7:41 p.m.
Hi all,
Quick introduction: I am the system administrator of CipherMail B.V., a
company which specializes in email security, and Stichting Bits of
Freedom, the digital rights movement in the Netherlands. I also
volunteer for a community wireless network in Amsterdam called Amsterdam
Wireless. I've started using DebOps in Februari this year when we were
provisioning a new datacenter at CipherMail. So far it's been really
great and I'm introducing DebOps at Bits of Freedom now as well. Last
year I graduated with a bachelor's thesis about deploying DNSSEC at a
large Dutch hosting company. They went from zero to full DNSSEC with
PowerDNS and some Python scripts I wrote. You can find the thesis
(Dutch) here:
https://www.imrejonk.nl/deploying-dnssec-at-a-web-hosting-company/.
Hobbies and sports include computer tinkering, running, shooting sports,
biking, amateur radio and scuba diving.
To business. I wrote some DebOps-integrated roles at CipherMail which
might be useful to others. My employer has agreed to release the roles
under the GPL version 3 (or later). Some roles lack documentation, tests
and functionality to be useful to anyone, so I'll have to do some work
to improve the overall role quality. I guess I'll do that and create PRs
for new debops-contrib roles soon.
These are the roles I'm talking about:
- amsw.dnsui: provides complete functionality for integrating Opera's
DNS-UI, an LDAP-authenticated web frontend for PowerDNS authoritative
server. The role uses the nginx PAM module for LDAP authentication.
Requires PowerDNS 4.1+ for DNSSEC functionality. Depends on
debops.secret, debops.users, debops.postgresql, debops.php, debops.nginx
and debops.cron.
- amsw.powerdns_auth: a simple role for PowerDNS authoritative server
management. Right now you can only use this role with the Postgresql
backend and the upstream packages (I needed v4.1 for DNSSEC capabilities
on the API). Nonetheless it should be very easy to integrate this with
debops.mariadb and the PowerDNS BIND backend.
- ciphermail.nut: almost complete role for managing a Network UPS Tools
(NUT) server. Needs documentation and tests.
- ciphermail.nut_client: NUT client management.
- ciphermail.cups: manages our CUPS print server. Integrates with
debops.pki and applies some hardening tricks to ensure our print jobs
are always TLS encrypted with verified certificates.
- ciphermail.simplesamlphp: manages a SAML 2.0 iDP-only SimpleSAMLphp
installation, integrated with debops.pki. We use it for Single Sign-On.
- ciphermail.docker_container: simple role for managing Docker containers.
- ciphermail.docker_network: additional Docker role for managing networks.
We've also modified some existing DebOps roles because they weren't
entirely satisfactory for us. We'll contribute these changes back as
well. We're using a lot of DebOps roles :)
Any suggestions (on where I should start, for example) are most welcome!
Cheers,
Imre
9:10 a.m.
On maj 16, Imre Jonk wrote:
Hi all,
Hello, and welcome to the mailing list! :)
To business. I wrote some DebOps-integrated roles at CipherMail
which
might be useful to others. My employer has agreed to release the roles
under the GPL version 3 (or later).
Awesome, good to hear that your employer is OK with releasing your work to the
community.
Some roles lack documentation, tests and functionality to be useful
to
anyone, so I'll have to do some work to improve the overall role quality.
I guess I'll do that and create PRs for new debops-contrib roles soon.
If the role is for something included in Debian, you should create PRs against
the https://github.com/debops/debops/ repository, so that we can keep
everything in one place. Commercial software could go into the
https://github.com/debops/debops-contrib/ repository, which has similar layout
to the main DebOps monorepo. In the future the debops-contrib repository will
probably be downloadable and installable using some kind of debops script
subcommand.
These are the roles I'm talking about:
- amsw.dnsui: provides complete functionality for integrating Opera's
DNS-UI, an LDAP-authenticated web frontend for PowerDNS authoritative
server. The role uses the nginx PAM module for LDAP authentication.
Requires PowerDNS 4.1+ for DNSSEC functionality. Depends on
debops.secret, debops.users, debops.postgresql, debops.php, debops.nginx
and debops.cron.
