author | Hugo Hörnquist <hugo@lysator.liu.se> | 2023-06-15 19:03:23 +0200 |
---|---|---|
committer | Hugo Hörnquist <hugo@lysator.liu.se> | 2023-06-15 19:03:23 +0200 |
commit | 73b98210f69455b33116f8c2ca3aab6daf473bab (patch) | |
tree | 1c059346ab41ac895ddbf1e7b4cc10918b6cdb18 /manifests/auth | |
parent | Initial commit. (diff) | |
download | concourse-73b98210f69455b33116f8c2ca3aab6daf473bab.tar.gz concourse-73b98210f69455b33116f8c2ca3aab6daf473bab.tar.xz |
Initial add.
Diffstat (limited to 'manifests/auth')
-rw-r--r-- | manifests/auth/ldap.pp | 49 | ||||
-rw-r--r-- | manifests/auth/local.pp | 72 |
2 files changed, 121 insertions, 0 deletions
diff --git a/manifests/auth/ldap.pp b/manifests/auth/ldap.pp
new file mode 100644
index 0000000..7e4472b
--- /dev/null
+++ b/manifests/auth/ldap.pp
@@ -0,0 +1,49 @@
+# @summary Concourse local authentication
+# @param users
+# List of local users.
+# @param main_team_users
+# List of users which should be added to the "main" team.
+# @param main_team_group
+# Ignored, but here to keep the same "API" with the other auth modules.
+class concourse::auth::local (
+ Array[Struct[{
+ 'name' => String,
+ 'password' => Variant[String, Sensitive[String]],
+ }]] $users,
+ Optional[Array[String]] $main_team_user,
+ Optional[Array[String]] $main_team_group, # ignored
+ Enum['absent', 'present'] $ensure = 'present',
+) {
+ $env_file = "${concourse::web::conf_dir}/auth-local"
+
+ $environment = {
+ 'CONCOURSE_ADD_LOCAL_USER' => $users.map |$user| {
+ $name = $user['name']
+ $pass = $user['password'] ? {
+ String => $user['password'],
+ default => $user['password'].unwrap,
+ }
+ "${name}:${pass}"
+ }.join(','),
+ 'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $main_team_group ? {
+ Array => $main_team_group.join(','),
+ default => undef,
+ },
+ }
+
+ file { $env_file:
+ ensure => $ensure,
+ content => epp("${module_name}/env.epp", $environment),
+ # To not show new password
+ show_diff => false,
+ mode => '0600',
+ }
+
+ systemd::manage_dropin { 'concourse-local-auth':
+ ensure => $ensure,
+ unit => $concourse::web::service,
+ service_entry => {
+ 'EnvironmentFile' => $env_file,
+ },
+ }
+}
diff --git a/manifests/auth/local.pp b/manifests/auth/local.pp
new file mode 100644
index 0000000..289ce15
--- /dev/null
+++ b/manifests/auth/local.pp
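Review bot: This file defines `class concourse::auth::local` although its path is `manifests/auth/ldap.pp`, and the `manifests/auth/local.pp` section below defines `concourse::auth::ldap`; Puppet's autoloader derives the manifest path from the class name, so neither class can be found until the two files' contents are swapped (this applies to both sections). `CONCOURSE_MAIN_TEAM_LOCAL_USER` is also built from `$main_team_group`, which the header documents as ignored, while `$main_team_user` is never read; the selector should read `'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $main_team_user ? {` with `Array => $main_team_user.join(','),`. The `@param main_team_users` doc line does not match the declared parameter `$main_team_user`. Because `$environment` carries the unwrapped passwords, consider `content => Sensitive(epp("${module_name}/env.epp", $environment)),` so the plaintext is redacted in the catalog and reports as well, not only in the resource diff that `show_diff => false` suppresses.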
@@ -0,0 +1,72 @@
+# @summary Concourse LDAP authentication
+# Most attributes maps directly to concourse's options, but with
+# `CONCOURSE_LDAP_` prefixed.
+class concourse::auth::ldap (
+ String $host,
+ String $bind_dn,
+ Variant[String, Sensitive[String]] $bind_pw,
+ String $user_search_base_dn,
+ String $user_search_username = 'uid',
+ Optional[String] $display_name = undef,
+ Optional[String] $user_search_filter = undef,
+ Optioal[String] $user_search_id_attr = undef,
+ Optional[String] $user_search_email_attr = undef,
+ Optional[String] $user_search_name_attr = undef,
+ Optional[Stdlib::Absolutepath] $ca_cert = undef,
+ Boolean $insecure_no_ssl = false,
+ Optional[String] $group_search_base_dn = undef,
+ String $group_search_name_attr = 'ou',
+ String $group_search_user_attr = 'uid',
+ String $group_search_group_attr = 'members',
+ Optional[String] $group_search_filter = undef,
+ Optional[Array[String]] $main_team_user,
+ Optional[Array[String]] $main_team_group,
+
+ Enum['absent', 'present'] $ensure = 'present',
+) {
+ $env_file = "${concourse::web::conf_dir}/auth-ldap"
+
+ $environment = {
+ 'CONCOURSE_LDAP_HOST' => $host,
+ 'CONCOURSE_LDAP_BIND_DN' => $bind_dn,
+ 'CONCOURSE_LDAP_BIND_PW' => $bind_pw,
+ 'CONCOURSE_LDAP_USER_SEARCH_BASE_DN' => $user_search_base_dn,
+ 'CONCOURSE_LDAP_USER_SEARCH_USERNAME' => $user_search_username,
+ 'CONCOURSE_LDAP_DISPLAY_NAME' => $display_name,
+ 'CONCOURSE_LDAP_USER_SEARCH_FILTER' => $user_search_filter,
+ 'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR' => $user_search_id_attr,
+ 'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR' => $user_search_email_attr,
+ 'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR' => $user_search_name_attr,
+ 'CONCOURSE_LDAP_CA_CERT' => $ca_cert,
+ 'CONCOURSE_LDAP_INSECURE_NO_SSL' => $insecure_no_ssl,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN' => $group_search_base_dn,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR' => $group_search_name_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR' => $group_search_user_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
+ 'CONCOURSE_LDAP_GROUP_SEARCH_FILTER' => $group_search_filter,
+ 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER' => $main_team_user ? {
+ Array => $main_team_user.join(','),
+ default => undef,
+ },
+ 'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP' => $main_team_group ? {
+ Array => $main_team_user.join(','),
+ default => undef,
+ },
+ }
+
+ file { $env_file:
+ ensure => $ensure,
+ content => epp("${module_name}/env.epp", $environment),
+ # To not show new password
+ show_diff => false,
+ mode => '0600',
+ }
+
+ systemd::manage_dropin { 'concourse-ldap-auth':
+ ensure => $ensure,
+ unit => $concourse::web::service,
+ service_entry => {
+ 'EnvironmentFile' => $env_file,
+ },
+ }
+} |
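Review bot: `Optioal[String] $user_search_id_attr = undef,` in the parameter list names a type that does not exist, so compiling any catalog that declares this class fails on an unknown type; it should be `Optional[String] $user_search_id_attr = undef,`. `CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP` joins `$main_team_user` instead of `$main_team_group`, so the group list is silently replaced by the user list; the line should be `Array => $main_team_group.join(','),`. `$bind_pw` accepts `Sensitive[String]` but is placed into `$environment` as-is, unlike the `.unwrap` handling the local-auth class uses, so a Sensitive value presumably renders as the redacted placeholder rather than the bind password; mirror that pattern with `'CONCOURSE_LDAP_BIND_PW' => $bind_pw ? { String => $bind_pw, default => $bind_pw.unwrap },`. The bind password then sits in plaintext in the `$environment` hash, so wrapping the file content as `content => Sensitive(epp("${module_name}/env.epp", $environment)),` is worth considering alongside the existing `show_diff => false`.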