Diffstat (limited to 'roles/znc')
-rw-r--r--roles/znc/defaults/main.yml4
-rw-r--r--roles/znc/files/etc/sasl2/znc.conf2
-rw-r--r--roles/znc/handlers/main.yml8
-rw-r--r--roles/znc/meta/main.yml4
-rw-r--r--roles/znc/tasks/freeipa.yml49
-rw-r--r--roles/znc/tasks/main.yml86
-rw-r--r--roles/znc/templates/var/lib/znc/.znc/configs/znc.conf.j262
-rw-r--r--roles/znc/templates/var/lib/znc/.znc/moddata/cyrusauth/.registry.j22
-rw-r--r--roles/znc/vars/main.yml20
9 files changed, 237 insertions, 0 deletions
diff --git a/roles/znc/defaults/main.yml b/roles/znc/defaults/main.yml
new file mode 100644
index 0000000..229ab0a
--- /dev/null
+++ b/roles/znc/defaults/main.yml
@@ -0,0 +1,4 @@
+znc_irc_port: 6697
+znc_https_port: 8443
+znc_max_networks: 10
+znc_access_group: role-znc-access
diff --git a/roles/znc/files/etc/sasl2/znc.conf b/roles/znc/files/etc/sasl2/znc.conf
new file mode 100644
index 0000000..ad929f7
--- /dev/null
+++ b/roles/znc/files/etc/sasl2/znc.conf
@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: plain
diff --git a/roles/znc/handlers/main.yml b/roles/znc/handlers/main.yml
new file mode 100644
index 0000000..4db4153
--- /dev/null
+++ b/roles/znc/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: restart saslauthd
+ systemd:
+ name: saslauthd
+ state: restarted
+
+- name: reload znc
+ command: pkill -HUP znc
+ failed_when: no
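Review bot: `failed_when: no` on the `reload znc` handler uses a YAML 1.1 truthy spelling; write `failed_when: false`, and the same applies to `run_once: yes` and `nonposix: yes` in tasks/freeipa.yml and to `enabled: yes`, `permanent: yes` and `immediate: yes` in tasks/main.yml, which should all be `true`. Because this is the `command` module, the handler reports changed on every run regardless of whether a znc process was signalled; if that is acceptable it deserves a comment, otherwise a `register` plus `changed_when` on the exit code would make the report meaningful. The same `pkill -HUP znc` string is passed separately as `certificate_hook` in tasks/main.yml; if the getcert_request role runs it as a plain command (not visible here), a shared variable would keep the two in step.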
diff --git a/roles/znc/meta/main.yml b/roles/znc/meta/main.yml
new file mode 100644
index 0000000..29230f9
--- /dev/null
+++ b/roles/znc/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: yum
+ yum_repositories: epel
+ tags: yum
diff --git a/roles/znc/tasks/freeipa.yml b/roles/znc/tasks/freeipa.yml
new file mode 100644
index 0000000..3e3ab07
--- /dev/null
+++ b/roles/znc/tasks/freeipa.yml
@@ -0,0 +1,49 @@
+- name: create HBAC service
+ ipahbacsvc:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ znc_hbac_service }}'
+ description: ZNC IRC Bouncer
+ state: present
+ run_once: yes
+
+- name: create znc-servers hostgroup
+ ipahostgroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ znc_hbac_hostgroup }}'
+ description: ZNC Servers
+ host: "{{ groups[znc_hbac_hostgroup] | map('regex_replace', '$', '.' ~ ansible_domain) }}"
+ state: present
+ run_once: yes
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ znc_access_group }}'
+ description: ZNC Users
+ nonposix: yes
+ state: present
+ run_once: yes
+
+- name: create HBAC rule
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: allow_znc_on_znc_servers
+ description: Allow ZNC on ZNC servers
+ hostgroup:
+ - '{{ znc_hbac_hostgroup }}'
+ group:
+ - '{{ znc_access_group }}'
+ hbacsvc:
+ - '{{ znc_hbac_service }}'
+ run_once: yes
+
+- name: generate PAM configuration
+ copy:
+ content: |
+ auth required pam_sss.so
+ account required pam_sss.so
+ dest: /etc/pam.d/znc
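Review bot: The PAM stanza written to /etc/pam.d/znc by `generate PAM configuration` is only consulted if saslauthd runs with the pam mechanism, and nothing in this role sets that (the enable task and handler in tasks/main.yml leave the distribution default in place); if the default is being relied on, say so on the task, e.g. `# relies on saslauthd's default MECH=pam so /etc/pam.d/znc (pam_sss -> FreeIPA HBAC) gates logins`. The copy task also sets no `mode` or `owner`, so the file's permissions depend on the remote umask; `mode: '0644'` pins them. `create HBAC rule` is the only ipa* task in this file without an explicit `state: present`; adding it keeps the tasks consistent.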
diff --git a/roles/znc/tasks/main.yml b/roles/znc/tasks/main.yml
new file mode 100644
index 0000000..a64ffc5
--- /dev/null
+++ b/roles/znc/tasks/main.yml
@@ -0,0 +1,86 @@
+- name: install packages
+ dnf:
+ name: '{{ znc_packages }}'
+ state: present
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: irc
+ certificate_path: '{{ znc_certificate_path }}'
+ certificate_key_path: '{{ znc_certificate_key_path }}'
+ certificate_owner: znc
+ certificate_hook: pkill -HUP znc
+
+- name: generate dhparams
+ openssl_dhparam:
+ path: '{{ znc_dhparams_path }}'
+ size: 2048
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- name: configure saslauthd for znc
+ copy:
+ src: etc/sasl2/znc.conf
+ dest: /etc/sasl2/znc.conf
+ notify: restart saslauthd
+
+- name: enable saslauthd
+ systemd:
+ name: saslauthd
+ enabled: yes
+ state: started
+
+- name: create config directories
+ file:
+ path: '{{ znc_home }}/{{ item }}'
+ state: directory
+ owner: znc
+ group: znc
+ mode: 0700
+ loop:
+ - ''
+ - 'configs'
+ - 'moddata'
+ - 'moddata/cyrusauth'
+
+- name: generate config files
+ template:
+ src: '{{ znc_home[1:] }}/{{ item }}.j2'
+ dest: '{{ znc_home }}/{{ item }}'
+ owner: znc
+ group: znc
+ loop:
+ - configs/znc.conf
+ - moddata/cyrusauth/.registry
+ notify: reload znc
+
+- name: start znc
+ systemd:
+ name: znc
+ enabled: yes
+ state: started
+
+- name: forward https port
+ firewalld:
+ permanent: yes
+ immediate: yes
+ rich_rule: 'rule family={{ item }} forward-port port={{ 443 }} protocol=tcp to-port={{ znc_https_port }}'
+ state: enabled
+ loop:
+ - ipv4
+ - ipv6
+ tags: firewalld
+
+- name: open firewall ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ service: '{{ item }}'
+ state: enabled
+ loop:
+ - ircs
+ - https
+ tags: firewalld
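Review bot: `open firewall ports` enables the fixed `ircs` firewalld service while the IRC listener in znc.conf.j2 binds `znc_irc_port` from defaults/main.yml, so overriding that default leaves the actual listener port closed; open the port by number instead, as below. In `forward https port`, `port={{ 443 }}` is a Jinja expression wrapping a literal and reads more plainly as `port=443`. `mode: 0700` in `create config directories` is an unquoted octal; `mode: '0700'` avoids YAML 1.1 integer parsing. `generate config files` sets no `mode`, so the rendered znc.conf and .registry take the remote umask; `mode: '0600'` would make the intent explicit.
```yaml
- name: open firewall ports
  firewalld:
    permanent: true
    immediate: true
    port: '{{ item }}'
    state: enabled
  loop:
    - '{{ znc_irc_port }}/tcp'
    - 443/tcp
  tags: firewalld
```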
diff --git a/roles/znc/templates/var/lib/znc/.znc/configs/znc.conf.j2 b/roles/znc/templates/var/lib/znc/.znc/configs/znc.conf.j2
new file mode 100644
index 0000000..10f4df5
--- /dev/null
+++ b/roles/znc/templates/var/lib/znc/.znc/configs/znc.conf.j2
@@ -0,0 +1,62 @@
+AnonIPLimit = 10
+AuthOnlyViaModule = true
+ConfigWriteDelay = 0
+ConnectDelay = 5
+HideVersion = false
+LoadModule = cyrusauth saslauthd
+LoadModule = webadmin
+MaxBufferSize = 500
+ProtectWebSessions = true
+SSLCertFile = {{ znc_certificate_path }}
+SSLDHParamFile = {{ znc_dhparams_path }}
+SSLKeyFile = {{ znc_certificate_key_path }}
+ServerThrottle = 30
+Version = 1.8.2
+
+<Listener web>
+ AllowIRC = false
+ AllowWeb = true
+ IPv4 = true
+ IPv6 = true
+ Port = {{ znc_https_port }}
+ SSL = true
+</Listener>
+
+<Listener irc>
+ AllowIRC = true
+ AllowWeb = false
+ IPv4 = true
+ IPv6 = true
+ Port = {{ znc_irc_port }}
+ SSL = true
+</Listener>
+
+<User admin>
+ Admin = true
+ Nick = znc_admin
+ AltNick = znc_admin_
+ Ident = znc_admin
+ RealName = ZNC Administrator
+
+ <Pass password>
+ Hash = ::
+ Method = MD5
+ Salt = ::
+ </Pass>
+</User>
+
+<User {{ znc_clone_user }}>
+ Admin = false
+ Nick = znc_user
+ AltNick = znc_user_
+ Ident = znc_user
+ RealName = ZNC User
+ MaxNetworks = {{ znc_max_networks }}
+ LoadModule = chansaver
+
+ <Pass password>
+ Hash = ::
+ Method = MD5
+ Salt = ::
+ </Pass>
+</User>
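Review bot: `HideVersion = false` in znc.conf.j2 advertises the ZNC version string to clients and the web UI; `HideVersion = true` is the more conservative setting for a shared bouncer unless the banner is wanted. The `<User admin>` block carries `Admin = true`, and with `AuthOnlyViaModule = true` plus cyrusauth's CloneUser/CreateUser in the .registry template, that account is reachable only by whoever authenticates through saslauthd as a principal named `admin`, presumably the FreeIPA built-in account, subject to the `{{ znc_access_group }}` HBAC rule; a template comment stating that ZNC admin rights are bound to that IPA identity would prevent surprises. The two `<Pass password>` blocks with empty `Hash`/`Salt` are inert under `AuthOnlyViaModule = true` and deserve a one-line note, e.g. `{# local password unused: AuthOnlyViaModule routes every login through cyrusauth #}`.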
diff --git a/roles/znc/templates/var/lib/znc/.znc/moddata/cyrusauth/.registry.j2 b/roles/znc/templates/var/lib/znc/.znc/moddata/cyrusauth/.registry.j2
new file mode 100644
index 0000000..31bbe6e
--- /dev/null
+++ b/roles/znc/templates/var/lib/znc/.znc/moddata/cyrusauth/.registry.j2
@@ -0,0 +1,2 @@
+CloneUser {{ znc_clone_user }}
+CreateUser yes
diff --git a/roles/znc/vars/main.yml b/roles/znc/vars/main.yml
new file mode 100644
index 0000000..27cebbf
--- /dev/null
+++ b/roles/znc/vars/main.yml
@@ -0,0 +1,20 @@
+znc_packages:
+ - znc
+ - cyrus-sasl
+ - cyrus-sasl-plain
+
+znc_home: /var/lib/znc/.znc
+znc_clone_user: cloneuser
+
+znc_hbac_hostgroup: znc_servers
+znc_hbac_service: znc
+
+znc_certificate_path: /etc/pki/tls/certs/znc.pem
+znc_certificate_key_path: /etc/pki/tls/private/znc.key
+znc_dhparams_path: /etc/pki/tls/certs/dhparams-znc.pem
+
+znc_archive_shell: >-
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar czf "znc-${TIMESTAMP}.tar.gz"
+ --transform "s|^\.|znc-${TIMESTAMP}|"
+ -C "{{ znc_home }}" .
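Review bot: `znc_hbac_hostgroup: znc_servers` doubles as the FreeIPA hostgroup name and as the inventory group looked up via `groups[znc_hbac_hostgroup]` in tasks/freeipa.yml, which is not visible from this file; a comment such as `# also the inventory group that holds the ZNC hosts` would make the coupling explicit. `znc_archive_shell` is not referenced by any task in this commit, so either document where it is consumed or drop it; its `tar czf` writes the archive into the caller's current working directory, which is worth stating next to it. `znc_home` is sliced with `znc_home[1:]` in tasks/main.yml to derive the template path, so the leading `/` and the `templates/var/lib/znc/.znc/` layout must stay in step; a comment here would help the next maintainer.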