Simplify dirsrv setup
Connecting directly using zerotier, no more nginx
This commit is contained in:
Greg Karékinian
parent
d1d48cb749
commit
685deea920
@ -1,26 +0,0 @@
|
||||
dn: cn=config
|
||||
changetype: modify
|
||||
replace: nsslapd-security
|
||||
nsslapd-security: on
|
||||
|
||||
dn: cn=encryption,cn=config
|
||||
changetype: modify
|
||||
replace: nsSSLSessionTimeout
|
||||
nsSSLSessionTimeout: 0
|
||||
-
|
||||
replace: nsSSLClientAuth
|
||||
nsSSLClientAuth: off
|
||||
-
|
||||
replace: nsSSL3
|
||||
nsSSL3: off
|
||||
-
|
||||
replace: nsSSL2
|
||||
nsSSL2: off
|
||||
|
||||
dn: cn=RSA,cn=encryption,cn=config
|
||||
objectClass: top
|
||||
objectClass: nsEncryptionModule
|
||||
nsSSLPersonalitySSL: Server-Cert
|
||||
nsSSLActivation: on
|
||||
nsSSLToken: internal (software)
|
||||
cn: RSA
|
||||
@ -11,5 +11,4 @@ depends "firewall"
|
||||
depends "apt"
|
||||
depends "ulimit"
|
||||
depends "backup"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos-base"
|
||||
|
||||
@ -2,27 +2,6 @@
|
||||
# Cookbook Name:: kosmos-dirsrv
|
||||
# Recipe:: default
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
credentials = data_bag_item("credentials", "dirsrv")
|
||||
|
||||
|
||||
@ -2,32 +2,12 @@
|
||||
# Cookbook Name:: kosmos-dirsrv
|
||||
# Recipe:: firewall
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2020, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
firewall_rule "ldap" do
|
||||
port [389, 636]
|
||||
source "10.1.1.0/24" # zerotier
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
@ -109,75 +109,4 @@ nsslapd-allow-anonymous-access: off
|
||||
action :nothing
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
package "libnss3-tools" # provides pk12util
|
||||
|
||||
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
|
||||
source "tls.ldif"
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
dirsrv_hook = <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
# Copy the dirsrv certificate and restart the server if it has been renewed
|
||||
# This is necessary because dirsrv uses a different format for the certificates
|
||||
for domain in $RENEWED_DOMAINS; do
|
||||
case $domain in
|
||||
#{new_resource.hostname})
|
||||
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
|
||||
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
|
||||
# Remove the encryption key entries from the current database.
|
||||
# They will be recreated on restart for the new certificate
|
||||
awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
|
||||
mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
|
||||
systemctl restart #{service_name}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
EOF
|
||||
|
||||
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
|
||||
content dirsrv_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
|
||||
source 'nginx_conf_empty.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_certbot_site new_resource.hostname do
|
||||
notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
||||
# has been generated before. The renew cron will take care of renewing
|
||||
execute "letsencrypt cert for #{new_resource.hostname}" do
|
||||
root_directory = "/var/www/#{new_resource.hostname}"
|
||||
command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
|
||||
only_if do
|
||||
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
|
||||
!::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
|
||||
end
|
||||
notifies :run, "execute[add tls config]", :immediately
|
||||
end
|
||||
|
||||
execute "add tls config" do
|
||||
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
|
||||
sensitive true
|
||||
action :nothing
|
||||
notifies :restart, "service[#{service_name}]", :immediately
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user