kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity

Simplify dirsrv setup

Browse Source 
Connecting directly using zerotier, no more nginx
This commit is contained in:
Greg Karékinian 2021-12-02 19:08:27 +01:00
parent d1d48cb749
commit 685deea920
6 changed files with 1 additions and 140 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
site-cookbooks/kosmos-dirsrv/files/tls.ldif
View File

@ -1,26 +0,0 @@
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLSessionTimeout
nsSSLSessionTimeout: 0
-
replace: nsSSLClientAuth
nsSSLClientAuth: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL2
nsSSL2: off
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
nsSSLToken: internal (software)
cn: RSA

1
site-cookbooks/kosmos-dirsrv/metadata.rb
View File

@ -11,5 +11,4 @@ depends "firewall"
depends "apt" depends "apt"
depends "ulimit" depends "ulimit"
depends "backup" depends "backup"
depends "kosmos-nginx"
depends "kosmos-base" depends "kosmos-base"

21
site-cookbooks/kosmos-dirsrv/recipes/default.rb
View File

@ -2,27 +2,6 @@
# Cookbook Name:: kosmos-dirsrv # Cookbook Name:: kosmos-dirsrv
# Recipe:: default # Recipe:: default
# #
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
credentials = data_bag_item("credentials", "dirsrv") credentials = data_bag_item("credentials", "dirsrv")

22
site-cookbooks/kosmos-dirsrv/recipes/firewall.rb
View File

@ -2,32 +2,12 @@
# Cookbook Name:: kosmos-dirsrv # Cookbook Name:: kosmos-dirsrv
# Recipe:: firewall # Recipe:: firewall
# #
# The MIT License (MIT)
#
# Copyright:: 2020, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe "kosmos-base::firewall" include_recipe "kosmos-base::firewall"
firewall_rule "ldap" do firewall_rule "ldap" do
port [389, 636] port [389, 636]
source "10.1.1.0/24" # zerotier
protocol :tcp protocol :tcp
command :allow command :allow
end end

71
site-cookbooks/kosmos-dirsrv/resources/instance.rb
View File

@ -109,75 +109,4 @@ nsslapd-allow-anonymous-access: off
action :nothing action :nothing
end end
unless node.chef_environment == "development"
package "libnss3-tools" # provides pk12util
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
source "tls.ldif"
owner "root"
group "root"
end
include_recipe "kosmos-nginx"
include_recipe "kosmos-base::letsencrypt"
dirsrv_hook = <<-EOF
#!/usr/bin/env bash
set -e
# Copy the dirsrv certificate and restart the server if it has been renewed
# This is necessary because dirsrv uses a different format for the certificates
for domain in $RENEWED_DOMAINS; do
case $domain in
#{new_resource.hostname})
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
# Remove the encryption key entries from the current database.
# They will be recreated on restart for the new certificate
awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
systemctl restart #{service_name}
;;
esac
done
EOF
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
content dirsrv_hook
mode 0755
owner "root"
group "root"
end
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
source 'nginx_conf_empty.erb'
owner node["nginx"]["user"]
mode 0640
notifies :reload, 'service[nginx]', :delayed
end
nginx_certbot_site new_resource.hostname do
notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
end
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for #{new_resource.hostname}" do
root_directory = "/var/www/#{new_resource.hostname}"
command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
only_if do
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
!::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
end
notifies :run, "execute[add tls config]", :immediately
end
execute "add tls config" do
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
notifies :restart, "service[#{service_name}]", :immediately
end
end
end end

0
site-cookbooks/kosmos-dirsrv/templates/nginx_conf_empty.erb
View File