add auth setup tasks
This commit is contained in:
parent
508aaf4ab3
commit
8b3db96d9a
|
@ -19,3 +19,56 @@ pve_nginx_iptables_enabled: False
|
||||||
pve_nginx_tls_enabled: True
|
pve_nginx_tls_enabled: True
|
||||||
pve_nginx_tls_cert_file: mycert.pem
|
pve_nginx_tls_cert_file: mycert.pem
|
||||||
pve_nginx_tls_key_file: mykey.pem
|
pve_nginx_tls_key_file: mykey.pem
|
||||||
|
|
||||||
|
# Enables pam authication
|
||||||
|
pve_auth_pam_enabled: True
|
||||||
|
pve_auth_pam_is_default: True
|
||||||
|
pve_auth_pam_realm: pam
|
||||||
|
pve_auth_pam_description: Linux PAM standard authentication
|
||||||
|
|
||||||
|
pve_auth_pam_tfa_oath_enabled: False
|
||||||
|
# pve_auth_pam_tfa_oath_timestep: 30
|
||||||
|
# pve_auth_pam_tfa_oath_pwlength: 6
|
||||||
|
|
||||||
|
pve_auth_pam_tfa_yubico_enabled: False
|
||||||
|
# pve_auth_pam_tfa_yubico_api_id: 1a2b3c4d5e6f
|
||||||
|
# pve_auth_pam_tfa_yubico_api_key: 123456
|
||||||
|
# pve_auth_pam_tfa_yubico_url: http://127.0.0.1:8080
|
||||||
|
|
||||||
|
# Enables proxmox internal auth service
|
||||||
|
pve_auth_pve_enabled: True
|
||||||
|
pve_auth_pve_is_default: False
|
||||||
|
pve_auth_pve_realm: pve
|
||||||
|
pve_auth_pve_description: Linux pve standard authentication
|
||||||
|
|
||||||
|
pve_auth_pve_tfa_oath_enabled: False
|
||||||
|
# pve_auth_pve_tfa_oath_timestep: 30
|
||||||
|
# pve_auth_pve_tfa_oath_pwlength: 6
|
||||||
|
|
||||||
|
pve_auth_pve_tfa_yubico_enabled: False
|
||||||
|
# pve_auth_pve_tfa_yubico_api_id: 1a2b3c4d5e6f
|
||||||
|
# pve_auth_pve_tfa_yubico_api_key: 123456
|
||||||
|
# pve_auth_pve_tfa_yubico_url: http://127.0.0.1:8080
|
||||||
|
|
||||||
|
# Enable ldap auth against an external server
|
||||||
|
pve_auth_ldap_enabled: False
|
||||||
|
# pve_auth_ldap_is_default: False
|
||||||
|
# pve_auth_ldap_realm: ldap
|
||||||
|
# pve_auth_ldap_description: MyLDAP authentication server
|
||||||
|
# pve_auth_ldap_base_dn: dc=example,dc=com
|
||||||
|
# pve_auth_ldap_user_attr: uid
|
||||||
|
# pve_auth_ldap_primary_server: server1.example.com
|
||||||
|
# pve_auth_ldap_secondary_server: server2.example.com (defaults to not set)
|
||||||
|
# pve_auth_ldap_bind_dn: uid=proxy-user,cn=users,dc=example,dc=com (defaults to not set)
|
||||||
|
# pve_auth_ldap_bind_password: my_secret (defaults to not set)
|
||||||
|
# pve_auth_ldap_port: 389
|
||||||
|
# pve_auth_ldap_tls_enabled: False
|
||||||
|
|
||||||
|
pve_auth_ldap_tfa_oath_enabled: False
|
||||||
|
# pve_auth_ldap_tfa_oath_timestep: 30
|
||||||
|
# pve_auth_ldap_tfa_oath_pwlength: 6
|
||||||
|
|
||||||
|
pve_auth_ldap_tfa_yubico_enabled: False
|
||||||
|
# pve_auth_ldap_tfa_yubico_api_id: 1a2b3c4d5e6f
|
||||||
|
# pve_auth_ldap_tfa_yubico_api_key: 123456
|
||||||
|
# pve_auth_ldap_tfa_yubico_url: http://127.0.0.1:8080
|
||||||
|
|
|
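Review bot: Every `pve_auth_ldap_*` value that the domains.cfg template reads unconditionally once `pve_auth_ldap_enabled` is true — realm, description, base_dn, user_attr, primary_server, port, tls_enabled and is_default — exists here only as a comment (L152–L192), so a user who sets `pve_auth_ldap_enabled: True` without copying every one of them gets an undefined-variable failure instead of a realm; the non-site-specific ones should be live defaults, e.g. `pve_auth_ldap_port: 389`, `pve_auth_ldap_tls_enabled: False`, `pve_auth_ldap_is_default: False`. The reverse also holds: `pve_auth_pam_description`, `pve_auth_pve_description`, both `*_is_default` keys and all `pve_auth_pam_tfa_*` / `pve_auth_pve_tfa_*` keys are declared here but the template never reads them, so they silently do nothing and should either be wired up or dropped. Because `pve_auth_ldap_tls_enabled` defaults to False with port 389, the value of `pve_auth_ldap_bind_password` is sent to the directory server in clear text unless the operator flips it; the comment at L192 should say so (`# set to True unless the LDAP server is only reachable over a trusted network`). The comment at L30 misspells "authentication", and the `True`/`False` literals throughout should be lowercase `true`/`false` per yamllint's truthy rule.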
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Configure auth provider
|
||||||
|
template:
|
||||||
|
src: etc/pve/domains.cfg.j2
|
||||||
|
dest: "{{ __pve_base_dir }}/domains.cfg"
|
||||||
|
owner: root
|
||||||
|
group: www-data
|
||||||
|
mode: 0640
|
||||||
|
become: True
|
||||||
|
become_user: root
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Ensure path for auth file exists
|
||||||
|
file:
|
||||||
|
path: "{{ __pve_base_dir }}/priv/ldap"
|
||||||
|
recurse: yes
|
||||||
|
state: director
|
||||||
|
|
||||||
|
- name: Add passwd file for ldap bind
|
||||||
|
template:
|
||||||
|
src: etc/pve/priv/ldap.pw.j2
|
||||||
|
dest: "{{ __pve_base_dir }}/priv/ldap/{{ pve_auth_ldap_realm }}.pw"
|
||||||
|
owner: root
|
||||||
|
group: www-data
|
||||||
|
mode: 0600
|
||||||
|
become: True
|
||||||
|
become_user: root
|
||||||
|
when:
|
||||||
|
- pve_auth_ldap_enabled
|
||||||
|
- pve_auth_ldap_bind_password is defined
|
|
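Review bot: `state: director` at L303 is not a value the `file` module accepts (it expects `directory`), so the LDAP block fails on its first task as soon as `pve_auth_ldap_enabled` and `pve_auth_ldap_bind_password` are both set; the line should read `state: directory`. The `mode:` values at L268 and L334 are unquoted, so YAML hands Ansible the integers 416 and 384 rather than octal strings; quote them as `mode: "0640"` and `mode: "0600"`, matching the quoted `mode: "0750"` style used by the `__pve_certificates` block in the last hunk. The task at L310 renders the bind password into a file, so it should carry `no_log: true` so the secret does not land in task output, `--diff` output or callback logs. The `dest:` at L322 depends on `pve_auth_ldap_realm`, which the defaults only provide as a comment; a short `assert` on that variable before this block, or a live default, would turn an obscure template error into a clear message.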
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
|
- import_tasks: auth.yml
|
||||||
- import_tasks: tls.yml
|
- import_tasks: tls.yml
|
||||||
when: pve_tls_enabled
|
when: pve_tls_enabled
|
||||||
tags: tls_renewal
|
tags: tls_renewal
|
||||||
- import_tasks: nginx.yml
|
- import_tasks: nginx.yml
|
||||||
when: pve_nginx_vhost_enabled
|
when: pve_nginx_vhost_enabled
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
pam: pam
|
||||||
|
comment Linux PAM standard authentication
|
||||||
|
|
||||||
|
pve: pve
|
||||||
|
comment Proxmox VE authentication server
|
||||||
|
|
||||||
|
{% if pve_auth_ldap_enabled %}
|
||||||
|
ldap: {{ pve_auth_ldap_relam }}
|
||||||
|
comment {{ pve_auth_ldap_description }}
|
||||||
|
base_dn {{ pve_auth_ldap_base_dn }}
|
||||||
|
server1 {{ pve_auth_ldap_primary_server }}
|
||||||
|
{% if pve_auth_ldap_secondary_server is defined %}
|
||||||
|
server2 {{ pve_auth_ldap_secondary_server }}
|
||||||
|
{% endif %}
|
||||||
|
user_attr {{ pve_auth_ldap_user_attr }}
|
||||||
|
{% if pve_auth_ldap_bind_dn is defined %}
|
||||||
|
bind_dn {{ pve_auth_ldap_bind_dn }}
|
||||||
|
{% endif %}
|
||||||
|
default {{ 1 if pve_auth_ldap_is_default else 0 }}
|
||||||
|
port {{ pve_auth_ldap_port }}
|
||||||
|
secure {{ 1 if pve_auth_ldap_tls_enabled else 0 }}
|
||||||
|
{% if pve_auth_ldap_tfa_oath_enabled and not pve_auth_ldap_tfa_yubico_enabled %}
|
||||||
|
tfa type=oath,step={{ pve_auth_ldap_tfa_oath_timestep }},digits={{ pve_auth_ldap_tfa_oath_pwlength }}
|
||||||
|
{% elif pve_auth_ldap_tfa_yubico_enabled and not pve_auth_ldap_tfa_oath_enabled %}
|
||||||
|
tfa type=yubico,id={{ pve_auth_ldap_tfa_yubico_api_id }},key={{ pve_auth_ldap_tfa_yubico_api_key }},url={{ pve_auth_ldap_tfa_yubico_url }}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
|
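Review bot: `{{ pve_auth_ldap_relam }}` at L434 misspells `pve_auth_ldap_realm`, the name used by the defaults and by the `dest:` of the bind-password task, so rendering fails with an undefined variable whenever `pve_auth_ldap_enabled` is true; the line should read `ldap: {{ pve_auth_ldap_realm }}`. The realm name written here and the `{{ pve_auth_ldap_realm }}.pw` file name must match, since the password file is presumably looked up by realm name — worth a one-line comment above the stanza. The `tfa` branches at L490 and L498 are both skipped without any signal when OATH and Yubico are enabled at the same time, so two-factor silently disappears; an `{% else %}` that fails the render, or an `assert` in the task file, would make the exclusivity explicit. The `pam` and `pve` stanzas hard-code their `comment` text and set no `default`, ignoring the `pve_auth_pam_description` / `pve_auth_pve_description` and `*_is_default` variables the defaults file introduces; either read them (`comment {{ pve_auth_pam_description }}`, `default {{ 1 if pve_auth_pam_is_default else 0 }}`) or remove those variables.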
@ -0,0 +1 @@
|
||||||
|
{{ pve_auth_ldap_bind_password }}
|
|
@ -1,14 +1,15 @@
|
||||||
---
|
---
|
||||||
__pve_certificates:
|
__pve_base_dir: /etc/pve
|
||||||
cert:
|
# __pve_certificates:
|
||||||
name: pveproxy-ssl.pem
|
# cert:
|
||||||
path: /etc/pki/tls/certs
|
# name: pveproxy-ssl.pem
|
||||||
source: "{{ pve_tls_cert_source }}"
|
# path: /etc/pki/tls/certs
|
||||||
nodes: "{{ pve_nodes }}"
|
# source: "{{ pve_tls_cert_source }}"
|
||||||
mode: "0750"
|
# nodes: "{{ pve_nodes }}"
|
||||||
key:
|
# mode: "0750"
|
||||||
name: pveproxy-ssl.key
|
# key:
|
||||||
path: /etc/pki/tls/private
|
# name: pveproxy-ssl.key
|
||||||
source: "{{ pve_tls_key_source }}"
|
# path: /etc/pki/tls/private
|
||||||
nodes: "{{ pve_nodes }}"
|
# source: "{{ pve_tls_key_source }}"
|
||||||
mode: "0600"
|
# nodes: "{{ pve_nodes }}"
|
||||||
|
# mode: "0600"
|
||||||
|
|
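Review bot: Commenting out the whole `__pve_certificates` mapping (L535–L594) removes a variable while `tls.yml` is still imported under `when: pve_tls_enabled` in the main task list; if `tls.yml` (not part of this diff) still references `__pve_certificates`, every TLS run now fails with an undefined variable. If the block is genuinely obsolete it should be deleted rather than kept as a comment — git history preserves it and commented-out configuration only adds noise to future diffs; if it is still needed, it should stay live. The new `__pve_base_dir: /etc/pve` value is fine as written; a short comment noting that it is the pmxcfs mount point the auth tasks write into would help the next reader.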