Move kerberos integration to the end of tasks.

This commit is contained in:
Andreas B. Mundt 2020-03-16 19:43:42 +01:00
parent 8ca41be45a
commit c78cff8200
2 changed files with 55 additions and 17 deletions


@ -7,5 +7,5 @@
GssapiUseSessions On GssapiUseSessions On
GssapiNegotiateOnce On GssapiNegotiateOnce On
GssapiBasicAuth On GssapiBasicAuth On
require valid-user Require valid-user
</Location> </Location>
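Review bot: `GssapiBasicAuth On` in this block lets mod_auth_gssapi accept a username and password from the HTTP Authorization header and obtain the ticket on the client's behalf, so the user's Kerberos password crosses the wire on every such request; that is only acceptable if the enclosing `<Location>` is reachable over TLS alone, which the hunk does not show. Consider `GssapiBasicAuth Off` unless the password fallback is actually needed, or guard the block with `SSLRequireSSL`. The `<Location>` directive itself opens before the hunk. The `require`/`Require` casing change is cosmetic, since Apache directive names are case-insensitive.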


@ -101,26 +101,12 @@
dest: /etc/apache2/sites-available/nextcloud.conf dest: /etc/apache2/sites-available/nextcloud.conf
notify: "restart apache2" notify: "restart apache2"
- name: provide kerberos SSO config
copy:
src: krb5-nextcloud.conf
dest: /etc/apache2/sites-available/krb5-nextcloud.conf
when: "'kerberize' in role_names"
notify: "restart apache2"
- name: enable nextcloud site - name: enable nextcloud site
command: a2ensite nextcloud.conf command: a2ensite nextcloud.conf
args: args:
creates: /etc/apache2/sites-enabled/nextcloud.conf creates: /etc/apache2/sites-enabled/nextcloud.conf
notify: "restart apache2" notify: "restart apache2"
- name: enable kerberos access to nextcloud site
command: a2ensite krb5-nextcloud.conf
args:
creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
notify: "restart apache2"
when: "'kerberize' in role_names"
- name: enable https - name: enable https
shell: 'grep -q "VirtualHost .*:443" * || a2ensite default-ssl.conf' shell: 'grep -q "VirtualHost .*:443" * || a2ensite default-ssl.conf'
args: args:
@ -293,10 +279,62 @@
command: "firewall-offline-cmd --add-service=https" command: "firewall-offline-cmd --add-service=https"
when: run_in_installer|default(false)|bool when: run_in_installer|default(false)|bool
#################################################################
## kerberox integration:
- name: install libapache2-mod-auth-gssapi
apt:
name: libapache2-mod-auth-gssapi
state: latest
when: "'kerberize' in role_names"
notify: "restart apache2"
- name: copy keytab for www-data
copy:
src: /etc/krb5.keytab
dest: /etc/krb5.keytab.http
group: www-data
mode: "0640"
remote_src: yes
force: no
when: "'kerberize' in role_names"
notify: "restart apache2"
- name: provide kerberos SSO config
copy:
src: krb5-nextcloud.conf
dest: /etc/apache2/sites-available/krb5-nextcloud.conf
when: "'kerberize' in role_names"
notify: "restart apache2"
- name: enable kerberos access to nextcloud site
command: a2ensite krb5-nextcloud.conf
args:
creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
notify: "restart apache2"
when: "'kerberize' in role_names"
- name: allow https in firewalld
firewalld:
zone: internal
service: https
permanent: Yes
immediate: Yes
state: enabled
when: not run_in_installer|default(false)|bool and 'kerberize' in role_names
- name: allow https in firewalld, offline
command: "firewall-offline-cmd --add-service=https --zone=internal"
when: run_in_installer|default(false)|bool and 'kerberize' in role_names
- name: allow access from kerberized LAN
command: sudo -u www-data php ./occ config:system:set trusted_domains 2 --value='{{ ansible_hostname }}.{{ ansible_domain }}'
args:
chdir: "{{ nc_dir }}"
warn: False
when: not nextcloud.stat.exists and 'kerberize' in role_names
## ToDo kerberox integration:
# sudo -u www-data php ./occ app:enable user_ldap # sudo -u www-data php ./occ app:enable user_ldap
# sudo -u www-data php ./occ app:install user_saml # sudo -u www-data php ./occ app:install user_saml
# sudo -u www-data php ./occ ldap # sudo -u www-data php ./occ ldap
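Review bot: The `copy keytab for www-data` task gives the web server the host's entire keytab (`/etc/krb5.keytab`, i.e. the host/ principal and whatever other keys it holds) as a mode 0640 file group-readable by www-data, so a compromised Apache worker obtains the machine's full Kerberos identity rather than just the HTTP/ service key; extract only the HTTP/ principal into `/etc/krb5.keytab.http` (or request a dedicated service keytab from the KDC) instead of copying the file whole, and make sure the vhost points mod_auth_gssapi at it with `GssapiCredStore keytab:/etc/krb5.keytab.http`, which is not visible in this commit. `force: no` additionally means a later rekey of the host keytab never reaches the copy, so Kerberos logins would silently start failing once the KVNO changes — drop it so the copy tracks the source. The `'kerberize' in role_names` condition is repeated on every new task; a `block:` with a single `when:` would be shorter, and `role_names` is a deprecated magic variable in newer Ansible (`ansible_role_names`), though the targeted Ansible version is not visible here. Finally, the non-canonical booleans (`permanent: Yes`, `immediate: Yes`, `remote_src: yes`, `warn: False`) should be written `true`/`false`, `state: latest` on the apt task will upgrade the package on every run where `state: present` would be idempotent, and the header comment has a typo: `## kerberos integration:`.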