From b168f3f3e267f17b6a435cec5c145e4a67caca12 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 1 Feb 2024 00:03:13 +0100 Subject: apps/whawty/auth: add ldap listener --- inventory/host_vars/ch-apps/whawty.yml | 27 +++++++++++++++++++++- roles/apps/whawty/auth/defaults/main.yml | 6 +++++ roles/apps/whawty/auth/instance/tasks/main.yml | 23 ++++++++++++++++++ .../whawty/auth/instance/templates/listener.yml.j2 | 16 +++++++++++++ .../whawty/auth/instance/templates/pod-spec.yml.j2 | 4 ++++ 5 files changed, 75 insertions(+), 1 deletion(-) diff --git a/inventory/host_vars/ch-apps/whawty.yml b/inventory/host_vars/ch-apps/whawty.yml index cbb08903..63d15eb9 100644 --- a/inventory/host_vars/ch-apps/whawty.yml +++ b/inventory/host_vars/ch-apps/whawty.yml @@ -5,7 +5,7 @@ _whawty_auth_zfs_base_: whawty_auth_instances: passwd.chaos-at-home.org: - version: 0.3-rc1 + version: 0.3-rc2 port: 3080 store: "{{ whawty_auth_store__chaos_at_home }}" sync: @@ -13,6 +13,31 @@ whawty_auth_instances: authorized_keys: - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsY3QIaN/S05EHZ9IF6GWgXG0wAh5qAxgQAq7ZLtNP8 whawty-auth-sync-chaos-at-home@ch-http-proxy - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHoyvg0McwpPFAT642lm9MIGG2/6Hi+hFe8IvmroDar whawty-auth-sync-chaos-at-home@ch-pan + ldap: + port: 3636 + hostnames: + - ldap.chaos-at-home.org + tls: + certificate_provider: static-ca + certificate_config: + ca: + key_content: "{{ chaos_at_home_internal_ca_key }}" + cert_content: "{{ chaos_at_home_internal_ca_cert }}" + key: + type: RSA + size: 4096 + cert: + key_usage: + - digitalSignature + - keyAgreement + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + create_subject_key_identifier: yes + not_before: +0h + not_after: +365d + renew_margin: +70d storage: type: zfs parent: "{{ _whawty_auth_zfs_base_ }}" diff --git a/roles/apps/whawty/auth/defaults/main.yml b/roles/apps/whawty/auth/defaults/main.yml index 8f203802..538ffbde 100644 
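Review bot: `keyAgreement` in the new `cert.key_usage` list is the wrong bit for the RSA key this block generates — that usage is defined for static DH/ECDH keys, while an RSA TLS server signs the handshake (`digitalSignature`) and, only for pre-1.3 RSA key exchange, wraps the premaster secret (`keyEncipherment`). With `key_usage_critical: yes` a strict LDAPS client may reject the certificate, and since the listener template in this commit pins `min-protocol-version: "TLSv1.3"`, `digitalSignature` is the only bit that is actually exercised. I'd change the list to `- digitalSignature` and `- keyEncipherment` (or just the first, if TLS 1.2 clients are never expected). Whether `chaos_at_home_internal_ca_key` is vault-encrypted is not visible here; it should be, since this hunk hands the internal CA's private key to the cert role.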
--- a/roles/apps/whawty/auth/defaults/main.yml +++ b/roles/apps/whawty/auth/defaults/main.yml @@ -12,6 +12,12 @@ # memory: 65536 # threads: 4 # length: 32 +# ldap: +# port: 3636 +# hostnames: +# - ldap.example.com +# tls: +# certificate_provider: ... # sync: # port: 3022 # authorized_keys: diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml index 8bada57c..2c3fc175 100644 --- a/roles/apps/whawty/auth/instance/tasks/main.yml +++ b/roles/apps/whawty/auth/instance/tasks/main.yml @@ -62,6 +62,29 @@ include_role: name: "x509/{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_provider }}/cert" +- name: generate/install TLS certificates for ldap + when: + - "'ldap' in whawty_auth_instances[whawty_auth_instance]" + - "'tls' in whawty_auth_instances[whawty_auth_instance].ldap" + vars: + x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}_ldap" + x509_certificate_hostnames: "{{ whawty_auth_instances[whawty_auth_instance].ldap.hostnames }}" + x509_certificate_config: "{{ whawty_auth_instances[whawty_auth_instance].ldap.tls.certificate_config }}" + x509_certificate_renewal: + install: + - dest: "{{ whawty_auth_instance_basepath }}/tls/ldap-crt.pem" + src: + - fullchain + owner: app + mode: "0444" + - dest: "{{ whawty_auth_instance_basepath }}/tls/ldap-key.pem" + src: + - key + owner: app + mode: "0400" + include_role: + name: "x509/{{ whawty_auth_instances[whawty_auth_instance].ldap.tls.certificate_provider }}/cert" + - name: generate app listener config template: src: listener.yml.j2 diff --git a/roles/apps/whawty/auth/instance/templates/listener.yml.j2 b/roles/apps/whawty/auth/instance/templates/listener.yml.j2 index a69bdc58..12a83905 100644 --- a/roles/apps/whawty/auth/instance/templates/listener.yml.j2 +++ b/roles/apps/whawty/auth/instance/templates/listener.yml.j2 
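Review bot: The commented `ldap:` example should say that `tls:` is optional and what omitting it means, because the listener template in this commit renders a plaintext `ldap:` listener whenever the `tls` key is absent, and an LDAP simple bind then carries the user's password in the clear. I'd add a comment line directly under `#   tls:` such as `#   # optional, but without 'tls' the instance serves plaintext LDAP (passwords in clear on the wire)`. It would also help to note that `hostnames` becomes the certificate's SAN list, which is how the tasks hunk uses it (`x509_certificate_hostnames`).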
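Review bot: Nothing in the new `generate/install TLS certificates for ldap` task reloads the running container after a renewal, so once the x509 role rotates `ldap-crt.pem`/`ldap-key.pem` under `tls/` the ldaps listener presumably keeps serving the old certificate until the pod is recreated. I cannot see from this hunk whether the included `x509/*/cert` role notifies a handler, so this may already be handled the same way as the `publish` certificate directly above it; if it is not, the renewal needs the same restart/reload hook that the publish certificate gets. The file modes (`0444` cert, `0400` key, owner `app`) look right for a key that only the container user should read.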
@@ -6,3 +6,19 @@ https: certificate-key: /tls/publish-key.pem min-protocol-version: "TLSv1.3" prefer-server-ciphers: true +{% if 'ldap' in whawty_auth_instances[whawty_auth_instance] %} +{% if 'tls' in whawty_auth_instances[whawty_auth_instance].ldap %} +ldaps: +{% else %} +ldap: +{% endif %} + listen: + - ":{{ whawty_auth_instances[whawty_auth_instance].ldap.port }}" +{% if 'tls' in whawty_auth_instances[whawty_auth_instance].ldap %} + tls: + certificate: /tls/ldap-crt.pem + certificate-key: /tls/ldap-key.pem + min-protocol-version: "TLSv1.3" + prefer-server-ciphers: true +{% endif %} +{% endif %} diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 index 01a956cc..4b75a346 100644 --- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 +++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 @@ -27,6 +27,10 @@ containers: {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %} hostIP: "127.0.0.1" {% endif %} +{% if 'ldap' in whawty_auth_instances[whawty_auth_instance] %} + - containerPort: {{ whawty_auth_instances[whawty_auth_instance].ldap.port }} + hostPort: {{ whawty_auth_instances[whawty_auth_instance].ldap.port }} +{% endif %} {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %} - name: sync image: "ghcr.io/whawty/auth/sync:v{{ whawty_auth_instances[whawty_auth_instance].version }}" -- cgit v1.2.3
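Review bot: The `{% else %}` branch in listener.yml.j2 silently configures a plaintext `ldap:` listener whenever the `tls` key is missing, and because every simple bind against this service carries a user's password, that is credentials in clear on the network with no StartTLS upgrade visible here. A typo such as `tsl:` in inventory would degrade the listener to plaintext without any error. I'd make `tls` mandatory for the ldap listener — an `assert` task before the template, or an explicit opt-in variable such as `allow_plaintext: true` under `ldap` that the template checks instead of falling through — and keep the plaintext form only behind that switch. Separately, I cannot verify from this diff that the whawty listener config accepts `prefer-server-ciphers` under `ldaps.tls`; worth a check against the 0.3-rc2 config schema since it was copied from the `https` block.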
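Review bot: The new `hostPort` for the ldap listener in pod-spec.yml.j2 has no `hostIP`, so the pod runtime binds it on every host interface, unlike the https port a few lines up, which is pinned to `127.0.0.1` when the publisher runs on the same host. Combined with the plaintext `ldap:` fallback in the listener template, an instance configured without `tls` would expose unencrypted binds on all host addresses. I'd make the bind address configurable, e.g. add `{% if 'host_ip' in whawty_auth_instances[whawty_auth_instance].ldap %}` / `hostIP: "{{ whawty_auth_instances[whawty_auth_instance].ldap.host_ip }}"` / `{% endif %}` inside the new block and document the key in defaults. The `containers:` list this port belongs to starts outside the hunk.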