Update to 2020-09-30 00:00

master
Daniel Berteaud 4 years ago
parent 4e6ece362a
commit 06c89e7fb7
  1. 3
      roles/jitsi/defaults/main.yml
  2. 61
      roles/mayan_edms/defaults/main.yml
  3. 1
      roles/mayan_edms/meta/main.yml
  4. 3
      roles/mayan_edms/tasks/directories.yml
  5. 19
      roles/mayan_edms/tasks/install.yml
  6. 70
      roles/mayan_edms/templates/auth.py.j2
  7. 7
      roles/mayan_edms/templates/env.j2

@ -133,11 +133,11 @@ jitsi_meet_interface_conf_base:
- camera
- closedcaptions
- desktop
- embedmeeting
- fullscreen
- fodeviceselection
- hangup
- profile
- info
- chat
#- recording
#- livestreaming
@ -156,6 +156,7 @@ jitsi_meet_interface_conf_base:
- download
- help
- mute-everyone
- security
#- localrecording
SETTINGS_SECTIONS:
- devices

@ -32,3 +32,64 @@ mayan_from_mail: mayan-edsm@{{ ansible_domain }}
# Main language for document
mayan_doc_lang: fra
# LDAP Auth
# Most of these settings will try to detect system auth config
# and use them. But you can override if you want
#
# This is to turn on of off LDAP auth
mayan_ldap_auth: "{{ (ad_auth | default(False) or ldap_auth | default(False)) | ternary(True,False) }}"
# URI of your LDAP server, eg ldap://ldap.example.org:389
mayan_ldap_uri: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | default(ansible_domain) | lower,ldap_uri) }}"
# SHould Start TLS be used ?
mayan_ldap_start_tls: True
# Base of your LDAP tree. Eg DC=example,DC=org
mayan_ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), ldap_base) }}"
# If your directory only allow authenticated searches, you can define it here
# mayan_ldap_bind_dn:
# mayan_ldap_bind_pass:
#
# If set, will restrict user search in these OU. Default is to search from the base
# Eg
# mayan_ldap_user_ou:
# - OU=People,DC=example,DC=org
# - OU=Presta,DC=example,DC=org
mayan_ldap_user_ou: []
# Filter to search for users
mayan_ldap_user_filter: "{{ ad_auth | default(False) | ternary('(sAMAccountName=%(user)s)','(uid=%(user)s)') }}"
# Mapping of LDAP attributes into Django attributes
mayan_ldap_user_attr_map:
username: "{{ ad_auth | default(False) | ternary('sAMAccountName','uid') }}"
first_name: givenName
last_name: sn
email: mail
# Same for groups
mayan_ldap_group_ou: []
# How are group represented in your directory.
# See https://django-auth-ldap.readthedocs.io/en/latest/groups.html for a list of valid values
mayan_ldap_group_type: "{{ ad_auth | default(False) | ternary('NestedActiveDirectoryGroupType','PosixGroupType') }}"
# LDAP filter to search for groups
mayan_ldap_group_filter: "{{ ad_auth | default(False) | ternary('(objectClass=group)','(objectClass=posixGroup)') }}"
# If defined, will either require user to be part of one of those groups,
# or forbid access to membres of those groups
# mayan_ldap_require_group:
# - CN=Admins,OU=Groups,DC=example,DC=org
# - CN=Board,OU=Groups,DC=example,DC=org
#
# mayan_ldap_deny_group:
# - CN=Guests,OU=Groups,DC=example,DC=org
# Useful to debug LDAP related issues
mayan_ldap_debug: False
# Custom settings to set in the auth.py module
# Eg
# mayan_auth_custom_conf: |
# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
# 'is_active': 'CN=Role_EDMS,OU=Roles,DC=example,DC=org',
# 'is_staff': 'CN=Role_Staff,OU=Roles,DC=example,DC=org',
# 'is_superuser': 'CN=Role_Infra_Admin,OU=Roles,DC=example,DC=org',
# }
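Review bot: `mayan_ldap_start_tls: True` turns StartTLS on by default, but nothing in these defaults controls whether the server certificate is verified; as far as this role shows, that is left to python-ldap's system-wide `ldap.conf` (`TLS_REQCERT`), so a deployment may silently accept any certificate or refuse a self-signed AD one depending on the host. Consider a default such as `mayan_ldap_tls_require_cert: demand` that the auth template can render into `AUTH_LDAP_CONNECTION_OPTIONS`, with the AD branch documented as needing the domain CA installed on the host. The commented `mayan_ldap_bind_pass` example also deserves a note that it ends up in clear in the rendered settings file and should come from a vaulted variable, e.g. `# mayan_ldap_bind_pass: "{{ vault_mayan_ldap_bind_pass }}"`.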

@ -2,6 +2,7 @@
dependencies:
- role: mkdir
- role: repo_remi_safe # for gnupg1
- role: mysql_server
when: mayan_db_server == '127.0.0.1' or mayan_db_server == 'localhost'
- role: redis_server
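Review bot: Adding `repo_remi_safe` as a role dependency enables a third-party package repository machine-wide in order to obtain gnupg1 for this one role, which widens what yum may pull from that repository on every later update; whether the repo is restricted (e.g. `includepkgs=gnupg1*`) and GPG-checked is not visible here, the `_safe` suffix only suggests it. A comment stating that expectation would help the next reader, e.g. `# for gnupg1 only; the repo is expected to stay restricted via includepkgs`, and the restriction should be confirmed in that role.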

@ -7,13 +7,12 @@
group: "{{ item.group | default(omit) }}"
mode: "{{ item.mode | default(omit) }}"
loop:
- path: "{{ mayan_root_dir }}/venv"
- path: "{{ mayan_root_dir }}/meta"
mode: 700
- path: "{{ mayan_root_dir }}/tmp"
mode: 700
owner: "{{ mayan_user }}"
- path: "{{ mayan_root_dir }}/data"
- path: "{{ mayan_root_dir }}/data/mayan_settings/"
mode: 700
owner: "{{ mayan_user }}"
- path: "{{ mayan_root_dir }}/archive"
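Review bot: The new `data/mayan_settings/` entry uses `mode: 700` as a bare YAML integer, which Ansible's file module applies as decimal 700 (octal 1274: sticky bit, owner rwx, group write-only, world-readable) rather than 0700, so the directory that will hold the rendered auth.py with the LDAP bind password is not actually owner-only. Write it as a string, `mode: "0700"`, and the same applies to the pre-existing `meta` and `tmp` entries above it. The `file` task this `loop:` belongs to starts above the hunk.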

@ -13,7 +13,7 @@
- mysql-devel
- libexif
- ghostscript
- gnupg
- gnupg1
- graphviz
- fuse-libs
- file-libs
@ -28,6 +28,14 @@
- python-setuptools
tags: mayan
# WHen using upstream MariaDB repo, we have to install MariaDB-shared
- name: Install MariaDB shared libs
yum:
name:
- MariaDB-shared
when: mysql_mariadb_version is defined and mysql_mariadb_version != 'default'
tags: mayan
- name: Wipe the venv on upgrades
file: path={{ mayan_root_dir }}/venv state=absent
when: mayan_install_mode=='upgrade'
@ -43,6 +51,8 @@
- pip
- redis
- mysql
- python-ldap
- django_auth_ldap
state: "{{ (mayan_install_mode == 'none') | ternary('present', 'latest') }}"
virtualenv: "{{ mayan_root_dir }}/venv"
virtualenv_command: /usr/bin/virtualenv-3
@ -90,6 +100,7 @@
- mayan-edms-worker-slow.service
- mayan-edms-beat.service
register: mayan_systemd_units
notify: restart mayan-edms
tags: mayan
- name: Reload systemd
@ -103,3 +114,9 @@
- pre
- post
tags: mayan
- name: Deploy auth configuration
template: src=auth.py.j2 dest={{ mayan_root_dir }}/data/mayan_settings/auth.py group={{ mayan_user }} mode=640
when: mayan_ldap_auth
notify: restart mayan-edms
tags: mayan
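Review bot: The new `Deploy auth configuration` task only runs while `mayan_ldap_auth` is true, so switching LDAP off later leaves the previously rendered auth.py, bind DN and password included, on disk with no task removing it; a companion `file: path={{ mayan_root_dir }}/data/mayan_settings/auth.py state=absent` with `when: not mayan_ldap_auth` would close that. Related: the `python-ldap` and `django_auth_ldap` packages added to the pip list inherit `state: latest` with no version constraint, and the venv is wiped on upgrade, so the authentication backend is fetched unpinned on every upgrade; pinning such as `django_auth_ldap==<tested version>` is worth considering.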

@ -0,0 +1,70 @@
import ldap
from django_auth_ldap.config import (
LDAPSearch, LDAPSearchUnion, {{ mayan_ldap_group_type }}
)
from mayan.settings.production import *
ldap.set_option(ldap.OPT_DEBUG_LEVEL, {{ mayan_ldap_debug | ternary('1','0') }})
AUTH_LDAP_ALWAYS_UPDATE_USER = True
LDAP_USER_AUTO_CREATION = True
AUTH_LDAP_START_TLS = {{ mayan_ldap_start_tls | ternary('True','False') }}
{% if mayan_ldap_bind_dn is defined and mayan_ldap_bind_pass is defined %}
AUTH_LDAP_BIND_DN = '{{ mayan_ldap_bind_dn }}'
AUTH_LDAP_BIND_PASSWORD = '{{ mayan_ldap_bind_pass }}'
{% endif %}
LDAP_BASE_DN = '{{ mayan_ldap_base }}'
AUTH_LDAP_SERVER_URI = '{{ mayan_ldap_uri }}'
{% if mayan_ldap_user_ou | length > 0 %}
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
{% for ou in mayan_ldap_user_ou %}
LDAPSearch(
'{{ ou }}', ldap.SCOPE_SUBTREE,
'{{ mayan_ldap_user_filter }}'
),
{% endfor %}
)
{% else %}
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'{{ mayan_ldap_base }}', ldap.SCOPE_SUBTREE,
'{{ mayan_ldap_user_filter }}'
)
{% endif %}
AUTH_LDAP_USER_ATTR_MAP = {
{% for attr in mayan_ldap_user_attr_map.keys() %}
'{{ attr }}': '{{ mayan_ldap_user_attr_map[attr] }}',
{% endfor %}
}
{% if mayan_ldap_group_ou | length > 0 %}
AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
{% for ou in mayan_ldap_group_ou %}
LDAPSearch(
'{{ ou }}', ldap.SCOPE_SUBTREE,
'{{ mayan_ldap_group_filter }}'
),
{% endfor %}
)
{% else %}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
'{{ mayan_ldap_base }}', ldap.SCOPE_SUBTREE,
'{{ mayan_ldap_group_filter }}'
)
{% endif %}
AUTH_LDAP_GROUP_TYPE = {{ mayan_ldap_group_type }}()
AUTHENTICATION_BACKENDS = (
'django_auth_ldap.backend.LDAPBackend',
'django.contrib.auth.backends.ModelBackend'
)
{% if mayan_auth_custom_conf is defined %}
{{ mayan_auth_custom_conf }}
{% endif %}
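Review bot: `AUTH_LDAP_BIND_DN`, `AUTH_LDAP_BIND_PASSWORD`, the base DN, the URI and each OU/filter are interpolated into single-quoted Python literals with no escaping, so a bind password or DN containing `'` or `\` produces a broken or altered settings module, which for the password means authentication fails (or, with a stray quote, the rest of the file is mis-parsed). Rendering them with Ansible's JSON filter and dropping the hand-written quotes gives a valid Python literal for any value, e.g. `AUTH_LDAP_BIND_PASSWORD = {{ mayan_ldap_bind_pass | to_json }}`. Separately, the defaults document `mayan_ldap_require_group` and `mayan_ldap_deny_group`, but as rendered here I see no `AUTH_LDAP_REQUIRE_GROUP` / `AUTH_LDAP_DENY_GROUP` output; if they are not emitted elsewhere in this 70-line template, those access restrictions are silently ignored and every user the search finds can log in, which is a fail-open. A guarded block such as `{% if mayan_ldap_require_group is defined %}AUTH_LDAP_REQUIRE_GROUP = LDAPGroupQuery(...)` (or the single-DN form) would be the place to add them.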

@ -1,10 +1,15 @@
MAYAN_ALLOWED_HOSTS="['*']"
PYTHONPATH="{{ mayan_root_dir }}/data/mayan_settings"
DJANGO_SETTINGS_MODULE=mayan.settings.production
DJANGO_SETTINGS_MODULE={{ mayan_ldap_auth | ternary('auth','mayan.settings.production') }}
MAYAN_MEDIA_ROOT="{{ mayan_root_dir }}/data"
MAYAN_CELERY_RESULT_BACKEND="{{ mayan_redis_url }}/{{ mayan_redis_db.result_backend }}"
MAYAN_CELERY_BROKER_URL="{{ mayan_redis_url }}/{{ mayan_redis_db.broker }}"
MAYAN_DATABASES="{default: {ENGINE: django.db.backends.mysql, HOST: '{{ mayan_db_server }}', NAME: '{{ mayan_db_user }}', PASSWORD: '{{ mayan_db_pass }}', USER: '{{ mayan_db_user }}'}}"
MAYAN_DATABASE_ENGINE="django.db.backends.mysql"
MAYAN_DATABASE_NAME={{ mayan_db_name | quote }}
MAYAN_DATABASE_PASSWORD={{ mayan_db_pass | quote }}
MAYAN_DATABASE_USER={{ mayan_db_user | quote }}
MAYAN_DATABASE_HOST={{ mayan_db_server | quote }}
MAYAN_DEFAULT_FROM_EMAIL={{ mayan_from_mail | quote }}
MAYAN_DOCUMENTS_LANGUAGE={{ mayan_doc_lang }}
MAYAN_SECURE_PROXY_SSL_HEADER="('HTTP_X_FORWARDED_PROTO', 'https')"
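Review bot: The new `MAYAN_DATABASE_NAME/PASSWORD/USER/HOST` lines are added while the `MAYAN_DATABASES` line above them appears to stay (the section's single deletion is accounted for by the old `DJANGO_SETTINGS_MODULE` line), and that retained line still sets `NAME: '{{ mayan_db_user }}'`; if Mayan honours `MAYAN_DATABASES` over the individual variables, the new `MAYAN_DATABASE_NAME={{ mayan_db_name | quote }}` is ignored and the database name stays equal to the user name. Dropping `MAYAN_DATABASES` here, or at least fixing its `NAME` to `mayan_db_name`, would make the intent unambiguous. Also note that `| quote` produces POSIX shell quoting, whereas a file loaded as a systemd `EnvironmentFile` does not process the `'"'"'` escape shell uses for embedded single quotes; if that is how this file is consumed, a password containing `'` would be mangled, which I cannot confirm from this hunk alone.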
