Version 0.0.2

* Fixed credentials for OpenLDAP replication
    * Postfix binding on backends-backends ring
    * User UID like user@domain.org
    * Create default user for each backend
    * Fixed Postfix transport
    * Set up Dovecot proxy
    * Some fixes on frontends-backends ring
    * Removed iptables rule to force dns over tor
    * Add forgotten local_actions
This commit is contained in:
paskao 2016-05-15 13:02:07 +02:00
parent 52d321d5cb
commit d84ef5909a
25 changed files with 144 additions and 45 deletions


@ -1 +1 @@
0.0.1
0.0.2


@ -21,5 +21,5 @@ bs_cidr: 24
bs_port: 657
data_path: /opt/erre/data
credentials_path: "{{ data_path }}/password/{{ inventory_hostname }}/"
credentials_path: "{{ data_path }}/password/"
fetch_path: "{{ data_path }}/fetch/"


@ -0,0 +1,61 @@
#!/usr/bin/env python
import os
import argparse
import sys
import yaml
BASE_DIR='generated_vars/networking'
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Generate local vars for networking.')
parser.add_argument('netname', metavar='netname', type=str, help='the netname')
parser.add_argument('hostname', metavar='hostname', type=str, help='the hostname')
args = parser.parse_args()
NET_DIR = os.path.join(BASE_DIR, args.netname)
HOST_PATH = os.path.join(NET_DIR, args.hostname)
if not os.path.exists(NET_DIR):
os.makedirs(NET_DIR)
if os.path.exists(HOST_PATH):
with open(HOST_PATH, 'r') as f:
host_number = int(f.read())
print host_number
f.close()
else:
host_number = 0
defined_hosts = [f for f in os.listdir(NET_DIR) if os.path.isfile(os.path.join(NET_DIR, f))]
for host in defined_hosts:
with open(os.path.join(NET_DIR, host), 'r') as f:
ip = int(f.read())
if ip > host_number:
host_number = ip
f.close()
host_number += 1
with open(HOST_PATH, 'w') as f:
f.write(str(host_number))
f.close()
print host_number
host_vars_dir = 'host_vars/'
if not os.path.exists(host_vars_dir):
os.makedirs(host_vars_dir)
host_file = os.path.join(host_vars_dir, args.hostname)
if os.path.exists(host_file):
with open(host_file, 'rw+') as f:
data = yaml.load(f)
f.close()
os.remove(host_file)
else:
data = {}
data[args.netname] = { 'host_number': host_number }
with open(host_file, 'w') as f:
f.write(yaml.dump(data, explicit_start=True, default_flow_style=False))
f.close()
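Review bot: `data = yaml.load(f)` on the host_vars file should be `yaml.safe_load(f)`; the default loader constructs arbitrary Python objects from tags, and this script only ever needs plain mappings. The same `with` block opens the file with mode `'rw+'`, which is not a standard mode string — `'r'` is all the read needs — and the explicit `f.close()` calls inside each `with` are redundant. The scan for the highest existing number and the write of `HOST_PATH` are not atomic, so two concurrent runs for the same netname can hand out the same host number; if that matters, hold a lock file on `NET_DIR` around the scan-and-write. Nothing bounds the allocated number for its later use as an address octet in the templates — worth checking against the consumers of `host_number`.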


@ -0,0 +1,46 @@
#!/usr/bin/env python
import os
import argparse
import sys
BASE_DIR='generated_vars/openldap'
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Generate local vars for networking.')
parser.add_argument('replication', metavar='replication', type=str, help='the replication tag')
parser.add_argument('hostname', metavar='hostname', type=str, help='the hostname')
args = parser.parse_args()
REPLICATIOIN_DIR = os.path.join(BASE_DIR, args.replication)
HOST_PATH = os.path.join(REPLICATIOIN_DIR, args.hostname)
if not os.path.exists(REPLICATIOIN_DIR):
os.makedirs(REPLICATIOIN_DIR)
if os.path.exists(HOST_PATH):
with open(HOST_PATH, 'r') as f:
host_number = int(f.read())
print host_number
f.close()
sys.exit(0)
host_number = 0
defined_hosts = [f for f in os.listdir(REPLICATIOIN_DIR) if os.path.isfile(os.path.join(REPLICATIOIN_DIR, f))]
for host in defined_hosts:
with open(os.path.join(REPLICATIOIN_DIR, host), 'r') as f:
ip = int(f.read())
if ip > host_number:
host_number = ip
f.close()
host_number += 1
with open(HOST_PATH, 'w') as f:
f.write(str(host_number))
f.close()
print host_number
sys.exit(0)
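Review bot: The argparse description still reads `'Generate local vars for networking.'`, copied from the networking generator; change it to `'Generate local vars for OpenLDAP replication.'`. `REPLICATIOIN_DIR` is misspelled throughout and the loop variable `ip` holds a replication id rather than an address, so renaming both (`REPLICATION_DIR`, `rid`) would keep the script readable. As in the networking script, the scan-then-write allocation is not atomic, so concurrent runs for the same replication tag can allocate the same id.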


@ -12,7 +12,7 @@
cleaned_hostname: "{{ inventory_hostname.replace('.', '') }}"
has_gateway: true
gateway_hostnames: "{{ groups['frontend'] }}"
ports_to_gateway: [25, 587]
ports_to_gateway: [25, 110, 143, 587, 993, 995]
roles:
- tinc
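Review bot: The new `ports_to_gateway` list forwards the cleartext POP3 and IMAP ports 110 and 143 through the gateway alongside the TLS ports, which is only safe if the Dovecot proxy refuses plaintext authentication on them (`ssl = required` and `disable_plaintext_auth = yes`), and nothing in this change shows that. If those ports are meant for STARTTLS-only clients, a comment above the list saying so would save the next reader a trip to the Dovecot role; otherwise keep only 993 and 995.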


@ -7,7 +7,8 @@
openldap_domain: "{{ domain }}"
postfix_type: backend
network_name: "{{ bb_network_name }}"
postfix_inet_interfaces: 127.0.0.1,{{ fb_network_prefix }}.{{ fb_subnet_number }}.{{ hostvars[inventory_hostname][fb_network_name].host_number }}
postfix_inet_interfaces: 127.0.0.1,{{ bb_network_prefix }}.{{ bb_subnet_number }}.{{ hostvars[inventory_hostname][bb_network_name].host_number }},{{ bb_network_prefix }}.{{ bb_subnet_number }}.{{ hostvars[inventory_hostname][bb_network_name].host_number }}
postfix_networks:
- 127.0.0.0/8
- "{{ bb_network_prefix }}.{{ bb_subnet_number }}.0/{{ bb_cidr }}"
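Review bot: The new `postfix_inet_interfaces` value lists the same `bb_*` address twice — the second element repeats the `bb_network_prefix`/`bb_subnet_number`/`hostvars[...][bb_network_name]` expression verbatim. Since the replaced line bound the `fb_*` address, the intent was presumably to listen on both rings, so the second element should use `fb_network_prefix`, `fb_subnet_number` and `fb_network_name`; as written it is a harmless duplicate while the frontend-facing address is no longer bound at all. The line is also long enough that a folded scalar (`>-`) with one address per line would have made this slip visible.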


@ -8,6 +8,6 @@
openldap_base_dn: dc={{ openldap_domain.split('.')|join(',dc=') }}
nslcd_base: ou=domains,{{ openldap_base_dn }}
nslcd_binddn: ou=nslcd,ou=services,{{ openldap_base_dn }}
nslcd_bindpw: "{{ lookup('password', credentials_path + '/openldap/' + nslcd_binddn + ' chars=ascii_letters,digits') }}"
nslcd_bindpw: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + nslcd_binddn + ' chars=ascii_letters,digits') }}"
roles:
- nss-pam-ldap


@ -24,18 +24,16 @@ dovecot_ldap_hosts: 127.0.0.1
dovecot_ldap_domain: example.org
dovecot_ldap_base_dn: dc={{ openldap_domain.split('.')|join(',dc=') }}
dovecot_ldap_dn: ou=dovecot,ou=services,{{ dovecot_ldap_base_dn }}
dovecot_ldap_dnpass: "{{ lookup('password', credentials_path + '/openldap/' + dovecot_ldap_dn + ' chars=ascii_letters,digits') }}"
dovecot_ldap_dnpass: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + dovecot_ldap_dn + ' chars=ascii_letters,digits') }}"
dovecot_ldap_auth_bind: "yes"
dovecot_ldap_auth_bind_userdn: uid=%Ln,ou=users,o=%d,ou=domains,{{ dovecot_ldap_base_dn }}
dovecot_ldap_version: 3
dovecot_ldap_base: ou=users,o=%d,ou=domains,{{ dovecot_ldap_base_dn }}
dovecot_ldap_user_attrs: homeDirectory=home,uidNumber=uid,gidNumber=gid,mailQuota=quota_rule=*:bytes=%$
dovecot_ldap_user_filter: (&(objectClass=posixAccount)(uid=%Ln)(userService=mail)(host={{ inventory_hostname }}.{{ network_name }})
dovecot_ldap_pass_attrs: mail=user,userPassword=password
dovecot_ldap_pass_filter: (&(objectClass=posixAccount)(uid=%Ln))
dovecot_ldap_user_filter: (&(objectClass=posixAccount)(uid=%Lu)(userService=mail))
dovecot_ldap_pass_attrs: mail=user,userPassword=password,=proxy_maybe=1,host=host,=nodelay=1
dovecot_ldap_pass_filter: (&(objectClass=posixAccount)(uid=%Lu))
dovecot_ldap_default_pass_scheme: SSHA512
dovecot_sieve_before_dir: /etc/dovecot/sieve-before/
dovecot_sieve_before_list: []
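Review bot: The new `dovecot_ldap_pass_filter` `(&(objectClass=posixAccount)(uid=%Lu))` drops the `(userService=mail)` clause that `dovecot_ldap_user_filter` still carries, so any posixAccount passes the passdb stage and is only rejected by the later userdb lookup — and with `proxy_maybe=1` and `host=host` now in `dovecot_ldap_pass_attrs`, an account that is not a mail user but has a remote `host` attribute could be proxied before that lookup ever happens. Keeping the two filters symmetric, `dovecot_ldap_pass_filter: (&(objectClass=posixAccount)(uid=%Lu)(userService=mail))`, fails closed at the passdb. `dovecot_ldap_auth_bind_userdn` is still defined here although the template in this commit no longer renders it; either drop the variable or comment that it is unused.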


@ -9,4 +9,3 @@ pass_attrs = {{ dovecot_ldap_pass_attrs }}
pass_filter = {{ dovecot_ldap_pass_filter }}
default_pass_scheme = {{ dovecot_ldap_default_pass_scheme }}
auth_bind = {{ dovecot_ldap_auth_bind }}
auth_bind_userdn = {{ dovecot_ldap_auth_bind_userdn }}


@ -29,7 +29,7 @@ openldap_base_dn: dc={{ openldap_domain.split('.')|join(',dc=') }}
ejabberd_ldap_servers:
- "localhost"
ejabberd_ldap_rootdn: ou=ejabberd,ou=services,{{ openldap_base_dn }}
ejabberd_ldap_password: "{{ lookup('password', credentials_path + '/openldap/' + ejabberd_ldap_rootdn + ' chars=ascii_letters,digits') }}"
ejabberd_ldap_password: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + ejabberd_ldap_rootdn + ' chars=ascii_letters,digits') }}"
ejabberd_ldap_base: ou=domains,{{ openldap_base_dn }}
ejabberd_ldap_uids:
- { key: mail, value: "%u@%d" }


@ -35,4 +35,4 @@ tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host={{ inventory_hostname }}.{{ bb_network_name }})(host=\\*)))


@ -2,7 +2,7 @@
openldap_base_dn: dc={{ openldap_domain.split('.')|join(',dc=') }}
openldap_dn_admin: cn=admin,{{ openldap_base_dn }}
openldap_admin_password: "{{ lookup('password', credentials_path + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
openldap_admin_password: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
openldap_services:
- ejabberd


@ -51,7 +51,7 @@
objectClass: organizationalUnit
ou: "{{ item }}"
description: Service units
userPassword: "{{ lookup('password', credentials_path + '/openldap/' + dn + ' chars=ascii_letters,digits') }}"
userPassword: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + dn + ' chars=ascii_letters,digits') }}"
bind_dn: "{{ openldap_dn_admin }}"
bind_pw: "{{ openldap_admin_password }}"
state: present
@ -101,10 +101,11 @@
- openldap
- openldap-database
- name: Create test user
- name: Create test users
become: yes
command: singuasa user-add -d {{ openldap_domain }} -u test -p {{ lookup('password', credentials_path + 'test-user') }} -H {{ play_hosts[0] }}
command: singuasa user-add -d {{ openldap_domain }} -u {{ item }} -p {{ lookup('password', credentials_path + 'users/' + openldap_domain + '/' + item) }} -H {{ item }}.{{ bb_network_name }}
when: inventory_hostname == play_hosts[0]
with_items: "{{ play_hosts }}"
tags:
- openldap
- openldap-database
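Review bot: The `Create test users` task passes the generated password as `-p` on the `singuasa user-add` command line, so it is visible in the host's process list while the command runs and, because the task has no `no_log: true`, also in Ansible's output and any log that records the full command. Add `no_log: true` to the task, and if `singuasa` can read the password from stdin or an environment variable, prefer that over the argument. The task loops over `play_hosts` but only runs on `play_hosts[0]`; a short comment that the first backend creates one default user per backend would make the `when`/`with_items` pairing less surprising. The task in the first hunk begins before the hunk.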


@ -3,5 +3,5 @@
openldap_domain: example.org
openldap_base_dn: dc={{ openldap_domain.split('.')|join(',dc=') }}
openldap_dn_admin: cn=admin,{{ openldap_base_dn }}
openldap_admin_password: "{{ lookup('password', credentials_path + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
openldap_admin_password: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
openldap_uri: ldap://127.0.0.1:389/


@ -54,7 +54,7 @@ def get_groups_dn(domain):
def get_user_dn(user, domain):
users_dn = get_users_dn(domain)
return "uid={},{}".format(user, users_dn)
return "uid={}@{},{}".format(user, domain, users_dn)
def get_group_dn(group, domain):
@ -108,7 +108,7 @@ def user_add(ldap_connection, user, domain, host, password):
pass
attrs = {}
attrs['uid'] = user
attrs['uid'] = '{}@{}'.format(user, domain)
attrs['cn'] = user
attrs['uidNumber'] = str(uid)
attrs['gidNumber'] = str(gid)
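Review bot: `get_user_dn` now builds the RDN with `"uid={}@{},{}".format(user, domain, users_dn)` and no DN escaping, and `user_add` stores the same unescaped string in `attrs['uid']`; a user or domain containing `,`, `+`, `=`, `"` or a leading `#` yields a malformed DN or one that names a different entry. If this is python-ldap, wrap the values with `ldap.dn.escape_dn_chars()` in `get_user_dn`, or validate them against the expected local-part and hostname syntax before use. `attrs['cn']` keeps the bare user name while `uid` becomes `user@domain`; if that asymmetry is intended a comment would help, and entries created with the old bare `uid` will no longer match the new `uid=%Lu` filters, so existing deployments need a migration. `user_add` starts before the hunk.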


@ -2,7 +2,7 @@
openldap_base_dn: dc={{ openldap_domain.split('.')|join(',dc=') }}
openldap_dn_admin: cn=admin,{{ openldap_base_dn }}
openldap_admin_password: "{{ lookup('password', credentials_path + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
openldap_admin_password: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
syncprov_checkpoint: 100 10
syncprov_type: refreshAndPersist


@ -95,7 +95,6 @@
- openldap
- openldap-replication
- name: Set replicator unit
become: yes
vars:
@ -106,7 +105,7 @@
objectClass: organizationalUnit
ou: "{{ item }}.{{ network_name }}"
description: "Login for {{ item }} consumer"
userPassword: "{{ lookup('password', credentials_path + '/openldap/' + dn + ' chars=ascii_letters,digits') }}"
userPassword: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + dn + ' chars=ascii_letters,digits') }}"
bind_dn: "{{ openldap_dn_admin }}"
bind_pw: "{{ openldap_admin_password }}"
when: item != inventory_hostname
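Review bot: The replicator unit's `userPassword` is now read from `credentials_path + inventory_hostname + '/openldap/' + dn`, so each provider writes its own random password into an entry whose DN (`ou={{ item }}.{{ network_name }},...`) does not identify the provider; if these unit entries sit inside the replicated subtree, providers will overwrite each other's password for the same consumer and the consumer's syncrepl bind (which reads the `item` provider's file) will fail against all but the last writer. Confirm that the services units are excluded from replication, or include the provider in the DN. If the subtree is not replicated, a comment on this task saying so would spare the next reader the same question.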


@ -23,7 +23,7 @@ olcSyncrepl: rid={{ loop.index }}
attrs="{{ syncprov_attrs }}"
bindmethod="{{ syncprov_bindmethod }}"
binddn="{{ syncprov_bind_dn }}"
credentials="{{ lookup('password', credentials_path + '/openldap/' + syncprov_bind_dn + ' chars=ascii_letters,digits') }}"
credentials="{{ lookup('password', credentials_path + item + '/openldap/' + syncprov_bind_dn + ' chars=ascii_letters,digits') }}"
{% endif %}
{% endfor %}
-
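Review bot: `lookup('password', credentials_path + item + '/openldap/' + ...)` runs on the controller and creates the file with a fresh random value when it does not exist, so if the consumer is configured before the provider's replicator unit task has run, the two sides silently end up with different credentials and the bind fails. Either guarantee the provider play runs first and say so in a comment above the loop, or read the credential with a lookup that errors on a missing file (`lookup('file', ...)`) so the ordering mistake surfaces instead of producing a new password. The rendering also relies on `syncprov_bind_dn` being exactly the `dn` the provider's task used when it created the unit; that coupling deserves a comment. The enclosing `for` loop begins before the hunk.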


@ -3,5 +3,5 @@
openldap_domain: example.com
openldap_base_dn: dc={{ openldap_domain.split('.')|join(',dc=') }}
openldap_dn_admin: cn=admin,{{ openldap_base_dn }}
openldap_admin_password: "{{ lookup('password', credentials_path + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
openldap_admin_password: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + openldap_dn_admin + ' chars=ascii_letters,digits') }}"
openldap_backend: MDB


@ -1,6 +1,7 @@
---
postfix_domain: mail.example.com
postfix_domain: example.com
postfix_myhostname: "{{ inventory_hostname }}.{{ postfix_domain }}"
postfix_networks:
- 127.0.0.0/8
@ -19,7 +20,7 @@ postfix_debconf:
postfix/rfc1035_violation: false
postfix/mydomain_warning:
postfix/mynetworks: 127.0.0.0/8
postfix/destinations: "{{ postfix_domain }}, localhost, localhost.localdomain, localhost"
postfix/destinations: "$myhostname, localhost, localhost.localdomain, localhost"
postfix/not_configured:
postfix/sqlite_warning:
postfix/mailbox_limit: 0
@ -47,7 +48,7 @@ postfix_ldap_aliases_base: ou=users,o=%d,ou=domains,{{ postfix_ldap_base }}
postfix_ldap_recipients_base: ou=users,o=%d,ou=domains,{{ postfix_ldap_base }}
postfix_ldap_bind_dn: ou=postfix,ou=services,{{ postfix_ldap_base }}
postfix_ldap_server_host: ldap:///
postfix_ldap_bind_pw: "{{ lookup('password', credentials_path + '/openldap/' + postfix_ldap_bind_dn + ' chars=ascii_letters,digits') }}"
postfix_ldap_bind_pw: "{{ lookup('password', credentials_path + inventory_hostname + '/openldap/' + postfix_ldap_bind_dn + ' chars=ascii_letters,digits') }}"
postfix_message_size_limit: 104857600
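Review bot: The new `postfix/destinations` value `"$myhostname, localhost, localhost.localdomain, localhost"` lists `localhost` twice; drop the trailing one. With `postfix_domain` no longer in the destinations, mail for that domain has to be routed by the LDAP transport map — presumably the intent given the transport change in this commit — and a comment on `postfix_domain` stating that the domain is virtual-only would stop someone re-adding it to `mydestination`. The `example.com` default here differs from the `example.org` default of `dovecot_ldap_domain`; aligning them avoids a host picking up one default and not the other.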


@ -1,8 +1,8 @@
search_base = {{ postfix_ldap_recipients_base }}
bind = yes
query_filter = (&(mail=%u)(!(host={{ inventory_hostname }}.{{ network_name }})))
query_filter = (&(mail=%u@%d)(!(host={{ inventory_hostname }}.{{ network_name }})))
bind_dn = {{ postfix_ldap_bind_dn }}
server_host = {{ postfix_ldap_server_host }}
bind_pw = {{ postfix_ldap_bind_pw }}
result_attribute = host
result_format = smtp:[%s].{{ network_name }}
result_format = smtp:[%s]
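Review bot: `query_filter = (&(mail=%u@%d)(!(host=...)))` is `%s` in Postfix's LDAP expansion except that `%d` suppresses the lookup for a key without a domain part; if that suppression is wanted, a comment saying so would help, otherwise `(mail=%s)` states the intent more directly. The file also carries `bind_pw` in cleartext (context here), so the task that installs this template should deploy it with a restrictive `mode`; worth checking now that the password is generated per host.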


@ -12,7 +12,7 @@ inet_protocols = {{ postfix_inet_protocols }}
smtpd_banner = $myhostname ESMTP $mail_name
# Fully-qualified hostname
myhostname = {{ postfix_domain }}
myhostname = {{ postfix_myhostname }}
# Do not append domain part to incomplete addresses (this is the MUA's job)
append_dot_mydomain = no


@ -9,11 +9,11 @@ iptables -D FORWARD -i $PUBLIC_INTERFACE -o $INTERFACE -m state --state ESTABLIS
iptables -t nat -D POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
{% for port in ports_to_gateway %}
{% set hosts_len = play_hosts|length -1 %}
{% set hosts_len = play_hosts|length - gateway_hostnames|length %}
{% set i = 0 %}
{% for host in play_hosts %}
{% if host != inventory_hostname %}
iptables -t nat -D PREROUTING -i {{ public_interface }} -p tcp --dport {{ port }} -m statistic --mode random --probability {{ 1.0/(hosts_len-i) }} -j DNAT --to-destination {{ network_prefix }}.{{ subnet_number }}.{{ hostvars[host][network_name].host_number }}:{{ port }}
{% if host not in gateway_hostnames %}
iptables -t nat -D PREROUTING -i {{ public_interface }} -p tcp --dport {{ port }} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -m statistic --mode random --probability {{ 1.0/(hosts_len-i) }} -j DNAT --to-destination {{ network_prefix }}.{{ subnet_number }}.{{ hostvars[host][network_name].host_number }}:{{ port }}
{% set i = i +1 %}
{% endif %}
{% endfor %}
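Review bot: The new `hosts_len = play_hosts|length - gateway_hostnames|length` only equals the number of DNAT targets if every gateway host is in `play_hosts`; the loop below filters with `host not in gateway_hostnames`, so the count should be derived the same way, `{% set hosts_len = play_hosts|difference(gateway_hostnames)|length %}`. Otherwise `1.0/(hosts_len-i)` is off, and if gateways outnumber the backends in the play it becomes a division by zero or a negative probability. Note also that `{% set i = i +1 %}` inside the `for` body does not persist across iterations in Jinja2 (each pass gets a fresh scope and reads the outer `i`), so every rule gets `1/hosts_len` rather than the cascading 1/n, 1/(n-1), … that `-m statistic --mode random` needs for an even spread and the remainder of the traffic is never DNATed; that is existing behaviour, but the new rule inherits it. The same applies to the add-rules template in the next file.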


@ -11,11 +11,11 @@ iptables -A FORWARD -i $PUBLIC_INTERFACE -o $INTERFACE -m state --state ESTABLIS
iptables -t nat -A POSTROUTING -o $PUBLIC_INTERFACE -j MASQUERADE
{% for port in ports_to_gateway %}
{% set hosts_len = play_hosts|length -1 %}
{% set hosts_len = play_hosts|length - gateway_hostnames|length %}
{% set i = 0 %}
{% for host in play_hosts %}
{% if host != inventory_hostname %}
iptables -t nat -A PREROUTING -i {{ public_interface }} -p tcp --dport {{ port }} -m statistic --mode random --probability {{ 1.0/(hosts_len-i) }} -j DNAT --to-destination {{ network_prefix }}.{{ subnet_number }}.{{ hostvars[host][network_name].host_number }}:{{ port }}
{% if host not in gateway_hostnames %}
iptables -t nat -A PREROUTING -i {{ public_interface }} -p tcp --dport {{ port }} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -m statistic --mode random --probability {{ 1.0/(hosts_len-i) }} -j DNAT --to-destination {{ network_prefix }}.{{ subnet_number }}.{{ hostvars[host][network_name].host_number }}:{{ port }}
{% set i = i + 1 %}
{% endif %}
{% endfor %}


@ -79,13 +79,6 @@
tags:
- tor
- name: Set iptables
become: yes
command: iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
when: tor_mode == 'dns'
tags:
- tor
- name: Set resolv.conf
become: yes
template: