chore: drop ldap realm and tls settings
parent
2014726273
commit
b886c4bf3f
@ -2,10 +2,6 @@
|
|||||||
pve_nodes:
|
pve_nodes:
|
||||||
- node1
|
- node1
|
||||||
|
|
||||||
pve_tls_enabled: False
|
|
||||||
pve_tls_cert_source: mycert.pem
|
|
||||||
pve_tls_key_source: mykey.pem
|
|
||||||
|
|
||||||
pve_pamd_motd_enabled: True
|
pve_pamd_motd_enabled: True
|
||||||
|
|
||||||
pve_disk_mount: []
|
pve_disk_mount: []
|
||||||
@ -23,17 +19,3 @@ pve_auth_pam_description: Linux PAM standard authentication
|
|||||||
|
|
||||||
pve_auth_pve_is_default: False
|
pve_auth_pve_is_default: False
|
||||||
pve_auth_pve_description: Linux pve standard authentication
|
pve_auth_pve_description: Linux pve standard authentication
|
||||||
|
|
||||||
# Enable ldap auth against an external server
|
|
||||||
pve_auth_ldap_enabled: False
|
|
||||||
# pve_auth_ldap_is_default: False
|
|
||||||
# pve_auth_ldap_realm: ldap
|
|
||||||
# pve_auth_ldap_description: MyLDAP authentication server
|
|
||||||
# pve_auth_ldap_base_dn: dc=example,dc=com
|
|
||||||
# pve_auth_ldap_user_attr: uid
|
|
||||||
# pve_auth_ldap_primary_server: server1.example.com
|
|
||||||
# pve_auth_ldap_secondary_server: server2.example.com (defaults to not set)
|
|
||||||
# pve_auth_ldap_bind_dn: uid=proxy-user,cn=users,dc=example,dc=com (defaults to not set)
|
|
||||||
# pve_auth_ldap_bind_password: my_secret (defaults to not set)
|
|
||||||
# pve_auth_ldap_port: 389
|
|
||||||
# pve_auth_ldap_tls_enabled: False
|
|
||||||
|
@ -1,19 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Ensure path for auth file exists
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ __pve_base_dir }}/priv/ldap"
|
|
||||||
recurse: True
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Add passwd file for ldap bind
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: etc/pve/priv/ldap.pw.j2
|
|
||||||
dest: "{{ __pve_tmp_dir }}/{{ pve_auth_ldap_realm }}.pw"
|
|
||||||
owner: root
|
|
||||||
group: www-data
|
|
||||||
mode: "0640"
|
|
||||||
register: __pve_auth_copy
|
|
||||||
|
|
||||||
- name: Copy passwd file to pve filesystem
|
|
||||||
ansible.builtin.command: "/bin/cp -rf {{ __pve_tmp_dir }}/{{ pve_auth_ldap_realm }}.pw {{ __pve_base_dir }}/priv/ldap/{{ pve_auth_ldap_realm }}.pw"
|
|
||||||
changed_when: __pve_auth_copy.changed
|
|
@ -55,14 +55,3 @@
|
|||||||
- name: Copy auth provider to pve filesystem
|
- name: Copy auth provider to pve filesystem
|
||||||
ansible.builtin.command: "/bin/cp -rf {{ __pve_tmp_dir }}/domains.cfg {{ __pve_base_dir }}/domains.cfg"
|
ansible.builtin.command: "/bin/cp -rf {{ __pve_tmp_dir }}/domains.cfg {{ __pve_base_dir }}/domains.cfg"
|
||||||
changed_when: __pve_domains_copy.changed
|
changed_when: __pve_domains_copy.changed
|
||||||
|
|
||||||
- name: Configure LDAP auth
|
|
||||||
ansible.builtin.include_tasks: ldap.yml
|
|
||||||
when:
|
|
||||||
- pve_auth_ldap_enabled | bool
|
|
||||||
- pve_auth_ldap_bind_password is defined
|
|
||||||
|
|
||||||
- name: Configure pveproxy
|
|
||||||
ansible.builtin.import_tasks: tls.yml
|
|
||||||
when: pve_tls_enabled | bool
|
|
||||||
tags: tls_renewal
|
|
||||||
|
@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Deploy TLS certs
|
|
||||||
become: True
|
|
||||||
become_user: root
|
|
||||||
block:
|
|
||||||
- name: Create pki folder structure
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
recurse: True
|
|
||||||
loop:
|
|
||||||
- /etc/pki/tls/certs
|
|
||||||
- /etc/pki/tls/private
|
|
||||||
|
|
||||||
- name: Copy certs and private key
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
mode: "{{ item.mode }}"
|
|
||||||
loop:
|
|
||||||
- src: "{{ pve_tls_cert_source }}"
|
|
||||||
dest: "/etc/pki/tls/certs/pveproxy-ssl.pem"
|
|
||||||
mode: "0750"
|
|
||||||
- src: "{{ pve_tls_key_source }}"
|
|
||||||
dest: "/etc/pki/tls/private/pveproxy-ssl.key"
|
|
||||||
mode: "0600"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.dest }}"
|
|
||||||
register: __pve_tls_copy
|
|
||||||
|
|
||||||
- name: Copy cert/key to pve filesystem
|
|
||||||
ansible.builtin.command: "/bin/cp -rf {{ item[0].dest }} /etc/pve/nodes/{{ item[1] }}/{{ item[0].dest | basename }}"
|
|
||||||
changed_when: item[0].changed
|
|
||||||
loop: "{{ __pve_tls_copy.results | product(pve_nodes) | list }}"
|
|
||||||
loop_control:
|
|
||||||
label: "/etc/pve/nodes/{{ item[1] }}/{{ item[0].dest | basename }}"
|
|
||||||
notify: __pveproxy_restart
|
|
@ -6,20 +6,3 @@ pam: pam
|
|||||||
pve: pve
|
pve: pve
|
||||||
comment {{ pve_auth_pve_description }}
|
comment {{ pve_auth_pve_description }}
|
||||||
default {{ 1 if pve_auth_pve_is_default else 0 }}
|
default {{ 1 if pve_auth_pve_is_default else 0 }}
|
||||||
{% if pve_auth_ldap_enabled %}
|
|
||||||
|
|
||||||
ldap: {{ pve_auth_ldap_realm }}
|
|
||||||
comment {{ pve_auth_ldap_description }}
|
|
||||||
base_dn {{ pve_auth_ldap_base_dn }}
|
|
||||||
server1 {{ pve_auth_ldap_primary_server }}
|
|
||||||
{% if pve_auth_ldap_secondary_server is defined %}
|
|
||||||
server2 {{ pve_auth_ldap_secondary_server }}
|
|
||||||
{% endif %}
|
|
||||||
user_attr {{ pve_auth_ldap_user_attr }}
|
|
||||||
{% if pve_auth_ldap_bind_dn is defined %}
|
|
||||||
bind_dn {{ pve_auth_ldap_bind_dn }}
|
|
||||||
{% endif %}
|
|
||||||
default {{ 1 if pve_auth_ldap_is_default else 0 }}
|
|
||||||
port {{ pve_auth_ldap_port }}
|
|
||||||
secure {{ 1 if pve_auth_ldap_tls_enabled else 0 }}
|
|
||||||
{% endif %}
|
|
||||||
|
@ -1 +0,0 @@
|
|||||||
{{ pve_auth_ldap_bind_password }}
|
|