From 685deea920514b656718a630a3cddd8a316bf895 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Thu, 2 Dec 2021 19:08:27 +0100
Subject: [PATCH] Simplify dirsrv setup
Connecting directly using zerotier, no more nginx
---
 site-cookbooks/kosmos-dirsrv/files/tls.ldif | 26 -------
 site-cookbooks/kosmos-dirsrv/metadata.rb | 1 -
 .../kosmos-dirsrv/recipes/default.rb | 21 ------
 .../kosmos-dirsrv/recipes/firewall.rb | 22 +-----
 .../kosmos-dirsrv/resources/instance.rb | 71 -------------------
 .../templates/nginx_conf_empty.erb | 0
 6 files changed, 1 insertion(+), 140 deletions(-)
 delete mode 100644 site-cookbooks/kosmos-dirsrv/files/tls.ldif
 delete mode 100644 site-cookbooks/kosmos-dirsrv/templates/nginx_conf_empty.erb
diff --git a/site-cookbooks/kosmos-dirsrv/files/tls.ldif b/site-cookbooks/kosmos-dirsrv/files/tls.ldif
deleted file mode 100644
index 0cc5065..0000000
--- a/site-cookbooks/kosmos-dirsrv/files/tls.ldif
+++ /dev/null
@@ -1,26 +0,0 @@
-dn: cn=config
-changetype: modify
-replace: nsslapd-security
-nsslapd-security: on
-
-dn: cn=encryption,cn=config
-changetype: modify
-replace: nsSSLSessionTimeout
-nsSSLSessionTimeout: 0
--
-replace: nsSSLClientAuth
-nsSSLClientAuth: off
--
-replace: nsSSL3
-nsSSL3: off
--
-replace: nsSSL2
-nsSSL2: off
-
-dn: cn=RSA,cn=encryption,cn=config
-objectClass: top
-objectClass: nsEncryptionModule
-nsSSLPersonalitySSL: Server-Cert
-nsSSLActivation: on
-nsSSLToken: internal (software)
-cn: RSA
diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb
index b022a52..34060e5 100644
--- a/site-cookbooks/kosmos-dirsrv/metadata.rb
+++ b/site-cookbooks/kosmos-dirsrv/metadata.rb
@@ -11,5 +11,4 @@ depends "firewall"
 depends "apt"
 depends "ulimit"
 depends "backup"
-depends "kosmos-nginx"
 depends "kosmos-base"
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
index 6bcb871..9b00066 100644
--- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb
+++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-dirsrv
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 credentials = data_bag_item("credentials", "dirsrv")
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb
index b466666..e0b7c9a 100644
--- a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb
+++ b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb
@@ -2,32 +2,12 @@
 # Cookbook Name:: kosmos-dirsrv
 # Recipe:: firewall
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 include_recipe "kosmos-base::firewall"
 firewall_rule "ldap" do
 port [389, 636]
+ source "10.1.1.0/24" # zerotier
 protocol :tcp
 command :allow
 end
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index d0f80bc..87675dd 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
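Review bot: The rule keeps 636 open while this same commit deletes tls.ldif and the `add tls config` step in instance.rb that switched `nsslapd-security: on`, so unless TLS is enabled somewhere outside this cookbook the LDAPS listener on 636 probably no longer exists and the rule should be narrowed to `port 389`, or a comment should state where TLS is now configured. With TLS gone, any simple bind on 389 travels in clear text and the hard-coded `source "10.1.1.0/24"` is the only thing keeping that traffic off the host's other interfaces; a comment such as `# LDAP is plaintext on this port; zerotier provides the transport encryption, so keep the source scoped to the zerotier subnet` would make that trust boundary explicit. Moving the subnet into a cookbook attribute (name to be chosen) instead of a literal in the recipe would avoid a silent gap if the zerotier network is ever renumbered.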
@@ -109,75 +109,4 @@ nsslapd-allow-anonymous-access: off
 action :nothing
 end
- unless node.chef_environment == "development"
- package "libnss3-tools" # provides pk12util
-
- cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
- source "tls.ldif"
- owner "root"
- group "root"
- end
-
- include_recipe "kosmos-nginx"
- include_recipe "kosmos-base::letsencrypt"
-
- dirsrv_hook = <<-EOF
-#!/usr/bin/env bash
-
-set -e
-
-# Copy the dirsrv certificate and restart the server if it has been renewed
-# This is necessary because dirsrv uses a different format for the certificates
-for domain in $RENEWED_DOMAINS; do
- case $domain in
- #{new_resource.hostname})
- openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
- pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
- # Remove the encryption key entries from the current database.
- # They will be recreated on restart for the new certificate
- awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
- mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
- systemctl restart #{service_name}
- ;;
- esac
-done
- EOF
-
- file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
- content dirsrv_hook
- mode 0755
- owner "root"
- group "root"
- end
-
- template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
- source 'nginx_conf_empty.erb'
- owner node["nginx"]["user"]
- mode 0640
- notifies :reload, 'service[nginx]', :delayed
- end
-
- nginx_certbot_site new_resource.hostname do
- notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
- end
-
- # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
- # has been generated before. The renew cron will take care of renewing
- execute "letsencrypt cert for #{new_resource.hostname}" do
- root_directory = "/var/www/#{new_resource.hostname}"
- command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
- only_if do
- ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
- !::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
- end
- notifies :run, "execute[add tls config]", :immediately
- end
-
- execute "add tls config" do
- command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
- sensitive true
- action :nothing
- notifies :restart, "service[#{service_name}]", :immediately
- end
- end
 end
diff --git a/site-cookbooks/kosmos-dirsrv/templates/nginx_conf_empty.erb b/site-cookbooks/kosmos-dirsrv/templates/nginx_conf_empty.erb
deleted file mode 100644
index e69de29..0000000