From 121f49a828e3a64261b0392091ab75b72eec82e5 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 21 Dec 2021 10:48:22 +0100
Subject: [PATCH] add ldap frontend

---
 bundles/ldap-frontend/files/config.json | 4 ++
 .../ldap-frontend/files/ldap-frontend.service | 14 +++++
 bundles/ldap-frontend/items.py | 59 +++++++++++++++++++
 bundles/ldap-frontend/metadata.py | 21 +++++++
 nodes/qzwi.toml | 11 ++++
 5 files changed, 109 insertions(+)
 create mode 100644 bundles/ldap-frontend/files/config.json
 create mode 100644 bundles/ldap-frontend/files/ldap-frontend.service
 create mode 100644 bundles/ldap-frontend/items.py
 create mode 100644 bundles/ldap-frontend/metadata.py

diff --git a/bundles/ldap-frontend/files/config.json b/bundles/ldap-frontend/files/config.json
new file mode 100644
index 0000000..d7feb99
--- /dev/null
+++ b/bundles/ldap-frontend/files/config.json
@@ -0,0 +1,4 @@
+<%
+    from bundlewrap.metadata import metadata_to_json
+%>\
+${metadata_to_json(node.metadata.get('ldap-frontend', {}))}
diff --git a/bundles/ldap-frontend/files/ldap-frontend.service b/bundles/ldap-frontend/files/ldap-frontend.service
new file mode 100644
index 0000000..14ccbbb
--- /dev/null
+++ b/bundles/ldap-frontend/files/ldap-frontend.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=LDAP fronten
+After=network.target
+Requires=slapd.service
+
+[Service]
+User=www-data
+Group=www-data
+Environment=APP_CONFIG=/opt/ldap-frontend/config.json
+WorkingDirectory=/opt/ldap-frontend/src
+ExecStart=/opt/ldap-frontend/venv/bin/gunicorn --threads 4 --bind 127.0.0.1:23000 'ldap_frontend:app'
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/ldap-frontend/items.py b/bundles/ldap-frontend/items.py
new file mode 100644
index 0000000..8d458d6
--- /dev/null
+++ b/bundles/ldap-frontend/items.py
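Review bot: In the ldap-frontend.service hunk, `Requires=slapd.service` is paired only with `After=network.target`, so there is no start ordering against slapd: the unit may be launched while slapd is still starting and the app's first LDAP bind can fail. Change the ordering line to `After=network.target slapd.service` and fix the typo in `Description=LDAP frontend`. Since the service only needs to read its source tree and config, consider also adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` under `[Service]`, plus `Restart=on-failure`, provided the application does not write under /opt (not visible here, so confirm before enabling `ProtectSystem=strict`).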
@@ -0,0 +1,59 @@
+directories = {
+    '/opt/ldap-frontend/src': {},
+}
+
+git_deploy = {
+    '/opt/ldap-frontend/src': {
+        'repo': 'https://git.franzi.business/qzwi/ldap-frontend.git',
+        'rev': 'main',
+        'triggers': {
+            'action:ldap-frontend_install_deps',
+            'svc_systemd:ldap-frontend:restart',
+        },
+    },
+}
+
+actions = {
+    'ldap-frontend_make_virtualenv': {
+        'command': 'virtualenv -p python3 /opt/ldap-frontend/venv',
+        'unless': 'test -d /opt/ldap-frontend/venv',
+        'needs': {
+            'directory:/opt/ldap-frontend/src',
+        },
+    },
+    'ldap-frontend_install_deps': {
+        'triggered': True,
+        'command': ' && '.join([
+            'cd /opt/ldap-frontend/src',
+            '/opt/ldap-frontend/venv/bin/pip install --upgrade -r requirements.txt',
+        ]),
+        'needs': {
+            'action:ldap-frontend_make_virtualenv',
+        },
+    },
+}
+
+files = {
+    '/etc/systemd/system/ldap-frontend.service': {
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:ldap-frontend:restart',
+        },
+    },
+    '/opt/ldap-frontend/config.json': {
+        'content_type': 'mako',
+        'triggers': {
+            'svc_systemd:ldap-frontend:restart',
+        },
+    },
+}
+
+svc_systemd = {
+    'ldap-frontend': {
+        'needs': {
+            'action:ldap-frontend_install_deps',
+            'file:/etc/systemd/system/ldap-frontend.service',
+            'file:/opt/ldap-frontend/config.json',
+        },
+    },
+}
diff --git a/bundles/ldap-frontend/metadata.py b/bundles/ldap-frontend/metadata.py
new file mode 100644
index 0000000..86b9212
--- /dev/null
+++ b/bundles/ldap-frontend/metadata.py
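Review bot: The `/opt/ldap-frontend/config.json` file item sets no owner, group or mode, yet the mako template it renders dumps the whole `ldap-frontend` metadata including the vault-decrypted LDAP bind password, so the file is created with bundlewrap's defaults, which are readable by every local account. Add `'owner': 'www-data',`, `'group': 'www-data',` and `'mode': '0400',` to that item so only the service user (set in the unit file) can read it. Separately, `'rev': 'main'` deploys a moving branch, so every `bw apply` can pull new code and new `requirements.txt` pins without a review step; pinning `rev` to a commit or tag keeps the deployed version reproducible.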
@@ -0,0 +1,21 @@
+defaults = {
+    'ldap-frontend': {
+        'ldap': {
+            'server': 'ldap://localhost:389',
+            'username': 'uid=ldap-frontend,ou=Applications,dc=qzwi,dc=de',
+            'password': repo.vault.decrypt('encrypt$gAAAAABhwZ_5KNOCqkSwMm9zmeVksndPXXtrKJUatf7GYhwvVJQJQwM0OX7S-ZKHwBVCxegMqS46LrJX0ZLTH_gouekKEGRSsttARZgs9giAGy9ijXdDirQ='),
+            'group_base': 'ou=Groups,dc=qzwi,dc=de',
+            'user_base': 'ou=Users,dc=qzwi,dc=de',
+        },
+        'template': {
+            'group_admin': '(&(objectclass=inetOrgPerson)(uid={})(memberOf=ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de))',
+            'group_dn': 'ou={},ou=Groups,dc=qzwi,dc=de',
+            'group_members': '(&(objectclass=inetOrgPerson)(memberOf=ou={},ou=Groups,dc=qzwi,dc=de))',
+            'group_nonmembers': '(&(objectclass=inetOrgPerson)(!(memberOf=ou={},ou=Groups,dc=qzwi,dc=de)))',
+            'user_dn': 'uid={},ou=Users,dc=qzwi,dc=de',
+            'user_search': '(&(objectclass=inetOrgPerson)(uid={}))',
+        },
+        'title': 'Usermanagement QZWI',
+    },
+}
+
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index f9fab90..2e7cbdf 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -1,6 +1,7 @@
 #hostname = "2a00:f820:528::4"
 hostname = "31.47.232.108"
 bundles = [
+    "ldap-frontend",
     "letsencrypt",
     "nginx",
     "nextcloud",
@@ -37,6 +38,8 @@ ssl = "letsencrypt"
 [metadata.nginx.vhosts.openldap]
 domain = "ldap.qzwi.de"
 ssl = "letsencrypt"
+[metadata.nginx.vhosts.openldap.locations."/"]
+target = "http://127.0.0.1:23000"
 
 [metadata.openldap]
 my_hostname = "ldap.qzwi.de"
@@ -52,6 +55,14 @@ schemas = [
 write = [
     "uid=nextcloud,ou=Applications,dc=qzwi,dc=de",
 ]
+manage = [
+    "uid=ldap-frontend,ou=Applications,dc=qzwi,dc=de",
+]
+
+[metadata.openldap.access."ou=Groups,dc=qzwi,dc=de"]
+manage = [
+    "uid=ldap-frontend,ou=Applications,dc=qzwi,dc=de",
+]
 
 [metadata.vm]
 cpu = 4
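Review bot: The `template` entries are `str.format` patterns whose `{}` slots are filled by the application with names typed into the web UI, and nothing on this side documents that those values must be escaped: for the `*_search`/`group_*` filters per RFC 4515 and for the `*_dn` patterns per RFC 4514, otherwise a crafted name changes the meaning of the filter or DN that the `manage`-privileged bind runs. The application code is not in this diff, so whether it already escapes cannot be confirmed here; a comment above `'template': {` such as `# values substituted into {} must be filter-escaped (RFC 4515) / DN-escaped (RFC 4514) by the app before formatting` would pin that contract for whoever edits these strings. The `group_admin` filter also hard-codes `ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de` rather than building on `group_base`, which is easy to miss when the base changes.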
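Review bot: In the `@@ -52,6 +55,14 @@` hunk the frontend's bind DN is granted `manage` on both the Users subtree and the new Groups subtree, while the existing nextcloud entry in the same table only has `write`. In OpenLDAP's access levels `manage` sits above `write` and additionally permits modifying operational attributes and bypassing schema/integrity checks via the relax control, which a user-management UI normally does not need. Unless the application relies on that, move both entries from `manage = [` to the existing `write = [` list (and a `write` list in the new Groups table) so the bind holds least privilege. Also note this account can change `userPassword` for every entry under `ou=Users`, which is inherent to the feature but worth recording next to the ACL.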