From 131c569c034fab8a62a677ec248084338da7f529 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Thu, 10 Sep 2020 12:00:07 +0200 Subject: [PATCH] Update to 2020-09-10 12:00 --- roles/etherpad/defaults/main.yml | 4 ++-- roles/nas/defaults/main.yml | 5 +++++ roles/nas/tasks/main.yml | 15 ++++++++++++- roles/nas/templates/httpd.conf.j2 | 28 +++++++++++++++++++++++++ roles/nas/templates/mod_authnz_external.conf.j2 | 3 +++ roles/nas/templates/mod_dav.conf.j2 | 2 ++ roles/repo_zabbix/tasks/RedHat.yml | 2 +- roles/squid/files/acl/software_various.domains | 1 + 8 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 roles/nas/templates/mod_authnz_external.conf.j2 create mode 100644 roles/nas/templates/mod_dav.conf.j2 diff --git a/roles/etherpad/defaults/main.yml b/roles/etherpad/defaults/main.yml index 177c161..61a7bc0 100644 --- a/roles/etherpad/defaults/main.yml +++ b/roles/etherpad/defaults/main.yml @@ -3,9 +3,9 @@ etherpad_id: 1 etherpad_root_dir: /opt/etherpad_{{ etherpad_id }} etherpad_user: etherpad_{{ etherpad_id }} -etherpad_version: 1.8.4 +etherpad_version: 1.8.5 etherpad_archive_url: https://github.com/ether/etherpad-lite/archive/{{ etherpad_version }}.tar.gz -etherpad_archive_sha1: 193b7f335ca4f0fee48047914260d34b1148f407 +etherpad_archive_sha1: 975cfc046bb1159c96e6042cbc9429bb039e424c etherpad_port: 9003 etherpad_src_ip: [] diff --git a/roles/nas/defaults/main.yml b/roles/nas/defaults/main.yml index 8ba1b96..a19a3c4 100644 --- a/roles/nas/defaults/main.yml +++ b/roles/nas/defaults/main.yml @@ -72,3 +72,8 @@ nas_default_share: public: False force_ssl: True webdav: False + +nas_ad_http_auth: + ldap_url: ldap:// + bind_dn: XXX + bind_pass: XXX diff --git a/roles/nas/tasks/main.yml b/roles/nas/tasks/main.yml index d51c218..4fe1fa0 100644 --- a/roles/nas/tasks/main.yml +++ b/roles/nas/tasks/main.yml 
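Review bot: In roles/nas/defaults/main.yml the new `nas_ad_http_auth` default ships `ldap_url: ldap://`, so a bind that keeps that scheme would send `bind_dn`/`bind_pass` unencrypted unless StartTLS is enforced somewhere else; `ldap_url: ldaps://` is the safer default. The `XXX` placeholders should carry a comment saying where the real value comes from, e.g. `# override bind_pass from a vault-encrypted variable, never commit it here`. None of the templates touched in this patch reference `nas_ad_http_auth` (httpd.conf.j2 authenticates through `AuthExternal pwauth`), so it looks unused for now; if that is intended, say so in the comment.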
@@ -51,11 +51,24 @@ tags: nas - name: Deploy httpd conf - template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/50-shares.conf mode=640 + template: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode | default(omit) }} + loop: + - src: httpd.conf.j2 + dest: /etc/httpd/ansible_conf.d/50-shares.conf + mode: 640 + - src: mod_dav.conf.j2 + dest: /etc/httpd/ansible_conf.modules.d/30-mod_dav.conf + - src: mod_authnz_external.conf.j2 + dest: /etc/httpd/ansible_conf.modules.d/30-mod_authnz_external.conf notify: - reload httpd tags: nas +- name: Allow http to use PAM auth + seboolean: name=httpd_mod_auth_pam state=True persistent=True + when: ansible_selinux.status == 'enabled' + tags: nas + - name: Deploy setfacl script template: src=setfacl.sh.j2 dest={{ nas_root_dir }}/meta/{{ item.name }}/setfacl.sh mode=755 with_items: "{{ nas_shares }}" diff --git a/roles/nas/templates/httpd.conf.j2 b/roles/nas/templates/httpd.conf.j2 index 7f6c17e..c9cc973 100644 --- a/roles/nas/templates/httpd.conf.j2 +++ b/roles/nas/templates/httpd.conf.j2 @@ -16,6 +16,34 @@ RewriteRule ^/{{ share.name }}(/.*|$) https://%{HTTP_HOST}/{{ share.name }}$1 {% if share.protocols.http.indexes %} Options +Indexes {% endif %} +{% if share.protocols.http.webdav %} + Dav On +{% endif %} +{% if not share.protocols.http.public %} + AuthType Basic + AuthName "Authenicated zone" + AuthBasicProvider external + AuthExternal pwauth + + # Read only access + +{% for user in share.acl.read_users %} + Require user {{ user }} +{% endfor %} +{% for group in share.acl.read_groups %} + Require unix-group {{ group }} +{% endfor %} + + # Write access through webdav always requires authentication + +{% for user in share.acl.write_users %} + Require user {{ user }} +{% endfor %} +{% for group in share.acl.write_groups %} + Require unix-group {{ group }} +{% endfor %} + +{% endif %} 
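Review bot: The new `Allow http to use PAM auth` task in roles/nas/tasks/main.yml sets the `httpd_mod_auth_pam` SELinux boolean persistently on every SELinux-enabled host that gets this role, whether or not any share uses authenticated HTTP. Consider adding a condition so it is only enabled when at least one entry of `nas_shares` is non-public over HTTP, which keeps httpd away from PAM on hosts that don't need it. In the `loop`, `mode: 640` is a bare integer that only works because it is re-rendered into the `key=value` string; `mode: '0640'` avoids the decimal/octal trap if the task is later converted to native YAML arguments.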
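Review bot: In roles/nas/templates/httpd.conf.j2 the whole auth block, including the part under `# Write access through webdav always requires authentication`, sits inside `{% if not share.protocols.http.public %}`, while `Dav On` is emitted by its own `{% if share.protocols.http.webdav %}`. As far as the visible lines show, a share with `public: True` and `webdav: True` therefore gets WebDAV enabled with no `Require` at all, so the comment's guarantee does not hold; the write-side `AuthType`/`Require` lines should be emitted whenever `webdav` is on, independent of `public`. The enclosing container directives are not visible in this rendering and the block continues outside the hunk, so confirm against the real file. Basic auth against system accounts via pwauth should also only be offered over TLS; the block is not tied to the share's `force_ssl` option, and `SSLRequireSSL` next to `AuthType Basic` would enforce it. Small typo: `AuthName "Authenticated zone"`.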
diff --git a/roles/nas/templates/mod_authnz_external.conf.j2 b/roles/nas/templates/mod_authnz_external.conf.j2 new file mode 100644 index 0000000..1410452 --- /dev/null +++ b/roles/nas/templates/mod_authnz_external.conf.j2 @@ -0,0 +1,3 @@ +LoadModule authnz_external_module modules/mod_authnz_external.so +AddExternalAuth pwauth /usr/sbin/pwauth +SetExternalAuthMethod pwauth pipe diff --git a/roles/nas/templates/mod_dav.conf.j2 b/roles/nas/templates/mod_dav.conf.j2 new file mode 100644 index 0000000..0555bec --- /dev/null +++ b/roles/nas/templates/mod_dav.conf.j2 @@ -0,0 +1,2 @@ +LoadModule dav_module modules/mod_dav.so +LoadModule dav_fs_module modules/mod_dav_fs.so diff --git a/roles/repo_zabbix/tasks/RedHat.yml b/roles/repo_zabbix/tasks/RedHat.yml index 32219bc..e56f7c0 100644 --- a/roles/repo_zabbix/tasks/RedHat.yml +++ b/roles/repo_zabbix/tasks/RedHat.yml @@ -59,5 +59,5 @@ priority: 50 includepkgs: - zabbix* - state: "{{ (zabbix_major_version is version('5.0', '>=')) | ternary('present', 'absent') }}" + state: "{{ (zabbix_major_version is version('5.0', '>=') and ansible_distribution_major_version is version('8.0', '<')) | ternary('present', 'absent') }}" tags: repo diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains index f5e6ba1..3104728 100644 --- a/roles/squid/files/acl/software_various.domains +++ b/roles/squid/files/acl/software_various.domains @@ -74,6 +74,7 @@ archives.jenkins-ci.org ftp-chi.osuosl.org ftp-nyc.osuosl.org insights.cloudbees.com +mirror.gruenehoelle.nl # nux dextop li.nux.ro
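Review bot: roles/nas/templates/mod_authnz_external.conf.j2 loads only `authnz_external_module`, but the httpd.conf.j2 hunk in this patch emits `Require unix-group {{ group }}`, which is provided by mod_authz_unixgroup rather than mod_authnz_external. Unless that module is already loaded elsewhere, httpd will reject the configuration as soon as a non-public share lists a group; add `LoadModule authz_unixgroup_module modules/mod_authz_unixgroup.so` here. The patch also does not show the pwauth and mod_authnz_external packages being installed, so check that the role's package list covers them before this file is deployed.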
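Review bot: roles/nas/templates/mod_dav.conf.j2 loads `dav_module` and `dav_fs_module` but sets no `DavLockDB`; with mod_dav_fs on Apache 2.4, locking (and in practice most write requests) fails when no lock database is configured. If it is not defined elsewhere in the role's httpd configuration, add `DavLockDB <path writable by the httpd user>` to this file.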