From 83380047bb923837868dd22dce055d814275af97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 29 Mar 2024 09:28:13 +0400
Subject: [PATCH] Configure LDAP integration for Mastodon
---
 data_bags/credentials/mastodon.json | 80 +++++++++++--------
 nodes/mastodon-3.json | 3 +
 .../kosmos-mastodon/recipes/default.rb | 40 +++++++---
 .../kosmos-mastodon/templates/default/env.erb | 17 ++++
 4 files changed, 95 insertions(+), 45 deletions(-)
diff --git a/data_bags/credentials/mastodon.json b/data_bags/credentials/mastodon.json
index 145f5c1..90af0ab 100644
--- a/data_bags/credentials/mastodon.json
+++ b/data_bags/credentials/mastodon.json 
@@ -1,79 +1,93 @@
 {
 "id": "mastodon",
 "paperclip_secret": { 
- "encrypted_data": "orOIbqFANPCkd4sUTCyyoh4z1o6SBudgH4wKJudTo9dANaHGhWcBUFKrhZi1\nMJTBQx/d0hiDI1P2XN3h+hROCg3JJ8OClUSJH9CfN5GlbWvXh0Nhq7hqy8L3\nLAPL+uigiXI6ObrnKQoD8LeJIB46233uwaCA/7zB6gah0ExJ2DXGH6qq9JSS\nqmTFiy+hT+VHGrUo\n", 
- "iv": "U4E4NLYLkP0/tTTs\n", 
- "auth_tag": "WKQ+pDPZp7B791lhC5j3iQ==\n", 
+ "encrypted_data": "VJn4Yd2N7qFV+nWXPjPA8Y2KEXL/gZs2gK5E3DZZc9ogFXV7RtpDtq+NKGJU\ndpR8ohtEZvkyC+iBkMAlnS1sSVKiLdQ1xXvbzkj04mYgjnLvwsZ19uVpBGwR\nt/DON7Bhe5Fw+OyrBQksqNcZQSpB9sMBfgA1IgCpdVGHQ8PmkMbFTaZZYcoF\n7gg3yUw5/0t3vRdL\n", 
+ "iv": "X5atp/KaIurfln/u\n", 
+ "auth_tag": "mVnBoUb5HwhXNYUddJbq8Q==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "secret_key_base": { 
- "encrypted_data": "vweClhdY8SqQkK+p0OYUL2B6Fsz5eQDpEYWCtd/eRJfwwYAObbLcMWRC6MwE\neQVMw59bOqYc3RBuv/+WPLtENazA1bYCXBXQr1J6xqjJAz0Mo6KbRyxy5n78\nv8q6RSiao1VVIUXohtFlQgWeV6x5sz34bJxjlHinKvKsgiGXiuVBxYUUfzWQ\nuzrGug09cpZBqfpc\n", 
- "iv": "Z0/csEBH5/X1+MR+\n", 
- "auth_tag": "fTvBN6eovi3JVEK0ZX97Nw==\n", 
+ "encrypted_data": "d0sNREFhzQEJhkRzielbCNBJOVAdfThv7zcYTZ1vFZ20i/mzB9GWW2nb+1yn\nNFjAq8wCLpLXn9n3FClE+WOqnAw0jwTlyScRM5lzjKI5SxHKkBQHGyFs2AF8\nqFjEvpiqxhjsc4kNOJGO8DdcyHuulXyaO9fJg8HDnU1ov1vSSuTc0ABKgycY\nMq/Xt10UXnhP8cPw\n", 
+ "iv": "HFT7fdGQ2KRJ2NFy\n", 
+ "auth_tag": "C55JT2msLQCoI+09VKf+Jw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "otp_secret": { 
- "encrypted_data": "o1ts1bUgPIzFQXjJ2MpBMLntWkyPxDaJAaU1K3WzmNMXnw5MVlkKKCEFVccd\nPss/MwDuBkbNPhri3ZkH48m9SiayWETVYvw5GZzcVsw4TeMu915O44lfl9tX\nW3XHU+DBps1BVH9535R4X9M1aFW4W4XfwHtS5wcrZqtVhNhS3NSgE4JpN/Dz\nFdcFAOhflnt8fIAN\n", 
- "iv": "QLsxmIlX1NpxMyHz\n", 
- "auth_tag": "j1h/PvIoqshTBN5c5IaAsA==\n", 
+ "encrypted_data": "1iH7mUkaUzyn9dfDwMdiJ8X059qWSUO3DqivsOFfI1f44nMnzllaYPu6nh8O\nNLNCOzvsSAonhhaq1X+foOdyPIG2mGhE/juKveDD57/AdZAayHWsbsQlPC4l\nwdShz/ANrq0YZ/zOhpT2sZj1TZavW+S+JlxJFX2kP24D4dUzwG0vNj7522+Q\n9NAApJdUte1ZYF/b\n", 
+ "iv": "00/vs5zTdoC19+pS\n", 
+ "auth_tag": "3cjYqebMshnmWkQ3SdRcCQ==\n", 
"version": 3,
 "cipher": "aes-256-gcm"
 },
 "aws_access_key_id": { 
- "encrypted_data": "YQHUx0GugKu0AtlbGLRGocFEhTGAghWA0DUs1Nxs4Hd3bTIp4lyM\n", 
- "iv": "54zt2tkQhHtpY7sO\n", 
- "auth_tag": "ofBJx3QDsjHe66ga3nji8g==\n", 
+ "encrypted_data": "krcfpxOrAkwZR2GP4glTaFg2dw/COw8BO8I+KICqyl4bvpL5NrB9\n", 
+ "iv": "paoDKp6EIU8bjxzF\n", 
+ "auth_tag": "p6Pt/tz5dgGXzW5cO06nBg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "aws_secret_access_key": { 
- "encrypted_data": "FAz6xZ+wsCz/KFA+DK6f4V04rxJt+9U/yXUGF9tvce0VqB3scH+T0KDDn1/n\nZ/0G0Tbxt2urRPbPUdI=\n", 
- "iv": "iapSpeM6lfDMIfNk\n", 
- "auth_tag": "HlkwUnNeJlOUrZ3ieN5xAQ==\n", 
+ "encrypted_data": "aQySCT7gxeNiMMocq81KtIi+YzrZwMBeTd4LrRSN8iNEikWReJrrfagBwozy\n+Gfdw4bMGzY1dhF1Sl4=\n", 
+ "iv": "R/hvvOvmqq/uoKbx\n", 
+ "auth_tag": "QBJY/3+OprBXO/FSNwv2OQ==\n", 
+ "version": 3, 
+ "cipher": "aes-256-gcm" 
+ }, 
+ "ldap_bind_dn": { 
+ "encrypted_data": "wDPABdL+DlXz2WWV4XwW20kM4EWPSwc/ajBmbdYMnjFau6c76CIBpbFhrFoj\n3mwDbHz8cgOnLNvozXSV4w6N7URCN/mWWTBHNhd3ppw=\n", 
+ "iv": "8rQ0M4LT1HbCNpq9\n", 
+ "auth_tag": "AuO5R6WCtd75TGJNfgFSCg==\n", 
+ "version": 3, 
+ "cipher": "aes-256-gcm" 
+ }, 
+ "ldap_password": { 
+ "encrypted_data": "y0t8RuptVYiTKmUhaAWsC4c2ZzhQsYeVLeMPiQBn+Q==\n", 
+ "iv": "mixYzDKkPSIDQ/l+\n", 
+ "auth_tag": "DbLlZG7rlgBmyCdJ3nhSYA==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "smtp_user_name": { 
- "encrypted_data": "ivB09/mCRrUaz9X4NFRBiqytjgy/vxN5Nha7gopFq5eSu9v4K9MkaLRqHh1I\nYw==\n", 
- "iv": "a8WKhRKsUjqBtfmn\n", 
- "auth_tag": "ib5WJNNaO7bRIspdACmOLw==\n", 
+ "encrypted_data": "Ugc29HUFcirv6jOOlYNs9uvmhfwa2rG41im/MusCx0Vu0AZKcdy0krGi/kCZ\nKg==\n", 
+ "iv": "ZlDK854w+vTNmeJe\n", 
+ "auth_tag": "Nj95g0JMxrT419OLQIX26g==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "smtp_password": { 
- "encrypted_data": "FxPz2e7fUNqcAu+DDJKlqn8rcSBLmnzigTFf5moZlQ1zz4YVl6pqHisa22Qz\nbfUx9rjU\n", 
- "iv": "GvRlNDV/b1WawtOP\n", 
- "auth_tag": "kyRCGfSJQelIwThDT4iQQQ==\n", 
+ "encrypted_data": 
"D1TGjRfmM1ZeUmzwewlKXfQvvqTSzpzNlK5MKIU8dxbAH175UKn5qiemDEWe\nRYPe1LWT\n", 
+ "iv": "D1OVfD5bMcefM5DP\n", 
+ "auth_tag": "2E/q2gTbdXiLVnOMDeJv9w==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "vapid_private_key": { 
- "encrypted_data": "DlbEAhd+SkSJoOSuwGhd5bdFlJADnT0w4u0+6m8AJoWJjoSCGAnzzmdHWT/k\nVUDkwiBCkqmEPK0oTvxnl/a8\n", 
- "iv": "6e0Gay7GVrQad1rI\n", 
- "auth_tag": "jjVundJ/ITxP/oYgEgzElg==\n", 
+ "encrypted_data": "+87bVrbd/XvWhZH1IYusc4Hla7ZZmylptAyJf48CMG/F3SMEO33OqW2I+UWh\nSkqbxai5+GaMhvZHB8U2Clod\n", 
+ "iv": "HVhNdFQl0TvCcjsa\n", 
+ "auth_tag": "EEQXuQ5keOHXmchhBh+Ixw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "vapid_public_key": { 
- "encrypted_data": "+m37w/eWYqdEjsEYQw27FvQC+37ucruOFjZAjo0OgCwA0SoVz4VHX2eSA2AK\njX4CnM91cY4e/WG/ZHKlOMN1PftyQn2bdGaw35nXDanep8z0ROa01JEEi5DE\nUFRKvBmPInTeR6xvemuj7GM=\n", 
- "iv": "loYbGrAsWGLUZ+BK\n", 
- "auth_tag": "lAfpEEVQq+n7MLLm/kpmIA==\n", 
+ "encrypted_data": "nBm1lXbn1+Kzol95+QSEjsUI/n7ObhdEqEyfYcVSP/LiLy57KOBQDu6CjSMz\n+PN9yEP4lOjtscqHS29jTC2vi3PSui9XpOFHRxFBnDuyKxczrnID2KlLCNRQ\n228G3VRgFIMAWMYKACgzUk0=\n", 
+ "iv": "xHrVl+4JGkQbfUW3\n", 
+ "auth_tag": "rfFoBMocq17YiDSlOCvWqw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "s3_key_id": { 
- "encrypted_data": "4B8OQ0iVCCna4FvC+EuS5prEUWaHRm1+tzXGmFoCQ4WZfhUA1HwT3x651e/R\n", 
- "iv": "1/zGwcQPQQQCiXIs\n", 
- "auth_tag": "siK9ph1q3/VVEycy91wkqQ==\n", 
+ "encrypted_data": "pq0+VZhjoxzLuyY34f23wOmuks9Wevt8Wu6muKZAsZMSuU0iJvlRoK/65Qa0\n", 
+ "iv": "QTxO+IfYcpI170ON\n", 
+ "auth_tag": "4ZHva2iBYgDv6DyhMRRXzA==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "s3_secret_key": { 
- "encrypted_data": "BSAc8dE/rQUiVvTGV6Ee/ZUDpq4HZlpoaCZ+lbQAbcnxui4ib0OTLPFwhVJ9\n4OQWahtSzkqxMc6MKWpadLT1a3oTnvnae9b3u40X5b2P3VyZYCM=\n", 
- "iv": "bqw8GTqLMTs5vD5n\n", 
- "auth_tag": "+e48L1lYVNda7VE3uLOAHA==\n", 
+ "encrypted_data": "YMZqKtOXDPAME8IWWC+lO8TsxHMzawlbTju9z/Hcb5DnQAOy82QufTN90m73\n/xikUboAdKcA5YGn0mkm+Rt/ygVR6DFirYV3kwi2M3qyGVJifug=\n", 
+ "iv": "9AwabheRFOgC8IKR\n", 
+ "auth_tag": 
"iU2kkA1q8OsblN5jaZrWGQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 } 
diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json
index 7bc96ba..1cd9134 100644
--- a/nodes/mastodon-3.json
+++ b/nodes/mastodon-3.json
@@ -14,6 +14,7 @@
 "ipaddress": "192.168.122.161",
 "roles": [
 "kvm_guest", 
+ "ldap_client",
 "garage_gateway",
 "mastodon",
 "postgresql_client"
@@ -22,6 +23,7 @@
 "kosmos-base",
 "kosmos-base::default",
 "kosmos_kvm::guest", 
+ "kosmos-dirsrv::hostsfile",
 "kosmos_garage",
 "kosmos_garage::default",
 "kosmos_garage::firewall_rpc",
@@ -84,6 +86,7 @@
 "run_list": [
 "recipe[kosmos-base]",
 "role[kvm_guest]", 
+ "role[ldap_client]",
 "role[garage_gateway]",
 "role[mastodon]"
 ] 
diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb
index 2ab20b0..5c2d3cb 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@@ -44,7 +44,7 @@ end
 elasticsearch_service 'elasticsearch' 
-postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') 
+postgresql_credentials = data_bag_item('credentials', 'postgresql')
 mastodon_path = node["kosmos-mastodon"]["directory"]
 mastodon_user = "mastodon"
@@ -168,7 +168,22 @@ execute "restart mastodon services" do
 notifies :restart, "service[mastodon-streaming]", :delayed
 end 
-mastodon_credentials = data_bag_item('credentials', 'mastodon') 
+credentials = data_bag_item('credentials', 'mastodon') 
+ 
+ldap_config = { 
+ host: "ldap.kosmos.local", 
+ port: 389, 
+ method: "plain", 
+ base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org", 
+ bind_dn: credentials["ldap_bind_dn"], 
+ password: credentials["ldap_password"], 
+ uid: "cn", 
+ mail: "mail", 
+ search_filter: "(&(|(cn=%{email})(mail=%{email}))(serviceEnabled=mastodon))", 
+ uid_conversion_enabled: "true", 
+ uid_conversion_search: "-", 
+ uid_conversion_replace: "_" 
+}
 template "#{mastodon_path}/.env.#{rails_env}" do
 source "env.erb" 
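Review bot: `method: "plain"` together with `port: 389` in `ldap_config` makes Mastodon bind to `ldap.kosmos.local` without transport encryption, so the bind password taken from `credentials["ldap_password"]` and each user's login password cross the network in cleartext on every LDAP authentication. Mastodon's `LDAP_METHOD` also accepts `start_tls` (same port) and `simple_tls` (usually 636); unless this link is known to be host-local or otherwise encrypted, `method: "start_tls",` is the one-line change I would make here, possibly paired with the certificate settings the directory server needs. The host, base DN and filter are hard-coded while the comparable settings in this recipe come from `node["kosmos-mastodon"]`, so a `node["kosmos-mastodon"]["ldap"]` attribute block would keep them overridable per node and leave only the two secrets in the data bag. `ldap.kosmos.local` presumably resolves through the `kosmos-dirsrv::hostsfile` recipe added to the node in this same commit; a comment saying so would save the next reader the cross-reference.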
@@ -178,21 +193,22 @@ template "#{mastodon_path}/.env.#{rails_env}" do
 variables redis_url: node["kosmos-mastodon"]["redis_url"],
 domain: node["kosmos-mastodon"]["domain"],
 alternate_domains: node["kosmos-mastodon"]["alternate_domains"], 
- paperclip_secret: mastodon_credentials['paperclip_secret'], 
- secret_key_base: mastodon_credentials['secret_key_base'], 
- otp_secret: mastodon_credentials['otp_secret'], 
- smtp_login: mastodon_credentials['smtp_user_name'], 
- smtp_password: mastodon_credentials['smtp_password'], 
+ paperclip_secret: credentials['paperclip_secret'], 
+ secret_key_base: credentials['secret_key_base'], 
+ otp_secret: credentials['otp_secret'], 
+ ldap: ldap_config, 
+ smtp_login: credentials['smtp_user_name'], 
+ smtp_password: credentials['smtp_password'],
 smtp_from_address: "mail@#{node['kosmos-mastodon']['domain']}",
 s3_endpoint: node["kosmos-mastodon"]["s3_endpoint"],
 s3_region: node["kosmos-mastodon"]["s3_region"],
 s3_bucket: node["kosmos-mastodon"]["s3_bucket"],
 s3_alias_host: node["kosmos-mastodon"]["s3_alias_host"], 
- aws_access_key_id: mastodon_credentials['s3_key_id'], 
- aws_secret_access_key: mastodon_credentials['s3_secret_key'], 
- vapid_private_key: mastodon_credentials['vapid_private_key'], 
- vapid_public_key: mastodon_credentials['vapid_public_key'], 
- db_pass: postgresql_data_bag_item['mastodon_user_password'], 
+ aws_access_key_id: credentials['s3_key_id'], 
+ aws_secret_access_key: credentials['s3_secret_key'], 
+ vapid_private_key: credentials['vapid_private_key'], 
+ vapid_public_key: credentials['vapid_public_key'], 
+ db_pass: postgresql_credentials['mastodon_user_password'],
 db_host: "pg.kosmos.local",
 default_locale: node["kosmos-mastodon"]["default_locale"],
 allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/env.erb b/site-cookbooks/kosmos-mastodon/templates/default/env.erb
index e81a6fa..4e1fae1 100644 
--- a/site-cookbooks/kosmos-mastodon/templates/default/env.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/env.erb
@@ -29,6 +29,23 @@ SMTP_LOGIN=<%= @smtp_login %>
 SMTP_PASSWORD=<%= @smtp_password %>
 SMTP_FROM_ADDRESS=<%= @smtp_from_address %> 
+<% if @ldap %> 
+# LDAP configuration 
+LDAP_ENABLED=true 
+LDAP_HOST=<%= @ldap[:host] %> 
+LDAP_PORT=<%= @ldap[:port] %> 
+LDAP_METHOD='<%= @ldap[:method] %>' 
+LDAP_BASE='<%= @ldap[:base] %>' 
+LDAP_BIND_DN='<%= @ldap[:bind_dn] %>' 
+LDAP_PASSWORD='<%= @ldap[:password] %>' 
+LDAP_UID=<%= @ldap[:uid] %> 
+LDAP_MAIL=<%= @ldap[:mail] %> 
+LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>' 
+LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %> 
+LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %> 
+LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %> 
+<% end %> 
+
 # Optional asset host for multi-server setups
 # CDN_HOST=assets.example.com
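Review bot: `LDAP_PASSWORD='<%= @ldap[:password] %>'` (and likewise `LDAP_BIND_DN`, `LDAP_BASE`, `LDAP_SEARCH_FILTER`) drops the raw value between single quotes with no escaping, so a bind password that happens to contain `'` yields a malformed line in the generated `.env.<rails_env>` and a failed bind that is hard to trace back to this template. As far as I recall Ruby's dotenv applies no escape processing inside single quotes, and the same file may also be read by systemd's `EnvironmentFile=` with different quoting rules, so the robust fix is to reject such values where they enter the recipe, e.g. `raise "ldap_password must not contain a single quote" if credentials["ldap_password"].include?("'")` next to `ldap_config`, or at least to state the restriction in the data bag's documentation. The surrounding lines (`SMTP_PASSWORD=<%= @smtp_password %>`) write values unquoted, so the new block introduces a second quoting convention in the one file; a one-line comment such as `# quoted: DN and filter contain '=', ',' and parentheses` would explain the difference to the next reader.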