Merge branch 'master' into 'ansible-lint'

# Conflicts:
#   roles/codimd/tasks/0_apt_dependencies.yml
This commit is contained in:
Alexandre IOOSS 2019-03-11 15:00:11 +01:00
commit 1a4e41d318
27 changed files with 1048 additions and 149 deletions


@ -3,3 +3,4 @@
- hosts: all
roles:
- baseconfig
- basesecurity

28
hosts

@ -14,10 +14,11 @@ synapse.adm.auro.re
codimd.adm.auro.re
services-bdd.adm.auro.re
phabricator.adm.auro.re
horus-wiki ansible_host=10.128.0.51
wiki.adm.auro.re
www.adm.auro.re
pad.adm.auro.re
proxy.adm.auro.re
matrix-services.adm.auro.re
[ovh-vm]
re2o-server.adm.auro.re
@ -25,13 +26,21 @@ re2o-ldap.adm.auro.re
re2o-db.adm.auro.re
serge.adm.auro.re
[ovh-testing-vm]
re2o-test.adm.auro.re
[fleming-pve]
freya.adm.auro.re
odin.adm.auro.re
#freya.adm.auro.re
#odin.adm.auro.re
[fleming-vm-ldap-replica]
ldap-replica-fleming1.adm.auro.re
ldap-replica-fleming2.adm.auro.re
#ldap-replica-fleming1.adm.auro.re
#ldap-replica-fleming2.adm.auro.re
[pacaterie-pve]
#merlin.adm.auro.re
#leodagan.adm.auro.re
#mordred.adm.auro.re
# everything at ovh
[ovh:children]
@ -39,11 +48,19 @@ ovh-pve
ovh-container
ovh-vm
# everything at ovh-testing
[ovh-testing:children]
ovh-testing-vm
# everything at fleming
[fleming:children]
fleming-pve
fleming-vm-ldap-replica
# everything at pacaterie
[pacaterie:children]
pacaterie-pve
# every LXC container
[container:children]
ovh-container
@ -57,6 +74,7 @@ fleming-vm-ldap-replica
[pve:children]
ovh-pve
fleming-pve
pacaterie-pve
# every LDAP replica
[ldap-replica:children]
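Review bot: On the new side of the first hunk both `horus-wiki ansible_host=10.128.0.51` and `wiki.adm.auro.re` are present, and the proxy vars hunk of this same commit replaces `to: 10.128.0.51` with `to: wiki.adm.auro.re`, which suggests the two inventory names point at one machine (whichever of the two lines is the addition). If so, a `hosts: all` play runs every role on that host twice under two names, and host_vars written for one name silently do not apply under the other; keep a single entry, or leave a comment on why the alias must stay. `horus-wiki` is also the only entry that pins an address inline while everything else relies on `adm.auro.re` resolution, so it is worth stating which one is authoritative. `[pacaterie-pve]` is introduced with every member commented out, which Ansible accepts, but a one-line comment on whether those hosts are unreachable or deliberately excluded would save the next reader a guess.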


@ -1,27 +0,0 @@
# Aurore servers inventory
[ovh-testing-pve]
[ovh-testing-container]
[ovh-testing-vm]
re2o-test.adm.auro.re
# everything at ovh-testing
[ovh-testing:children]
ovh-testing-pve
ovh-testing-container
ovh-testing-vm
# every LXC container
[container:children]
ovh-testing-container
# every virtual machine
[vm:children]
ovh-testing-vm
# every PVE
[pve:children]
ovh-testing-pve


@ -8,8 +8,15 @@
- debian-backports
- matrix-synapse
- matrix-mxisd
- matrix-appservice-discord
- matrix-appservice-irc
# Install Matrix Riot on corresponding containers
- hosts: riot.adm.auro.re
roles:
- matrix-riot
# Install Matrix services
- hosts: matrix-services.adm.auro.re
roles:
- debian-backports


@ -5,28 +5,25 @@
reversed_proxy_subdomains:
- name: re2o
from: re2o.auro.re
to: 10.128.0.10
to: re2o-server.adm.auro.re
- name: intranet
from: intranet.auro.re
to: 10.128.0.10
to: re2o-server.adm.auro.re
- name: pad
from: pad.auro.re
to: 10.128.0.54:9001
to: pad.adm.auro.re:9001
- name: phabricator
from: phabricator.auro.re
to: 10.128.0.50
to: phabricator.adm.auro.re
- name: wiki
from: wiki.auro.re
to: 10.128.0.51
to: wiki.adm.auro.re
- name: www
from: www.auro.re
to: 10.128.0.52
- name: main
from: auro.re
to: 10.128.0.52
to: www.adm.auro.re
- name: re2o-test
from: re2o-test.auro.re
to: 10.128.0.100
to: re2o-test.adm.auro.re
- name: riot
from: riot.auro.re
to: riot.adm.auro.re
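Review bot: The `main` entry (`- name: main` / `from: auro.re` / `to: 10.128.0.52`) appears to be removed outright, while every other entry is only re-pointed from an address to an `.adm.auro.re` name — the 28→25 line count fits one dropped entry on top of the rewritten ones. If the bare `auro.re` should still be served, re-add `- name: main`, `from: auro.re`, `to: www.adm.auro.re`; if the drop is deliberate, say so in the commit message, since a missing vhost usually means requests for that name fall through to the proxy's default server. Switching the targets to DNS names also makes backend selection depend on whoever controls the `adm.auro.re` records, which deserves a comment above `reversed_proxy_subdomains:`.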


@ -0,0 +1,25 @@
---
- name: Configure sysctl
template:
src: 'sysctl.d/local.conf.j2'
dest: '/etc/sysctl.d/local.conf'
mode: 0644
# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
- name: Desactivate setuid/setgid on unused binaries
file:
path: "{{ item }}"
mode: u-s,g-s
loop:
- /usr/lib/openssh/sshkeysign # Not used
- /usr/bin/gpasswd # No group auth
- /usr/bin/passwd # Only root should change passwd
- /usr/bin/expiry # With re2o
- /usr/bin/newgrp # No group auth
- /usr/bin/chage # With re2o
- /usr/bin/chsh # With re2o
- /usr/bin/chfn # With re2o
- /bin/mount # Only root should mount
- /bin/umount # Only root should umount
ignore_errors: yes # Sometimes file won't exist
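Review bot: `ignore_errors: yes` on the setuid/setgid task hides every failure, not only the "file won't exist" case the comment has in mind, so a permission or mount problem leaves a binary with its setuid bit in place while the play reports success. Checking existence with `stat` first and applying `file` only where `item.stat.exists` is true keeps the hardening verifiable and lets real errors surface; the rewrite below does that. Nothing in the hunk loads the new `/etc/sysctl.d/local.conf`, so its values only take effect after a reboot — add `notify:` to a handler running `sysctl --system`, or use the `sysctl` module with `sysctl_file:` and `reload: yes` per key. Minor, since this is the ansible-lint branch: quote the mode as `mode: '0644'`, write `true` instead of `yes`, and `Desactivate` should read `Deactivate`.
```yaml
- name: Find which setuid/setgid binaries are present
  stat:
    path: "{{ item }}"
  loop:
    - /usr/lib/openssh/sshkeysign # Not used
    # … unchanged: remaining paths of the original list …
  register: suid_bins

- name: Deactivate setuid/setgid on unused binaries
  file:
    path: "{{ item.item }}"
    mode: u-s,g-s
  loop: "{{ suid_bins.results }}"
  when: item.stat.exists
  loop_control:
    label: "{{ item.item }}"
```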


@ -0,0 +1,17 @@
# {{ ansible_managed }}
# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
# Disable core dump of setuid executables
# So an user can't read privileged information in memory
fs.suid_dumpable = 0
# Obfuscate kernel memory addresses
kernel.kptr_restrict = 1
# Restrict dmesg access
# This can leak specific harware failures to exploit
kernel.dmesg_restrict = 1
# Do not load kernel modules after boot
# Some modules have security issues and are used in exploits
kernel.modules_disabled = 1
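Review bot: `kernel.modules_disabled = 1` is a one-way switch — it cannot be cleared until reboot, and any module not yet loaded when systemd-sysctl applies this file early at boot will typically fail to load afterwards (on-demand networking, filesystem or bridge modules are the usual casualties). The role shipping this template is added to the `hosts: all` play in this commit, and the inventory hunk shows that group includes PVE hypervisors and LXC containers; on a hypervisor a missing module can take networking or storage down, and inside a container the `kernel.*` keys are typically read-only, so the whole file may fail to apply. I would gate that one line behind a role default (a new variable, e.g. `{% if basesecurity_disable_modules | default(false) %}` … `{% endif %}`) with a comment stating that reversal needs a reboot and that required modules must be preloaded via modules-load.d, and keep the other three keys unconditional. Two comment typos: `harware` → `hardware`, `an user` → `a user`.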


@ -1,7 +1,8 @@
---
# Build front-end bundle
# This can take very long and requires > 2GB of RAM
- name: Build front-end for CodiMD
command: npm run build
command: NODE_ENV="production" yarn run build
args:
chdir: /var/local/codimd/codimd
become: true
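Review bot: `command: NODE_ENV="production" yarn run build` will not work as written: the `command` module does not go through a shell, so `NODE_ENV="production"` is taken as the program to execute rather than as an environment assignment, and the task fails with a not-found error. Use the task-level keyword instead: `command: yarn run build` followed by `environment:` and `  NODE_ENV: production`. The same construct appears in `command: NODE_ENV="production" bin/setup` in the codimd tasks hunk of this commit and needs the same fix. Both tasks run with `become: true` and no `become_user` visible in the hunk, so the build and every npm/yarn lifecycle script in the dependency tree run as root inside a tree the clone task creates as `codimd`; `become_user: codimd`, as the clone task already does, limits what a malicious package script can do and avoids root-owned files in the checkout.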


@ -9,6 +9,11 @@
dest: /etc/apt/preferences.d/nodejs
mode: 0644
# TODO
# apt-transport-https
# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
# Install CodiMD dependencies
- name: Install required packages
apt:
@ -20,7 +25,7 @@
- nodejs
- npm
- build-essential
- zlib1g-dev # uws module
register: apt_result
retries: 3
until: apt_result is succeeded
- yarn
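Review bot: `- yarn` is appended to the apt package list, but the Yarn repository it comes from exists only as the `# TODO` comment above, so on a host without that repository the `Install required packages` task fails and its `retries: 3` merely repeats the failure. Add the repository with `apt_key` and `apt_repository` before the install task, using the key URL and deb line already given in the comment rather than the `curl | apt-key add -` pipe it describes; where the release's apt lacks native https support, `apt-transport-https` must be installed first, as the TODO notes. Pinning the key by fingerprint (`id:` on `apt_key`, value taken from the upstream documentation) additionally protects against a swapped key at that URL. The `Install required packages` task starts in the first hunk and continues outside it.
```yaml
# Yarn apt repository (key + source), needed before `yarn` can be installed
- name: Install Yarn apt signing key
  apt_key:
    url: https://dl.yarnpkg.com/debian/pubkey.gpg
    state: present

- name: Install Yarn apt repository
  apt_repository:
    repo: deb https://dl.yarnpkg.com/debian/ stable main
    filename: yarn
    state: present

# … unchanged: Install required packages task (with `- yarn` appended) …
```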


@ -6,19 +6,18 @@
- include_tasks: 1_user_group.yml
# Download CodiMD
# TODO : temporally disabled until 1.3.0 is out (because of uws bug)
# - name: Clone CodiMD project
# git:
# repo: https://github.com/hackmdio/codimd.git
# dest: /var/local/codimd/codimd
# version: 1.2.1
# become: true
# become_user: codimd
# notify: Build front-end for CodiMD
- name: Clone CodiMD project
git:
repo: https://github.com/hackmdio/codimd.git
dest: /var/local/codimd/codimd
version: 1.3.0
become: true
become_user: codimd
notify: Build front-end for CodiMD
# Setup dependencies and configs
- name: Install CodiMD depedencies
command: bin/setup
command: NODE_ENV="production" bin/setup
args:
chdir: /var/local/codimd/codimd
become: true
@ -33,14 +32,6 @@
group: codimd
mode: 0600
# Update database
- name: Migrate the db to the latest schema
command: node_modules/.bin/sequelize db:migrate
args:
chdir: /var/local/codimd/codimd
become: true
become_user: codimd
# Configure
- name: Configure CodiMD
template:
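Review bot: `version: 1.3.0` checks out a git tag, and tags can be moved or re-pushed upstream; since `bin/setup` and the front-end build then execute code from that checkout as a privileged user, pin `version:` to the full commit hash of the 1.3.0 release (the 40-character SHA from the upstream repository, not reproduced here) so the deployed tree is verifiable and the play stays idempotent. If the `# TODO : temporally disabled until 1.3.0 is out` comment survives this change it now describes a state that is no longer true and should be dropped. The second hunk removes the `Migrate the db to the latest schema` task; unless `bin/setup` is known to run the migration, a later upgrade of the checkout would leave the schema behind the code, so a comment on where migration now happens would help. `depedencies` → `dependencies` in the setup task name; the `Configure CodiMD` task continues outside the hunk.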


@ -49,7 +49,7 @@ cn: {0}core
olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: k
nowledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.
121.1.15{32768} )
olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last
olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last
(family) name(s) for which the entity is known by' SUP name )
olcAttributeTypes: {2}( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial nu
mber of the entity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
@ -94,7 +94,7 @@ olcAttributeTypes: {17}( 2.5.4.21 NAME 'telexNumber' DESC 'RFC2256: Telex Nu
mber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
olcAttributeTypes: {18}( 2.5.4.22 NAME 'teletexTerminalIdentifier' DESC 'RFC
2256: Teletex Terminal Identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
olcAttributeTypes: {19}( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
olcAttributeTypes: {19}( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
DESC 'RFC2256: Facsimile (Fax) Telephone Number' SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.22 )
olcAttributeTypes: {20}( 2.5.4.24 NAME 'x121Address' DESC 'RFC2256: X.121 Ad
@ -112,7 +112,7 @@ olcAttributeTypes: {23}( 2.5.4.27 NAME 'destinationIndicator' DESC 'RFC2256:
olcAttributeTypes: {24}( 2.5.4.28 NAME 'preferredDeliveryMethod' DESC 'RFC22
56: preferred delivery method' SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 SINGLE-
VALUE )
olcAttributeTypes: {25}( 2.5.4.29 NAME 'presentationAddress' DESC 'RFC2256:
olcAttributeTypes: {25}( 2.5.4.29 NAME 'presentationAddress' DESC 'RFC2256:
presentation address' EQUALITY presentationAddressMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.43 SINGLE-VALUE )
olcAttributeTypes: {26}( 2.5.4.30 NAME 'supportedApplicationContext' DESC 'R
@ -120,14 +120,14 @@ olcAttributeTypes: {26}( 2.5.4.30 NAME 'supportedApplicationContext' DESC 'R
X 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {27}( 2.5.4.31 NAME 'member' DESC 'RFC2256: member of a g
roup' SUP distinguishedName )
olcAttributeTypes: {28}( 2.5.4.32 NAME 'owner' DESC 'RFC2256: owner (of the
olcAttributeTypes: {28}( 2.5.4.32 NAME 'owner' DESC 'RFC2256: owner (of the
object)' SUP distinguishedName )
olcAttributeTypes: {29}( 2.5.4.33 NAME 'roleOccupant' DESC 'RFC2256: occupan
t of role' SUP distinguishedName )
olcAttributeTypes: {30}( 2.5.4.36 NAME 'userCertificate' DESC 'RFC2256: X.50
9 user certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3.
6.1.4.1.1466.115.121.1.8 )
olcAttributeTypes: {31}( 2.5.4.37 NAME 'cACertificate' DESC 'RFC2256: X.509
olcAttributeTypes: {31}( 2.5.4.37 NAME 'cACertificate' DESC 'RFC2256: X.509
CA certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.8 )
olcAttributeTypes: {32}( 2.5.4.38 NAME 'authorityRevocationList' DESC 'RFC22
@ -143,7 +143,7 @@ olcAttributeTypes: {35}( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'RFC2256: f
irst name(s) for which the entity is known by' SUP name )
olcAttributeTypes: {36}( 2.5.4.43 NAME 'initials' DESC 'RFC2256: initials of
some or all of names, but not the surname(s).' SUP name )
olcAttributeTypes: {37}( 2.5.4.44 NAME 'generationQualifier' DESC 'RFC2256:
olcAttributeTypes: {37}( 2.5.4.44 NAME 'generationQualifier' DESC 'RFC2256:
name qualifier indicating a generation' SUP name )
olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256:
X.500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.1
@ -151,20 +151,20 @@ olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256:
olcAttributeTypes: {39}( 2.5.4.46 NAME 'dnQualifier' DESC 'RFC2256: DN quali
fier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR case
IgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
olcAttributeTypes: {40}( 2.5.4.47 NAME 'enhancedSearchGuide' DESC 'RFC2256:
olcAttributeTypes: {40}( 2.5.4.47 NAME 'enhancedSearchGuide' DESC 'RFC2256:
enhanced search guide' SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
olcAttributeTypes: {41}( 2.5.4.48 NAME 'protocolInformation' DESC 'RFC2256:
olcAttributeTypes: {41}( 2.5.4.48 NAME 'protocolInformation' DESC 'RFC2256:
protocol information' EQUALITY protocolInformationMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.42 )
olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique
olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique
member of a group' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.34 )
olcAttributeTypes: {43}( 2.5.4.51 NAME 'houseIdentifier' DESC 'RFC2256: hous
e identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcAttributeTypes: {44}( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'RFC2256:
olcAttributeTypes: {44}( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'RFC2256:
supported algorithms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
olcAttributeTypes: {45}( 2.5.4.53 NAME 'deltaRevocationList' DESC 'RFC2256:
olcAttributeTypes: {45}( 2.5.4.53 NAME 'deltaRevocationList' DESC 'RFC2256:
delta revocation list; use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
olcAttributeTypes: {46}( 2.5.4.54 NAME 'dmdName' DESC 'RFC2256: name of DMD'
SUP name )
@ -172,20 +172,20 @@ olcAttributeTypes: {47}( 2.5.4.65 NAME 'pseudonym' DESC 'X.520(4th): pseudon
ym for the object' SUP name )
olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mail
box' ) DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBST
R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompo
nent' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match S
UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
GLE-VALUE )
olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain'
DESC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match S
UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {51}( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress'
'pkcs9email' ) DESC 'RFC3280: legacy attribute for email addresses in DNs'
olcAttributeTypes: {51}( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress'
'pkcs9email' ) DESC 'RFC3280: legacy attribute for email addresses in DNs'
EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.
6.1.4.1.1466.115.121.1.26{128} )
olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP
olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP
top STRUCTURAL MUST c MAY ( searchGuide $ description ) )
olcObjectClasses: {1}( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SU
P top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ descriptio
@ -195,7 +195,7 @@ olcObjectClasses: {2}( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organiz
$ businessCategory $ x121Address $ registeredAddress $ destinationIndicato
r $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ tel
ephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street
$ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
$ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
$ st $ l $ description ) )
olcObjectClasses: {3}( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an o
rganizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchG
@ -215,9 +215,9 @@ olcObjectClasses: {5}( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an
lAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
olcObjectClasses: {6}( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an o
rganizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ register
edAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $
edAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ fac
simileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $
simileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $
street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOffic
eName $ ou $ st $ l $ description ) )
olcObjectClasses: {7}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of
@ -230,24 +230,24 @@ olcObjectClasses: {8}( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an r
onaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ stree
t $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
$ st $ l ) )
olcObjectClasses: {9}( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an
olcObjectClasses: {9}( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an
application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ de
scription ) )
olcObjectClasses: {10}( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an
olcObjectClasses: {10}( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an
application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MA
Y ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) )
olcObjectClasses: {11}( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory syste
m agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformati
on )
olcObjectClasses: {12}( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP
top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $
olcObjectClasses: {12}( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP
top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $
description ) )
olcObjectClasses: {13}( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC22
56: a strong authentication user' SUP top AUXILIARY MUST userCertificate )
olcObjectClasses: {14}( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256
: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList
$ certificateRevocationList $ cACertificate ) MAY crossCertificatePair )
olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a
olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a
group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST (
uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ de
scription ) )
@ -263,7 +263,7 @@ olcObjectClasses: {19}( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdNam
e ) MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Add
ress $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationali
SDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode
SDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode
$ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
olcObjectClasses: {20}( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' S
UP top AUXILIARY MAY userCertificate )
@ -278,7 +278,7 @@ olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'R
olcObjectClasses: {24}( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObjec
t' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPasswo
rd )
olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247:
olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247:
domain component object' SUP top AUXILIARY MUST dc )
olcObjectClasses: {26}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid ob
ject' SUP top AUXILIARY MUST uid )
@ -328,7 +328,7 @@ olcAttributeTypes: {10}( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' D
olcAttributeTypes: {11}( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DE
SC 'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {12}( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
olcAttributeTypes: {12}( 0.9.2342.19200300.100.1.15 NAME 'documentLocation'
DESC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBS
TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {13}( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'home
@ -340,7 +340,7 @@ olcAttributeTypes: {14}( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'R
.1466.115.121.1.12 )
olcAttributeTypes: {15}( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNT
AX 1.3.6.1.4.1.1466.115.121.1.39 )
olcAttributeTypes: {16}( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY
olcAttributeTypes: {16}( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY
caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {17}( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY
caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
@ -370,9 +370,9 @@ olcAttributeTypes: {26}( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTel
mberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115
.121.1.50 )
olcAttributeTypes: {27}( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCou
ntryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch
ntryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {28}( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
olcAttributeTypes: {28}( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier'
DESC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.15{256} )
olcAttributeTypes: {29}( 0.9.2342.19200300.100.1.45 NAME 'organizationalStat
@ -401,7 +401,7 @@ olcAttributeTypes: {36}( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQual
olcAttributeTypes: {37}( 0.9.2342.19200300.100.1.53 NAME 'personalSignature'
DESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.23 )
olcAttributeTypes: {38}( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC
olcAttributeTypes: {38}( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC
'RFC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.12 )
olcAttributeTypes: {39}( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC12
@ -412,16 +412,16 @@ olcAttributeTypes: {40}( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher'
olcObjectClasses: {0}( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPi
lotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rf
c822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber
$ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod
$ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $
$ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod
$ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $
pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ person
alSignature ) )
olcObjectClasses: {1}( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRU
CTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizatio
nName $ organizationalUnitName $ host ) )
olcObjectClasses: {2}( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STR
UCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $
localityName $ organizationName $ organizationalUnitName $ documentTitle $
UCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $
localityName $ organizationName $ organizationalUnitName $ documentTitle $
documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) )
olcObjectClasses: {3}( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTU
RAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNum
@ -452,7 +452,7 @@ olcObjectClasses: {8}( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject'
ciatedDomain )
olcObjectClasses: {9}( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP
country STRUCTURAL MUST friendlyCountryName )
olcObjectClasses: {10}( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization'
olcObjectClasses: {10}( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization'
SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )
olcObjectClasses: {11}( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa S
TRUCTURAL MAY dSAQuality )
@ -470,13 +470,13 @@ modifyTimestamp: 20150225150906Z
dn: cn={2}nis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {2}nis
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field;
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field;
the common name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absol
ute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to
olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to
the login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
.1.26 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY int
@ -496,14 +496,14 @@ olcAttributeTypes: {9}( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' EQUALITY integerM
olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExac
tIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.26 )
olcAttributeTypes: {11}( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY
olcAttributeTypes: {11}( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY
caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.146
6.115.121.1.26 )
olcAttributeTypes: {12}( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Net
group triple' SYNTAX 1.3.6.1.1.1.0.0 )
olcAttributeTypes: {13}( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' EQUALITY inte
gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' SUP name
olcAttributeTypes: {14}( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' SUP name
)
olcAttributeTypes: {15}( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' EQUALITY i
ntegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
@ -539,7 +539,7 @@ olcObjectClasses: {2}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction o
f a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( use
rPassword $ memberUid $ description ) )
olcObjectClasses: {3}( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an
Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $
Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $
ipServiceProtocol ) MAY description )
olcObjectClasses: {4}( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction o
f an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ descrip
@ -547,24 +547,24 @@ olcObjectClasses: {4}( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction o
olcObjectClasses: {5}( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an
ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description
) MAY description )
olcObjectClasses: {6}( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a
host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $
olcObjectClasses: {6}( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a
host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $
description $ manager ) )
olcObjectClasses: {7}( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of
an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNe
tmaskNumber $ l $ description $ manager ) )
olcObjectClasses: {8}( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction
olcObjectClasses: {8}( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction
of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberN
isNetgroup $ description ) )
olcObjectClasses: {9}( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstrac
tion of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description )
olcObjectClasses: {10}( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in
olcObjectClasses: {10}( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in
a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY de
scription )
olcObjectClasses: {11}( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device
with a MAC address' SUP top AUXILIARY MAY macAddress )
olcObjectClasses: {12}( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A devic
e with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter )
e with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter )
)
structuralObjectClass: olcSchemaConfig
entryUUID: fc8f6894-514b-1034-9c32-0faf5bc7ead5
@ -608,7 +608,7 @@ olcAttributeTypes: {8}( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RF
C2798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.14
66.115.121.1.5 )
olcObjectClasses: {0}( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RF
C2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL
C2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL
MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayNam
e $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddre
ss $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ page
@ -625,16 +625,16 @@ modifyTimestamp: 20150225150906Z
dn: cn={4}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC
'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.1
15.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC
'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6
.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC '
Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
1.26{16} SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC
'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.
1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DES
@ -646,7 +646,7 @@ olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DE
olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC '
Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.
121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC
'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC
@ -656,12 +656,12 @@ olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1
.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX
DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC
'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
1.26{42} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC
'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTA
X 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DES
@ -694,8 +694,8 @@ olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'S
ecurity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.26{64} )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC
'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC
'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DES
C 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.
@ -707,10 +707,10 @@ olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'N
ext NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4
.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBa
se' DESC 'Base at which the samba RID generation algorithm should operate'
se' DESC 'Base at which the samba RID generation algorithm should operate'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC
'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC
'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC
'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY
@ -739,10 +739,10 @@ olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength
olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' D
ESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC
'Maximum password age, in seconds (default: -1 => never expire passwords)'
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC
'Maximum password age, in seconds (default: -1 => never expire passwords)'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC
'Minimum password age, in seconds (default: 0 => allow immediate password c
hange)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-V
ALUE )
@ -759,25 +759,25 @@ olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DES
C 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwd
Change' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY
Change' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPasswor
d' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY
d' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTex
tPassword' DESC 'Previous clear text password (used for trusted domain pass
words)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC
'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC
'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes'
DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX
DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection'
olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection'
DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.1
15.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DE
SC 'Fully qualified name of the domain with which a trust exists' EQUALITY
SC 'Fully qualified name of the domain with which a trust exists' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC '
NetBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
@ -793,7 +793,7 @@ olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifi
xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALU
E )
olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrust
Info' DESC 'Forest trust information for a trusted domain object' EQUALITY
Info' DESC 'Forest trust information for a trusted domain object' EQUALITY
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'S
amba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MA
@ -803,7 +803,7 @@ olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'S
baLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sa
mbaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCo
unt $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC
olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC
'Samba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ samba
GroupType ) MAY ( displayName $ description $ sambaSIDList ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DES
@ -816,7 +816,7 @@ olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassw
olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba
Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithm
icRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd
icRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd
$ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObse
rvationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachi
nePwdChange ) )
@ -833,7 +833,7 @@ olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samb
olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba
Share Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DES
C 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY
C 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY
( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringLis
toption $ description ) )
olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DE
@ -871,12 +871,12 @@ olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
INGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationI
d' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC ''
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC ''
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddres
s' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
@ -911,10 +911,10 @@ olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DE
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtoco
l' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute'
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DE
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
@ -922,16 +922,16 @@ olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC ''
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
LUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout'
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
NGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost'
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
NGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
@ -949,15 +949,15 @@ olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
INGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DE
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
LE-VALUE )
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DE
SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm'
@ -969,7 +969,7 @@ olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRe
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC '
' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
ALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType'
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType'
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI
NGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeou
@ -998,7 +998,7 @@ olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerE
1.1.26 )
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' D
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC ''
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC ''
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientE
ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
@ -1013,7 +1013,7 @@ olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory'
INGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName
' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' D
@ -1024,7 +1024,7 @@ olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DE
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DE
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC ''
SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $
SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $
radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNu
mber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiu
sClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFrame
@ -1183,3 +1183,4 @@ createTimestamp: 20150305013830Z
entryCSN: 20160607103125.521039Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160607103125Z


@ -0,0 +1,4 @@
---
# Reload systemd daemons when a service file changes
- name: Reload systemd daemons
command: systemctl daemon-reload
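Review bot: The handler shells out with `command: systemctl daemon-reload`, which reports changed on every invocation and is what ansible-lint flags as command-instead-of-module; the `systemd` module does the same thing natively, `systemd:` with `daemon_reload: true`. The identical handler added for the matrix-appservice-irc role in this commit has the same issue and should change with it.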


@ -0,0 +1,20 @@
---
- name: Configure NodeJS pin
when:
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: apt/nodejs.j2
dest: /etc/apt/preferences.d/nodejs
mode: 0644
- name: Install required packages
apt:
name: "{{ item }}"
state: present
update_cache: true
with_items:
- git
- nodejs
- npm
- build-essential
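Review bot: `Install required packages` loops the `apt` module with `name: "{{ item }}"` over `with_items`, so each package is its own apt transaction and `update_cache: true` is re-evaluated per item; recent Ansible releases also warn that relying on squash_actions for this is deprecated. Move the four packages under `name:` as a list and drop `with_items`, keeping a single `update_cache: true`. On the `Configure NodeJS pin` task, `mode: 0644` works because of the leading zero, but a quoted `mode: "0644"` avoids the YAML octal ambiguity and matches what ansible-lint's risky-octal check wants. The matrix-appservice-irc role adds a byte-identical copy of this file, so the same changes apply there.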


@ -0,0 +1,26 @@
---
# Security #1
- name: Create matrix-appservice-discord system group
group:
name: matrix-appservice-discord
system: yes
state: present
# Security #2
- name: Create matrix-appservice-discord user
user:
name: matrix-appservice-discord
group: matrix-appservice-discord
home: /var/local/matrix-appservice-discord
comment: Matrix Appservice Discord
system: yes
state: present
# Security #3
- name: Secure matrix-appservice-discord home directory
file:
path: /var/local/matrix-appservice-discord
state: directory
owner: matrix-appservice-discord
group: matrix-appservice-discord
mode: 0750
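Review bot: `system: yes` on both the `group` and `user` tasks is the YAML 1.1 boolean spelling that yamllint's `truthy` rule rejects; write `system: true`. Since this account exists only to run the bridge, add `shell: /usr/sbin/nologin` to the `user` task so it cannot be used for an interactive login; the home directory it creates under /var/local is then tightened to 0750 by the third task, which is the right order. The `# Security #1` / `#2` / `#3` comments do not say what is being secured; something like `# Dedicated unprivileged account so the bridge never runs as root` on the user task and `# Keep the checkout and config.yaml unreadable to other local users` on the file task would. The matrix-appservice-irc role's user/group file in this commit has the same `yes` values and the same missing shell.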


@ -0,0 +1,57 @@
---
# Install APT dependencies
- include_tasks: 0_apt_dependencies.yml
# Create CodiMD user and group
- include_tasks: 1_user_group.yml
# Download CodiMD
- name: Clone matrix-appservice-discord project
git:
repo: https://github.com/Half-Shot/matrix-appservice-discord.git
dest: /var/local/matrix-appservice-discord/matrix-appservice-discord
version: v0.4.0
become: true
become_user: matrix-appservice-discord
# Setup dependencies
- name: Install matrix-appservice-discord depedencies
command: npm ci
args:
chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord
become: true
become_user: matrix-appservice-discord
# Typescript into javascript
- name: Compile matrix-appservice-discord
command: npm run build
args:
chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord
become: true
become_user: matrix-appservice-discord
# Configure
- name: Configure matrix-appservice-discord
template:
src: config.yaml.j2
dest: /var/local/matrix-appservice-discord/matrix-appservice-discord/config.yaml
owner: matrix-appservice-discord
group: matrix-appservice-discord
mode: 0600
# Service file
- name: Install matrix-appservice-discord systemd unit
template:
src: 'systemd/matrix-appservice-discord.service.j2'
dest: '/etc/systemd/system/matrix-appservice-discord.service'
owner: root
group: root
mode: 0644
notify: Reload systemd daemons
# Run
#- name: Ensure that matrix-appservice-discord is started
# service:
# name: matrix-appservice-discord
# state: started
# enabled: true
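Review bot: The comments `# Create CodiMD user and group` and `# Download CodiMD` were carried over from the codimd role and name the wrong service; they should read `# Create matrix-appservice-discord user and group` and `# Download matrix-appservice-discord`. The `npm ci` and `npm run build` command tasks report changed on every run (ansible-lint no-changed-when); registering the `git` task (`register: checkout`, a name chosen here) and gating both with `when: checkout.changed` makes the install and build run only after the checkout actually moved. `version: v0.4.0` pins a tag, and a tag can be re-pointed upstream, so pinning the commit hash that tag resolves to gives a reproducible and tamper-evident checkout. The task name `Install matrix-appservice-discord depedencies` has a typo (`dependencies`), also present in the irc role; and the commented-out `Ensure that matrix-appservice-discord is started` block leaves the unit installed but never enabled, which is presumably intentional for now but deserves a one-line comment saying why.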


@ -0,0 +1,5 @@
# {{ ansible_managed }}
Package: node* libuv1*
Pin: release a=stretch-backports
Pin-Priority: 600
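Review bot: The template gives no reason for preferring stretch-backports at priority 600, which is above the default target-release priority; a comment such as `# Prefer nodejs/npm and their node-* dependencies from backports; the stretch versions are assumed too old for the bridge — confirm` records the intent for whoever removes the pin later. The pin is only effective if the backports source is actually configured, which this file does not do; the play in this commit lists a `debian-backports` role that presumably handles it, but that dependency is implicit. The suite is hard-coded as `stretch-backports` while the deploying task is conditioned on `ansible_distribution_release == 'stretch'`; `{{ ansible_distribution_release }}-backports` keeps the two from drifting apart. The matrix-appservice-irc role adds an identical pin file with the same points.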


@ -0,0 +1,85 @@
# {{ ansible_managed }}
bridge:
# Domain part of the bridge, e.g. matrix.org
domain: "auro.re"
# This should be your publically facing URL because Discord may use it to
# fetch media from the media store.
homeserverUrl: "https://auro.re"
# Interval at which to process users in the 'presence queue'. If you have
# 5 users, one user will be processed every 500 milliseconds according to the
# value below. This has a minimum value of 250.
# WARNING: This has a high chance of spamming the homeserver with presence
# updates since it will send one each time somebody changes state or is online.
presenceInterval: 500
# Disable setting presence for 'ghost users' which means Discord users on Matrix
# will not be shown as away or online.
disablePresence: false
# Disable sending typing notifications when somebody on Discord types.
disableTypingNotifications: false
# Disable deleting messages on Discord if a message is redacted on Matrix.
disableDeletionForwarding: false
# Enable users to bridge rooms using !discord commands. See
# https://t2bot.io/discord for instructions.
enableSelfServiceBridging: false
# Disable sending of read receipts for Matrix events which have been
# successfully bridged to Discord.
disableReadReceipts: false
# Authentication configuration for the discord bot.
auth:
clientID: "12345"
botToken: "foobar"
logging:
# What level should the logger output to the console at.
console: "warn" #silly, verbose, info, http, warn, error, silent
lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
files:
- file: "warn.log" # Will capture warnings
level: "warn"
- file: "botlogs.log" # Will capture logs from DiscordBot
level: "info"
enable:
- "DiscordBot"
database:
userStorePath: "user-store.db"
roomStorePath: "room-store.db"
# You may either use SQLite or Postgresql for the bridge database, which contains
# important mappings for events and user puppeting configurations.
# Use the filename option for SQLite, or connString for Postgresql.
# If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
# WARNING: You will almost certainly be fine with sqlite unless your bridge
# is in heavy demand and you suffer from IO slowness.
filename: "discord.db"
# connString: "postgresql://user:password@localhost/database_name"
room:
# Set the default visibility of alias rooms, defaults to "public".
# One of: "public", "private"
defaultVisibility: "public"
channel:
# Pattern of the name given to bridged rooms.
# Can use :guild for the guild name and :name for the channel name.
namePattern: "[Discord] :guild :name"
# Changes made to rooms when a channel is deleted.
deleteOptions:
# Prefix the room name with a string.
#namePrefix: "[Deleted]"
# Prefix the room topic with a string.
#topicPrefix: "This room has been deleted"
# Disable people from talking in the room by raising the event PL to 50
disableMessaging: false
# Remove the discord alias from the room.
unsetRoomAlias: true
# Remove the room from the directory.
unlistFromDirectory: true
# Set the room to be unavaliable for joining without an invite.
setInviteOnly: true
# Make all the discord users leave the room.
ghostsLeave: true
limits:
# Delay in milliseconds between discord users joining a room.
roomGhostJoinDelay: 6000
# Delay in milliseconds before sending messages to discord to avoid echos.
# (Copies of a sent message may arrive from discord before we've
# fininished handling it, causing us to echo it back to the room)
discordSendDelay: 750
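Review bot: `clientID: "12345"` and `botToken: "foobar"` are literal placeholder credentials in a template that is otherwise Ansible-managed, so as written the deployed config carries dummy values and the only way to ship real ones is to commit them into this file. Replace both with vault-backed variables, e.g. `clientID: "{{ appservice_discord_client_id }}"` and `botToken: "{{ appservice_discord_bot_token }}"` (variable names constructed here), keeping the double quotes so an all-digit ID stays a string; the 0600 mode the main task sets on config.yaml is the right companion to that. `defaultVisibility: "public"` and `enableSelfServiceBridging: false` are deliberate local choices about who can see and create bridged rooms, and a short comment stating that they were reviewed would stop the upstream defaults from being mistaken for unreviewed ones.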


@ -0,0 +1,18 @@
# {{ ansible_managed }}
[Unit]
Description=A bridge between Matrix and Discord
After=syslog.target network-online.target mysql.service postgresql.service
Conflicts=shutdown.target
[Service]
Type=simple
User=matrix-appservice-discord
Group=matrix-appservice-discord
WorkingDirectory=/var/local/matrix-appservice-discord/matrix-appservice-discord
Environment="NODE_ENV=production"
ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-discord/matrix-appservice-discord/app.js
Restart=always
[Install]
WantedBy=multi-user.target
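Review bot: The unit runs under the dedicated `matrix-appservice-discord` account but carries no sandboxing directives; adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` blocks setuid-based escalation, isolates /tmp and makes /usr, /boot and /etc read-only for the process, at no cost for a bridge that only writes under its WorkingDirectory. `After=syslog.target network-online.target mysql.service postgresql.service` appears copied from an upstream example: the deployed config uses SQLite (`filename: "discord.db"` in config.yaml.j2), so the two database units are not needed here and `syslog.target` is obsolete, though the extra ordering is harmless. A `[Unit]` comment noting that the bridge is installed but not yet enabled by the role would match the commented-out start task in main.yml.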


@ -0,0 +1,4 @@
---
# Reload systemd daemons when a service file changes
- name: Reload systemd daemons
command: systemctl daemon-reload


@ -0,0 +1,20 @@
---
- name: Configure NodeJS pin
when:
- ansible_distribution == 'Debian'
- ansible_distribution_release == 'stretch'
template:
src: apt/nodejs.j2
dest: /etc/apt/preferences.d/nodejs
mode: 0644
- name: Install required packages
apt:
name: "{{ item }}"
state: present
update_cache: true
with_items:
- git
- nodejs
- npm
- build-essential


@ -0,0 +1,26 @@
---
# Security #1
- name: Create matrix-appservice-irc system group
group:
name: matrix-appservice-irc
system: yes
state: present
# Security #2
- name: Create matrix-appservice-irc user
user:
name: matrix-appservice-irc
group: matrix-appservice-irc
home: /var/local/matrix-appservice-irc
comment: Matrix Appservice IRC
system: yes
state: present
# Security #3
- name: Secure matrix-appservice-irc home directory
file:
path: /var/local/matrix-appservice-irc
state: directory
owner: matrix-appservice-irc
group: matrix-appservice-irc
mode: 0750


@ -0,0 +1,48 @@
---
# Install APT dependencies
- include_tasks: 0_apt_dependencies.yml
# Create matrix-appservice-irc user and group
- include_tasks: 1_user_group.yml
- name: Clone matrix-appservice-irc project
git:
repo: https://github.com/matrix-org/matrix-appservice-irc.git
dest: /var/local/matrix-appservice-irc/matrix-appservice-irc
version: 0.11.2
become: true
become_user: matrix-appservice-irc
# Setup dependencies
- name: Install matrix-appservice-irc depedencies
command: npm install
args:
chdir: /var/local/matrix-appservice-irc/matrix-appservice-irc
become: true
become_user: matrix-appservice-irc
# Configure
- name: Configure matrix-appservice-irc
template:
src: config.yaml.j2
dest: /var/local/matrix-appservice-irc/matrix-appservice-irc/config.yaml
owner: matrix-appservice-irc
group: matrix-appservice-irc
mode: 0600
# Service file
- name: Install matrix-appservice-irc systemd unit
template:
src: 'systemd/matrix-appservice-irc.service.j2'
dest: '/etc/systemd/system/matrix-appservice-irc.service'
owner: root
group: root
mode: 0644
notify: Reload systemd daemons
# Run
#- name: Ensure that matrix-appservice-irc is started
# service:
# name: matrix-appservice-irc
# state: started
# enabled: true
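Review bot: `Install matrix-appservice-irc depedencies` runs `npm install`, whereas the discord role in the same commit uses `npm ci`; `npm install` resolves dependency versions at run time instead of from the repository's lockfile, so two deployments can end up with different dependency trees and a newly published version of a transitive dependency is picked up without anyone choosing it. Use `command: npm ci` here as well, provided the 0.11.2 checkout ships a package-lock.json (not visible from this diff, so it should be checked). As in the discord role, the command task reports changed on every run and `version: 0.11.2` pins a movable tag rather than a commit hash. The task name typo `depedencies` should be `dependencies`.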


@ -0,0 +1,5 @@
# {{ ansible_managed }}
Package: node* libuv1*
Pin: release a=stretch-backports
Pin-Priority: 600


@ -0,0 +1,443 @@
# {{ ansible_managed }}
homeserver:
# The URL to the home server for client-server API calls, also used to form the
# media URLs as displayed in bridged IRC channels:
url: "https://auro.re"
#
# The URL of the homeserver hosting media files. This is only used to transform
# mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
# default, this is the homeserver URL, specified above.
#
# media_url: "http://media.repo:8008"
# Drop Matrix messages which are older than this number of seconds, according to
# the event's origin_server_ts.
# If the bridge is down for a while, the homeserver will attempt to send all missed
# events on reconnection. These events may be hours old, which can be confusing to
# IRC users if they are then bridged. This option allows these old messages to be
# dropped.
# CAUTION: This is a very coarse heuristic. Federated homeservers may have different
# clock times and hence produce different origin_server_ts values, which may be old
# enough to cause *all* events from the homeserver to be dropped.
# Default: 0 (don't ever drop)
dropMatrixMessagesAfterSecs: 300 # 5 minutes
# The 'domain' part for user IDs on this home server. Usually (but not always)
# is the "domain name" part of the HS URL.
domain: "auro.re"
# Should presence be enabled for matrix clients on this bridge. If disabled on the
# homeserver then it should also be disabled here to avoid excess traffic.
# Default: true
enablePresence: true
# Configuration specific to the IRC service
ircService:
servers:
# The address of the server to connect to.
irc.crans.org:
# A human-readable short name. This is used to label IRC status rooms
# where matrix users control their connections.
# E.g. 'ExampleNet IRC Bridge status'.
# It is also used in the Third Party Lookup API as the instance `desc`
# property, where each server is an instance.
name: "Crans IRC Bridge status"
additionalAddresses: [ ]
#
# [DEPRECATED] Use `name`, above, instead.
# A human-readable description string
# description: "Example.com IRC network"
# An ID for uniquely identifying this server amongst other servers being bridged.
networkId: "crans"
# URL to an icon used as the network icon whenever this network appear in
# a network list. (Like in the riot room directory, for instance.)
# icon: https://example.com/images/hash.png
# The port to connect to. Optional.
port: 6697
# Whether to use SSL or not. Default: false.
ssl: true
# Whether or not IRC server is using a self-signed cert or not providing CA Chain
sslselfsign: false
# Should the connection attempt to identify via SASL (if a server or user password is given)
# If false, this will use PASS instead. If SASL fails, we do not fallback to PASS.
sasl: false
# Whether to allow expired certs when connecting to the IRC server.
# Usually this should be off. Default: false.
allowExpiredCerts: false
# A specific CA to trust instead of the default CAs. Optional.
#ca: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
#
# The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
# password: 'pa$$w0rd'
#
# Whether or not to send connection/error notices to real Matrix users. Default: true.
sendConnectionMessages: true
quitDebounce:
# Whether parts due to net-splits are debounced for delayMs, to allow
# time for the netsplit to resolve itself. A netsplit is detected as being
# a QUIT rate higher than quitsPerSecond. Default: false.
enabled: false
# The maximum number of quits per second acceptable above which a netsplit is
# considered ongoing. Default: 5.
quitsPerSecond: 5
# The time window in which to wait before bridging a QUIT to Matrix that occurred during
# a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS
# is not sent many requests to leave rooms all at once if a netsplit occurs and many
# people to not rejoin.
# If the user with the same IRC nick as the one who sent the quit rejoins a channel
# they are considered back online and the quit is not bridged, so long as the rejoin
# occurs before the randomly-jittered timeout is not reached.
# Default: 3600000, = 1h
delayMinMs: 3600000 # 1h
# Default: 7200000, = 2h
delayMaxMs: 7200000 # 2h
# A map for conversion of IRC user modes to Matrix power levels. This enables bridging
# of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
# been given multiple modes, the one that maps to the highest power level will be used.
modePowerMap:
o: 50
botConfig:
# Enable the presence of the bot in IRC channels. The bot serves as the entity
# which maps from IRC -> Matrix. You can disable the bot entirely which
# means IRC -> Matrix chat will be shared by active "M-Nick" connections
# in the room. If there are no users in the room (or if there are users
# but their connections are not on IRC) then nothing will be bridged to
# Matrix. If you're concerned about the bot being treated as a "logger"
# entity, then you may want to disable the bot. If you want IRC->Matrix
# but don't want to have TCP connections to IRC unless a Matrix user speaks
# (because your client connection limit is low), then you may want to keep
# the bot enabled. Default: true.
# NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned
# on, else there will be no users and no bot in a channel (meaning no
# messages to Matrix!) until a Matrix user speaks which makes a client
# join the target IRC channel.
# NBB: The bridge bot IRC client will still join the target IRC network so
# it can service bridge-specific queries from the IRC-side e.g. so
# real IRC clients have a way to change their Matrix display name.
# See https://github.com/matrix-org/matrix-appservice-irc/issues/55
enabled: true
# The nickname to give the AS bot.
nick: "AuroreBot"
# The password to give to NickServ or IRC Server for this nick. Optional.
# password: "helloworld"
#
# Join channels even if there are no Matrix users on the other side of
# the bridge. Set to false to prevent the bot from joining channels which have no
# real matrix users in them, even if there is a mapping for the channel.
# Default: true
joinChannelsIfNoUsers: true
# Configuration for PMs / private 1:1 communications between users.
privateMessages:
# Enable the ability for PMs to be sent to/from IRC/Matrix.
# Default: true.
enabled: true
# Prevent Matrix users from sending PMs to the following IRC nicks.
# Optional. Default: [].
# exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
# Should created Matrix PM rooms be federated? If false, only users on the
# HS attached to this AS will be able to interact with this room.
# Optional. Default: true.
federate: true
# Configuration for mappings not explicitly listed in the 'mappings'
# section.
dynamicChannels:
# Enable the ability for Matrix users to join *any* channel on this IRC
# network.
# Default: false.
enabled: true
# Should the AS create a room alias for the new Matrix room? The form of
# the alias can be modified via 'aliasTemplate'. Default: true.
createAlias: true
# Should the AS publish the new Matrix room to the public room list so
# anyone can see it? Default: true.
published: false
# What should the join_rule be for the new Matrix room? If 'public',
# anyone can join the room. If 'invite', only users with an invite can
# join the room. Note that if an IRC channel has +k or +i set on it,
# join_rules will be set to 'invite' until these modes are removed.
# Default: "public".
joinRule: public
# This will set the m.room.related_groups state event in newly created rooms
# with the given groupId. This means flares will show up on IRC users in those rooms.
# This should be set to the same thing as namespaces.users.group_id in irc_registration.
# This does not alter existing rooms.
# Leaving this option empty will not set the event.
groupId: +myircnetwork:localhost
# Should created Matrix rooms be federated? If false, only users on the
# HS attached to this AS will be able to interact with this room.
# Default: true.
federate: true
# The room alias template to apply when creating new aliases. This only
# applies if createAlias is 'true'. The following variables are exposed:
# $SERVER => The IRC server address (e.g. "irc.example.com")
# $CHANNEL => The IRC channel (e.g. "#python")
# This MUST have $CHANNEL somewhere in it.
# Default: '#irc_$SERVER_$CHANNEL'
aliasTemplate: "#irc_crans_$CHANNEL"
# A list of user IDs which the AS bot will send invites to in response
# to a !join. Only applies if joinRule is 'invite'. Default: []
# whitelist:
# - "@foo:example.com"
# - "@bar:example.com"
#
# Prevent the given list of channels from being mapped under any
# circumstances.
# exclude: ["#foo", "#bar"]
# Configuration for controlling how Matrix and IRC membership lists are
# synced.
membershipLists:
# Enable the syncing of membership lists between IRC and Matrix. This
# can have a significant effect on performance on startup as the lists are
# synced. This must be enabled for anything else in this section to take
# effect. Default: false.
enabled: true
# Syncing membership lists at startup can result in hundreds of members to
# process all at once. This timer drip feeds membership entries at the
# specified rate. Default: 10000. (10s)
floodDelayMs: 10000
global:
ircToMatrix:
# Get a snapshot of all real IRC users on a channel (via NAMES) and
# join their virtual matrix clients to the room.
initial: false
# Make virtual matrix clients join and leave rooms as their real IRC
# counterparts join/part channels. Default: false.
incremental: true
matrixToIrc:
# Get a snapshot of all real Matrix users in the room and join all of
# them to the mapped IRC channel on startup. Default: false.
initial: false
# Make virtual IRC clients join and leave channels as their real Matrix
# counterparts join/leave rooms. Make sure your 'maxClients' value is
# high enough! Default: false.
incremental: true
# Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
rooms:
# Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
channels:
mappings:
# 1:many mappings from IRC channels to room IDs on this IRC server.
# The matrix room must already exist. Your matrix client should expose
# the room ID in a "settings" page for the room.
# "#thepub": ["!kieouiJuedJoxtVdaG:localhost"]
# Configuration for virtual matrix users. The following variables are
# exposed:
# $NICK => The IRC nick
# $SERVER => The IRC server address (e.g. "irc.example.com")
matrixClients:
# The user ID template to use when creating virtual matrix users. This
# MUST have $NICK somewhere in it.
# Optional. Default: "@$SERVER_$NICK".
# Example: "@irc.example.com_Alice:example.com"
userTemplate: "@irc_$NICK"
# The display name to use for created matrix clients. This should have
# $NICK somewhere in it if it is specified. Can also use $SERVER to
# insert the IRC domain.
# Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
displayName: "$NICK (IRC)"
# Number of tries a client can attempt to join a room before the request
# is discarded. You can also use -1 to never retry or 0 to never give up.
# Optional. Default: -1
joinAttempts: -1
# Configuration for virtual IRC users. The following variables are exposed:
# $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
# $USERID => The user ID
# $DISPLAY => The display name of this user, with excluded characters
# (e.g. space) removed. If the user has no display name, this
# falls back to $LOCALPART.
ircClients:
# The template to apply to every IRC client nick. This MUST have either
# $DISPLAY or $USERID or $LOCALPART somewhere in it.
# Optional. Default: "M-$DISPLAY". Example: "M-Alice".
nickTemplate: "$DISPLAY[m]"
# True to allow virtual IRC clients to change their nick on this server
# by issuing !nick <server> <nick> commands to the IRC AS bot.
# This is completely freeform: it will NOT follow the nickTemplate.
allowNickChanges: true
# The max number of IRC clients that will connect. If the limit is
# reached, the client that spoke the longest time ago will be
# disconnected and replaced.
# Optional. Default: 30.
maxClients: 30
# IPv6 configuration.
ipv6:
# Optional. Set to true to force IPv6 for outgoing connections.
only: false
# Optional. The IPv6 prefix to use for generating unique addresses for each
# connected user. If not specified, all users will connect from the same
# (default) address. This may require additional OS-specific work to allow
# for the node process to bind to multiple different source addresses
# e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
# https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
# prefix: "2001:0db8:85a3::" # modify appropriately
#
# The maximum amount of time in seconds that the client can exist
# without sending another message before being disconnected. Use 0 to
# not apply an idle timeout. This value is ignored if this IRC server is
# mirroring matrix membership lists to IRC. Default: 172800 (48 hours)
idleTimeout: 10800
# The number of millseconds to wait between consecutive reconnections if a
# client gets disconnected. Setting to 0 will cause the scheduling to be
# disabled, i.e. it will be scheduled immediately (with jitter.
# Otherwise, the scheduling interval will be used such that one client
# reconnect for this server will be handled every reconnectIntervalMs ms using
# a FIFO queue.
# Default: 5000 (5 seconds)
reconnectIntervalMs: 5000
# The number of concurrent reconnects if a user has been disconnected unexpectedly
# (e.g. a netsplit). You should set this to a reasonably high number so that
# bridges are not waiting an eternity to reconnect all its clients if
# we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs
# setting above which is for connecting on restart of the bridge. Set to 0 to
# immediately try to reconnect all users.
# Default: 50
concurrentReconnectLimit: 50
# The number of lines to allow being sent by the IRC client that has received
# a large block of text to send from matrix. If the number of lines that would
# be sent is > lineLimit, the text will instead be uploaded to matrix and the
# resulting URI is treated as a file. As such, a link will be sent to the IRC
# side instead of potentially spamming IRC and getting the IRC client kicked.
# Default: 3.
lineLimit: 3
# A list of user modes to set on every IRC client. For example, "RiG" would set
# +R, +i and +G on every IRC connection when they have successfully connected.
# User modes vary wildly depending on the IRC network you're connecting to,
# so check before setting this value. Some modes may not work as intended
# through the bridge e.g. caller ID as there is no way to /ACCEPT.
# Default: "" (no user modes)
# userModes: "R"
# Configuration for an ident server. If you are running a public bridge it is
# advised you setup an ident server so IRC mods can ban specific matrix users
# rather than the application service itself.
ident:
# True to listen for Ident requests and respond with the
# matrix user's user_id (converted to ASCII, respecting RFC 1413).
# Default: false.
enabled: false
# The port to listen on for incoming ident requests.
# Ports below 1024 require root to listen on, and you may not want this to
# run as root. Instead, you can get something like an Apache to yank up
# incoming requests to 113 to a high numbered port. Set the port to listen
# on instead of 113 here.
# Default: 113.
port: 1113
# The address to listen on for incoming ident requests.
# Default: 0.0.0.0
address: "::"
# Configuration for logging. Optional. Default: console debug level logging
# only.
logging:
# Level to log on console/logfile. One of error|warn|info|debug
level: "info"
# The file location to log to. This is relative to the project directory.
logfile: "debug.log"
# The file location to log errors to. This is relative to the project
# directory.
errfile: "errors.log"
# Whether to log to the console or not.
toConsole: true
# The max number of files to keep. Files will be overwritten eventually due
# to rotations.
maxFiles: 5
# Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
# $ npm install prom-client@6.3.0
# Metrics will then be available via GET /metrics on the bridge listening port (-p).
metrics:
# Whether to actually enable the metric endpoint. Default: false
enabled: false
# When collecting remote user active times, which "buckets" should be used. Defaults are given below.
# The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
remoteUserAgeBuckets:
- "1h"
- "1d"
- "1w"
# The nedb database URI to connect to. This is the name of the directory to
# dump .db files to. This is relative to the project directory.
# Required.
databaseUri: "nedb://data"
# Configuration options for the debug HTTP API. To access this API, you must
# append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests.
#
# The debug API exposes the following endpoints:
#
# GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID.
#
# POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection.
# Format: new line delimited commands as per IRC protocol.
#
debugApi:
# True to enable the HTTP API endpoint. Default: false.
enabled: false
# The port to host the HTTP API.
port: 11100
# Configuration for the provisioning API.
#
# GET /_matrix/provision/link
# GET /_matrix/provision/unlink
# GET /_matrix/provision/listlinks
#
provisioning:
# True to enable the provisioning HTTP endpoint. Default: false.
enabled: false
# The number of seconds to wait before giving up on getting a response from
# an IRC channel operator. If the channel operator does not respond within the
# allotted time period, the provisioning request will fail.
# Default: 300 seconds (5 mins)
requestTimeoutSeconds: 300
# WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
# send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
# the database.
#
# To generate a .pem file:
# $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
#
# The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
# for storage in the database. Passwords are stored by using the admin room command
# `!storepass server.name passw0rd. When a connection is made to IRC on behalf of
# the Matrix user, this password will be sent as the server password (PASS command).
passwordEncryptionKeyPath: "passkey.pem"
# Config for Matrix -> IRC bridging
matrixHandler:
# Cache this many matrix events in memory to be used for m.relates_to messages (usually replies).
eventCacheSize: 4096
# Options here are generally only applicable to large-scale bridges and may have
# consequences greater than other options in this configuration file.
advanced:
# The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited
# however for large bridges it is important to rate limit the bridge to avoid
# accidentally overloading the homeserver. Defaults to 1000, which should be
# enough for the vast majority of use cases.
maxHttpSockets: 1000


@ -0,0 +1,17 @@
# {{ ansible_managed }}
[Unit]
Description=A bridge between Matrix and IRC
After=syslog.target network-online.target mysql.service postgresql.service
Conflicts=shutdown.target
[Service]
Type=simple
User=matrix-appservice-irc
Group=matrix-appservice-irc
WorkingDirectory=/var/local/matrix-appservice-irc/matrix-appservice-irc
ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-irc/matrix-appservice-irc/app.js -c config.yaml -f my_registration_file.yaml -p 9999
Restart=always
[Install]
WantedBy=multi-user.target
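Review bot: The unit runs the bridge under a dedicated user but sets no sandboxing directives, so a compromised Node process still has the whole filesystem view and can pick up privileges through setuid binaries; in `[Service]` add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full`, which keeps /usr and /etc read-only while leaving the WorkingDirectory under /var/local writable. `After=syslog.target` is a legacy target that orders nothing on current systemd and can be dropped. The registration file name `my_registration_file.yaml` in ExecStart reads like the upstream example name; if the role writes the registration under a different name the service will fail at start, so it is worth checking against the task that produces that file.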


@ -32,3 +32,19 @@
state: link
loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service
# Install main site
- name: Configure NGINX main site
template:
src: nginx-sites-available-main.j2
dest: /etc/nginx/sites-available/main
mode: 0644
notify: Reload NGINX service
# Activate main site
- name: Activate main site
file:
src: /etc/nginx/sites-available/main
dest: /etc/nginx/sites-enabled/main
state: link
notify: Reload NGINX service
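Review bot: `mode: 0644` in the "Configure NGINX main site" task is an unquoted octal literal that only works because a YAML 1.1 parser turns it into the integer 420 (the decimal value of 0644); a YAML 1.2 parser would read it as 644, so write it as `mode: "0644"` to make the value parser-independent. Neither the template task nor the symlink task states `owner`/`group`, so ownership of /etc/nginx/sites-available/main is whatever the connecting (presumably become) user is; adding `owner: root` and `group: root` makes the intent explicit. The tasks before line 32 are outside the hunk.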


@ -0,0 +1,69 @@
# {{ ansible_managed }}
server {
server_name auro.re;
include "snippets/proxy-common.conf";
location / {
return 302 https://$host$request_uri;
}
}
server {
include "snippets/proxy-common-ssl.conf";
server_name auro.re;
# Separate log files
access_log /var/log/nginx/main.access.log;
error_log /var/log/nginx/main.error.log;
# Use LetsEncrypt SSL
ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
location / {
proxy_redirect off;
proxy_pass http://www.adm.auro.re;
proxy_set_header Host auro.re;
proxy_set_header P-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU Terry Pratchett";
}
# For Matrix identity server
location /_matrix/identity {
proxy_pass http://synapse.adm.auro.re:8090/_matrix/identity;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
# For Matrix Synapse
location /_matrix {
proxy_pass http://synapse.adm.auro.re:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
server {
listen 8448 ssl default_server;
listen [::]:8448 ssl default_server;
server_name auro.re;
# Separate log files
access_log /var/log/nginx/main.access.log;
error_log /var/log/nginx/main.error.log;
# Use LetsEncrypt SSL
ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
# For Matrix Synapse federation
location / {
proxy_pass http://synapse.adm.auro.re:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
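Review bot: `proxy_set_header P-Real-IP $remote_addr;` in the `location /` block of the 443 server looks like a typo for `X-Real-IP`, so the upstream at www.adm.auro.re never receives the client address under the header name it presumably reads; change it to `proxy_set_header X-Real-IP $remote_addr;`. The 8448 federation server block does not include `snippets/proxy-common-ssl.conf` the way the 443 block does, so its TLS protocol and cipher settings come from the http-level defaults rather than the shared snippet; if that is not intended, add the same include there. The `/_matrix` locations forward to Synapse over plain HTTP on the adm network, which relies on that network being trusted, and a one-line comment stating that assumption would help the next maintainer.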