diff --git a/all.yml b/all.yml
index 0880c025..87ea3658 100755
--- a/all.yml
+++ b/all.yml
@@ -14,6 +14,7 @@
 - import_playbook: plays/monitoring.yml
 
 # Services that only apply to a subset of server
+- import_playbook: plays/cas.yml
 - import_playbook: plays/dhcp.yml
 - import_playbook: plays/dns.yml
 - import_playbook: plays/etherpad.yml
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index fa185203..01abae8f 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -29,9 +29,6 @@ nginx:
 # - {from: roundcube.crans.org, to: 10.231.136.105}
 # - {from: phabricator.crans.org, to: 10.231.136.123}
 # - {from: trackerusercontent.crans.org, to: 10.231.136.123}
- # - {from: cas.crans.org, to: 10.231.136.18}
- # - {from: auth.crans.org, to: 10.231.136.18}
- # - {from: login.crans.org, to: 10.231.136.18}
 # - {from: webmail.crans.org, to: 10.231.136.107}
 # - {from: horde.crans.org, to: 10.231.136.107}
 # - {from: owncloud.crans.org, to: 10.231.136.26}
@@ -49,6 +46,9 @@ nginx:
 # - {from: webirc.crans.org, to: "10.231.136.1:9000"}
 - {from: framadate.crans.org, to: 172.16.10.109}
 - {from: stream.crans.org, to: 172.16.10.118}
+ - {from: cas.crans.org, to: 172.16.10.120}
+ - {from: auth.crans.org, to: 172.16.10.120}
+ - {from: login.crans.org, to: 172.16.10.120}
 # - {from: mailman.crans.org, to: 10.231.136.180}
 #
 # # Zamok
diff --git a/hosts b/hosts
index 7757a23d..d2e4bbc3 100644
--- a/hosts
+++ b/hosts
@@ -90,6 +90,8 @@ monitoring.adm.crans.org
 boeing.adm.crans.org
 fluxx.adm.crans.org
 unifi.adm.crans.org
+pastemoisa.adm.crans.org
+casouley.adm.crans.org
 
 [ovh_physical]
 sputnik.adm.crans.org
diff --git a/plays/cas.yml b/plays/cas.yml
new file mode 100755
index 00000000..9fe92223
--- /dev/null
+++ b/plays/cas.yml
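Review bot: `pastemoisa.adm.crans.org` is added to the inventory in the same hunk as `casouley.adm.crans.org`, but nothing else in this commit references it — no play targets it and no group_vars mention it — so it reads as an unrelated change riding along with the CAS deployment. If it is intentional, a separate commit, or at least a mention in the commit message, keeps the inventory history traceable. The group header sits above the hunk, so which group both hosts join is not visible here; worth checking that the same group is appropriate for a host that gets vault-backed CAS secrets via `plays/cas.yml`.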
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+# Django CAS server
+
+- hosts: casouley.adm.crans.org
+ vars:
+ cas_secret_key: "{{ vault_cas_secret_key }}"
+ cas_ldap_password: "{{ vault_cas_ldap_password }}"
+ roles: ["django-cas"]
diff --git a/roles/django-cas/README.md b/roles/django-cas/README.md
new file mode 100644
index 00000000..6b9b47c5
--- /dev/null
+++ b/roles/django-cas/README.md
@@ -0,0 +1,3 @@
+# Django CAS
+
+Une fois le rôle appliqué il faut aller dans `/var/local/django-cas` et faire un `./manage.py collectstatic`.
diff --git a/roles/django-cas/handlers/main.yml b/roles/django-cas/handlers/main.yml
new file mode 100644
index 00000000..fe8fbf15
--- /dev/null
+++ b/roles/django-cas/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart nginx
+ service:
+ name: nginx
+ state: restarted
+
+- name: Restart uwsgi
+ service:
+ name: uwsgi
+ state: restarted
diff --git a/roles/django-cas/tasks/main.yml b/roles/django-cas/tasks/main.yml
index 80307620..6472c515 100644
--- a/roles/django-cas/tasks/main.yml
+++ b/roles/django-cas/tasks/main.yml
@@ -8,10 +8,62 @@
 - uwsgi-plugin-python3
 - python3-django
 - python3-django-cas-server
+ - python3-psycopg2
 register: apt_result
 retries: 3
 until: apt_result is succeeded
 
+- name: Upgrade to Bullseye Django CAS
+ apt:
+ deb: http://mirror.adm.crans.org/debian/pool/main/d/django-cas-server/python3-django-cas-server_1.1.0-2_all.deb
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+ when:
+ - ansible_lsb.codename == 'buster'
+
+- name: Clone Django CAS project repository
+ git:
+ repo: http://gitlab.adm.crans.org/nounous/django-cas.git
+ dest: /var/local/django-cas
+ version: master
+ umask: '002'
+
+- name: Configure Django CAS
+ template:
+ src: cas/settings_local.py.j2
+ dest: /var/local/django-cas/cas/settings_local.py
+ mode: 0600
+ notify: Restart uwsgi
+
+- name: Configure NGINX site
+ template:
+ src: nginx/sites-available/cas.j2
+ dest: /etc/nginx/sites-available/cas
+ mode: 0644
+ notify: Restart nginx
+
+- name: Enable nginx site
+ file:
+ src: /etc/nginx/sites-available/cas
+ dest: /etc/nginx/sites-enabled/cas
+ state: link
+ notify: Restart nginx
+
+- name: Configure UWSGI app
+ template:
+ src: uwsgi/apps-available/cas.ini.j2
+ dest: /etc/uwsgi/apps-available/cas.ini
+ mode: 0644
+ notify: Restart uwsgi
+
+- name: Enable uwsgi app
+ file:
+ src: /etc/uwsgi/apps-available/cas.ini
+ dest: /etc/uwsgi/apps-enabled/cas.ini
+ state: link
+ notify: Restart uwsgi
+
 - name: Install CAS crons
 template:
 src: cron.d/cas.j2
diff --git a/roles/django-cas/templates/cas/settings_local.py.j2 b/roles/django-cas/templates/cas/settings_local.py.j2
new file mode 100644
index 00000000..aaaebe11
--- /dev/null
+++ b/roles/django-cas/templates/cas/settings_local.py.j2
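Review bot: `Configure Django CAS` writes `settings_local.py` with `mode: 0600` but no `owner`/`group`, so the file stays owned by the Ansible connecting user while the crons added in this commit run as `www-data` and import the same settings; unless the play itself runs as `www-data`, that account cannot read the file and `manage.py`/uwsgi fail at startup. Adding `owner: www-data` and `group: www-data` (or whichever account runs the uwsgi app) to that task fixes it, and quoting the mode as `'0600'` removes the YAML octal ambiguity the `umask: '002'` line already avoids. `Upgrade to Bullseye Django CAS` fetches a `.deb` over plain HTTP with no checksum, and a standalone `.deb` gets none of apt's repository signature checking — downloading it with `get_url` plus a `checksum:` and then `apt: deb: <local path>` pins what actually gets installed. `Clone Django CAS project repository` tracks `version: master` yet carries no `notify: Restart uwsgi`, so an updated checkout is deployed without reloading the app; pinning a tag or commit and adding the handler makes the deploy reproducible and complete.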
@@ -0,0 +1,9 @@
+{{ ansible_header | comment }}
+
+SECRET_KEY = '{{ cas_secret_key }}'
+
+# Settings for the CAS server
+CAS_LDAP_SERVER = "172.16.10.90"
+CAS_LDAP_USER = "cn=cas,ou=service-users,dc=crans,dc=org"
+CAS_LDAP_PASSWORD = "{{ cas_ldap_password }}"
+CAS_LDAP_BASE_DN = "cn=Utilisateurs,dc=crans,dc=org"
diff --git a/roles/django-cas/templates/cron.d/cas.j2 b/roles/django-cas/templates/cron.d/cas.j2
index ec29265e..0fd4795d 100644
--- a/roles/django-cas/templates/cron.d/cas.j2
+++ b/roles/django-cas/templates/cron.d/cas.j2
@@ -1,4 +1,4 @@
 {{ ansible_header | comment }}
-0 0 * * * www-data /usr/local/django/cas/manage.py clearsessions
-*/5 * * * * www-data /usr/local/django/cas/manage.py cas_clean_tickets
-5 0 * * * www-data /usr/local/django/cas/manage.py cas_clean_sessions
+0 0 * * * www-data /var/local/django-cas/manage.py clearsessions
+*/5 * * * * www-data /var/local/django-cas/manage.py cas_clean_tickets
+5 0 * * * www-data /var/local/django-cas/manage.py cas_clean_sessions
diff --git a/roles/django-cas/templates/nginx/sites-available/cas.j2 b/roles/django-cas/templates/nginx/sites-available/cas.j2
new file mode 100644
index 00000000..c243822e
--- /dev/null
+++ b/roles/django-cas/templates/nginx/sites-available/cas.j2
@@ -0,0 +1,25 @@
+{{ ansible_header | comment }}
+
+server {
+ server_name cas.crans.org cas.adm.crans.org login.crans.org login.adm.crans.org auth.crans.org auth.adm.crans.org;
+ listen 80;
+ listen [::]:80;
+
+ location /cas {
+ rewrite ^/cas$ / redirect;
+ rewrite ^/cas/(.*)$ /$1 redirect;
+ }
+
+ location /static {
+ alias /var/local/django-cas/cas/local_static;
+ }
+
+ set_real_ip_from 10.231.136.0/24;
+ set_real_ip_from 2a0c:700:0:2::/64;
+ real_ip_header P-Real-Ip;
+
+ location / {
+ uwsgi_pass unix:///var/run/uwsgi/app/cas/socket;
+ include uwsgi_params;
+ }
+}
diff --git a/roles/django-cas/templates/update-motd.d/05-service.j2 b/roles/django-cas/templates/update-motd.d/05-service.j2
index 0a1da54c..242bc2ca 100755
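Review bot: `SECRET_KEY = '{{ cas_secret_key }}'` drops the vault value into a single-quoted Python literal, so a secret containing `'` or `\` renders a syntactically broken `settings_local.py` and the app fails to start; rendering it as `SECRET_KEY = {{ cas_secret_key | to_json }}` (and likewise `CAS_LDAP_PASSWORD = {{ cas_ldap_password | to_json }}`) produces a literal whose escapes Python accepts for any value. `CAS_LDAP_SERVER = "172.16.10.90"` is a bare address with no scheme or TLS setting, so whether the service bind and every user's password check cross the network in clear depends on the library default — worth confirming and stating explicitly next to the setting, e.g. `# plain LDAP to the internal directory; TLS handled by ... — TODO confirm`. The file is populated only by template variables, so a one-line comment pointing to `plays/cas.yml` as the source of `cas_secret_key` and `cas_ldap_password` would help the next reader find where the vault values are wired.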
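Review bot: `set_real_ip_from` trusts only `10.231.136.0/24` and `2a0c:700:0:2::/64`, yet the entries changed in `group_vars/reverseproxy.yml` now reach this host at `172.16.10.120`; if the proxy's source address on that hop is in `172.16.10.0/24` rather than one of the listed ranges, nginx silently ignores `real_ip_header P-Real-Ip` and the application only ever sees the proxy address, which blinds CAS logs and any per-client throttling. Confirm the proxy's address on the new network and add it to `set_real_ip_from`, dropping ranges that no longer apply. `P-Real-Ip` is a non-standard header name that has to match exactly what the reverse proxy sets; because the real_ip module only honours it from the trusted ranges, clients cannot spoof it, and a comment such as `# P-Real-Ip is set by the reverseproxy group; honoured only from its ranges above` would record that intent for whoever edits the ranges next.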
--- a/roles/django-cas/templates/update-motd.d/05-service.j2
+++ b/roles/django-cas/templates/update-motd.d/05-service.j2
@@ -1,3 +1,3 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
-> django-cas-server a été déployé sur cette machine. Voir /usr/local/django/cas/.
+> django-cas-server a été déployé sur cette machine. Voir /var/local/django-cas/.
diff --git a/roles/django-cas/templates/uwsgi/apps-available/cas.ini.j2 b/roles/django-cas/templates/uwsgi/apps-available/cas.ini.j2
new file mode 100644
index 00000000..7ec92804
--- /dev/null
+++ b/roles/django-cas/templates/uwsgi/apps-available/cas.ini.j2
@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+[uwsgi]
+plugin = python3
+chdir = /var/local/django-cas/
+wsgi-file = /var/local/django-cas/cas/wsgi.py
+max-request=50
+cheaper = 1
+cheaper-initial = 1
+workers = 2
+die-on-term = true
+memory-report = true
+reload-on-rss = 75M
+evil-reload-on-rss = 200M
+limit-as = 450M
+reload-on-as = 350M
+evil-reload-on-as = 500M
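Review bot: `max-request=50` is the only key written without spaces around `=`, and uWSGI documents the worker-recycling option as `max-requests` (plural); without `strict = true` an unrecognised key is accepted silently, so if this is a typo the recycling it was meant to configure never happens. Writing `max-requests = 50` (after confirming the intended option) and adding `strict = true` makes such mistakes fail at start-up instead of being ignored. No `uid`/`gid` appear here, so the account the app runs under comes from the Debian uwsgi defaults or a per-app convention on this host — that account is the one that must be able to read `cas/settings_local.py` (written `0600` by the role), which is worth recording with a comment such as `# runs as the Debian uwsgi default user; settings_local.py must be readable by it`.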