add auth setup tasks
This commit is contained in:
parent
508aaf4ab3
commit
8b3db96d9a
|
@ -19,3 +19,56 @@ pve_nginx_iptables_enabled: False
|
|||
pve_nginx_tls_enabled: True
|
||||
pve_nginx_tls_cert_file: mycert.pem
|
||||
pve_nginx_tls_key_file: mykey.pem
|
||||
|
||||
# Enables pam authication
|
||||
pve_auth_pam_enabled: True
|
||||
pve_auth_pam_is_default: True
|
||||
pve_auth_pam_realm: pam
|
||||
pve_auth_pam_description: Linux PAM standard authentication
|
||||
|
||||
pve_auth_pam_tfa_oath_enabled: False
|
||||
# pve_auth_pam_tfa_oath_timestep: 30
|
||||
# pve_auth_pam_tfa_oath_pwlength: 6
|
||||
|
||||
pve_auth_pam_tfa_yubico_enabled: False
|
||||
# pve_auth_pam_tfa_yubico_api_id: 1a2b3c4d5e6f
|
||||
# pve_auth_pam_tfa_yubico_api_key: 123456
|
||||
# pve_auth_pam_tfa_yubico_url: http://127.0.0.1:8080
|
||||
|
||||
# Enables proxmox internal auth service
|
||||
pve_auth_pve_enabled: True
|
||||
pve_auth_pve_is_default: False
|
||||
pve_auth_pve_realm: pve
|
||||
pve_auth_pve_description: Linux pve standard authentication
|
||||
|
||||
pve_auth_pve_tfa_oath_enabled: False
|
||||
# pve_auth_pve_tfa_oath_timestep: 30
|
||||
# pve_auth_pve_tfa_oath_pwlength: 6
|
||||
|
||||
pve_auth_pve_tfa_yubico_enabled: False
|
||||
# pve_auth_pve_tfa_yubico_api_id: 1a2b3c4d5e6f
|
||||
# pve_auth_pve_tfa_yubico_api_key: 123456
|
||||
# pve_auth_pve_tfa_yubico_url: http://127.0.0.1:8080
|
||||
|
||||
# Enable ldap auth against an external server
|
||||
pve_auth_ldap_enabled: False
|
||||
# pve_auth_ldap_is_default: False
|
||||
# pve_auth_ldap_realm: ldap
|
||||
# pve_auth_ldap_description: MyLDAP authentication server
|
||||
# pve_auth_ldap_base_dn: dc=example,dc=com
|
||||
# pve_auth_ldap_user_attr: uid
|
||||
# pve_auth_ldap_primary_server: server1.example.com
|
||||
# pve_auth_ldap_secondary_server: server2.example.com (defaults to not set)
|
||||
# pve_auth_ldap_bind_dn: uid=proxy-user,cn=users,dc=example,dc=com (defaults to not set)
|
||||
# pve_auth_ldap_bind_password: my_secret (defaults to not set)
|
||||
# pve_auth_ldap_port: 389
|
||||
# pve_auth_ldap_tls_enabled: False
|
||||
|
||||
pve_auth_ldap_tfa_oath_enabled: False
|
||||
# pve_auth_ldap_tfa_oath_timestep: 30
|
||||
# pve_auth_ldap_tfa_oath_pwlength: 6
|
||||
|
||||
pve_auth_ldap_tfa_yubico_enabled: False
|
||||
# pve_auth_ldap_tfa_yubico_api_id: 1a2b3c4d5e6f
|
||||
# pve_auth_ldap_tfa_yubico_api_key: 123456
|
||||
# pve_auth_ldap_tfa_yubico_url: http://127.0.0.1:8080
|
||||
|
|
|
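Review bot: The LDAP defaults ship with `pve_auth_ldap_tls_enabled: False` and `# pve_auth_ldap_port: 389`, so an operator who sets `pve_auth_ldap_bind_dn`/`pve_auth_ldap_bind_password` gets a simple bind whose password crosses the network in clear unless they also remember to flip TLS; consider defaulting to `pve_auth_ldap_tls_enabled: True` (with the matching port) or at least saying so in the comment above the LDAP block. The booleans throughout the hunk are written as `True`/`False`; Ansible style and yamllint's `truthy` rule prefer lowercase `true`/`false`, and the existing `pve_nginx_*` lines in this file would then want the same treatment. The comment `# Enables pam authication` should read `# Enables PAM authentication`.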
@ -0,0 +1,31 @@
|
|||
---
|
||||
- block:
|
||||
- name: Configure auth provider
|
||||
template:
|
||||
src: etc/pve/domains.cfg.j2
|
||||
dest: "{{ __pve_base_dir }}/domains.cfg"
|
||||
owner: root
|
||||
group: www-data
|
||||
mode: 0640
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- block:
|
||||
- name: Ensure path for auth file exists
|
||||
file:
|
||||
path: "{{ __pve_base_dir }}/priv/ldap"
|
||||
recurse: yes
|
||||
state: director
|
||||
|
||||
- name: Add passwd file for ldap bind
|
||||
template:
|
||||
src: etc/pve/priv/ldap.pw.j2
|
||||
dest: "{{ __pve_base_dir }}/priv/ldap/{{ pve_auth_ldap_realm }}.pw"
|
||||
owner: root
|
||||
group: www-data
|
||||
mode: 0600
|
||||
become: True
|
||||
become_user: root
|
||||
when:
|
||||
- pve_auth_ldap_enabled
|
||||
- pve_auth_ldap_bind_password is defined
|
|
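Review bot: `state: director` in the "Ensure path for auth file exists" task is not a valid choice for the `file` module (it wants `directory`), so the LDAP branch fails on its first task whenever `pve_auth_ldap_enabled` is true and a bind password is defined; change it to `state: directory`. The "Add passwd file for ldap bind" task renders a secret through `template`, so its content shows up in the play output in `--diff`/verbose mode; add `no_log: true` to that task. The directory task sets no `owner`/`group`/`mode` while using `recurse: yes`, which does nothing useful for a freshly created `priv/ldap` directory — either drop `recurse` or give the directory the same root/www-data ownership as the file written into it. The `mode: 0640`/`0600` values are unquoted octals whereas vars/main.yml in this same commit quotes them (`"0600"`); pick one form for the role.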
@ -1,6 +1,7 @@
|
|||
---
|
||||
- import_tasks: auth.yml
|
||||
- import_tasks: tls.yml
|
||||
when: pve_tls_enabled
|
||||
tags: tls_renewal
|
||||
- import_tasks: nginx.yml
|
||||
when: pve_nginx_vhost_enabled
|
||||
when: pve_nginx_vhost_enabled
|
||||
|
|
|
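Review bot: `- import_tasks: auth.yml` is pulled in unconditionally and untagged, unlike the `tls.yml` import beside it, so every run of the role re-renders `domains.cfg` and there is no tag to run or skip just the realm setup; consider `tags: auth` on the import and, if the role should be usable without touching realms, a `when:` flag mirroring `pve_tls_enabled`. The `when: pve_nginx_vhost_enabled` line printed twice presumably reflects an indentation-only change on the nginx import, which the rendering does not show.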
@ -0,0 +1,29 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
pam: pam
|
||||
comment Linux PAM standard authentication
|
||||
|
||||
pve: pve
|
||||
comment Proxmox VE authentication server
|
||||
|
||||
{% if pve_auth_ldap_enabled %}
|
||||
ldap: {{ pve_auth_ldap_relam }}
|
||||
comment {{ pve_auth_ldap_description }}
|
||||
base_dn {{ pve_auth_ldap_base_dn }}
|
||||
server1 {{ pve_auth_ldap_primary_server }}
|
||||
{% if pve_auth_ldap_secondary_server is defined %}
|
||||
server2 {{ pve_auth_ldap_secondary_server }}
|
||||
{% endif %}
|
||||
user_attr {{ pve_auth_ldap_user_attr }}
|
||||
{% if pve_auth_ldap_bind_dn is defined %}
|
||||
bind_dn {{ pve_auth_ldap_bind_dn }}
|
||||
{% endif %}
|
||||
default {{ 1 if pve_auth_ldap_is_default else 0 }}
|
||||
port {{ pve_auth_ldap_port }}
|
||||
secure {{ 1 if pve_auth_ldap_tls_enabled else 0 }}
|
||||
{% if pve_auth_ldap_tfa_oath_enabled and not pve_auth_ldap_tfa_yubico_enabled %}
|
||||
tfa type=oath,step={{ pve_auth_ldap_tfa_oath_timestep }},digits={{ pve_auth_ldap_tfa_oath_pwlength }}
|
||||
{% elif pve_auth_ldap_tfa_yubico_enabled and not pve_auth_ldap_tfa_oath_enabled %}
|
||||
tfa type=yubico,id={{ pve_auth_ldap_tfa_yubico_api_id }},key={{ pve_auth_ldap_tfa_yubico_api_key }},url={{ pve_auth_ldap_tfa_yubico_url }}
|
||||
{% endif %}
|
||||
{% endif %}
|
|
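Review bot: `ldap: {{ pve_auth_ldap_relam }}` misspells the variable — defaults/main.yml and tasks/auth.yml use `pve_auth_ldap_realm` — so with `pve_auth_ldap_enabled` the template aborts on an undefined variable, and even if it rendered the realm name would not match the `{{ pve_auth_ldap_realm }}.pw` file the bind-password task writes. The `pam` and `pve` stanzas are hard-coded and never read `pve_auth_pam_*`/`pve_auth_pve_*`, so `pve_auth_pam_is_default: True`, the descriptions and the TFA toggles introduced in defaults/main.yml have no effect; the fence shows the pam stanza driven by those variables in the same shape as the ldap block (the pve stanza follows the same pattern), with option lines indented like the existing `comment` lines, whose indentation this rendering dropped. The ldap block also references `pve_auth_ldap_realm`, `_description`, `_base_dn`, `_user_attr`, `_primary_server`, `_port`, `_is_default` and `_tls_enabled`, all of which defaults/main.yml leaves commented out, so enabling LDAP without defining every one of them fails the template; shipping real defaults for at least `_port`, `_is_default` and `_tls_enabled` (or guarding them with `is defined` as `_secondary_server` already is) would make the switch usable.
```jinja
pam: pam
	comment {{ pve_auth_pam_description }}
	default {{ 1 if pve_auth_pam_is_default else 0 }}
{% if pve_auth_pam_tfa_oath_enabled and not pve_auth_pam_tfa_yubico_enabled %}
	tfa type=oath,step={{ pve_auth_pam_tfa_oath_timestep }},digits={{ pve_auth_pam_tfa_oath_pwlength }}
{% elif pve_auth_pam_tfa_yubico_enabled and not pve_auth_pam_tfa_oath_enabled %}
	tfa type=yubico,id={{ pve_auth_pam_tfa_yubico_api_id }},key={{ pve_auth_pam_tfa_yubico_api_key }},url={{ pve_auth_pam_tfa_yubico_url }}
{% endif %}
{# … unchanged: pve stanza and ldap block … #}
```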
@ -0,0 +1 @@
|
|||
{{ pve_auth_ldap_bind_password }}
|
|
@ -1,14 +1,15 @@
|
|||
---
|
||||
__pve_certificates:
|
||||
cert:
|
||||
name: pveproxy-ssl.pem
|
||||
path: /etc/pki/tls/certs
|
||||
source: "{{ pve_tls_cert_source }}"
|
||||
nodes: "{{ pve_nodes }}"
|
||||
mode: "0750"
|
||||
key:
|
||||
name: pveproxy-ssl.key
|
||||
path: /etc/pki/tls/private
|
||||
source: "{{ pve_tls_key_source }}"
|
||||
nodes: "{{ pve_nodes }}"
|
||||
mode: "0600"
|
||||
__pve_base_dir: /etc/pve
|
||||
# __pve_certificates:
|
||||
# cert:
|
||||
# name: pveproxy-ssl.pem
|
||||
# path: /etc/pki/tls/certs
|
||||
# source: "{{ pve_tls_cert_source }}"
|
||||
# nodes: "{{ pve_nodes }}"
|
||||
# mode: "0750"
|
||||
# key:
|
||||
# name: pveproxy-ssl.key
|
||||
# path: /etc/pki/tls/private
|
||||
# source: "{{ pve_tls_key_source }}"
|
||||
# nodes: "{{ pve_nodes }}"
|
||||
# mode: "0600"
|
||||
|
|
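Review bot: The `__pve_certificates` mapping is left behind as a 14-line commented-out block under the new `__pve_base_dir: /etc/pve`; if it is no longer needed, delete it rather than keeping dead configuration in the vars file, and if `tls.yml` — still imported from tasks/main.yml — reads `__pve_certificates`, commenting it out breaks runs with `pve_tls_enabled`, which this commit does not appear to address. The new `__pve_base_dir` is consumed by the `dest:` paths in tasks/auth.yml, so a short comment such as `# root of the Proxmox VE config tree; auth.yml writes domains.cfg and priv/ldap/ under it` next to it would help readers.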