Commit 1cfc66ce authored by David Seaward's avatar David Seaward

Merge branch 'master' of https://source.puri.sm/liberty/ldh_developer into improve_playbook_list


Signed-off-by: David Seaward's avatarDavid Seaward <david.seaward@puri.sm>
parents c7df56c4 8c76fdf8
# Replace the 'dc=example,dc=com' lines below by your domain name
# An organizational unit to store groups
dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: just groups
# An organizational unit to store people
dn: ou=people,dc=example,dc=com
objectclass:organizationalunit
ou: people
description: just people
---
- name: Basic LDAP for Keel/LDH
hosts: all
become: yes
roles:
- role: ldh_ldap
vars:
# In a production environment this should be in the vault
ldh_ldap_admin_password: verystrongpassword
# If dont declare this variable ansible_domain will be used if
# available. If not example.com will be used instead.
ldh_ldap_domain: freedom.test
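Review bot: `become: yes` on the `hosts: all` play uses a YAML 1.1 truthy form that yamllint's `truthy` rule rejects and that a YAML 1.2 parser reads as the string "yes"; Ansible accepts it, but `become: true` is the unambiguous form. The ldh_synapse example playbook in this same commit has the identical `become: yes` line. The comment above `ldh_ldap_domain` is hard to parse as written; suggest `# If this variable is not set, ansible_domain is used when available, otherwise example.com.`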
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
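Review bot: `pip install ansible` installs whatever the newest release on PyPI is at build time, while the README states the role has only been tested with Ansible 2.7.1, so CI never exercises the documented version and can start failing on a new Ansible release unrelated to this repo. Pin it, e.g. `- pip install 'ansible==2.7.1'` (or a compatible range), and keep the README statement in step with the pin. The ldh_synapse .travis.yml in this commit is byte-identical and has the same issue.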
Role Name
=========
This role configures OpenLDAP server with basic functionality neede for Keel/LDH.
Requirements
------------
This role has only been tested with Ansible 2.7.1
Role Variables
--------------
* `ldh_ldap_admin_password`
The password that will be used by Debian package manager for the
LDAP adminstrator Default value: `verylongpassword`
* `ldh_ldap_domain`
A line that appears below the title line on the main page.
Default value: The value of `ansible_domain` or `example.com` if
`ansible_domain` is empty.
Dependencies
------------
This role does not depend on other roles.
License
-------
AGPL-3.0-or-later
Author Information
------------------
Purism SPC <liberty@puri.sm>
Homepage: https://source.puri.sm/liberty/ldh_developer
---
# defaults file for ldh_ldap
ldh_ldap_required_packages:
- slapd
- python-ldap
ldh_ldap_admin_password: verylongpassword
ldh_ldap_domain: "{{ ansible_domain | default('example.com', true) }}"
# base_dn is created spliting domain name by the dot and appending ',dc='
ldh_ldap_base_dn: "dc={{ ldh_ldap_domain.split('.') | join(',dc=') }}"
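Review bot: `ldh_ldap_admin_password: verylongpassword` ships a working, publicly visible default for the slapd admin password, so a playbook that forgets to override it deploys LDAP with a guessable credential and nothing in the role fails. Since the variable is consumed only by the debconf and ldap_entry tasks, a safer shape is to keep the key but guard it in tasks/main.yml, `- assert: { that: ldh_ldap_admin_password != 'verylongpassword', fail_msg: 'set ldh_ldap_admin_password' }`, or to drop the default entirely so an unset value fails when the first task renders it. The ldh_synapse defaults in this commit carry the same pattern with `ldh_synapse_ldap_bind_pw: verylongpassword`. A comment on `ldh_ldap_domain` stating the fallback order (`ansible_domain`, then `example.com`) would also help, because the README's description of that variable is a copy-paste leftover from another project.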
---
# handlers file for ldh_ldap
\ No newline at end of file
galaxy_info:
author: your name
description: your description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 2.4
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
\ No newline at end of file
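Review bot: meta/main.yml is still the untouched ansible-galaxy skeleton (`author: your name`, `description: your description`, `license: license (GPLv2, CC-BY, etc)`), while the ldh_synapse meta in this same commit is filled in and the ldh_ldap README declares AGPL-3.0-or-later. `min_ansible_version: 2.4` is also below what tasks/main.yml needs: the `loop:` keyword on the debconf and ldap_entry tasks requires Ansible 2.5 or later, and the README states the role was tested with 2.7.1. Suggest mirroring the ldh_synapse block: `author: Purism SPC`, `license: AGPL-3.0-or-later`, `min_ansible_version: 2.7.1`.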
---
# tasks file for ldh_ldap
- name: Use debconf to configure slapd
debconf:
name: slapd
question: "{{ item.question }}"
value: "{{ item.value }}"
vtype: "{{ item.vtype }}"
loop:
- { question: 'slapd/password1', value: "{{ ldh_ldap_admin_password }}", vtype: 'password' }
- { question: 'slapd/password2', value: "{{ ldh_ldap_admin_password }}", vtype: 'password' }
- { question: 'slapd/domain', value: "{{ ldh_ldap_domain }}", vtype: 'string' }
- { question: 'shared/organization', value: "{{ ldh_ldap_domain }}", vtype: 'string' }
loop_control:
label: "{{ item.question }}"
- name: Install required packages
apt:
name: "{{ ldh_ldap_required_packages }}"
update_cache: yes
cache_valid_time: 600
- name: Create organizational units to store groups and people
ldap_entry:
state: present
objectClass: organizationalunit
dn: "ou={{ item }},{{ ldh_ldap_base_dn }}"
server_uri: ldap://localhost/
bind_dn: "cn=admin,{{ ldh_ldap_base_dn }}"
bind_pw: "{{ ldh_ldap_admin_password }}"
loop:
- groups
- people
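Review bot: The debconf task passes `ldh_ldap_admin_password` as the answer for slapd/password1 and slapd/password2, and the ldap_entry task passes it as `bind_pw`, but neither task sets `no_log`, so the password can surface in verbose output, registered results or callback and log plugins; `loop_control.label` only hides the loop item text, not the module arguments. Add `no_log: true` to both the `Use debconf to configure slapd` task and the `Create organizational units ...` task. The debconf module may mask `password` vtypes on its own in the Ansible version used here — that is worth verifying rather than relying on, and it would not cover the ldap_entry task either way.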
---
- hosts: localhost
remote_user: root
roles:
- ldh_ldap
\ No newline at end of file
---
# vars file for ldh_ldap
\ No newline at end of file
---
- name: Basic Matrix-Synapse for Keel/LDH
hosts: all
become: yes
roles:
- role: ldh_synapse
vars:
# In a production environment this should be in the vault
ldh_synapse_ldap_bind_pw: verystrongpassword
ldh_synapse_ldap_bind_dn: "cn=admin,dc=freedom,dc=test"
ldh_synapse_ldap_base: "ou=people,dc=freedom,dc=test"
ldh_synapse_server_name: synapse.freedom.test
ldh_synapse_ldap_uri: "ldap://ldap.freedom.test:389"
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
Role Name
=========
This role installs and configures an instance of
[Matrix-Synapse](https://matrix.org/docs/projects/server/synapse.html)
with very basic functionality:
* SQLite DB
* No registration
* Authenticates against LDH LDAP instance
* No TLS and/or SSL connection
The role intended use is for development only.
Requirements
------------
This role has only been tested with Ansible 2.7.1.
Role Variables
--------------
* `ldh_synapse_ldap_bind_pw`
Password that will be used by Synapse to bind to the LDAP
server. Default value: `verystrongpassword`.
* `ldh_synapse_ldap_bind_dn`
LDAP binding value used by Synapse when querying the LDAP
server. Default value: `cn=admin,dc=freedom,dc=test`.
* `ldh_synapse_ldap_base`
Search starting point used by Synapse when querying the
LDAP. Default value: `ou=people,dc=freedom,dc=test`.
* `ldh_synapse_server_name`
Server name used by synapse. Default value:
`synapse.freedom.test`.
* `ldh_synapse_ldap_uri`
URI used by Synapse to connect to the LDAP server. Default value:
`ldap://ldap.freedom.test:389`.
Dependencies
------------
This role does not depend on other roles.
License
-------
AGPL-3.0-or-later
Author Information
------------------
Purism SPC <liberty@puri.sm>
Homepage: https://source.puri.sm/liberty/ldh_developer
---
# defaults file for ldh_synapse
# LDAP variables
ldh_synapse_ldap_bind_pw: verylongpassword
ldh_synapse_ldap_uri: "ldap://ldap.example.com:389"
ldh_synapse_ldap_tls: false
ldh_synapse_ldap_base: "ou=people,dc=example,dc=com"
ldh_synapse_ldap_attr:
uid: "cn"
mail: "mail"
name: "sn"
ldh_synapse_ldap_bind_dn: "cn=admin,dc=example,dc=com"
ldh_synapse_server_name: "synapse.example.com"
ldh_synapse_required_pkgs:
- matrix-synapse-py3
- python-matrix-synapse-ldap3
- nginx
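Review bot: `ldh_synapse_ldap_bind_pw: verylongpassword` disagrees with the ldh_synapse README in this commit, which documents the default as `verystrongpassword` (the value the example playbook uses); one of the two should change so a reader knows which value the role actually falls back to. As with the ldh_ldap defaults, a known default bind password means a deployment that forgets to override it binds to LDAP as admin with a guessable secret and nothing fails; at minimum a comment such as `# Placeholder only; override in the playbook or an Ansible vault` belongs above it, or an assert in tasks/main.yml that rejects the placeholder.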
---
# handlers file for ldh_synapse
- name: restart matrix-synapse
service:
name: matrix-synapse
state: restarted
- name: restart nginx
service:
name: nginx
state: restarted
galaxy_info:
author: Purism SPC
description: Basic Matrix-Synapse for LDH development.
company: Purism SPC
license: AGPL-3.0-or-later
min_ansible_version: 2.7.1
galaxy_tags:
- synapse
- matrix
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
---
# tasks file for ldh_synapse
- name: Install apt-transport-https
apt:
name: apt-transport-https
update_cache: yes
cache_valid_time: 600
state: present
- name: Add Matrix repositories key
apt_key:
url: https://matrix.org/packages/debian/repo-key.asc
state: present
- name: Add Matrix repositories
apt_repository:
repo: deb https://matrix.org/packages/debian/ stretch main
state: present
- name: User debconf to configure matrix-synapse-py3 install
debconf:
name: matrix-synapse-py3
question: "matrix-synapse/server-name"
value: "{{ ldh_synapse_server_name }}"
vtype: "string"
- name: Install required Matrix-Synapse packages
apt:
name: "{{ ldh_synapse_required_pkgs }}"
update_cache: yes
cache_valid_time: 600
state: present
- name: Copy and set values for homeserver.yaml
template:
src: templates/matrix-synapse/homeserver.yaml.j2
dest: /etc/matrix-synapse/homeserver.yaml
notify: "restart matrix-synapse"
- name: Copy and set config values for nginx
template:
src: templates/nginx/matrix.j2
dest: /etc/nginx/sites-available/matrix
- name: enable matrix web for nginx
file:
src: /etc/nginx/sites-available/matrix
dest: /etc/nginx/sites-enabled/matrix
state: link
notify: "restart nginx"
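Review bot: The nginx template task (`Copy and set config values for nginx`) has no `notify`, and the only `notify: "restart nginx"` hangs off the symlink task, which reports `changed` only the first time the link is created; on a re-run with an updated `templates/nginx/matrix.j2` the site file changes but nginx is never restarted. Add `notify: "restart nginx"` to the template task as well (the homeserver.yaml task above already does this correctly for matrix-synapse). Separately, `apt_key` fetches the Matrix signing key by URL without an `id`, so nothing beyond the TLS connection to matrix.org confirms the expected key was imported; adding `id: <EXPECTED_KEY_FINGERPRINT>` (placeholder) lets the module verify that fingerprint after import. The hard-coded `stretch` suite in `apt_repository` could use `{{ ansible_distribution_release }}` so the role does not silently pin a newer host to stretch packages. The task name `User debconf to configure ...` reads as a typo for `Use debconf`.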
# vim:ft=yaml
# PEM encoded X509 certificate for TLS.
# You can replace the self-signed certificate that synapse
# autogenerates on launch with your own SSL certificate + key pair
# if you like. Any required intermediary certificates can be
# appended after the primary certificate in hierarchical order.
tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt"
# PEM encoded private key for TLS
tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key"
# PEM dh parameters for ephemeral keys
tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh"
# Don't bind to the https port
no_tls: False
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
# certificates returned by this server match one of the fingerprints.
#
# Synapse automatically adds the fingerprint of its own certificate
# to the list. So if federation traffic is handled directly by synapse
# then no modification to the list is required.
#
# If synapse is run behind a load balancer that handles the TLS then it
# will be necessary to add the fingerprints of the certificates used by
# the loadbalancers to this list if they are different to the one
# synapse is using.
#
# Homeservers are permitted to cache the list of TLS fingerprints
# returned in the key responses up to the "valid_until_ts" returned in
# key. It may be necessary to publish the fingerprints of a new
# certificate and wait until the "valid_until_ts" of the previous key
# responses have passed before deploying it.
#
# You can calculate a fingerprint from a given TLS listener via:
# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
# or by checking matrix.org/federationtester/api/report?server_name=$host
#
tls_fingerprints: []
# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
## Server ##
# When running as a daemon, the file to store the pid in
pid_file: "/var/run/matrix-synapse.pid"
# CPU affinity mask. Setting this restricts the CPUs on which the
# process will be scheduled. It is represented as a bitmask, with the
# lowest order bit corresponding to the first logical CPU and the
# highest order bit corresponding to the last logical CPU. Not all CPUs
# may exist on a given system but a mask may specify more CPUs than are
# present.
#
# For example:
# 0x00000001 is processor #0,
# 0x00000003 is processors #0 and #1,
# 0xFFFFFFFF is all processors (#0 through #31).
#
# Pinning a Python process to a single CPU is desirable, because Python
# is inherently single-threaded due to the GIL, and can suffer a
# 30-40% slowdown due to cache blow-out and thread context switching
# if the scheduler happens to schedule the underlying threads across
# different cores. See
# https://www.mirantis.com/blog/improve-performance-python-programs-restricting-single-cpu/.
#
# cpu_affinity: 0xFFFFFFFF
# The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration.
#
# web_client_location: "/path/to/web/root"
# The public-facing base URL for the client API (not including _matrix/...)
# public_baseurl: https://example.com:8448/
# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
# hard limit.
soft_file_limit: 0
# The GC threshold parameters to pass to `gc.set_threshold`, if defined
# gc_thresholds: [700, 10, 10]
# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit.
# filter_timeline_limit: 5000
# Whether room invites to users on this server should be blocked
# (except those sent by local server admins). The default is False.
# block_non_admin_invites: True
# Restrict federation to the following whitelist of domains.
# N.B. we recommend also firewalling your federation listener to limit
# inbound federation traffic as early as possible, rather than relying
# purely on this application-layer restriction. If not specified, the
# default is to whitelist everything.
#
# federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
# List of ports that Synapse should listen on, their purpose and their
# configuration.
listeners:
# Main HTTPS listener
# For when matrix traffic is sent directly to synapse.
-
# The port to listen for HTTPS requests on.
port: 8448
# Local addresses to listen on.
# On Linux and Mac OS, `::` will listen on all IPv4 and IPv6
# addresses by default. For most other OSes, this will only listen
# on IPv6.
bind_addresses:
- '::'
- '0.0.0.0'
# This is a 'http' listener, allows us to specify 'resources'.
type: http
tls: true
# Use the X-Forwarded-For (XFF) header as the client IP and not the
# actual client IP.
x_forwarded: false
# List of HTTP resources to serve on this listener.
resources:
-
# List of resources to host on this listener.
names:
- client # The client-server APIs, both v1 and v2
- webclient # The bundled webclient.
# Should synapse compress HTTP responses to clients that support it?
# This should be disabled if running synapse behind a load balancer
# that can do automatic compression.
compress: true
- names: [federation] # Federation APIs
compress: false
# optional list of additional endpoints which can be loaded via
# dynamic modules
# additional_resources:
# "/_matrix/my/custom/endpoint":
# module: my_module.CustomRequestHandler
# config: {}
# Unsecure HTTP listener,
# For when matrix traffic passes through loadbalancer that unwraps TLS.
- port: 8008
tls: false
bind_addresses: ['::', '0.0.0.0']
type: http
x_forwarded: false
resources:
- names: [client, webclient]
compress: true
- names: [federation]
compress: false
# Turn on the twisted ssh manhole service on localhost on the given
# port.
# - port: 9000