A few roles that might be of interest
by Imre Jonk
Hi all,
The company I work for just open-sourced these roles that were written
for use with DebOps:
- debops.simplesamlphp
Manages SimpleSAMLphp as a SAML IdP. Installs
simplesamlphp-module-webauthn by default, which adds WebAuthn 2FA.
- debops.selfservicepassword
Manages Self Service Password, a web interface for changing one's LDAP
password.
- debops.openvpn
Manages OpenVPN server for client-server use. Authenticates clients
against LDAP and integrates with YK-VAL to provide Yubikey TOTP 2FA.
- debops.matomo
Manages Matomo analytics platform.
- debops.dhcpd
Manages ISC DHCP server. Essentially a rewrite of the existing
debops.dhcpd role with support for DHCPv6, but it's still missing some
features.
- debops.dnsui
Manages Opera DNS UI, a web-based LDAP-authenticated DNS management
system for use with PowerDNS authoritative nameserver.
- debops.powerdns_auth
Manages PowerDNS authoritative nameserver.
We use all these roles in production. A lot of documentation is still
missing; I hope to be able to add that soon so the roles can be
integrated into DebOps mainline. The roles are licensed under
GPL-3.0-or-later and can be found here:
https://gitlab.com/ciphermail?filter=debops
Suggestions for improvements are more than welcome.
Imre
4 years, 3 months
common role: suddenly commented out most certs in ca-certificates.conf
by Jan Kowalsky
Hi all,
After running bootstrap, adding additional apt sources during the common
role failed because of unknown certificates.
FAILED! => {"changed": false, "cmd": "/usr/bin/git clone --origin origin
https://github.com/TheLocehiliosan/yadm
/usr/local/src/yadm/github.com/TheLocehiliosan/yadm", "msg": "Cloning
into '/usr/local/src/yadm/github.com/TheLocehiliosan/yadm'...\nfatal:
unable to access 'https://github.com/TheLocehiliosan/yadm/': server
certificate verification failed.
I inspected the problem and found that most of the certificates configured in
/etc/ca-certificates.conf were suddenly commented out.
This is not really reproducible, but the error took place a few times in
the past.
Any idea what is happening here?
Thanks and regards
Jan
4 years, 4 months
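A check for the symptom reported above, as an added example that is not part of the original post or of DebOps: it classifies the entries of a ca-certificates.conf as active, deselected with `!`, or commented out with `#`, so a sudden loss of trust anchors can be detected before TLS verification starts failing. The sample content, the certificate names and the 0.5 alert threshold are assumptions made for the example.

```python
import re
import sys

# An entry is a path relative to /usr/share/ca-certificates ending in .crt
# (assumption: no whitespace in the path, as in Debian's shipped names).
CERT_ENTRY = re.compile(r"^[^\s#!]\S*\.crt$")


def audit(text):
    """Classify ca-certificates.conf lines as active, deselected or commented."""
    result = {"active": [], "deselected": [], "commented": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            # A leading '!' deselects the certificate.
            key, entry = "deselected", line[1:].strip()
        elif line.startswith("#"):
            # Only a bare path after '#' counts; ordinary comments contain spaces.
            key, entry = "commented", line.lstrip("#").strip()
        else:
            key, entry = "active", line
        if CERT_ENTRY.match(entry):
            result[key].append(entry)
    return result


def disabled_ratio(result):
    """Fraction of known certificate entries that are not active."""
    disabled = len(result["deselected"]) + len(result["commented"])
    total = disabled + len(result["active"])
    return disabled / total if total else 0.0


# Constructed sample content, not taken from the poster's host.
SAMPLE = """\
# This file lists certificates that you wish to use or to ignore.
mozilla/Example_Root_CA_1.crt
!mozilla/Example_Root_CA_2.crt
#mozilla/Example_Root_CA_3.crt
# mozilla/Example_Root_CA_4.crt
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    res = audit(text)
    print({k: len(v) for k, v in res.items()}, "disabled: %.2f" % disabled_ratio(res))
    # Non-zero exit lets a cron job or CI step alert (threshold is an assumption).
    sys.exit(1 if disabled_ratio(res) > 0.5 else 0)
```

Run it with the path to the file as the only argument, for example before and after a playbook run, and compare the counts.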
debops pki role and letsencrypt
by Jan Kowalsky
Hi all,
since there are some references for acme and letsencrypt in the debops
roles pki and nginx I was wondering if debops actually supports the
generation of letsencrypt certificates (e.g. through an nginx_server role).
If yes: can somebody point me in the right direction?
Sorry, I can't make head or tail of the documentation on this point.
Kind regards
Jan
4 years, 4 months
ifupdown role breaks with current implementation of "auto"
by Roché Compaan
Hi there!
First, thank you for an awesome project! It is really well thought out and
well documented given the scope that you are trying to cover.
I have used quite a few roles successfully now. However, I ran into an
issue with the ifupdown role.
My config was straightforward:
ifupdown__host_interfaces:
  'eno1':
    auto: 'True'
    inet: 'static'
    inet6: 'auto'
    address: '10.0.0.2/29'
    gateway: '10.0.0.1'
    dns_nameservers:
      - '192.168.8.1'
      - '10.0.8.1'
This generates the following config on the target server:
allow-auto eno1
allow-hotplug eno1
iface eno1 inet static
    address 10.0.0.2
    netmask 255.255.255.248
    gateway 10.0.0.1
    dns-nameservers 192.168.8.1 10.0.8.1
iface eno1 inet6 auto
Unfortunately, "allow-auto" and "auto" do not behave in the same way and
unless I have "auto eno1" in my config, the link is not up after networking
is started. This is on a fresh Debian 10 install.
I came across this thread that seems to suggest that there might be some
ambiguity in the directives used:
https://lists.debian.org/debian-user/2017/09/msg00901.html
Since the debops role already distinguishes between "auto" and "allow:
auto" keys, perhaps "auto: 'True'" should simply generate "auto <iface>"
in the resulting config and not "allow-auto"?
Kind regards,
Roché Compaan
4 years, 4 months