336373237636666663838383837383838376331383830663039663837 +66643235633036663834313066363432316565393261643861313232633638346430646464303162 +34663864653231363636633637326434383337393039386237313936323065326566656331663435 +34663566626436643062653166363330393639323461346635316139636435623038316537643839 +64393034656539636164316438326362616637646566383661333433363334663438393237306666 +65333838626131333765366161353061333539333964626639313664376662663562353663326133 +39346439616230323139393435396664323961353831373232623761396130656132613662336434 +38303930626565633632633862623830306335363639393631646433336338663133353538356132 +61376562656330613437636237383039303038313134323335303061383139643963633033653038 +63366331336439613432383666613737646662303838653333323434323166373062656265666438 +62363561613035653736663431376561386162303737383965313261343664636538336661633831 +64366464303930646332346561626138636230323661336431393531343363636631663831303864 +62376661333837356638363839316231373330623537383730323631643433636338336237643530 +38343836396338356462663231646233633463363963396239376162613461396535373831316434 +62323463323831653965616434653966316333343463326533353939666234656265343534373636 +30323761643363626639303938373761333737326539356538373736663036373934633734393264 +35343132313831323236646532373934653239633062663537636666313031663035643266333539 +61396262363038663130333732616238626636393839323633646336383836613337303430313138 
+31633236353031363935376165336139376361303834633865373265316334663261383531393937 +34633235326536336265393035653162636134343865623631346630636535353465656363303961 +34613532343965613437653766373664633830613437303138306139373438376338356235316438 +35393039386439323330623737306162353566313431643433333139303961356461616365303162 +61383362353236336437343531323132313466326265393062646530353430353535323031303563 +31653132373665323530326163353836353032316362373439643835623635643664363634336436 +65333364623266363834373863313565313866343130393765633261363462396632656530303563 +63653338326364336534303462383663643639313962353265356637636139626630336539363765 +36353831613233653633363636303338333766333437656338373535326365366264313138636664 +34633966643738326139346363613032366534626236336637383464376665396639306561316439 +64393538623632343065336233316434326261636438646137633662376263343166396533373131 +64393330333564643862333934623933343036623130383566653632633730383566646562643437 +32353866633430373232623230636132393538333534643038393865343736393532383733356434 +34663532333331326138333464336439326132393130663063623662343865623730383937386161 +63656466343061333064353735306163653964336630366362633766396462626136653633636162 +33633565343839386133666632623763396231646662623334366433313965353237393431316263 +36653337373261326165323232346332373162363663323335653237346361656166366133613432 +31613239333365663139616131313665373466343564306461343162393565653232346463393164 +62333334616461373164633666383830316664313466646632646465323562313234306562313839 +66303432663662353130353030306332366235326332393536383539643863336461353162313261 +64383130343761303931636135333537363934323161353965646335653930613763616630646563 +62393265346636666437643534626136343030663566306163613332366461393238633333303038 +63323833316636313530343232616533336430323332346636396137656234303664623530336465 +34336561626164386533383363363639386537333230333539393830316131306336333965396261 
+33383639313065333862636264343762653236663164383932316434323632303133363163316637 +36363339303539323365663063303633306564353562336230386531316239663338383038633265 +62346437386231353562376337633937663335613934313437346231383732373665323363386438 +37643262653366363533386565663462663534353339316166303336666435656366306430313432 +34333333316435363932643265373039313439303935323838623862363937333661356466613039 +36393536626639313837383134326239663063383366613934636336373339336434666364386131 +34613232616335646161306561656532616239643435353833636135643034663134623364356332 +64376534313430396366316437633331626565326135313932386137613336316539323432646463 +37663161653461343039336633306436363733353065333065653338623362386465343138376236 +39393538363032333032653666663562313134326165643032303238383366633561393963633665 +39373866623238623230303832356337656136346131396464396637663962326235376461396437 +64663332353530396237343532346164386636346464623934363233643436623561356166306131 +64326265663630303339316365316133393830343062303230356131666166663831646666313432 +66323163643464343965333536393365306634643166333338633062343964663238386139653230 +35306634343664323830316231616262386563383966376133646361306134306234386634336239 +32313465616365623939623830666563656330376534636366663537333135363064653335386239 +32303135623830623661363162626434323238623566393236373232373531646166306338383231 +62653265653161626438336532376466663338303632313339313865663136666232633432383163 +37626438356339363330366230383261623666366133363038343334303238663164396662613362 +34636666306334633163363838323661313037313638356334643437623161366531333364363139 +34633538306230363962626139643164633036336165663330313366383261656163376164346535 +32666439393436383861653534383264336162343366663135306435303163393039396262636238 +38386135353033646661363138343265313864303566363362393636316435353533346162653863 +64643965653431353934363636663135623035336334666238393230396461633065653931636431 
+62656662633839633962343666623762666661353731326462396332373530623838336339373437 +66656333383337393838666231333234336166623261393165363532356438383465313931383131 +62303035623332343031623937353661343038633133313162343830333732616237373165396263 +39393231633337303065376465303236656638353135633764356434633536343437663533383664 +61383065373864633564366433333862636665643138643862383866383532353837653361356262 +30313435656232643161303962633431306563316235323232363630363038623435663133353461 +37353939366332366165336231633637636164346363303763306232326530393564326266343765 +37616539326139646263313033626639343432306661323934346436666638313531303937333835 +33356263323233303438646662386337313966346135643137616539663237366630336162643639 +6532 diff --git a/chaos-at-home/host_vars/ch-apps.yml b/chaos-at-home/host_vars/ch-apps.yml index 9714ea90..77a65518 100644 --- a/chaos-at-home/host_vars/ch-apps.yml +++ b/chaos-at-home/host_vars/ch-apps.yml 
@@ -1,19 +1,10 @@ $ANSIBLE_VAULT;1.2;AES256;chaos-at-home -61393032643235616535363836343637626138393937353634373033386333386161306538643161 -6233336131646139353163366533326161623735623330340a643639353039633930623164336231 -63386230356630363435653031363631653836303537613062303030313865363362623232353666 -3838636163333566640a356461633961393238633762363234623133353832363834656562663939 -38376130303236653636636161616366393538656461346633613030396365313237373964343961 -36383632323764616465353332366165356332616134316537386565346536393362643232326637 -36376563653130396339323034336265393266663433306631363730646365663265626338613736 -66663261363961613835633739643362383261653634613137336663393937366336646632663766 -32633965313963396664623836623132613138646132333765616434316537623130643961643862 -65383262663263636565313165383837323766363461383533626334383033303533373038373765 -61313538346463626566303566363134336439306539313164386364316134336464363738346262 -30343035393566623336323761653266313732396635646263646539386666353266363439353737 -31656663656365333865626334343830346163313735343062616636383337613332626136313165 -37366666383264363863393836656266633031396535343462376261336439613038333932616333 -64656231396533666633303936333565316563613535343130386437343533336562663764666137 -61323836626261323165653738636330613531313765653438663434666432636330636137336562 -65373434353232653539666366643065323961366433366565646466636232636536303865393665 -6366663538373933616636366335313530656261373165633263 +38383864353635316235323036363263663166613039666163376437386461633431613636343032 +3039306237306336383764303966313838646335613533620a323831336133663261636539333961 +33623337393831616361666133373066646466643964303730393830316665626433316264666333 +6361383732323833390a343834353931653133663338373231363062666330623037306564613534 +37303738356233376233343461323636373233626233323265653234366663303236393134666162 +31636230366537363639336664326262623639646531633530623233363065626265613331353933 
+39373537666332613562393562643937623636336536633937323439383165323563323837323961 +62613064393433626165373539386139636331303732613363386432363531613038346234303661 +61353965366535623961333966323361303664653763646163373030333637623132 diff --git a/chaos-at-home/host_vars/ch-http-proxy.yml b/chaos-at-home/host_vars/ch-http-proxy.yml index d9dfacf5..e5e89d08 100644 --- a/chaos-at-home/host_vars/ch-http-proxy.yml +++ b/chaos-at-home/host_vars/ch-http-proxy.yml @@ -1,22 +1,16 @@ $ANSIBLE_VAULT;1.2;AES256;chaos-at-home -32633366356337373362376131646632366132633165653261306332383965656338613066663863 -3432626533343330353433653765626364663837303166390a313638323061326161323862373335 -61383762303539313637663336303039323932323137333961386131656133353137333664653032 -3663356263613336340a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a373761383930333535393538386565 +38633038613137633132346139353133636633306330363366333964303431656233646265646337 +3463326335616539630a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diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml index 76b1fab7..9a6e5987 100644 --- a/inventory/group_vars/chaos-at-home/vars.yml +++ b/inventory/group_vars/chaos-at-home/vars.yml @@ -51,3 +51,22 @@ chaos_at_home_internal_ca_cert: | greenbone_target_user_ssh_keys: - ssh-rsa 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 + + +whawty_auth_store__chaos_at_home: + default: 2 + params: + - id: 1 + scryptauth: + hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys__chaos_at_home['1'] }}" + cost: 12 + - id: 2 + scryptauth: + hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys__chaos_at_home['2'] }}" + cost: 12 + - id: 3 + argon2id: + time: 1 + memory: 65536 + threads: 4 + length: 32 diff --git a/inventory/host_vars/ch-apps/whawty.yml b/inventory/host_vars/ch-apps/whawty.yml index f2ff0a4f..a0ea111f 100644 --- a/inventory/host_vars/ch-apps/whawty.yml +++ b/inventory/host_vars/ch-apps/whawty.yml 
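Review bot: `default: 2` in `whawty_auth_store__chaos_at_home` presumably selects the parameter set used for newly written hashes, and it points at the scryptauth entry even though an argon2id set (`id: 3`) is defined right below it; if the argon2id entry was added as the scheme to migrate to, `default: 3` is likely what was meant, otherwise a one-line comment such as `# default stays on scryptauth (id 2) until <reason>` would save the next reader the question. The `hmackey` values come from vault and are quoted, which is right; note that this store definition is now shared by ch-apps and ch-http-proxy, so the same HMAC keys end up rendered into a store config file on both hosts and the file mode set by the store role is what protects them there.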
@@ -7,26 +7,11 @@ whawty_auth_instances: passwd.chaos-at-home.org: version: 0.2-rc9 port: 3080 - store: - default: 2 - params: - - id: 1 - scryptauth: - hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['1'] }}" - cost: 12 - - id: 2 - scryptauth: - hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['2'] }}" - cost: 12 - - id: 3 - argon2id: - time: 1 - memory: 65536 - threads: 4 - length: 32 + store: "{{ whawty_auth_store__chaos_at_home }}" sync: port: 3022 - authorized_keys: "{{ users.equinox.ssh }}" + authorized_keys: + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsY3QIaN/S05EHZ9IF6GWgXG0wAh5qAxgQAq7ZLtNP8 whawty-auth-sync-chaos-at-home@ch-http-proxy storage: type: zfs parent: "{{ _whawty_auth_zfs_base_ }}" diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml index eabf7dbe..46e63c1d 100644 --- a/inventory/host_vars/ch-http-proxy.yml +++ b/inventory/host_vars/ch-http-proxy.yml @@ -54,6 +54,19 @@ prometheus_job_multitarget_blackbox__probe: hostname: "login.chaos-at-home.org" +whawty_auth_store_instances: + chaos-at-home: + config: "{{ whawty_auth_store__chaos_at_home | combine({'basedir': '/var/lib/whawty/auth/chaos-at-home'}) }}" + permissions: + file-mode: "0600" + dir-mode: "0700" + sync: + type: client + hostname: 192.168.32.1 + port: 3022 + user: sync + + whawty_nginx_sso_backends: chaos-at-home: port: 1234 @@ -81,8 +94,14 @@ whawty_nginx_sso_logins: backend: bolt: {} auth: - static: + whawty: + store: /etc/whawty/auth/store-chaos-at-home.yml autoreload: yes + remote-upgrades: + url: https://127.0.0.1/api/update + http-host: passwd.chaos-at-home.org + tls: + server-name: passwd.chaos-at-home.org web: listen: 127.0.0.1:1234 login: 
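Review bot: The literal `ssh-ed25519 …` entry that replaces `users.equinox.ssh` in `authorized_keys` is the public half of a keypair that `sync-client.yml` generates on the client with `openssh_keypair` (judging by the key comment, `/etc/whawty/auth/.store-chaos-at-home-sync/id_ed25519` on ch-http-proxy), so nothing in the repo ties the two together and a regenerated keypair would silently break the sync. A comment above the entry naming that origin, e.g. `# public key of /etc/whawty/auth/.store-chaos-at-home-sync/id_ed25519 on ch-http-proxy, generated by roles/whawty/auth/store/tasks/sync-client.yml`, would make the dependency visible; pulling it from that host's facts would be the stronger fix. Moving from a personal key list to a single-purpose sync key is the right direction.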
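Review bot: The `chaos-at-home` store instance sets `file-mode: "0600"` and `dir-mode: "0700"` but no `owner`/`group`, so the store role renders `/etc/whawty/auth/store-chaos-at-home.yml` (which carries the scryptauth HMAC keys) as root-only, while the second hunk of this file points the nginx-sso login's `whawty: store:` at exactly that path; unless that login process runs as root it will not be able to read the store. If it runs as a dedicated user, add `owner`/`group` for that account here and relax to `file-mode: "0640"` / `dir-mode: "0750"`, as the store defaults example does; if it does run as root, a short comment stating that would stop the next reader from re-checking it. The `tls: server-name:` pin on the loopback `remote-upgrades` URL is a sensible way to keep certificate validation meaningful over 127.0.0.1.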
@@ -92,8 +111,6 @@ whawty_nginx_sso_logins: prometheus: listen: 127.0.0.1:1235 -whawty_nginx_sso_login_static_credentials__chaos-at-home: "{{ vault_whawty_nginx_sso_login_static_credentials['chaos-at-home'] }}" - prometheus_job_multitarget_whawty_nginx_sso: ch-http-proxy: - instance: "whawty-nginx-sso-{{ inventory_hostname }}-chaos-at-home" diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml index 91a55830..415e6774 100644 --- a/inventory/host_vars/ch-testvm-prometheus.yml +++ b/inventory/host_vars/ch-testvm-prometheus.yml @@ -35,29 +35,3 @@ network: - *_network_primary_ ntp_variant: systemd-timesyncd - - - -### -whawty_auth_store: - name: foo - config: - basedir: "/var/lib/whawty/auth/foo" - default: 1 - params: - - id: 1 - argon2id: - time: 1 - memory: 65536 ## 64 MB - threads: 4 - length: 32 - permissions: - owner: root - group: foo - file-mode: "0640" - dir-mode: "0750" - sync: - type: client - hostname: 192.168.32.1 - port: 3022 - user: sync diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml index 26ba63df..ece9fd14 100644 --- a/roles/apps/whawty/auth/instance/tasks/main.yml +++ b/roles/apps/whawty/auth/instance/tasks/main.yml @@ -108,7 +108,6 @@ - path: "{{ whawty_auth_instance_basepath }}/config/store.yml" - path: "{{ whawty_auth_instance_basepath }}/config/web.yml" {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %} - - path: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys" - path: "{{ whawty_auth_instance_basepath }}/sync/group" - path: "{{ whawty_auth_instance_basepath }}/sync/passwd" - path: "{{ whawty_auth_instance_basepath }}/sync/rsyncd.conf" diff --git a/roles/whawty/auth/app/defaults/main.yml b/roles/whawty/auth/app/defaults/main.yml index fa188349..d1423a61 100644 --- a/roles/whawty/auth/app/defaults/main.yml +++ b/roles/whawty/auth/app/defaults/main.yml 
@@ -1,2 +1,18 @@
 ---
-whawty_install_pam_module: no
+whawty_auth_app_install_pam_module: no
+
+## TODO: add support for web config (including TLS)
+
+# whawty_auth_app_instances:
+# blub:
+# store: foo
+# listeners:
+# saslauthd:
+# sockets:
+# - /var/run/whawty/auth.sock
+# user: foo
+# group: bar
+# mode: 0600
+# web:
+# sockets:
+# - 127.0.0.1:1234
diff --git a/roles/whawty/auth/app/tasks/listeners.yml b/roles/whawty/auth/app/tasks/listeners.yml
new file mode 100644
index 00000000..82944222
--- /dev/null
+++ b/roles/whawty/auth/app/tasks/listeners.yml
@@ -0,0 +1,18 @@
+---
+- name: generate systemd socket units
+ loop: "{{ whawty_auth_app.config.listeners | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: systemd.socket.j2
+ dest: "/etc/systemd/system/whawty-auth-{{ whawty_auth_app.name }}_{{ item.key }}.socket"
+
+- name: make sure systemd socket units are enabled and started
+ loop: "{{ whawty_auth_app.config.listeners | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ systemd:
+ daemon_reload: yes
+ name: "whawty-auth-{{ whawty_auth_app.name }}_{{ item.key }}.socket"
+ state: started
+ enabled: yes
diff --git a/roles/whawty/auth/app/tasks/main.yml b/roles/whawty/auth/app/tasks/main.yml
index 00a02c7e..cc19fd2e 100644
--- a/roles/whawty/auth/app/tasks/main.yml
+++ b/roles/whawty/auth/app/tasks/main.yml
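Review bot: The commented example `mode: 0600` under `saslauthd:` would, if copied into real inventory, be read by Ansible's YAML 1.1 loader as the integer 384, and the new socket template in this commit renders that value verbatim as `SocketMode={{ item.value.mode }}`, where systemd parses it as octal and so rejects or misreads it; the example should read `mode: "0600"`, matching how the store defaults quote `file-mode: "0640"`. The renamed `whawty_auth_app_install_pam_module: no` would canonically be `false`, but the rest of the repo uses `yes`/`no`, so that is a repo-wide choice rather than something to fix in this hunk.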
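Review bot: In `listeners.yml` the socket units are templated and then only brought to `state: started`, so a later change to a listener (another `sockets:` entry, a different `user`/`group`/`mode`) rewrites the unit file and reloads the daemon but leaves the running socket with its old configuration; the same gap applies to the service unit templated in `roles/whawty/auth/app/tasks/main.yml` in this commit, which is never restarted at all. The usual fix is a `notify:` on both template tasks pointing at a handler that restarts `whawty-auth-{{ whawty_auth_app.name }}_{{ item.key }}.socket` and `whawty-auth-{{ whawty_auth_app.name }}.service`; a one-line comment on the systemd task saying that running units are deliberately not restarted would be the alternative if that is the intent.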
@@ -1,5 +1,21 @@ --- - name: install whawty app apt: - name: "{{ ['whawty-auth'] | union(whawty_auth_install_pam_module | ternary(['libpam-whawty'], [])) }}" + name: "{{ ['whawty-auth'] | union(whawty_auth_app_install_pam_module | ternary(['libpam-whawty'], [])) }}" state: present + +- name: generate systemd service units + loop: "{{ whawty_auth_app_instances | dict2items(key_name='name', value_name='config') }}" + loop_control: + loop_var: whawty_auth_app + label: "{{ whawty_auth_app.name }}" + template: + src: systemd.service.j2 + dest: "/etc/systemd/system/whawty-auth-{{ whawty_auth_app.name }}.service" + +- name: generate, start and enable systemd socket units + loop: "{{ whawty_auth_app_instances | dict2items(key_name='name', value_name='config') }}" + loop_control: + loop_var: whawty_auth_app + label: "{{ whawty_auth_app.name }}" + include_tasks: listeners.yml diff --git a/roles/whawty/auth/app/templates/systemd.service.j2 b/roles/whawty/auth/app/templates/systemd.service.j2 new file mode 100644 index 00000000..875d692e --- /dev/null +++ b/roles/whawty/auth/app/templates/systemd.service.j2 
@@ -0,0 +1,32 @@
+{% set whawty_auth_store = whawty_auth_store_instances[whawty_auth_app.config.store] %}
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/whawty-auth --store "/etc/whawty/auth/store-{{ whawty_auth_app.config.store }}.yml" runsa
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+{% if 'sync' not in whawty_auth_store or whawty_auth_store.sync.type != 'client' %}
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+{% endif %}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
diff --git a/roles/whawty/auth/app/templates/systemd.socket.j2 b/roles/whawty/auth/app/templates/systemd.socket.j2
new file mode 100644
index 00000000..f0432e3b
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.socket.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}/{{ item.key }}
+
+[Socket]
+Service=whawty-auth-{{ whawty_auth_app.name }}.service
+FileDescriptorName={{ item.key }}
+{% for socket in item.value.sockets %}
+ListenStream={{ socket }}
+{% endfor %}
+RemoveOnStop=true
+{% if 'user' in item.value %}
+SocketUser={{ item.value.user }}
+{% endif %}
+{% if 'group' in item.value %}
+SocketGroup={{ item.value.group }}
+{% endif %}
+{% if 'mode' in item.value %}
+SocketMode={{ item.value.mode }}
+{% endif %}
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/whawty/auth/store/defaults/main.yml b/roles/whawty/auth/store/defaults/main.yml
index b8cb08b7..c479c600 100644
--- a/roles/whawty/auth/store/defaults/main.yml
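Review bot: The service unit carries a long hardening list but no `User=`/`Group=`, so the agent runs as root and `CapabilityBoundingSet=`, `ProtectSystem=strict` and friends bound far less than they appear to; with the ch-http-proxy store rendered root-owned `0600`/`0700` elsewhere in this commit, root is in fact what currently lets it read the store. Consider a dedicated service account — `User=`/`Group=` in the unit and `permissions.owner`/`group` plus `file-mode: "0640"` on the store instance, as the store defaults example already shows — after which `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `SystemCallFilter=@system-service` become meaningful additions. The `{% if %}` around `ReadWritePaths=` leaves a sync-client store read-only to the agent, presumably because the sync unit is the only writer; a comment such as `{# sync clients only read the store, the sync service owns the writes #}` would make that intent explicit.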
+++ b/roles/whawty/auth/store/defaults/main.yml
@@ -1,27 +1,27 @@
 ---
-# whawty_auth_store:
-# name: foo
-# config:
-# basedir: "/var/lib/whawty/auth/foo"
-# default: 2
-# params:
-# - id: 1
-# scryptauth:
-# hmackey: "<32bytes random secret data base64-encoded>"
-# cost: 12
-# - id: 2
-# argon2id:
-# time: 1
-# memory: 65536 ## 64 MB
-# threads: 4
-# length: 32
-# permissions:
-# owner: root
-# group: foo
-# file-mode: "0640"
-# dir-mode: "0750"
-# sync:
-# type: client
-# hostname: passwd.example.com
-# port: 3022
-# user: sync
+# whawty_auth_store_instances:
+# foo:
+# config:
+# basedir: "/var/lib/whawty/auth/foo"
+# default: 2
+# params:
+# - id: 1
+# scryptauth:
+# hmackey: "<32bytes random secret data base64-encoded>"
+# cost: 12
+# - id: 2
+# argon2id:
+# time: 1
+# memory: 65536 ## 64 MB
+# threads: 4
+# length: 32
+# permissions:
+# owner: root
+# group: foo
+# file-mode: "0640"
+# dir-mode: "0750"
+# sync:
+# type: client
+# hostname: passwd.example.com
+# port: 3022
+# user: sync
diff --git a/roles/whawty/auth/store/tasks/main.yml b/roles/whawty/auth/store/tasks/main.yml
index 86f2691b..9a0ea26b 100644
--- a/roles/whawty/auth/store/tasks/main.yml
+++ b/roles/whawty/auth/store/tasks/main.yml
@@ -5,21 +5,36 @@ state: directory - name: create store base directory + loop: "{{ whawty_auth_store_instances | dict2items }}" + loop_control: + label: "{{ item.key }}" file: - path: "{{ whawty_auth_store.config.basedir }}" + path: "{{ item.value.config.basedir }}" state: directory - mode: "{{ whawty_auth_store.permissions['dir-mode'] | default(omit) }}" - owner: "{{ whawty_auth_store.permissions.owner | default(omit) }}" - group: "{{ whawty_auth_store.permissions.group | default(omit) }}" + mode: "{{ item.value.permissions['dir-mode'] | default(omit) }}" + owner: "{{ item.value.permissions.owner | default(omit) }}" + group: "{{ item.value.permissions.group | default(omit) }}" - name: generate store config file + loop: "{{ whawty_auth_store_instances | dict2items }}" + loop_control: + label: "{{ item.key }}" copy: - content: "{{ whawty_auth_store.config | to_nice_yaml(indent=2) }}" - dest: "/etc/whawty/auth/store-{{ whawty_auth_store.name }}.yml" - mode: "{{ whawty_auth_store.permissions['file-mode'] | default(omit) }}" - owner: "{{ whawty_auth_store.permissions.owner | default(omit) }}" - group: "{{ whawty_auth_store.permissions.group | default(omit) }}" + content: "{{ item.value.config | to_nice_yaml(indent=2) }}" + dest: "/etc/whawty/auth/store-{{ item.key }}.yml" + mode: "{{ item.value.permissions['file-mode'] | default(omit) }}" + owner: "{{ item.value.permissions.owner | default(omit) }}" + group: "{{ item.value.permissions.group | default(omit) }}" + +- name: install rsync + when: "(whawty_auth_store_instances | dict2items | selectattr('value.sync', 'defined') | length) > 0" + apt: + name: rsync + state: present - name: configure sync - when: "'sync' in whawty_auth_store" - include_tasks: "sync-{{ whawty_auth_store.sync.type }}.yml" + loop: "{{ whawty_auth_store_instances | dict2items }}" + loop_control: + label: "{{ item.key }}" + when: "'sync' in item.value" + include_tasks: "sync-{{ item.value.sync.type }}.yml" 
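Review bot: `generate store config file` writes the rendered store config, which includes the `scryptauth.hmackey` secrets, with `mode: "{{ item.value.permissions['file-mode'] | default(omit) }}"`, so an instance that omits `permissions` lands under `/etc/whawty/auth/` with the process umask, typically world-readable; a restrictive fallback such as `mode: "{{ item.value.permissions['file-mode'] | default('0600') }}"` (and `default('0700')` for the directory task) fails closed, at the cost that instances relying on the umask would then need an explicit `file-mode`. Adding `no_log: true` to that `copy` task keeps the key material out of verbose and diff output; both loops already use `label: "{{ item.key }}"`, which keeps it out of task labels. The `install rsync` `when` expression reads fine; if the `length` filter complains about a generator on your Jinja2 version, insert `| list` before it.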
diff --git a/roles/whawty/auth/store/tasks/sync-client.yml b/roles/whawty/auth/store/tasks/sync-client.yml
index 77dce1d1..a45e4727 100644
--- a/roles/whawty/auth/store/tasks/sync-client.yml
+++ b/roles/whawty/auth/store/tasks/sync-client.yml
@@ -1,70 +1,65 @@ --- -- name: install rsync - apt: - name: rsync - state: present - - name: make sure sync client config directory exists file: - path: "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync" + path: "/etc/whawty/auth/.store-{{ item.key }}-sync" state: directory - name: generate ssh config for whawty-auth store sync client copy: content: | Host whawty-auth-server - Hostname {{ whawty_auth_store.sync.hostname }} - {% if 'port' in whawty_auth_store.sync %} - Port {{ whawty_auth_store.sync.port }} + Hostname {{ item.value.sync.hostname }} + {% if 'port' in item.value.sync %} + Port {{ item.value.sync.port }} {% endif %} - User {{ whawty_auth_store.sync.user }} - IdentityFile /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/id_ed25519 + User {{ item.value.sync.user }} + IdentityFile /etc/whawty/auth/.store-{{ item.key }}-sync/id_ed25519 IdentitiesOnly yes - UserKnownHostsFile /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/known_hosts + UserKnownHostsFile /etc/whawty/auth/.store-{{ item.key }}-sync/known_hosts ControlMaster auto - ControlPath /run/ssh-master.whawty-auth-store-sync-{{ whawty_auth_store.name }} + ControlPath /run/ssh-master.whawty-auth-store-sync-{{ item.key }} ControlPersist 300 - dest: "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config" + dest: "/etc/whawty/auth/.store-{{ item.key }}-sync/ssh_config" - name: generate ssh keypair for sync client openssh_keypair: - path: /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/id_ed25519 + path: /etc/whawty/auth/.store-{{ item.key }}-sync/id_ed25519 type: ed25519 - comment: "whawty-auth-sync-{{ whawty_auth_store.name }}@{{ inventory_hostname }}" + comment: "whawty-auth-sync-{{ item.key }}@{{ inventory_hostname }}" - name: generate sync script copy: content: | #!/bin/bash {% set rsync_args = [] %} - {% if 'permissions' in whawty_auth_store %} - {% if 'file-mode' in whawty_auth_store.permissions %} - {% set _dummy = rsync_args.append(" 
--chmod=F"~whawty_auth_store.permissions['file-mode']) %} + {% if 'permissions' in item.value %} + {% if 'file-mode' in item.value.permissions %} + {% set _dummy = rsync_args.append(" --chmod=F"~item.value.permissions['file-mode']) %} {% endif %} - {% if 'owner' in whawty_auth_store.permissions %} - {% set _dummy = rsync_args.append(" --chown="~whawty_auth_store.permissions.owner~":"~whawty_auth_store.permissions.group) %} + {% if 'owner' in item.value.permissions %} + {% set _dummy = rsync_args.append(" --chown="~item.value.permissions.owner~":"~item.value.permissions.group) %} {% endif %} {% endif %} while true; do - /usr/bin/rsync -rtW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ whawty_auth_store.config.basedir }}' + /usr/bin/rsync -rtW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ item.key }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ item.value.config.basedir }}' sleep 60 done - dest: /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/run.sh + dest: /etc/whawty/auth/.store-{{ item.key }}-sync/run.sh mode: 0755 - name: generate known_hosts file - shell: "ssh-keyscan{% if 'port' in whawty_auth_store.sync %} -p {{ whawty_auth_store.sync.port }}{% endif %} {{ whawty_auth_store.sync.hostname }} > /etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/known_hosts" + shell: "ssh-keyscan{% if 'port' in item.value.sync %} -p {{ item.value.sync.port }}{% endif %} {{ item.value.sync.hostname }} > /etc/whawty/auth/.store-{{ item.key }}-sync/known_hosts" args: - creates: "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/known_hosts" + creates: "/etc/whawty/auth/.store-{{ item.key }}-sync/known_hosts" - name: install systemd units for whawty-auth store sync client template: src: "systemd.service.j2" - 
dest: "/etc/systemd/system/whawty-auth-store-sync-{{ whawty_auth_store.name }}.service" + dest: "/etc/systemd/system/whawty-auth-store-sync-{{ item.key }}.service" - name: make sure whawty-auth store sync client is enabled and started systemd: daemon_reload: yes - name: "whawty-auth-store-sync-{{ whawty_auth_store.name }}.service" + name: "whawty-auth-store-sync-{{ item.key }}.service" state: started enabled: yes diff --git a/roles/whawty/auth/store/templates/systemd.service.j2 b/roles/whawty/auth/store/templates/systemd.service.j2 index 2fe45642..7e066901 100644 --- a/roles/whawty/auth/store/templates/systemd.service.j2 +++ b/roles/whawty/auth/store/templates/systemd.service.j2 @@ -1,9 +1,9 @@ [Unit] -Description=sync for whawty-auth store {{ whawty_auth_store.name }} +Description=sync for whawty-auth store {{ item.key }} [Service] Type=simple -ExecStart=/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/run.sh +ExecStart=/etc/whawty/auth/.store-{{ item.key }}-sync/run.sh # systemd hardening-options AmbientCapabilities=CAP_CHOWN CAP_FOWNER @@ -20,7 +20,7 @@ ProtectHome=true ProtectKernelModules=true ProtectKernelTunables=true ProtectSystem=strict -ReadWritePaths={{ whawty_auth_store.config.basedir }} +ReadWritePaths={{ item.value.config.basedir }} RemoveIPC=true RestrictNamespaces=true RestrictRealtime=true -- cgit v1.2.3
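Review bot: The `--chown=` argument in the generated sync script is built from `item.value.permissions.owner~":"~item.value.permissions.group`, but the guard only checks `'owner' in item.value.permissions`, so an instance that sets `owner` without `group` makes the template fail or renders an empty group depending on undefined handling; `{% if 'owner' in item.value.permissions and 'group' in item.value.permissions %}` closes that, and the hunk covers the whole file so nothing outside it compensates. The `generate known_hosts file` task still seeds `known_hosts` from `ssh-keyscan` on first run and `creates:` then pins whatever answered, i.e. trust-on-first-use of the sync server's host key towards `{{ item.value.sync.hostname }}`; since the inventory knows the server, supplying its host key through the `known_hosts` module (or a host var) would remove that bootstrap window, and `IdentitiesOnly yes` plus the dedicated `UserKnownHostsFile` in the ssh config are the right shape around it.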