For this you probably have to build the nginx .deb package from source to
include the LDAP support, correct? Now that nginx modules are in separate
packages in Debian, I wonder when LDAP support will be available in the
distribution itself. I'm not sure why it's not there yet, licensing? Lack of
manpower or interest?
As for using the debops.users and debops.cron roles from your own role, can
you tell me the reasons behind it? The roles mainly exist so that users can
create UNIX groups/accounts on the hosts and manage cron jobs via the Ansible
inventory, without the need to write their own playbooks. Ansible has modules
for managing users, groups and cron jobs, which you could use in your role
directly, without the additional overhead of using debops.users and
debops.cron.
- amsw.powerdns_auth: a simple role for PowerDNS authoritative
server
management. Right now you can only use this role with the Postgresql
backend and the upstream packages (I needed v4.1 for DNSSEC capabilities
on the API). Nonetheless it should be very easy to integrate this with
debops.mariadb and the PowerDNS BIND backend.
- ciphermail.nut: almost complete role for managing a Network UPS Tools
(NUT) server. Needs documentation and tests.
- ciphermail.nut_client: NUT client management.
- ciphermail.cups: manages our CUPS print server. Integrates with
debops.pki and applies some hardening tricks to ensure our print jobs
are always TLS encrypted with verified certificates.
- ciphermail.simplesamlphp: manages a SAML 2.0 iDP-only SimpleSAMLphp
installation, integrated with debops.pki. We use it for Single Sign-On.
- ciphermail.docker_container: simple role for managing Docker containers.
- ciphermail.docker_network: additional Docker role for managing networks.
Very interesting set of roles, looking forward for the PRs. :-) If you want,
you could fork the debops/debops repository on GitHub and create a branch for
each role right away, perhaps some other DebOps users could help you clean
those up, test the functionality and prepare the documentation.
We've also modified some existing DebOps roles because they
weren't
entirely satisfactory for us. We'll contribute these changes back as
well. We're using a lot of DebOps roles :)
Any suggestions (on where I should start, for example) are most welcome!
I would start with creating PRs for existing roles to merge in your changes,
then your own roles that depend on them should be easier to merge as well.
Once again, welcome to the list and I'm looking forward for your
contributions. :-)
Maciej
8:48 p.m.
Hi Maciej,
On 17-05-19 09:10, Maciej Delmanowski wrote:
If the role is for something included in Debian, you should create
PRs against
the https://github.com/debops/debops/ repository, so that we can keep
everything in one place. Commercial software could go into the
https://github.com/debops/debops-contrib/ repository, which has similar layout
to the main DebOps monorepo. In the future the debops-contrib repository will
probably be downloadable and installable using some kind of debops script
subcommand.
Ah, I figured that debops-contrib was for roles that were not yet
included in DebOps but might be in the future (like
debops-contrib.dropbear_initramfs). I'll make the PRs directly to
debops/debops then.
> - amsw.dnsui: provides complete functionality for integrating
Opera's
> DNS-UI, an LDAP-authenticated web frontend for PowerDNS authoritative
> server. The role uses the nginx PAM module for LDAP authentication.
> Requires PowerDNS 4.1+ for DNSSEC functionality. Depends on
> debops.secret, debops.users, debops.postgresql, debops.php, debops.nginx
> and debops.cron.
For this you probably have to build the nginx .deb package from source to
include the LDAP support, correct? Now that nginx modules are in separate
packages in Debian, I wonder when LDAP support will be available in the
distribution itself. I'm not sure why it's not there yet, licensing? Lack of
manpower or interest?
Nope :)
Nginx in Debian 9 has the PAM module compiled in. Otherwise I probably
wouldn't have been able to write this role this quick, I'm pretty lazy
when it comes to software. I just take whatever is in Debian stable,
with the occasional backports package or Docker image.
I use the debops.auth and debops.nsswitch roles to configure PAM for
authentication against my debops.slapd managed OpenLDAP server. All
DebOps v0.8.1. I'll see if I can somehow integrate this configuration
with the dnsui role as well.
