From f17a420a648e4a0835044d5cd59db0ebd9f3b6f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 22 Aug 2022 13:40:07 +0100 Subject: [PATCH 1/4] Update VM base image --- site-cookbooks/kosmos_kvm/attributes/default.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos_kvm/attributes/default.rb b/site-cookbooks/kosmos_kvm/attributes/default.rb index 709728b..d20a34b 100644 --- a/site-cookbooks/kosmos_kvm/attributes/default.rb +++ b/site-cookbooks/kosmos_kvm/attributes/default.rb @@ -1,7 +1,7 @@ -ubuntu_server_cloud_image_release = "20220530" +ubuntu_server_cloud_image_release = "20220810" node.default["kosmos_kvm"]["host"]["qemu_base_image"] = { "url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img", - "checksum" => "0295bee0539924774327d5267aa8e2eeac315b9efea7136c83643fce454529b8", + "checksum" => "6db74917f85146569cb6ae89e1d163ac6d1e488a7f32bc74761ec6d1869c714f", "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2" } From 80c3e4e2700c65e7a3d40d89ba466efb098aa7c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 22 Aug 2022 13:40:26 +0100 Subject: [PATCH 2/4] Create ldap-3 VM --- clients/ldap-3.json | 4 ++++ nodes/ldap-3.json | 54 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 clients/ldap-3.json create mode 100644 nodes/ldap-3.json diff --git a/clients/ldap-3.json b/clients/ldap-3.json new file mode 100644 index 0000000..a31f0ff --- /dev/null +++ b/clients/ldap-3.json 
@@ -0,0 +1,4 @@ +{ + "name": "ldap-3", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLndVZtKubbJf2izx6vN\ntU0gwZUhcCz4Dq+Ilu9D8tPVEWUqKp9RyPkSO8iIxdLXJ8ZjtG3oBVPFGka/fW1a\n/SSf4Yn6ArkNhP9dmDKzrOYOuoPF+h+Fa9Jecy2PtNzhGdBdynIK4ezJIdq5vPEG\nAsJf/Ad9EIU8D4Aj/nhNUwfUwsFTTE++LL9yCzRiDHg6pjNToM75V/+fFPk0UL1/\neLcaJzqi5WeXhfq7DbjMtqnt/+vUxO2YAk9MDb3U15hnH4xkxtDfRth1UGkpR/PK\naLn/RTS9sqk3oMZVzDSioXO0TGp00sWDmvpBvEBwlYgWnx1o8JQnkClvn2OSo6va\nzQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/nodes/ldap-3.json b/nodes/ldap-3.json new file mode 100644 index 0000000..7ca28bd --- /dev/null +++ b/nodes/ldap-3.json @@ -0,0 +1,54 @@ +{ + "name": "ldap-3", + "normal": { + "knife_zero": { + "host": "10.1.1.6" + } + }, + "automatic": { + "fqdn": "ldap-3", + "os": "linux", + "os_version": "5.4.0-1073-kvm", + "hostname": "ldap-3", + "ipaddress": "192.168.122.34", + "roles": [ + + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.10.3", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.9.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[kvm_guest]" + ] +} From 85abfd4e5e565760fce6b6d54abe9546d2a71c92 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 22 Aug 2022 16:15:02 +0200
Subject: [PATCH 3/4] Create the required groups and ACIs
---
 site-cookbooks/kosmos-dirsrv/files/acis.ldif | 5 +--
 site-cookbooks/kosmos-dirsrv/files/users.ldif | 32 +++++++++++++++++--
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/site-cookbooks/kosmos-dirsrv/files/acis.ldif b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
index f882afc..641fce9 100644
--- a/site-cookbooks/kosmos-dirsrv/files/acis.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
@@ -1,5 +1,6 @@
+# LDAPv3 [0/223]
+# kosmos.org
 dn: dc=kosmos,dc=org
 changetype: modify
 replace: aci
-aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
-aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
diff --git a/site-cookbooks/kosmos-dirsrv/files/users.ldif b/site-cookbooks/kosmos-dirsrv/files/users.ldif
index 5055e99..754b6e4 100644
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
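Review bot: The `replace: aci` on `dc=kosmos,dc=org` drops the `user-write-own-password` ACI without granting `write` on `userPassword` anywhere else in this hunk, so a bound user can no longer change their own password unless another ACI outside this file covers it; if self-service password change is still wanted, re-add `aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)`. The new self ACI uses `targetattr="*"`, which covers `userPassword` too, so every user can read back their own password hash; 389-ds should accept a negated list such as `(targetattr != "userPassword")` if that is not intended. The explicit `user-deny-all` is gone as well — the server denies by default, so this is not an exposure on its own, but it was the guard against a later overly permissive ACI on the suffix. `# LDAPv3 [0/223]` reads like a header pasted from an ldapsearch/ldapvi session rather than an intended comment; replace it with something like `# ACIs on the dc=kosmos,dc=org suffix (replace: wipes any existing ACIs on the entry)`.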
@@ -1,4 +1,32 @@
-dn: ou=users,dc=kosmos,dc=org
+# users, kosmos.org
+dn: cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalRole
+cn: users
+
+# kosmos.org, users, kosmos.org
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
-ou: users
+description: Kosmos
+ou: kosmos.org
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
+
+# 5apps.com, users, kosmos.org
+dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalUnit
+description: 5apps
+ou: 5apps.com
+aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-5apps-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
+
+# admin role
+dn: cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: LDAPsubentry
+objectClass: nsRoleDefinition
+objectClass: nsComplexRoleDefinition
+objectClass: nsFilteredRoleDefinition
+cn: admin_role
+nsRoleFilter: (&(objectclass=person)(admin=true))
+description: filtered role for admins
From e4d4aa45f7c6639550768637c56e151559776a1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 22 Aug 2022 16:16:01 +0200
Subject: [PATCH 4/4] Use FQDN for hostname, add LDAP server
---
 nodes/{ldap-3.json => ldap-3.kosmos.org.json} | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
 rename nodes/{ldap-3.json => ldap-3.kosmos.org.json} (73%)
diff --git a/nodes/ldap-3.json b/nodes/ldap-3.kosmos.org.json
similarity index 73%
rename from nodes/ldap-3.json
rename to nodes/ldap-3.kosmos.org.json
index 7ca28bd..c3570d0 100644
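Review bot: Both service ACIs (`service-kosmos-read-search` and `service-5apps-read-search`) list `userPassword` in `targetattr` with `read`, so each service account can pull the password hash of every user under its OU; an application that authenticates users by binding as them does not need that, and one that checks passwords with an LDAP compare needs `compare`, not `read`. Unless the applications really do read hashes, drop it from both lists, e.g. `(targetattr="cn || sn || uid || mail || nsRole || objectClass")`. The `admin_role` filtered role grants membership to any `person` entry under `ou=kosmos.org` carrying `admin=true`, so whoever can write the `admin` attribute on a user can make that user an admin — as far as this series shows, self and the service accounts get only `read,search`, but the dependency deserves a comment on the role entry such as `# membership follows the admin attribute: never grant users write on it`. `admin` is not a standard schema attribute and the `cn=applications` container the ACIs bind to is not created in this file, so presumably a custom schema and another ldif provide them — worth confirming they load before this one.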
--- a/nodes/ldap-3.json
+++ b/nodes/ldap-3.kosmos.org.json
@@ -1,22 +1,26 @@
 {
- "name": "ldap-3",
+ "name": "ldap-3.kosmos.org",
 "normal": {
 "knife_zero": {
 "host": "10.1.1.6"
 }
 },
 "automatic": {
- "fqdn": "ldap-3",
+ "fqdn": "ldap-3.kosmos.org",
 "os": "linux",
 "os_version": "5.4.0-1073-kvm",
 "hostname": "ldap-3",
 "ipaddress": "192.168.122.34",
 "roles": [
-
+ "kvm_guest",
+ "dirsrv_primary"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
+ "kosmos_kvm::guest",
+ "kosmos-dirsrv",
+ "kosmos-dirsrv::default",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -30,7 +34,12 @@
 "postfix::_common",
 "postfix::_attributes",
 "postfix::sasl_auth",
- "hostname::default"
+ "hostname::default",
+ "kosmos-dirsrv::hostsfile",
+ "kosmos-dirsrv::firewall",
+ "backup::default",
+ "logrotate::default",
+ "ulimit::default"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
@@ -49,6 +58,7 @@
 },
 "run_list": [
 "recipe[kosmos-base]",
- "role[kvm_guest]"
+ "role[kvm_guest]",
+ "role[dirsrv_primary]"
 ]
-}
+}
\ No newline at end of file