diff --git a/roles/lemonldap_ng/templates/nginx_portal.conf.j2 b/roles/lemonldap_ng/templates/nginx_portal.conf.j2
index 690653d..8446161 100644
--- a/roles/lemonldap_ng/templates/nginx_portal.conf.j2
+++ b/roles/lemonldap_ng/templates/nginx_portal.conf.j2
@@ -51,19 +51,19 @@ server {
 try_files $uri $uri/ =404;
 }
 
- location /index.psgi/adminSessions {
+ location ~ ^/index.psgi/adminSessions {
 deny all;
 }
 
- location /index.psgi/sessions {
+ location ~ ^/index.psgi/sessions {
 deny all;
 }
 
- location /index.psgi/config {
+ location ~ ^/index.psgi/config {
 deny all;
 }
 
- location /index.psgi/notification {
+ location ~ ^/index.psgi/notification {
 deny all;
 }
 }
@@ -87,7 +87,7 @@ server {
 {% endif %}
 {% endif %}
 
- location ~ /index.psgi/(adminSessions|sessions|config|notification) {
+ location ~ ^/index.psgi/config {
 {% if llng_engine == 'fastcgi' %}
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
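Review bot: The replacement regex on the `+ location ~ ^/index.psgi/config {` line drops `notification` from the gated set, so in this second server block requests to `/index.psgi/notification` no longer hit the source-IP `allow`/`deny` list and `auth_basic` of this location and fall through to whichever other location matches; the rest of the server block is outside the hunk, so where they land cannot be confirmed from the diff. The first server block still denies that path outright, but nothing visible here does so in this block. If notification is not meant to be reachable through the API gate, give it an explicit `location ~ ^/index.psgi/notification { deny all; }` next to the gated locations, or add it back to one alternation such as `location ~ ^/index.psgi/(adminSessions|sessions|notification) {`. The `.` in `index.psgi` is unescaped in every one of these regexes; write `index\.psgi` so the gated locations match only the intended script. The body of this location continues past the end of the hunk.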
@@ -107,12 +107,39 @@ server {
 {% endfor %}
 deny all;
 {% if llng_api_pass is defined %}
- auth_basic "Lemonldap::NG SOAP endpoint";
+ auth_basic "Lemonldap::NG API";
 auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
 satisfy all;
 {% endif %}
 }
 
+ location ~ ^/index.psgi/(adminSessions|sessions) {
+{% if llng_engine == 'fastcgi' %}
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_param LLTYPE psgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+{% elif llng_engine == 'uwsgi' %}
+ include /etc/nginx/uwsgi_params;
+ uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock;
+ uwsgi_param LLTYPE psgi;
+ uwsgi_param SCRIPT_FILENAME $document_root$sc;
+ uwsgi_param SCRIPT_NAME $sc;
+{% endif %}
+{% for ip in llng_api_src_ip %}
+ allow {{ ip }};
+{% endfor %}
+ deny all;
+{% if llng_api_pass is defined %}
+ auth_basic "Lemonldap::NG API";
+ auth_basic_user_file /etc/lemonldap-ng/api.htpasswd;
+ satisfy all;
+ access_log off;
+{% endif %}
+ }
+
 location / {
 deny all;
 }
diff --git a/roles/seafile/defaults/main.yml b/roles/seafile/defaults/main.yml
index 6038cd7..a522527 100644
--- a/roles/seafile/defaults/main.yml
+++ b/roles/seafile/defaults/main.yml
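Review bot: `access_log off;` in the new `location ~ ^/index.psgi/(adminSessions|sessions)` block silences the access log for the session-administration API precisely when `llng_api_pass` is defined, which removes the only record of who listed or removed sessions through it; an admin endpoint is where that log is most wanted, so drop the line or route it to its own file, e.g. `access_log /var/log/nginx/llng-api.log;`. Since `auth_basic` sits under the same conditional, a deployment without `llng_api_pass` is protected by the `allow` list alone — consistent with the config location above, but worth a one-line template comment so operators know the password is what enables the second factor. The uwsgi branch references `$sc`, which is not defined in this hunk; presumably a `map` or `set` elsewhere in the template provides it — confirm. The block otherwise repeats the config location verbatim; a Jinja macro for the shared body would keep the two from drifting.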
@@ -11,11 +11,11 @@ # MaxUsers = "9" # Mode = "subscription" # etc... -seafile_version: "{{ seafile_license is defined | ternary('10.0.9','10.0.1') }}" +seafile_version: "{{ seafile_license is defined | ternary('10.0.9','11.0.3') }}" # Archive URL and sha256 are only used for the community version seafile_archive_url: https://s3.eu-central-1.amazonaws.com/download.seadrive.org/seafile-server_{{ seafile_version }}_x86-64.tar.gz -seafile_archive_sha256: 4ce8d51c464ccde8478dfb5f6c92a43b6beece210a939e799b647521ce5baf42 +seafile_archive_sha256: 72fced8581fcded3b63d64c2cc34ca22c30278e4a540d9321cb4727a566a3bf7 seafile_root_dir: /opt/seafile seafile_data_dir: "{{ seafile_root_dir }}/data" @@ -80,6 +80,11 @@ seafile_ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | def # prevent seafevents from starting ! # seafile_ldap_bind_pass: seafile_ldap_login_attr: "{{ ad_auth | default(False) | ternary('userPrincipalName','mail') }}" +seafile_ldap_email_attr: mail +seafile_ldap_first_name_attr: givenName +seafile_ldap_last_name_attr: sn +seafile_ldap_dept_attr: department +seafile_ldap_uid_attr: "{{ ad_auth | default(False) | ternary('sAMAccountName', 'uid') }}" seafile_ldap_filter: "{{ ad_auth | default(False) | ternary('&(objectClass=user)(objectCategory=person)(primaryGroupId=513)','objectClass=inetOrgPerson') }}" # seafile_ldap_group_filter: (mail=*) diff --git a/roles/seafile/tasks/facts.yml b/roles/seafile/tasks/facts.yml index 14e8045..4a2e776 100644 --- a/roles/seafile/tasks/facts.yml +++ b/roles/seafile/tasks/facts.yml @@ -8,6 +8,14 @@ - vars/{{ ansible_os_family }}.yml tags: seafile +- set_fact: seafile_edition='pro' + when: seafile_licence is defined + tags: seafile + +- set_fact: seafile_edition='community' + when: seafile_licence is not defined + tags: seafile + - name: Set default install mode set_fact: seafile_install_mode='none' tags: seafile 
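Review bot: The two new `set_fact` tasks in facts.yml test `seafile_licence is defined`, while `seafile_version` in defaults/main.yml (and the sync block in seahub_settings.py.j2) in this same commit test `seafile_license`; unless an inventory happens to set both spellings, a licensed host resolves `seafile_edition` to `'community'`, receives the community pip pins and `seafile_rm_libs` entries from install.yml, and skips the pro `[LDAP]` section in ccnet.conf.j2. Pick one spelling — `when: seafile_license is defined` / `when: seafile_license is not defined` — or derive the fact once with `set_fact: seafile_edition="{{ seafile_license is defined | ternary('pro', 'community') }}"`. The install.yml and ccnet.conf.j2 hunks consume this fact and are affected in the same way.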
diff --git a/roles/seafile/tasks/install.yml b/roles/seafile/tasks/install.yml index e985809..86abb3f 100644 --- a/roles/seafile/tasks/install.yml +++ b/roles/seafile/tasks/install.yml @@ -37,7 +37,7 @@ pip: virtualenv: "{{ seafile_root_dir }}" virtualenv_command: /bin/python3.9 -m venv - name: "{{ seafile_python_libs }}" + name: "{{ seafile_python_libs[seafile_edition] }}" notify: - restart seafile - restart seahub @@ -150,7 +150,7 @@ # Needed since CentOS 7.5 so ldaps can be used - name: Remove bundled libs file: path={{ seafile_root_dir }}/seafile-server/seafile/lib/{{ item }} state=absent - loop: "{{ seafile_rm_libs }}" + loop: "{{ seafile_rm_libs[seafile_edition] }}" notify: restart seafile tags: seafile diff --git a/roles/seafile/templates/ccnet.conf.j2 b/roles/seafile/templates/ccnet.conf.j2 index d153140..e1e9ffc 100644 --- a/roles/seafile/templates/ccnet.conf.j2 +++ b/roles/seafile/templates/ccnet.conf.j2 @@ -15,7 +15,7 @@ PASSWD = {{ seafile_db_pass }} DB = {{ seafile_db_ccnet }} CONNECTION_CHARSET = utf8 -{% if seafile_ldap_auth is defined and seafile_ldap_auth %} +{% if seafile_edition == 'pro' and seafile_ldap_auth is defined and seafile_ldap_auth %} [LDAP] HOST = {{ seafile_ldap_uri }} BASE = {{ seafile_ldap_base }} diff --git a/roles/seafile/templates/seahub_settings.py.j2 b/roles/seafile/templates/seahub_settings.py.j2 index c41d4bb..2c1accc 100644 --- a/roles/seafile/templates/seahub_settings.py.j2 +++ b/roles/seafile/templates/seahub_settings.py.j2 @@ -122,6 +122,7 @@ OAUTH_ATTRIBUTE_MAP = { "name": (False, "name"), } {% endif %} +{% endif %} {% if seafile_header_auth == True %} ENABLE_REMOTE_USER_AUTHENTICATION = True REMOTE_USER_HEADER = '{{ seafile_header_auth_name }}' 
@@ -169,3 +170,34 @@ ENABLE_UPLOAD_LINK_VIRUS_CHECK = True VIRUS_SCAN_NOTIFY_LIST = ['{{ system_admin_email }}'] {% endif %} {% endif %} + +{% if seafile_edition == 'community' and seafile_ldap_auth is defined and seafile_ldap_auth %} +ENABLE_LDAP = True +LDAP_SERVER_URL = '{{ seafile_ldap_uri }}' +LDAP_BASE_DN = '{{ seafile_ldap_base }}' +{% if seafile_ldap_bind_dn is defined and seafile_ldap_bind_pass is defined %} +LDAP_ADMIN_DN = '{{ seafile_ldap_bind_dn }}' +LDAP_ADMIN_PASSWORD = '{{ seafile_ldap_bind_pass }}' +{% endif %} +LDAP_PROVIDER = 'ldap' +LDAP_LOGIN_ATTR = '{{ seafile_ldap_login_attr }}' +LDAP_FILTER = '{{ seafile_ldap_filter }}' +LDAP_CONTACT_EMAIL_ATTR = '{{ seafile_ldap_email_attr }}' +LDAP_USER_FIRST_NAME_ATTR = '{{ seafile_ldap_first_name_attr }}' +LDAP_USER_LAST_NAME_ATTR = '{{ seafile_ldap_last_name_attr }}' + +{% if seafile_license is defined %} +LDAP_SYNC_INTERVAL = 60 +ENABLE_LDAP_USER_SYNC = True +{% if seafile_ldap_group_filter is defined %} +ENABLE_LDAP_GROUP_SYNC = True +{% endif %} +DEACTIVE_USER_IF_NOTFOUND = True +LDAP_USER_OBJECT_CLASS = 'person' +ENABLE_EXTRA_USER_INFO_SYNC = True +DEPT_ATTR = '{{ seafile_ldap_dept_attr }}' +LDAP_UID_ATTR = '{{ seafile_ldap_uid_attr }}' +ACTIVATE_USER_WHEN_IMPORT = False +ACTIVATE_AFTER_FIRST_LOGIN = True +{% endif %} +{% endif %} diff --git a/roles/seafile/vars/RedHat-7.yml b/roles/seafile/vars/RedHat-7.yml index f08756d..e134653 100644 --- a/roles/seafile/vars/RedHat-7.yml +++ b/roles/seafile/vars/RedHat-7.yml 
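Review bot: The inner `{% if seafile_license is defined %}` block is nested inside `{% if seafile_edition == 'community' ... %}`, so the pro-only sync settings (`ENABLE_LDAP_USER_SYNC`, `DEACTIVE_USER_IF_NOTFOUND`, `LDAP_UID_ATTR`, …) are emitted only when a license is defined yet the edition is community, a state that should be unreachable once facts.yml derives the edition from the license; as written the block is either dead or reached only through the `seafile_licence`/`seafile_license` spelling mismatch. Either drop the inner block or move it to a pro-edition section. The LDAP values are interpolated into single-quoted Python literals without escaping (`LDAP_FILTER = '{{ seafile_ldap_filter }}'`, `LDAP_ADMIN_PASSWORD = '{{ seafile_ldap_bind_pass }}'`), so a filter or bind password containing `'` or `\` yields an unparseable settings file; rendering with `{{ seafile_ldap_filter | to_json }}` produces a quoted, escaped literal Python accepts for these values. The bind password lands in clear text in seahub_settings.py, so the task that writes this template should set a restrictive mode — not visible in this diff.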
@@ -24,20 +24,44 @@ seafile_packages: - python-setuptools # needed for ansible to create the venv seafile_python_libs: - - Pillow - - pylibmc - - captcha - - jinja2 - - sqlalchemy - - psd-tools - - django-pylibmc - - django-simple-captcha - - python3-ldap - - requests_oauthlib - - future - - mysqlclient==2.0.1 - - pycryptodome - - lxml + community: + - pillow==10.0.* + - pylibmc + - captcha==0.4 + - jinja2 + - SQLAlchemy==2.0.18 + - psd-tools + - django-pylibmc + - django_simple_captcha==0.5.* + - djangosaml2==1.5.* + - pysaml2==7.2.* + - python-ldap==3.4.3 + - requests_oauthlib + - future==0.18.* + - mysqlclient==2.1.* + - pycryptodome==3.16.* + - cffi==1.15.1 + - lxml + - chardet + pro: + - pillow==9.3.* + - pylibmc + - captcha==0.4 + - jinja2 + - SQLAlchemy==1.4.3 + - psd-tools + - django-pylibmc + - django_simple_captcha==0.5.* + - djangosaml2==1.5.* + - pysaml2==7.2.* + - python-ldap + - requests_oauthlib + - future==0.18.* + - mysqlclient==2.1.* + - pycryptodome==3.16.* + - cffi==1.15.1 + - lxml + - chardet seafile_rm_libs: - libnssutil3.so diff --git a/roles/seafile/vars/RedHat-8.yml b/roles/seafile/vars/RedHat-8.yml index d4543d0..43d96f5 100644 --- a/roles/seafile/vars/RedHat-8.yml +++ b/roles/seafile/vars/RedHat-8.yml 
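Review bot: `seafile_rm_libs` in RedHat-7.yml stays a flat list (`seafile_rm_libs:` / `- libnssutil3.so` in the trailing context), but install.yml in this commit now loops over `seafile_rm_libs[seafile_edition]`, so the 'Remove bundled libs' task will fail on EL7 hosts when the list is indexed by a string key; split it into `community:` and `pro:` keys as RedHat-8.yml does (the list continues past the hunk, so its remaining items are not visible here). Separately, `python-ldap` is pinned to `3.4.3` for community but left unpinned for pro in this file and identically in RedHat-8.yml and RedHat-9.yml; if the asymmetry is intentional a comment should say why, otherwise pin both sides.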
@@ -24,29 +24,54 @@ seafile_packages: - python3-setuptools # needed for ansible to create the venv seafile_python_libs: - - pillow==9.3.* - - pylibmc - - captcha==0.4 - - jinja2 - - SQLAlchemy==1.4.3 - - psd-tools - - django-pylibmc - - django_simple_captcha==0.5.* - - djangosaml2==1.5.* - - pysaml2==7.2.* - - python-ldap - - requests_oauthlib - - future==0.18.* - - mysqlclient==2.1.* - - pycryptodome==3.16.* - - cffi==1.15.1 - - lxml - - chardet + community: + - pillow==10.0.* + - pylibmc + - captcha==0.4 + - jinja2 + - SQLAlchemy==2.0.18 + - psd-tools + - django-pylibmc + - django_simple_captcha==0.5.* + - djangosaml2==1.5.* + - pysaml2==7.2.* + - python-ldap==3.4.3 + - requests_oauthlib + - future==0.18.* + - mysqlclient==2.1.* + - pycryptodome==3.16.* + - cffi==1.15.1 + - lxml + - chardet + pro: + - pillow==9.3.* + - pylibmc + - captcha==0.4 + - jinja2 + - SQLAlchemy==1.4.3 + - psd-tools + - django-pylibmc + - django_simple_captcha==0.5.* + - djangosaml2==1.5.* + - pysaml2==7.2.* + - python-ldap + - requests_oauthlib + - future==0.18.* + - mysqlclient==2.1.* + - pycryptodome==3.16.* + - cffi==1.15.1 + - lxml + - chardet seafile_rm_libs: - - liblber-2.4.so.2 - - libldap-2.4.so.2 - - libsasl2.so.3 - - libldap_r-2.4.so.2 # 9.0.0 - - libcrypto.so.1.1 # 9.0.0 - - libssl.so.1.1 # 9.0.0 + community: + - libcrypto.so.1.1 # 9.0.0 + - libssl.so.1.1 # 9.0.0 + + pro: + - liblber-2.4.so.2 + - libldap-2.4.so.2 + - libsasl2.so.3 + - libldap_r-2.4.so.2 # 9.0.0 + - libcrypto.so.1.1 # 9.0.0 + - libssl.so.1.1 # 9.0.0 diff --git a/roles/seafile/vars/RedHat-9.yml b/roles/seafile/vars/RedHat-9.yml new file mode 100644 index 0000000..43d96f5 --- /dev/null +++ b/roles/seafile/vars/RedHat-9.yml 
@@ -0,0 +1,77 @@ +--- + +seafile_packages: + - python39 + - python39-setuptools + - python39-pip + - python39-devel + - gcc + - gcc-c++ + - ffmpeg + - ffmpeg-devel + - libmemcached-devel + - mysql-devel + - zlib-devel + - openldap-devel + - openssl-devel + - gcc + - tar + - mariadb + - fuse + - java-1.8.0-openjdk # For seafile-pro + - poppler-utils # For seafile-pro + - unoconv # For seafile-pro + - python3-setuptools # needed for ansible to create the venv + +seafile_python_libs: + community: + - pillow==10.0.* + - pylibmc + - captcha==0.4 + - jinja2 + - SQLAlchemy==2.0.18 + - psd-tools + - django-pylibmc + - django_simple_captcha==0.5.* + - djangosaml2==1.5.* + - pysaml2==7.2.* + - python-ldap==3.4.3 + - requests_oauthlib + - future==0.18.* + - mysqlclient==2.1.* + - pycryptodome==3.16.* + - cffi==1.15.1 + - lxml + - chardet + pro: + - pillow==9.3.* + - pylibmc + - captcha==0.4 + - jinja2 + - SQLAlchemy==1.4.3 + - psd-tools + - django-pylibmc + - django_simple_captcha==0.5.* + - djangosaml2==1.5.* + - pysaml2==7.2.* + - python-ldap + - requests_oauthlib + - future==0.18.* + - mysqlclient==2.1.* + - pycryptodome==3.16.* + - cffi==1.15.1 + - lxml + - chardet + +seafile_rm_libs: + community: + - libcrypto.so.1.1 # 9.0.0 + - libssl.so.1.1 # 9.0.0 + + pro: + - liblber-2.4.so.2 + - libldap-2.4.so.2 + - libsasl2.so.3 + - libldap_r-2.4.so.2 # 9.0.0 + - libcrypto.so.1.1 # 9.0.0 + - libssl.so.1.1 # 9.0.0
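Review bot: This new vars file is a byte-for-byte copy of RedHat-8.yml — both `index` lines end in blob `43d96f5` — so nothing in it is specific to EL9, `gcc` is listed twice in `seafile_packages`, and both `python39-setuptools` and `python3-setuptools` are requested. EL9's default `python3` is already 3.9, so the `python39*` package names and the `/bin/python3.9` venv command in install.yml likely need adjusting for this platform; confirm against the target repositories. If the two files are meant to stay identical, one shared `RedHat.yml` (or a symlink) avoids them drifting apart; otherwise at least remove the duplicate `gcc` entry.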