As for using the debops.users and debops.cron roles from your own
role, can
you tell me the reasons behind it? The roles mainly exist so that users can
create UNIX groups/accounts on the hosts and manage cron jobs via the Ansible
inventory, without the need to write their own playbooks. Ansible has modules
for managing users, groups and cron jobs, which you could use in your role
directly, without the additional overhead of using debops.users and
debops.cron.
No particular reason, guess I just wanted to use more DebOps roles.
Might not be the best idea in this case, so I'll rewrite the role a bit
to remove these dependencies.
Very interesting set of roles, looking forward for the PRs. :-) If
you want,
you could fork the debops/debops repository on GitHub and create a branch for
each role right away, perhaps some other DebOps users could help you clean
those up, test the functionality and prepare the documentation.
I'm glad you're interested! My employer has allowed me some time to
improve the roles next week, so you can review the PRs soon :)
> Any suggestions (on where I should start, for example) are most
welcome!
I would start with creating PRs for existing roles to merge in your changes,
then your own roles that depend on them should be easier to merge as well.
Great, I'll start there then!
Have a great weekend.
Imre
10:27 p.m.
On maj 17, Imre Jonk wrote:
Ah, I figured that debops-contrib was for roles that were not yet
included in DebOps but might be in the future (like
debops-contrib.dropbear_initramfs). I'll make the PRs directly to
debops/debops then.
Thid only had merit when DebOps roles were in separate git repositories. Now,
you can just fork the DebOps monorepo, create your own branch and put the
roles there. It's very easy to keep your changed updated with the main project
by fetching new changes from master and rebasing your branch on top of them.
> For this you probably have to build the nginx .deb package from
source to
> include the LDAP support, correct? Now that nginx modules are in separate
> packages in Debian, I wonder when LDAP support will be available in the
> distribution itself. I'm not sure why it's not there yet, licensing? Lack of
> manpower or interest?
Nope :)
Nginx in Debian 9 has the PAM module compiled in. Otherwise I probably
wouldn't have been able to write this role this quick, I'm pretty lazy
when it comes to software. I just take whatever is in Debian stable,
with the occasional backports package or Docker image.
Interesting, I only came across nginx with LDAP setups that use the custom
LDAP module, and I hadn't considered the PAM route, which probably is more
universal anyway. I'll have to check that out.
I use the debops.auth and debops.nsswitch roles to configure PAM for
authentication against my debops.slapd managed OpenLDAP server. All
DebOps v0.8.1. I'll see if I can somehow integrate this configuration
with the dnsui role as well.
In that case you should check out the new changes in the DebOps master branch,
here's the Changelog: https://docs.debops.org/en/master/news/changelog.html
Tere are many changes related to LDAP support in DebOps. Most of the code from
'debops.auth' role has been ripped out and moved to other roles,
'debops.slapd' role was rewritten from scratch, and there's new
'debops.ldap'
role which will be used to add support for LDAP to many DebOps roles. I hope
that you will like it. :-)
I'm currently working on updating the 'debops.users' role and moving the
management of sysadmin accounts to a new 'debops.system_users' role which will
integrate with the LDAP support. After finishing these, I plan to make a new
DebOps release so there's something tagged. Probably a week or two from now.
I'm glad you're interested! My employer has allowed me some
time to
improve the roles next week, so you can review the PRs soon :)
You should work against the 'master' branch, of course. Perhaps a separate
development environment is in order. :)
Cheers,
Maciej
7:20 p.m.
On 17-05-19 22:27, Maciej Delmanowski wrote:
On maj 17, Imre Jonk wrote:
> Ah, I figured that debops-contrib was for roles that were not yet
> included in DebOps but might be in the future (like
> debops-contrib.dropbear_initramfs). I'll make the PRs directly to
> debops/debops then.
Thid only had merit when DebOps roles were in separate git repositories. Now,
you can just fork the DebOps monorepo, create your own branch and put the
roles there. It's very easy to keep your changed updated with the main project
by fetching new changes from master and rebasing your branch on top of them.
