From 8b3db96d9ac2724206cb9fbce895e6a8a95be2c6 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Mon, 12 Nov 2018 23:29:24 +0100
Subject: [PATCH] add auth setup tasks
---
 defaults/main.yml | 53 +++++++++++++++++++++++++++++++
 tasks/auth.yml | 31 ++++++++++++++++++
 tasks/main.yml | 3 +-
 templates/etc/pve/domains.cfg.j2 | 29 +++++++++++++++++
 templates/etc/pve/priv/ldap.pw.j2 | 1 +
 vars/main.yml | 27 ++++++++--------
 6 files changed, 130 insertions(+), 14 deletions(-)
 create mode 100644 tasks/auth.yml
 create mode 100644 templates/etc/pve/domains.cfg.j2
 create mode 100644 templates/etc/pve/priv/ldap.pw.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 21c7256..b50516d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,3 +19,56 @@ pve_nginx_iptables_enabled: False
 pve_nginx_tls_enabled: True
 pve_nginx_tls_cert_file: mycert.pem
 pve_nginx_tls_key_file: mykey.pem
+
+# Enables pam authication
+pve_auth_pam_enabled: True
+pve_auth_pam_is_default: True
+pve_auth_pam_realm: pam
+pve_auth_pam_description: Linux PAM standard authentication
+
+pve_auth_pam_tfa_oath_enabled: False
+# pve_auth_pam_tfa_oath_timestep: 30
+# pve_auth_pam_tfa_oath_pwlength: 6
+
+pve_auth_pam_tfa_yubico_enabled: False
+# pve_auth_pam_tfa_yubico_api_id: 1a2b3c4d5e6f
+# pve_auth_pam_tfa_yubico_api_key: 123456
+# pve_auth_pam_tfa_yubico_url: http://127.0.0.1:8080
+
+# Enables proxmox internal auth service
+pve_auth_pve_enabled: True
+pve_auth_pve_is_default: False
+pve_auth_pve_realm: pve
+pve_auth_pve_description: Linux pve standard authentication
+
+pve_auth_pve_tfa_oath_enabled: False
+# pve_auth_pve_tfa_oath_timestep: 30
+# pve_auth_pve_tfa_oath_pwlength: 6
+
+pve_auth_pve_tfa_yubico_enabled: False
+# pve_auth_pve_tfa_yubico_api_id: 1a2b3c4d5e6f
+# pve_auth_pve_tfa_yubico_api_key: 123456
+# pve_auth_pve_tfa_yubico_url: http://127.0.0.1:8080
+
+# Enable ldap auth against an external server
+pve_auth_ldap_enabled: False
+# pve_auth_ldap_is_default: False
+# pve_auth_ldap_realm: ldap
+# pve_auth_ldap_description: MyLDAP authentication server
+# pve_auth_ldap_base_dn: dc=example,dc=com
+# pve_auth_ldap_user_attr: uid
+# pve_auth_ldap_primary_server: server1.example.com
+# pve_auth_ldap_secondary_server: server2.example.com (defaults to not set)
+# pve_auth_ldap_bind_dn: uid=proxy-user,cn=users,dc=example,dc=com (defaults to not set)
+# pve_auth_ldap_bind_password: my_secret (defaults to not set)
+# pve_auth_ldap_port: 389
+# pve_auth_ldap_tls_enabled: False
+
+pve_auth_ldap_tfa_oath_enabled: False
+# pve_auth_ldap_tfa_oath_timestep: 30
+# pve_auth_ldap_tfa_oath_pwlength: 6
+
+pve_auth_ldap_tfa_yubico_enabled: False
+# pve_auth_ldap_tfa_yubico_api_id: 1a2b3c4d5e6f
+# pve_auth_ldap_tfa_yubico_api_key: 123456
+# pve_auth_ldap_tfa_yubico_url: http://127.0.0.1:8080
diff --git a/tasks/auth.yml b/tasks/auth.yml
new file mode 100644
index 0000000..5d58445
--- /dev/null
+++ b/tasks/auth.yml
@@ -0,0 +1,31 @@
+---
+- block:
+ - name: Configure auth provider
+ template:
+ src: etc/pve/domains.cfg.j2
+ dest: "{{ __pve_base_dir }}/domains.cfg"
+ owner: root
+ group: www-data
+ mode: 0640
+ become: True
+ become_user: root
+
+- block:
+ - name: Ensure path for auth file exists
+ file:
+ path: "{{ __pve_base_dir }}/priv/ldap"
+ recurse: yes
+ state: director
+
+ - name: Add passwd file for ldap bind
+ template:
+ src: etc/pve/priv/ldap.pw.j2
+ dest: "{{ __pve_base_dir }}/priv/ldap/{{ pve_auth_ldap_realm }}.pw"
+ owner: root
+ group: www-data
+ mode: 0600
+ become: True
+ become_user: root
+ when:
+ - pve_auth_ldap_enabled
+ - pve_auth_ldap_bind_password is defined
diff --git a/tasks/main.yml b/tasks/main.yml
index 495d33c..43a358a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
+- import_tasks: auth.yml
 - import_tasks: tls.yml
 when: pve_tls_enabled
 tags: tls_renewal
 - import_tasks: nginx.yml
- when: pve_nginx_vhost_enabled
\ No newline at end of file
+ when: pve_nginx_vhost_enabled
diff --git a/templates/etc/pve/domains.cfg.j2 b/templates/etc/pve/domains.cfg.j2
new file mode 100644
index 0000000..9e4baee
--- /dev/null
+++ b/templates/etc/pve/domains.cfg.j2
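Review bot: Most of the pam/pve knobs added in the defaults/main.yml hunk are dead: `pve_auth_pam_description`, `pve_auth_pam_is_default`, `pve_auth_pve_is_default` and every `pve_auth_pam_tfa_*` / `pve_auth_pve_tfa_*` variable is never read by templates/etc/pve/domains.cfg.j2 in this commit, which hard-codes `pam: pam` / `pve: pve` with fixed comment lines, so setting them changes nothing. Either drop them or wire them into the template the way the ldap stanza reads its variables. The commented ldap example documents `pve_auth_ldap_bind_password: my_secret` alongside `pve_auth_ldap_tls_enabled: False` and port 389; a comment such as `# set pve_auth_ldap_tls_enabled: True when a bind password is configured, otherwise the bind credential travels in the clear` would stop users from pairing those two defaults, and the password itself should come from vault or an environment lookup rather than a committed vars file.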
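Review bot: `state: director` in the "Ensure path for auth file exists" task is not a valid `file` module state, so the whole ldap block fails as soon as `pve_auth_ldap_enabled` and `pve_auth_ldap_bind_password` are both set; it should read `state: directory`, and `recurse: yes` is then pointless because no owner or mode is given for it to apply. The "Add passwd file for ldap bind" task renders a secret and should carry `no_log: true`, otherwise `--diff` or verbose runs print the bind password in the play output. The two `mode:` values are unquoted octals (`mode: 0640`, `mode: 0600`); write them as `mode: "0640"` / `mode: "0600"` so the YAML loader does not retype them. The `.pw` path interpolates `pve_auth_ldap_realm`, which defaults/main.yml only provides as a commented example, so the block's `when:` should presumably also require `pve_auth_ldap_realm is defined`.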
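Review bot: The new `- import_tasks: auth.yml` entry carries no `tags:` while the neighbouring tls import is tagged `tls_renewal`, so the auth setup cannot be selected or skipped with `--tags`/`--skip-tags`; a `tags: auth` line would keep the three imports consistent. It is also the only import without a `when:` guard, which is presumably intentional because domains.cfg always lists the pam/pve realms, but that deserves a comment above it such as `# always applied: domains.cfg must contain the built-in pam/pve realms`.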
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+pam: pam
+ comment Linux PAM standard authentication
+
+pve: pve
+ comment Proxmox VE authentication server
+
+{% if pve_auth_ldap_enabled %}
+ldap: {{ pve_auth_ldap_relam }}
+ comment {{ pve_auth_ldap_description }}
+ base_dn {{ pve_auth_ldap_base_dn }}
+ server1 {{ pve_auth_ldap_primary_server }}
+ {% if pve_auth_ldap_secondary_server is defined %}
+ server2 {{ pve_auth_ldap_secondary_server }}
+ {% endif %}
+ user_attr {{ pve_auth_ldap_user_attr }}
+ {% if pve_auth_ldap_bind_dn is defined %}
+ bind_dn {{ pve_auth_ldap_bind_dn }}
+ {% endif %}
+ default {{ 1 if pve_auth_ldap_is_default else 0 }}
+ port {{ pve_auth_ldap_port }}
+ secure {{ 1 if pve_auth_ldap_tls_enabled else 0 }}
+ {% if pve_auth_ldap_tfa_oath_enabled and not pve_auth_ldap_tfa_yubico_enabled %}
+ tfa type=oath,step={{ pve_auth_ldap_tfa_oath_timestep }},digits={{ pve_auth_ldap_tfa_oath_pwlength }}
+ {% elif pve_auth_ldap_tfa_yubico_enabled and not pve_auth_ldap_tfa_oath_enabled %}
+ tfa type=yubico,id={{ pve_auth_ldap_tfa_yubico_api_id }},key={{ pve_auth_ldap_tfa_yubico_api_key }},url={{ pve_auth_ldap_tfa_yubico_url }}
+ {% endif %}
+{% endif %}
diff --git a/templates/etc/pve/priv/ldap.pw.j2 b/templates/etc/pve/priv/ldap.pw.j2
new file mode 100644
index 0000000..671ccef
--- /dev/null
+++ b/templates/etc/pve/priv/ldap.pw.j2
@@ -0,0 +1 @@
+{{ pve_auth_ldap_bind_password }}
diff --git a/vars/main.yml b/vars/main.yml
index aa40cc1..b08a774 100644
--- a/vars/main.yml
+++ b/vars/main.yml
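Review bot: `ldap: {{ pve_auth_ldap_relam }}` misspells the variable; every other file in the commit uses `pve_auth_ldap_realm`, so with ldap enabled the template either aborts on an undefined variable or, if undefined variables are tolerated, writes an empty realm name that no longer matches the `<realm>.pw` file tasks/auth.yml creates. The fix is `ldap: {{ pve_auth_ldap_realm }}`. The `{% if %}` / `{% elif %}` / `{% endif %}` tags inside the ldap stanza are indented like config lines, so depending on trim/lstrip settings they can leave indentation-only remnants in a whitespace-sensitive file; putting them at column 0 or using `{%- ... -%}` avoids that. A one-line header comment noting that `secure` only toggles the flag and that `pve_auth_ldap_port` must be changed by the operator to match would also help, since the two are emitted independently.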
@@ -1,14 +1,15 @@
 ---
-__pve_certificates:
- cert:
- name: pveproxy-ssl.pem
- path: /etc/pki/tls/certs
- source: "{{ pve_tls_cert_source }}"
- nodes: "{{ pve_nodes }}"
- mode: "0750"
- key:
- name: pveproxy-ssl.key
- path: /etc/pki/tls/private
- source: "{{ pve_tls_key_source }}"
- nodes: "{{ pve_nodes }}"
- mode: "0600"
+__pve_base_dir: /etc/pve
+# __pve_certificates:
+# cert:
+# name: pveproxy-ssl.pem
+# path: /etc/pki/tls/certs
+# source: "{{ pve_tls_cert_source }}"
+# nodes: "{{ pve_nodes }}"
+# mode: "0750"
+# key:
+# name: pveproxy-ssl.key
+# path: /etc/pki/tls/private
+# source: "{{ pve_tls_key_source }}"
+# nodes: "{{ pve_nodes }}"
+# mode: "0600"
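Review bot: `__pve_certificates` is commented out rather than deleted, leaving thirteen lines of dead configuration in vars/main.yml; git history already preserves the old block, so the commented lines should simply be removed. If tasks/tls.yml (not touched by this commit) still references `__pve_certificates`, the tls import now fails with an undefined variable whenever `pve_tls_enabled` is set, which is worth confirming before merge. The new `__pve_base_dir: /etc/pve` would read better with a short comment above it naming what lives under it, e.g. `# root of the Proxmox config tree; domains.cfg and priv/ are rendered below it`.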