Move kerberos integration to the end of tasks.

2020-03-16 19:43:42 +01:00 · 2020-03-16 19:43:42 +01:00 · c78cff8200
commit c78cff8200
parent 8ca41be45a
2 changed files with 55 additions and 17 deletions
--- a/roles/nextcloud/files/krb5-nextcloud.conf
+++ b/roles/nextcloud/files/krb5-nextcloud.conf
@ -7,5 +7,5 @@
  GssapiUseSessions    On
  GssapiNegotiateOnce  On
  GssapiBasicAuth      On
-  require              valid-user
+  Require              valid-user
 </Location>
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -101,26 +101,12 @@
    dest: /etc/apache2/sites-available/nextcloud.conf
  notify: "restart apache2"

- name: provide kerberos SSO config
-  copy:
-    src: krb5-nextcloud.conf
-    dest: /etc/apache2/sites-available/krb5-nextcloud.conf
-  when: "'kerberize' in role_names"
-  notify: "restart apache2"
-
 - name: enable nextcloud site
  command: a2ensite nextcloud.conf
  args:
    creates: /etc/apache2/sites-enabled/nextcloud.conf
  notify: "restart apache2"

- name: enable kerberos access to nextcloud site
-  command: a2ensite krb5-nextcloud.conf
-  args:
-    creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
-  notify: "restart apache2"
-  when: "'kerberize' in role_names"
-
 - name: enable https
  shell: 'grep -q "VirtualHost .*:443" * || a2ensite default-ssl.conf'
  args:
@ -293,10 +279,62 @@
  command: "firewall-offline-cmd --add-service=https"
  when: run_in_installer|default(false)|bool

+#################################################################
+## kerberox integration:
+
+- name: install libapache2-mod-auth-gssapi
+  apt:
+    name: libapache2-mod-auth-gssapi
+    state: latest
+  when: "'kerberize' in role_names"
+  notify: "restart apache2"
+
+- name: copy keytab for www-data
+  copy:
+    src: /etc/krb5.keytab
+    dest: /etc/krb5.keytab.http
+    group: www-data
+    mode: "0640"
+    remote_src: yes
+    force: no
+  when: "'kerberize' in role_names"
+  notify: "restart apache2"
+
+- name: provide kerberos SSO config
+  copy:
+    src: krb5-nextcloud.conf
+    dest: /etc/apache2/sites-available/krb5-nextcloud.conf
+  when: "'kerberize' in role_names"
+  notify: "restart apache2"
+
+- name: enable kerberos access to nextcloud site
+  command: a2ensite krb5-nextcloud.conf
+  args:
+    creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
+  notify: "restart apache2"
+  when: "'kerberize' in role_names"
+
+- name: allow https in firewalld
+  firewalld:
+    zone: internal
+    service: https
+    permanent: Yes
+    immediate: Yes
+    state: enabled
+  when: not run_in_installer|default(false)|bool and 'kerberize' in role_names
+
+- name: allow https in firewalld, offline
+  command: "firewall-offline-cmd --add-service=https --zone=internal"
+  when: run_in_installer|default(false)|bool and 'kerberize' in role_names
+
+- name: allow access from kerberized LAN
+  command: sudo -u www-data php ./occ config:system:set trusted_domains 2 --value='{{ ansible_hostname }}.{{ ansible_domain }}'
+  args:
+    chdir: "{{ nc_dir }}"
+    warn: False
+  when: not nextcloud.stat.exists and 'kerberize' in role_names


-## ToDo kerberox integration:
 # sudo -u www-data php ./occ app:enable user_ldap
 # sudo -u www-data php ./occ app:install user_saml
-
 # sudo -u www-data php ./occ ldap