diff --git a/playbooks/ldap.yml b/playbooks/ldap.yml index e7d9df4..1de8d64 100644 --- a/playbooks/ldap.yml +++ b/playbooks/ldap.yml @@ -24,7 +24,6 @@ roles: - base - ldap-server - - kdc - role: ldap_netdb when: ldap_master is defined - role: ldap_gravatar diff --git a/playbooks/oci-node.yml b/playbooks/oci-node.yml index 5b10da9..a8aed2c 100644 --- a/playbooks/oci-node.yml +++ b/playbooks/oci-node.yml @@ -11,4 +11,4 @@ roles: - base - - podman + - kdc diff --git a/roles/kdc/files/kdc-container.service b/roles/kdc/files/kdc-container.service new file mode 100644 index 0000000..59c0c13 --- /dev/null +++ b/roles/kdc/files/kdc-container.service @@ -0,0 +1,13 @@ +[Unit] +Description=Kerberos KDC Container + +[Service] +User=kdc +EnvironmentFile=/etc/sysconfig/kdc-container +ExecStart=/usr/bin/podman run --rm -p 127.0.0.1:8001:8000 --name kdc \ + -e LDAP_BASEDN -e LDAP_BIND_PW -e KRB5_REALM -e KRB5_STASH_PW kdc +ExecStop=/usr/bin/podman stop kdc +KillMode=none + +[Install] +WantedBy=multi-user.target diff --git a/roles/kdc/handlers/main.yml b/roles/kdc/handlers/main.yml index e308f66..ab60dd4 100644 --- a/roles/kdc/handlers/main.yml +++ b/roles/kdc/handlers/main.yml @@ -1,5 +1,17 @@ --- -- name: restart kdc - service: - name: krb5kdc +- name: rebuild kdc-container + ansible.builtin.command: + argv: + - podman + - build + - -t + - kdc + - /usr/local/src/docker-kdc + become: true + become_user: kdc + notify: restart kdc-container + +- name: restart kdc-container + ansible.builtin.service: + name: kdc-container state: restarted diff --git a/roles/kdc/meta/main.yml b/roles/kdc/meta/main.yml index dfb9ccd..42768e8 100644 --- a/roles/kdc/meta/main.yml +++ b/roles/kdc/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - - {role: nginx/server} - - {role: gunicorn} + - {role: git} + - {role: podman} diff --git a/roles/kdc/tasks/main.yml b/roles/kdc/tasks/main.yml index 32657e4..b0a06d5 100644 --- a/roles/kdc/tasks/main.yml +++ b/roles/kdc/tasks/main.yml 
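Review bot: `KillMode=none` in the new kdc-container.service is deprecated by systemd (recent releases log a warning when the unit is loaded) and leaves whatever podman leaves behind after ExecStop outside systemd's control, and there is no `Restart=` line, so a crashed container stays down until the next playbook run. Since ExecStop already runs `podman stop kdc` before systemd kills anything, the default kill mode should be enough for the `--rm` foreground run; I would drop `KillMode=none` and add `Restart=on-failure` under `[Service]`, or generate the unit with `podman generate systemd --new` so the settings match the installed podman release. The unit runs podman as `User=kdc`, a user the tasks hunk creates without subuid/subgid ranges; unless the podman role provisions them, rootless podman may fail to build or run the image, which is worth confirming before merge.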
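Review bot: The `rebuild kdc-container` handler effectively runs once per host: it is notified only by the git task in roles/kdc/tasks/main.yml, which uses `update: false`, so after the initial clone that task never reports changed and the image is never rebuilt, meaning base-image and package updates inside the container never reach the running KDC proxy. The `podman build` argv also has no `--pull`, so even a manual re-run of the handler reuses whatever base image is already in the kdc user's local storage. I would either drop `update: false` so a deliberate ref change triggers a rebuild, or add a scheduled rebuild with `- --pull` in the argv; the same staleness applies to the git task in the tasks hunk. The build runs as `become_user: kdc` against a checkout made as root in /usr/local/src/docker-kdc, which works only while that checkout stays readable by the kdc user — a one-line comment on the handler would save the next reader from guessing.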
@@ -1,87 +1,51 @@ --- -- name: install packages - package: - name: "{{ item }}" - state: installed - with_items: - - krb5-server - - krb5-server-ldap - - python-kdcproxy +- name: create group + ansible.builtin.group: + name: kdc -- name: create kerberos config - template: - dest: /var/kerberos/krb5kdc/kdc.conf - src: kdc.conf.j2 +- name: create user + ansible.builtin.user: + name: kdc + comment: Podman KDC + group: kdc + shell: /sbin/nologin + +- name: get container source + ansible.builtin.git: + dest: /usr/local/src/docker-kdc + repo: https://github.com/foo-sh/docker-kdc.git + update: false + notify: rebuild kdc-container + +- name: create service config + ansible.builtin.template: + dest: /etc/sysconfig/kdc-container + src: kdc-container.sysconfig.j2 mode: 0600 owner: root group: "{{ ansible_wheel }}" - notify: restart kdc -- name: store kdc and kadmin ldap auth credentials - shell: "( echo '{{ kerberos_kdc_pass }}' ; echo '{{ kerberos_kdc_pass }}' ) | kdb5_ldap_util stashsrvpw uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }} ; ( echo '{{ kerberos_kadmin_pass }}' ; echo '{{ kerberos_kadmin_pass }}' ) | kdb5_ldap_util stashsrvpw uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" - args: - creates: "/var/kerberos/krb5kdc/.k5.ldap.{{ kerberos_realm|lower() }}" - no_log: true - -- name: store kdc master key - shell: "echo '{{ kerberos_master_pass }}' | kdb5_util stash" - args: - creates: "/var/kerberos/krb5kdc/.k5.{{ kerberos_realm }}" - no_log: true - -- name: enable kerberos service - service: - name: krb5kdc - state: started - enabled: true - -- name: create kdcproxy group - group: - name: kdcproxy - system: true - -- name: create kdcproxy user - user: - name: kdcproxy - comment: KDC Proxy - group: kdcproxy - groups: gunicorn - home: /var/empty - shell: /sbin/nologin - system: true - -- name: add nginx to kdcproxy group - user: - name: nginx - groups: kdcproxy - -- name: create kdcproxy config - template: - dest: /etc/kdcproxy.conf 
- src: kdcproxy.conf.j2 +- name: create service file + ansible.builtin.copy: + dest: /etc/systemd/system/kdc-container.service + src: kdc-container.service mode: 0644 owner: root group: "{{ ansible_wheel }}" -- name: create kdcproxy socket file - copy: - dest: /lib/systemd/system/gunicorn@kdcproxy.socket - src: /lib/systemd/system/gunicorn@.socket - mode: 0644 - owner: root - group: "{{ ansible_wheel }}" - remote_src: true - -- name: enable kdcproxy socket - systemd: - name: gunicorn@kdcproxy.socket - enabled: true +- name: enable service + ansible.builtin.service: + name: kdc-container state: started + enabled: true -- name: create kdcproxy config for nginx - template: - dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/kdcproxy.conf" - src: nginx-kdcproxy.conf.j2 +- name: copy nginx config + ansible.builtin.copy: + dest: /etc/nginx/conf.d/{{ inventory_hostname }}/kdc-container.conf + content: | + location /kdcProxy { + proxy_pass http://localhost:8001; + } mode: 0644 owner: root group: "{{ ansible_wheel }}" diff --git a/roles/kdc/templates/kdc-container.sysconfig.j2 b/roles/kdc/templates/kdc-container.sysconfig.j2 new file mode 100644 index 0000000..e8d1fc7 --- /dev/null +++ b/roles/kdc/templates/kdc-container.sysconfig.j2 @@ -0,0 +1,4 @@ +LDAP_BASEDN="{{ ldap_basedn }}" +LDAP_BIND_PW="{{ kerberos_kdc_pass }}" +KRB5_REALM="{{ kerberos_realm }}" +KRB5_STASH_PW="{{ kerberos_master_pass }}" diff --git a/roles/kdc/templates/kdc.conf.j2 b/roles/kdc/templates/kdc.conf.j2 deleted file mode 100644 index fb915a3..0000000 --- a/roles/kdc/templates/kdc.conf.j2 +++ /dev/null 
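Review bot: The `create service config` task renders `kerberos_kdc_pass` and `kerberos_master_pass` into /etc/sysconfig/kdc-container without `no_log: true`, whereas the two stash tasks it replaces had it, so a run with `--diff` or a template failure prints both secrets to the console and to any log collector; add `no_log: true` to that task. The `get container source` task clones https://github.com/foo-sh/docker-kdc.git at whatever HEAD happens to be, with no `version:`; since this is the build input for the host's KDC, pin it to a tag or commit (`version: <tag-or-sha>`) so the deployed image is reproducible and an upstream branch change cannot silently alter what gets built. The new nginx snippet serves `/kdcProxy` while the deleted template served `/KdcProxy`; nginx prefix locations are case-sensitive, so clients configured for `/KdcProxy` will no longer match unless they are updated — confirm which path the container and the clients expect. Nothing removes the previous deployment on already-provisioned hosts: krb5kdc stays enabled, the kdcproxy user and `gunicorn@kdcproxy.socket` remain, and the old kdcproxy.conf nginx file keeps proxying `/KdcProxy` to a socket the dropped gunicorn dependency no longer provides.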
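Review bot: The four values in the new kdc-container.sysconfig.j2 are interpolated unescaped into double-quoted `EnvironmentFile` entries, so a password containing `"` or `\` will be truncated or mis-parsed by systemd and the container will start with a wrong bind or stash password; if the generated secrets are not constrained to safe characters, say so in a header comment on the template or escape them before rendering. Note also the trade-off this commit makes: `kerberos_master_pass` previously lived only inside the stash file produced by `kdb5_util stash`, and it now sits in clear text in /etc/sysconfig/kdc-container (root, mode 0600, group `ansible_wheel` per the tasks hunk) and in the environment of the podman process started by the unit. That is acceptable only if membership in the `ansible_wheel` group is already treated as equivalent to root on these hosts, which deserves a comment at the top of the template.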
@@ -1,33 +0,0 @@
-[libdefaults]
- default_realm = {{ kerberos_realm }}
-
-[logging]
- kdc = SYSLOG
- admin_server = SYSLOG
-
-[kdcdefaults]
- # listen on localhost only
- kdc_listen = 127.0.0.1:88
- kdc_tcp_listen = 127.0.0.1:88
-
-[realms]
- {{ kerberos_realm }} = {
- database_module = ldap.{{ kerberos_realm|lower() }}
- key_stash_file = "/var/kerberos/krb5kdc/.k5.{{ kerberos_realm }}"
- max_lifetime = 24h 0m 0s
- max_renewable_life = 7d 0h 0m 0s
- master_key_type = aes256-cts-hmac-sha1-96
- supported_enctypes = aes256-cts-hmac-sha1-96:normal
- }
-
-[dbmodules]
- ldap.{{ kerberos_realm|lower() }} = {
- db_library = kldap
- disable_last_success = true
- disable_lockout = true
- ldap_kerberos_container_dn = "ou=System,{{ ldap_basedn }}"
- ldap_kdc_dn = "uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}"
- ldap_kadmind_dn = "uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}"
- ldap_service_password_file = "/var/kerberos/krb5kdc/.k5.ldap.{{ kerberos_realm|lower() }}"
- ldap_servers = "{% for item in ldap_server %}ldaps://{{ item }} {% endfor %}"
- }
diff --git a/roles/kdc/templates/kdcproxy.conf.j2 b/roles/kdc/templates/kdcproxy.conf.j2
deleted file mode 100644
index 34af5df..0000000
--- a/roles/kdc/templates/kdcproxy.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-[global]
-
-[{{ kerberos_realm }}]
-kerberos = kerberos+tcp://localhost
diff --git a/roles/kdc/templates/nginx-kdcproxy.conf.j2 b/roles/kdc/templates/nginx-kdcproxy.conf.j2
deleted file mode 100644
index 6745e46..0000000
--- a/roles/kdc/templates/nginx-kdcproxy.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-location /KdcProxy {
- proxy_pass http://unix:/run/gunicorn/gunicorn-kdcproxy.sock:/KdcProxy;
-}