Check. Will the non-commercial roles currently in debops-contrib (like
debops-contrib.dropbear_initramfs) be merged into debops master?
>> For this you probably have to build the nginx .deb package
from source to
>> include the LDAP support, correct? Now that nginx modules are in separate
>> packages in Debian, I wonder when LDAP support will be available in the
>> distribution itself. I'm not sure why it's not there yet, licensing? Lack
of
>> manpower or interest?
> Nope :)
> Nginx in Debian 9 has the PAM module compiled in. Otherwise I probably
> wouldn't have been able to write this role this quick, I'm pretty lazy
> when it comes to software. I just take whatever is in Debian stable,
> with the occasional backports package or Docker image.
Interesting, I only came across nginx with LDAP setups that use the custom
LDAP module, and I hadn't considered the PAM route, which probably is more
universal anyway. I'll have to check that out.
I still have to look at enforcing different authorization rules for
nginx (DNS-UI) PAM users. All system users now also pass nginx
authentication, and the other way around. DNS-UI uses php-ldap to solve
LDAP group authorization in an application-specific way though.
Tere are many changes related to LDAP support in DebOps. Most of the
code from
'debops.auth' role has been ripped out and moved to other roles,
'debops.slapd' role was rewritten from scratch, and there's new
'debops.ldap'
role which will be used to add support for LDAP to many DebOps roles. I hope
that you will like it. :-)
I'm currently working on updating the 'debops.users' role and moving the
management of sysadmin accounts to a new 'debops.system_users' role which will
integrate with the LDAP support. After finishing these, I plan to make a new
DebOps release so there's something tagged. Probably a week or two from now.
I red it on the list. Sounds good! We've only been using v0.8.1 roles
until now, so that means that I'll have to get some work done to get our
infrastructure ready for the next tag :)
You should work against the 'master' branch, of course.
Perhaps a separate
development environment is in order. :)
Yeah, I guess now's a really good time to build a proper development
environment for that.
Cheers,
Imre
10:31 a.m.
On May 18, Imre Jonk wrote:
> Thid only had merit when DebOps roles were in separate git
repositories. Now,
> you can just fork the DebOps monorepo, create your own branch and put the
> roles there. It's very easy to keep your changed updated with the main project
> by fetching new changes from master and rebasing your branch on top of them.
Check. Will the non-commercial roles currently in debops-contrib (like
debops-contrib.dropbear_initramfs) be merged into debops master?
Yes, that's the plan. They will have to be renamed and cleaned up, of course.
They were imported from the repositories in https://github.com/debops-contrib/
organization when the migration to the monorepo happened, but I hadn't got
time to work on them yet. I'll probably migrate the 'debops-contrib.apparmor'
role next, or better yet write a similar one as 'debops.apparmor' since this
will be mandatory in Debian Buster. The next development cycle will probably
be focused on Debian Buster compatibility to prepare for the next release of
Debian Stable.
> I'm currently working on updating the 'debops.users'
role and moving the
> management of sysadmin accounts to a new 'debops.system_users' role which
will
> integrate with the LDAP support. After finishing these, I plan to make a new
> DebOps release so there's something tagged. Probably a week or two from now.
I red it on the list. Sounds good! We've only been using v0.8.1 roles
until now, so that means that I'll have to get some work done to get our
infrastructure ready for the next tag :)
After the v1.0.0 release I plan to cherry-pick any non-breaking changes to it
from later versions, so that sticking to one release without suddenly breaking
your infrastructure is feasible. I'm not sure how many such "stable"
branches
will be feasible, perhaps sticking to the Debian release cycle will make the
most sense, we will see. But to get to that point, I want to clean up all of
the old roles first... Hmm, you know what? Screw that plan - people are using
DebOps in production already, so I'll bite the bullet and release v1.0.0 after
merging the user role changes. Let's get this thing rolling, this will be
a good test if cherry-picking non-breaking changes makes sense. Expect
a release in a week or two when I get the user roles updated.
Cheers,
Maciej
1796
days inactive
1800
days old
5 comments
2 participants
participants (2)
-
Imre Jonk -
Maciej Delmanowski