Merge branch 'feature/107-ldap_server' of kosmos/chef into master
commit
7fd558215d
|
@ -51,3 +51,5 @@ cookbook 'ipfs',
|
|||
ref: 'v0.4.1'
|
||||
cookbook 'elasticsearch', '= 4.2.0'
|
||||
cookbook 'java', '~> 4.3.0'
|
||||
|
||||
cookbook 'ulimit', '~> 1.0.0'
|
||||
|
|
|
@ -50,6 +50,7 @@ DEPENDENCIES
|
|||
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
|
||||
ref: v0.5.6
|
||||
timezone_iii (= 1.0.4)
|
||||
ulimit (~> 1.0.0)
|
||||
users (~> 5.3.1)
|
||||
|
||||
GRAPH
|
||||
|
@ -159,6 +160,7 @@ GRAPH
|
|||
seven_zip (3.1.1)
|
||||
windows (>= 0.0.0)
|
||||
timezone_iii (1.0.4)
|
||||
ulimit (1.0.0)
|
||||
users (5.3.1)
|
||||
windows (6.0.0)
|
||||
yum (5.1.0)
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
~FC059
|
|
@ -0,0 +1,68 @@
|
|||
# CHANGELOG for ulimit
|
||||
|
||||
This file is used to list changes made in each version of ulimit.
|
||||
|
||||
## 1.0.0
|
||||
|
||||
- Breaking change: This cookbook now requires Chef 12.7 or later
|
||||
- LWRPs converted to custom resources with Chef 13 compatibility
|
||||
- Added the rtprio property to the user resource
|
||||
- Updated the cookbook to not append .conf onto filenames when the user already specified a name that ends in .conf
|
||||
- Added a chefignore file to limit what files get uploaded to the chef server
|
||||
- Added a Test Kitchen config + InSpec tests for unit testing
|
||||
- Added the license file to the repo to resolve a Foodcritic warning
|
||||
- Added a Berksfile
|
||||
- Resolved all cookstyle warnings
|
||||
- Fixed the metadata license string to be an SPDX standard license string to resolve Foodcritic warnings
|
||||
- Add supports, source_url, issues_url, and chef_version metadata to resolve Foodcritic warnings
|
||||
- Switched the default recipe from platform to platform_family to catch more Debian/Ubuntu derivatives
|
||||
- Added testing with ChefDK's delivery local mode in Travis
|
||||
- Expanded the readme with better information on requirements and usage examples
|
||||
- Removed ChefSpec matchers that are autogenerated by ChefSpec now
|
||||
- Added Cookstyle and autocorrected all code
|
||||
- Added a basic ChefSpec unit test
|
||||
|
||||
## 0.3.2
|
||||
|
||||
- Resolves issue some users were having with a resource-loading race condition, thanks to Chris Roberts (<https://github.com/chrisroberts>)
|
||||
|
||||
## 0.3.1
|
||||
|
||||
- Fix domain typo, thanks to David Radcliffe (<https://github.com/dwradcliffe>) (also reported by Lewis Thompson (<https://github.com/lewisthompson>))
|
||||
- Add support for split hard/soft nofile limits, thanks to Troy Ready (<https://github.com/troyready>)
|
||||
- Fix license boilerplate, thanks to Troy Ready (<https://github.com/troyready>)
|
||||
- Fix limits.d file extension, thanks to <https://github.com/soul-rebel>
|
||||
|
||||
## 0.3.0
|
||||
|
||||
- Add Domain LWRP for arbitrary rule creation. Thanks for Chris Roberts (<https://github.com/chrisroberts>)
|
||||
|
||||
## 0.2.0
|
||||
|
||||
- Support specifying users via attributes (as long as your runlist includes the ulimit::default recipe). Thanks to Dmytro Shteflyuk (<https://github.com/kpumuk>)
|
||||
|
||||
## 0.1.5
|
||||
|
||||
- Allow setting core_limit. Thanks to Aaron Nichols (<https://github.com/adnichols>)
|
||||
|
||||
## 0.1.4:
|
||||
|
||||
- Does not set any ulimit parameter by default - only when specified. Thanks to Graham Christensen (<https://github.com/zippykid>)
|
||||
|
||||
## 0.1.3:
|
||||
|
||||
- Adds node attribute node['ulimit']['pam_su_template_cookbook'] to allow users to provide a su pam.d template from another cookbook
|
||||
|
||||
## 0.1.2:
|
||||
|
||||
- Add memory limit handling, courtesy of Sean Porter (<https://github.com/bmhatfield/chef-ulimit/pull/3>)
|
||||
|
||||
## 0.1.0:
|
||||
|
||||
- Initial release of ulimit
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
|
||||
|
||||
The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
|
|
@ -0,0 +1,145 @@
|
|||
# ulimit Cookbook
|
||||
|
||||
[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit)
|
||||
|
||||
This cookbook provides resources for managing ulimits configuration on nodes.
|
||||
|
||||
- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to.
|
||||
- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.
|
||||
|
||||
The cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu.
|
||||
|
||||
## Requirements
|
||||
|
||||
### Platforms
|
||||
|
||||
- Debian/Ubuntu and derivatives
|
||||
- RHEL/Fedora and derivatives
|
||||
|
||||
### Chef
|
||||
|
||||
- Chef 12.7+
|
||||
|
||||
### Cookbooks
|
||||
|
||||
- none
|
||||
|
||||
## Attributes
|
||||
|
||||
- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from
|
||||
- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below.
|
||||
|
||||
## Default Recipe
|
||||
|
||||
Instead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.
|
||||
|
||||
### Example role configuration:
|
||||
|
||||
```ruby
|
||||
"default_attributes": {
|
||||
"ulimit": {
|
||||
"users": {
|
||||
"tomcat": {
|
||||
"filehandle_limit": 8193,
|
||||
"process_limit": 61504
|
||||
},
|
||||
"hbase": {
|
||||
"filehandle_limit": 32768
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
To specify a change for all users change specify a wildcard resource or user name like so `user_ulimit "*"`
|
||||
|
||||
## Resources
|
||||
|
||||
### user_ulimit
|
||||
|
||||
The `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory.
|
||||
|
||||
#### Actions:
|
||||
|
||||
- `create`
|
||||
- `delete`
|
||||
|
||||
#### Properties
|
||||
|
||||
- `username` - Optional property to set the username if the resource name itself is not the username. See the example below.
|
||||
- `filename` - Optional filename to use instead of naming the file based on the username
|
||||
- `filehandle_limit` -
|
||||
- `filehandle_soft_limit` -
|
||||
- `filehandle_hard_limit` -
|
||||
- `process_limit` -
|
||||
- `process_soft_limit` -
|
||||
- `process_hard_limit` -
|
||||
- `memory_limit` -
|
||||
- `core_limit` -
|
||||
- `core_soft_limit` -
|
||||
- `core_hard_limit` -
|
||||
- `stack_soft_limit` -
|
||||
- `stack_hard_limit` -
|
||||
- `rtprio_limit` -
|
||||
- `rtprio_soft_limit` -
|
||||
- `rtprio_hard_limit` -
|
||||
|
||||
#### Examples
|
||||
|
||||
Example of a resource where the resource name is the username:
|
||||
|
||||
```ruby
|
||||
user_ulimit "tomcat" do
|
||||
filehandle_limit 8192 # optional
|
||||
filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set)
|
||||
filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set)
|
||||
process_limit 61504 # optional
|
||||
process_soft_limit 61504 # optional; not used if process_limit is set)
|
||||
process_hard_limit 61504 # optional; not used if process_limit is set)
|
||||
memory_limit 1024 # optional
|
||||
core_limit 2048 # optional
|
||||
core_soft_limit 1024 # optional
|
||||
core_hard_limit 'unlimited' # optional
|
||||
stack_soft_limit 2048 # optional
|
||||
stack_hard_limit 2048 # optional
|
||||
rtprio_limit 60 # optional
|
||||
rtprio_soft_limit 60 # optional
|
||||
rtprio_hard_limit 60 # optional
|
||||
end
|
||||
```
|
||||
|
||||
Example where the resource name is not the username:
|
||||
|
||||
```ruby
|
||||
user_ulimit 'set filehandle ulimits for our tomcat user' do
|
||||
username 'tomcat'
|
||||
filehandle_soft_limit 8192
|
||||
filehandle_hard_limit 8192
|
||||
end
|
||||
```
|
||||
|
||||
### ulimit_domain
|
||||
|
||||
Note: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.
|
||||
|
||||
#### Actions:
|
||||
|
||||
- `create`
|
||||
- `delete`
|
||||
|
||||
#### Examples:
|
||||
|
||||
```ruby
|
||||
ulimit_domain 'my_user' do
|
||||
rule do
|
||||
item :nofile
|
||||
type :hard
|
||||
value 10000
|
||||
end
|
||||
rule do
|
||||
item :nofile
|
||||
type :soft
|
||||
value 5000
|
||||
end
|
||||
end
|
||||
```
|
|
@ -0,0 +1,5 @@
|
|||
default['ulimit']['pam_su_template_cookbook'] = nil
|
||||
default['ulimit']['users'] = Mash.new
|
||||
default['ulimit']['security_limits_directory'] = '/etc/security/limits.d'
|
||||
default['ulimit']['ulimit_overriding_sudo_file_name'] = 'sudo'
|
||||
default['ulimit']['ulimit_overriding_sudo_file_cookbook'] = nil
|
|
@ -0,0 +1,9 @@
|
|||
#%PAM-1.0
|
||||
|
||||
auth required pam_env.so readenv=1 user_readenv=0
|
||||
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
|
||||
session required pam_limits.so
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session-noninteractive
|
||||
|
|
@ -0,0 +1,59 @@
|
|||
require 'chef/resource'
|
||||
|
||||
class Chef
|
||||
class Resource
|
||||
class UlimitDomain < Chef::Resource
|
||||
property :domain, String
|
||||
property :domain_name, String, name_property: true
|
||||
property :filename, String
|
||||
|
||||
load_current_value do |new_resource|
|
||||
new_resource.filename new_resource.name unless new_resource.filename
|
||||
new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
|
||||
|
||||
new_resource.subresource_rules.map! do |name, block|
|
||||
urule = Chef::Resource::UlimitRule.new("#{new_resource.name}:#{name}]", nil)
|
||||
urule.domain new_resource
|
||||
urule.action :nothing
|
||||
urule.instance_eval(&block)
|
||||
unless name
|
||||
urule.name "ulimit_rule[#{new_resource.name}:#{urule.item}-#{urule.type}-#{urule.value}]"
|
||||
end
|
||||
urule
|
||||
end
|
||||
end
|
||||
|
||||
attr_reader :subresource_rules
|
||||
|
||||
def initialize(*args)
|
||||
@subresource_rules = []
|
||||
super
|
||||
end
|
||||
|
||||
def rule(name = nil, &block)
|
||||
@subresource_rules << [name, block]
|
||||
end
|
||||
|
||||
action :create do
|
||||
new_resource.subresource_rules.map do |sub_resource|
|
||||
sub_resource.run_context = new_resource.run_context
|
||||
sub_resource.run_action(:create)
|
||||
end
|
||||
|
||||
new_resource.filename new_resource.name unless new_resource.filename
|
||||
new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
|
||||
template ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
|
||||
source 'domain.erb'
|
||||
cookbook 'ulimit'
|
||||
variables domain: new_resource.domain_name
|
||||
end
|
||||
end
|
||||
|
||||
action :delete do
|
||||
file ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
|
||||
action :delete
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,31 @@
|
|||
require 'chef/resource'
|
||||
|
||||
class Chef
|
||||
class Resource
|
||||
class UlimitRule < Chef::Resource
|
||||
property :type, [Symbol, String], required: true
|
||||
property :item, [Symbol, String], required: true
|
||||
property :value, [String, Numeric], required: true
|
||||
property :domain, [Chef::Resource, String], required: true
|
||||
|
||||
load_current_value do |new_resource|
|
||||
new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
|
||||
node.run_state[:ulimit] ||= Mash.new
|
||||
node.run_state[:ulimit][new_resource.domain] ||= Mash.new
|
||||
end
|
||||
|
||||
action :create do
|
||||
new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
|
||||
node.run_state[:ulimit] ||= Mash.new
|
||||
node.run_state[:ulimit][new_resource.domain] ||= Mash.new
|
||||
node.run_state[:ulimit][new_resource.domain][new_resource.item] ||= Mash.new
|
||||
node.run_state[:ulimit][new_resource.domain][new_resource.item][new_resource.type] = new_resource.value
|
||||
puts "Create: #{node.run_state[:ulimit].inspect}"
|
||||
end
|
||||
|
||||
action :delete do
|
||||
# NOOP
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,63 @@
|
|||
require 'chef/resource'
|
||||
|
||||
class Chef
|
||||
class Resource
|
||||
class UlimitUser < Chef::Resource
|
||||
resource_name :user_ulimit
|
||||
|
||||
property :username, String, name_property: true
|
||||
property :filename, String, default: lazy { |r| r.username == '*' ? '00_all_limits' : "#{r.username}_limits" }
|
||||
property :filehandle_limit, [String, Integer]
|
||||
property :filehandle_soft_limit, [String, Integer]
|
||||
property :filehandle_hard_limit, [String, Integer]
|
||||
property :process_limit, [String, Integer]
|
||||
property :process_soft_limit, [String, Integer]
|
||||
property :process_hard_limit, [String, Integer]
|
||||
property :memory_limit, [String, Integer]
|
||||
property :core_limit, [String, Integer]
|
||||
property :core_soft_limit, [String, Integer]
|
||||
property :core_hard_limit, [String, Integer]
|
||||
property :stack_limit, [String, Integer]
|
||||
property :stack_soft_limit, [String, Integer]
|
||||
property :stack_hard_limit, [String, Integer]
|
||||
property :rtprio_limit, [String, Integer]
|
||||
property :rtprio_soft_limit, [String, Integer]
|
||||
property :rtprio_hard_limit, [String, Integer]
|
||||
|
||||
action :create do
|
||||
new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
|
||||
template "/etc/security/limits.d/#{new_resource.filename}" do
|
||||
source 'ulimit.erb'
|
||||
cookbook 'ulimit'
|
||||
mode '0644'
|
||||
variables(
|
||||
ulimit_user: new_resource.username,
|
||||
filehandle_limit: new_resource.filehandle_limit,
|
||||
filehandle_soft_limit: new_resource.filehandle_soft_limit,
|
||||
filehandle_hard_limit: new_resource.filehandle_hard_limit,
|
||||
process_limit: new_resource.process_limit,
|
||||
process_soft_limit: new_resource.process_soft_limit,
|
||||
process_hard_limit: new_resource.process_hard_limit,
|
||||
memory_limit: new_resource.memory_limit,
|
||||
core_limit: new_resource.core_limit,
|
||||
core_soft_limit: new_resource.core_soft_limit,
|
||||
core_hard_limit: new_resource.core_hard_limit,
|
||||
stack_limit: new_resource.stack_limit,
|
||||
stack_soft_limit: new_resource.stack_soft_limit,
|
||||
stack_hard_limit: new_resource.stack_hard_limit,
|
||||
rtprio_limit: new_resource.rtprio_limit,
|
||||
rtprio_soft_limit: new_resource.rtprio_soft_limit,
|
||||
rtprio_hard_limit: new_resource.rtprio_hard_limit
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
action :delete do
|
||||
new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
|
||||
file "/etc/security/limits.d/#{new_resource.filename}" do
|
||||
action :delete
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1 @@
|
|||
{"name":"ulimit","version":"1.0.0","description":"Resources for manaing ulimits","long_description":"# ulimit Cookbook\n\n[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit)\n\nThis cookbook provides resources for managing ulimits configuration on nodes.\n\n- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to.\n- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.\n\nThe cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu.\n\n## Requirements\n\n### Platforms\n\n- Debian/Ubuntu and derivatives\n- RHEL/Fedora and derivatives\n\n### Chef\n\n- Chef 12.7+\n\n### Cookbooks\n\n- none\n\n## Attributes\n\n- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from\n- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below.\n\n## Default Recipe\n\nInstead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. 
Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.\n\n### Example role configuration:\n\n```ruby\n\"default_attributes\": {\n \"ulimit\": {\n \"users\": {\n \"tomcat\": {\n \"filehandle_limit\": 8193,\n \"process_limit\": 61504\n },\n \"hbase\": {\n \"filehandle_limit\": 32768\n }\n }\n }\n }\n```\n\nTo specify a change for all users change specify a wildcard resource or user name like so `user_ulimit \"*\"`\n\n## Resources\n\n### user_ulimit\n\nThe `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Properties\n\n- `username` - Optional property to set the username if the resource name itself is not the username. See the example below.\n- `filename` - Optional filename to use instead of naming the file based on the username\n- `filehandle_limit` -\n- `filehandle_soft_limit` -\n- `filehandle_hard_limit` -\n- `process_limit` -\n- `process_soft_limit` -\n- `process_hard_limit` -\n- `memory_limit` -\n- `core_limit` -\n- `core_soft_limit` -\n- `core_hard_limit` -\n- `stack_soft_limit` -\n- `stack_hard_limit` -\n- `rtprio_limit` -\n- `rtprio_soft_limit` -\n- `rtprio_hard_limit` -\n\n#### Examples\n\nExample of a resource where the resource name is the username:\n\n```ruby\nuser_ulimit \"tomcat\" do\n filehandle_limit 8192 # optional\n filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set)\n filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set)\n process_limit 61504 # optional\n process_soft_limit 61504 # optional; not used if process_limit is set)\n process_hard_limit 61504 # optional; not used if process_limit is set)\n memory_limit 1024 # optional\n core_limit 2048 # optional\n core_soft_limit 1024 # optional\n core_hard_limit 'unlimited' # optional\n stack_soft_limit 2048 # optional\n stack_hard_limit 2048 # optional\n 
rtprio_limit 60 # optional\n rtprio_soft_limit 60 # optional\n rtprio_hard_limit 60 # optional\nend\n```\n\nExample where the resource name is not the username:\n\n```ruby\nuser_ulimit 'set filehandle ulimits for our tomcat user' do\n username 'tomcat'\n filehandle_soft_limit 8192\n filehandle_hard_limit 8192\nend\n```\n\n### ulimit_domain\n\nNote: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Examples:\n\n```ruby\nulimit_domain 'my_user' do\n rule do\n item :nofile\n type :hard\n value 10000\n end\n rule do\n item :nofile\n type :soft\n value 5000\n end\nend\n```\n","maintainer":"Brian Hatfield","maintainer_email":"bmhatfield@gmail.com","license":"Apache-2.0","platforms":{"amazon":">= 0.0.0","centos":">= 0.0.0","redhat":">= 0.0.0","scientific":">= 0.0.0","oracle":">= 0.0.0","fedora":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/bmhatfield/chef-ulimit","issues_url":"https://github.com/bmhatfield/chef-ulimit/issues","chef_version":[[">= 12.7"]],"ohai_version":[]}
|
|
@ -0,0 +1,41 @@
|
|||
# Cookbook:: ulimit
|
||||
# Recipe:: default
|
||||
#
|
||||
# Copyright 2012, Brightcove, Inc
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
ulimit = node['ulimit']
|
||||
|
||||
case node['platform_family']
|
||||
when 'debian'
|
||||
template '/etc/pam.d/su' do
|
||||
cookbook ulimit['pam_su_template_cookbook']
|
||||
end
|
||||
|
||||
cookbook_file '/etc/pam.d/sudo' do
|
||||
cookbook node['ulimit']['ulimit_overriding_sudo_file_cookbook']
|
||||
source node['ulimit']['ulimit_overriding_sudo_file_name']
|
||||
mode '0644'
|
||||
end
|
||||
end
|
||||
|
||||
if ulimit.key?('users')
|
||||
ulimit['users'].each do |user, attributes|
|
||||
user_ulimit user do
|
||||
attributes.each do |a, v|
|
||||
send(a.to_sym, v)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,9 @@
|
|||
<%
|
||||
node.run_state[:ulimit][@domain].each do |item, entries|
|
||||
entries.each do |type, value|
|
||||
-%>
|
||||
<%= @domain %> <%= type %> <%= item %> <%= value %>
|
||||
<%
|
||||
end
|
||||
end
|
||||
-%>
|
|
@ -0,0 +1,63 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `su' service
|
||||
#
|
||||
# This file modified by Chef to enable ulimit switching with `su`
|
||||
#
|
||||
|
||||
# This allows root to su without passwords (normal operation)
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Uncomment this to force users to be a member of group root
|
||||
# before they can use `su'. You can also add "group=foo"
|
||||
# to the end of this line if you want to use a group other
|
||||
# than the default "root" (but this may have side effect of
|
||||
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||
# auth required pam_wheel.so
|
||||
|
||||
# Uncomment this if you want wheel members to be able to
|
||||
# su without a password.
|
||||
# auth sufficient pam_wheel.so trust
|
||||
|
||||
# Uncomment this if you want members of a specific group to not
|
||||
# be allowed to use su at all.
|
||||
# auth required pam_wheel.so deny group=nosu
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on su usage.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
#
|
||||
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||
session optional pam_mail.so nopen
|
||||
|
||||
# Sets up user limits, please uncomment and read /etc/security/limits.conf
|
||||
# to enable this functionality.
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
# Limits settings for <%= @ulimit_user %>
|
||||
|
||||
<% unless @filehandle_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
|
||||
<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%>
|
||||
<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% unless @process_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - nproc <%= @process_limit %>
|
||||
<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%>
|
||||
<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% unless @memory_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - memlock <%= @memory_limit %>
|
||||
<% end -%>
|
||||
|
||||
<% unless @core_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - core <%= @core_limit %>
|
||||
<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%>
|
||||
<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% unless @stack_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - stack <%= @stack_limit %>
|
||||
<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%>
|
||||
<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% unless @rtprio_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %>
|
||||
<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%>
|
||||
<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%>
|
||||
<% end -%>
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"id": "dirsrv",
|
||||
"admin_password": {
|
||||
"encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
|
||||
"iv": "KNW2B8tpX7ywZwbg\n",
|
||||
"auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
# LDAP (389 Directory Server).
|
||||
|
||||
## Credentials
|
||||
|
||||
The admin account is `cn=Directory Manager` with the password stored in the
|
||||
encrypted data bag `admin_password` item
|
||||
|
||||
```
|
||||
$ knife data bag show credentials dirsrv --secret-file .chef/encrypted_data_bag_secret
|
||||
```
|
||||
|
||||
## Example search:
|
||||
|
||||
```
|
||||
$ ldapsearch -x -w $password -D 'cn=Directory Manager' -b "ou=users,dc=kosmos,dc=org" -H "ldaps://ldap.kosmos.org" -v
|
||||
```
|
|
@ -35,6 +35,8 @@
|
|||
"sockethub::proxy",
|
||||
"kosmos-akkounts",
|
||||
"kosmos-akkounts::default",
|
||||
"kosmos-dirsrv",
|
||||
"kosmos-dirsrv::default",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -75,7 +77,8 @@
|
|||
"sockethub::_firewall",
|
||||
"kosmos-akkounts::nginx",
|
||||
"git::default",
|
||||
"git::package"
|
||||
"git::package",
|
||||
"ulimit::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "18.04",
|
||||
|
@ -107,6 +110,7 @@
|
|||
"recipe[kosmos-hubot::wormhole]",
|
||||
"recipe[sockethub]",
|
||||
"recipe[sockethub::proxy]",
|
||||
"recipe[kosmos-akkounts]"
|
||||
"recipe[kosmos-akkounts]",
|
||||
"recipe[kosmos-dirsrv]"
|
||||
]
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
.vagrant
|
||||
*~
|
||||
*#
|
||||
.#*
|
||||
\#*#
|
||||
.*.sw[a-z]
|
||||
*.un~
|
||||
|
||||
# Bundler
|
||||
Gemfile.lock
|
||||
gems.locked
|
||||
bin/*
|
||||
.bundle/*
|
||||
|
||||
# test kitchen
|
||||
.kitchen/
|
||||
kitchen.local.yml
|
||||
|
||||
# Chef
|
||||
Berksfile.lock
|
||||
.zero-knife.rb
|
||||
Policyfile.lock.json
|
|
@ -0,0 +1,3 @@
|
|||
source 'https://supermarket.chef.io'
|
||||
|
||||
metadata
|
|
@ -0,0 +1,5 @@
|
|||
# kosmos-dirsrv CHANGELOG
|
||||
|
||||
# 0.1.0
|
||||
|
||||
Initial release.
|
|
@ -0,0 +1,20 @@
|
|||
Copyright (c) 2019 Kosmos Developers
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -0,0 +1,4 @@
|
|||
# kosmos-dirsrv
|
||||
|
||||
Set up 389 Directory Server
|
||||
(https://directory.fedoraproject.org/docs/389ds/documentation.html)
|
|
@ -0,0 +1,110 @@
|
|||
# Put files/directories that should be ignored in this file when uploading
|
||||
# to a Chef Infra Server or Supermarket.
|
||||
# Lines that start with '# ' are comments.
|
||||
|
||||
# OS generated files #
|
||||
######################
|
||||
.DS_Store
|
||||
ehthumbs.db
|
||||
Icon?
|
||||
nohup.out
|
||||
Thumbs.db
|
||||
|
||||
# SASS #
|
||||
########
|
||||
.sass-cache
|
||||
|
||||
# EDITORS #
|
||||
###########
|
||||
.#*
|
||||
.project
|
||||
.settings
|
||||
*_flymake
|
||||
*_flymake.*
|
||||
*.bak
|
||||
*.sw[a-z]
|
||||
*.tmproj
|
||||
*~
|
||||
\#*
|
||||
mkmf.log
|
||||
REVISION
|
||||
TAGS*
|
||||
tmtags
|
||||
|
||||
## COMPILED ##
|
||||
##############
|
||||
*.class
|
||||
*.com
|
||||
*.dll
|
||||
*.exe
|
||||
*.o
|
||||
*.pyc
|
||||
*.so
|
||||
*/rdoc/
|
||||
a.out
|
||||
|
||||
# Testing #
|
||||
###########
|
||||
.circleci/*
|
||||
.codeclimate.yml
|
||||
.foodcritic
|
||||
.kitchen*
|
||||
.rspec
|
||||
.rubocop.yml
|
||||
.travis.yml
|
||||
.watchr
|
||||
azure-pipelines.yml
|
||||
examples/*
|
||||
features/*
|
||||
Guardfile
|
||||
kitchen.yml*
|
||||
Procfile
|
||||
Rakefile
|
||||
spec/*
|
||||
spec/*
|
||||
spec/fixtures/*
|
||||
test/*
|
||||
|
||||
# SCM #
|
||||
#######
|
||||
.git
|
||||
.gitattributes
|
||||
.gitconfig
|
||||
.github/*
|
||||
.gitignore
|
||||
.gitmodules
|
||||
.svn
|
||||
*/.bzr/*
|
||||
*/.git
|
||||
*/.hg/*
|
||||
*/.svn/*
|
||||
|
||||
# Berkshelf #
|
||||
#############
|
||||
Berksfile
|
||||
Berksfile.lock
|
||||
cookbooks/*
|
||||
tmp
|
||||
|
||||
# Bundler #
|
||||
###########
|
||||
vendor/*
|
||||
Gemfile
|
||||
Gemfile.lock
|
||||
|
||||
# Policyfile #
|
||||
##############
|
||||
Policyfile.rb
|
||||
Policyfile.lock.json
|
||||
|
||||
# Cookbooks #
|
||||
#############
|
||||
CHANGELOG*
|
||||
CONTRIBUTING*
|
||||
TESTING*
|
||||
CODE_OF_CONDUCT*
|
||||
|
||||
# Vagrant #
|
||||
###########
|
||||
.vagrant
|
||||
Vagrantfile
|
|
@ -0,0 +1,26 @@
|
|||
dn: cn=config
|
||||
changetype: modify
|
||||
replace: nsslapd-security
|
||||
nsslapd-security: on
|
||||
|
||||
dn: cn=encryption,cn=config
|
||||
changetype: modify
|
||||
replace: nsSSLSessionTimeout
|
||||
nsSSLSessionTimeout: 0
|
||||
-
|
||||
replace: nsSSLClientAuth
|
||||
nsSSLClientAuth: off
|
||||
-
|
||||
replace: nsSSL3
|
||||
nsSSL3: off
|
||||
-
|
||||
replace: nsSSL2
|
||||
nsSSL2: off
|
||||
|
||||
dn: cn=RSA,cn=encryption,cn=config
|
||||
objectClass: top
|
||||
objectClass: nsEncryptionModule
|
||||
nsSSLPersonalitySSL: Server-Cert
|
||||
nsSSLActivation: on
|
||||
nsSSLToken: internal (software)
|
||||
cn: RSA
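Review bot: Only SSLv2 and SSLv3 are disabled in the `cn=encryption,cn=config` modification, so TLS 1.0 and 1.1 stay negotiable on the secure listener; 389-ds exposes a protocol floor, so add one more change to the same entry, `-` / `replace: sslVersionMin` / `sslVersionMin: TLS1.2`. Whether the installed build accepts `TLS1.2` as the minimum depends on its NSS version, so verify the value on the target before rolling it out. A matching cipher restriction (`nsSSL3Ciphers`) would complete the hardening but can be a follow-up.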
|
|
@ -0,0 +1,4 @@
|
|||
dn: ou=users,dc=kosmos,dc=org
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
ou: users
|
|
@ -0,0 +1,15 @@
|
|||
name 'kosmos-dirsrv'
|
||||
maintainer 'Kosmos Developers'
|
||||
maintainer_email 'mail@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures 389 Directory Server'
|
||||
long_description 'Installs/Configures 389 Directory Server'
|
||||
version '0.1.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends "firewall"
|
||||
depends "apt"
|
||||
depends "ulimit"
|
||||
depends "backup"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos-base"
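Review bot: The metadata lines use single quotes while every `depends` line uses double quotes; cookstyle's default is single quotes, so `depends 'firewall'` and friends would make the file consistent. None of the `depends` entries carries a version constraint, so a future major release of `firewall`, `ulimit` or `backup` resolves silently into this cookbook; a pessimistic constraint per dependency (e.g. `depends 'ulimit', '~> 1.0'`) keeps resolution predictable. `description` and `long_description` are identical, so the second can be dropped.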
|
|
@ -0,0 +1,51 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-dirsrv
|
||||
# Recipe:: default
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
credentials = data_bag_item("credentials", "dirsrv")
|
||||
|
||||
dirsrv_instance "master" do
|
||||
hostname "ldap.kosmos.org"
|
||||
admin_password credentials['admin_password']
|
||||
suffix "dc=kosmos,dc=org"
|
||||
end
|
||||
|
||||
# FIXME: The firewall and backup recipes do not work in the custom resource, so
|
||||
# the code lives here for now. The issue is described here, but I think messing
|
||||
# with the run context is confusing:
|
||||
#
|
||||
# https://github.com/chef-cookbooks/firewall/issues/134
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "firewall"
|
||||
firewall_rule "ldap" do
|
||||
port [389, 636]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
# backup the data dir and the config files
|
||||
node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
|
||||
include_recipe "backup"
|
||||
end
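Review bot: The `firewall_rule "ldap"` block opens 389 as well as 636 outside development, yet nothing in the cookbook requires secure binds (the TLS LDIF only disables SSLv2/v3), so a client that simple-binds on 389 sends the admin or user password in cleartext across the network. Either restrict the rule to `port 636` and leave plain LDAP loopback-only, or add `nsslapd-require-secure-binds: on` to the `cn=config` modification so unencrypted simple binds are refused. The `data_bag_item("credentials", "dirsrv")` lookup presumably relies on an encrypted data bag with the node's default secret; if the bag is stored in plaintext the admin password is readable by anyone with Chef server access, so that is worth confirming.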
|
|
@ -0,0 +1,145 @@
|
|||
resource_name :dirsrv_instance
|
||||
|
||||
property :instance_name, String, name_property: true
|
||||
property :hostname, String, required: true
|
||||
property :admin_password, String, required: true
|
||||
property :suffix, String, required: true
|
||||
property :admin_username, String, default: 'admin'
|
||||
property :bind_dn, String, default: 'cn=Directory Manager'
|
||||
property :port, Integer, default: 389
|
||||
|
||||
action :create do
|
||||
include_recipe "apt"
|
||||
package "389-ds-base"
|
||||
|
||||
include_recipe "ulimit"
|
||||
user_ulimit "dirsrv" do
|
||||
filehandle_limit 40960
|
||||
end
|
||||
|
||||
config = {
|
||||
instance_name: new_resource.instance_name,
|
||||
hostname: new_resource.hostname,
|
||||
suffix: new_resource.suffix,
|
||||
port: new_resource.port,
|
||||
bind_dn: new_resource.bind_dn,
|
||||
admin_username: new_resource.admin_username,
|
||||
admin_password: new_resource.admin_password,
|
||||
base_dir: "/var/lib/dirsrv",
|
||||
conf_dir: "/etc/dirsrv"
|
||||
}
|
||||
|
||||
inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
|
||||
service_name = "dirsrv@#{new_resource.instance_name}"
|
||||
|
||||
unless ::Dir.exists?(inst_dir)
|
||||
setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
|
||||
template setup_config do
|
||||
source "setup.inf.erb"
|
||||
mode "0600"
|
||||
owner "root"
|
||||
group "root"
|
||||
sensitive true
|
||||
variables config
|
||||
end
|
||||
|
||||
execute "setup-#{new_resource.instance_name}" do
|
||||
command "setup-ds --silent --file #{setup_config}"
|
||||
creates ::File.join inst_dir, 'dse.ldif'
|
||||
action :nothing
|
||||
subscribes :run, "template[#{setup_config}]", :immediately
|
||||
notifies :restart, "service[#{service_name}]", :immediately
|
||||
notifies :delete, "template[#{setup_config}]", :immediately
|
||||
notifies :run, "execute[add users group]", :delayed
|
||||
notifies :run, "execute[disable anonymous access]", :delayed
|
||||
end
|
||||
end
|
||||
|
||||
service service_name do
|
||||
action [:enable, :start]
|
||||
end
|
||||
|
||||
cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
|
||||
source "users.ldif"
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
execute "add users group" do
|
||||
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
|
||||
sensitive true
|
||||
action :nothing
|
||||
end
|
||||
|
||||
file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do
|
||||
content <<-EOF
|
||||
dn: cn=config
|
||||
changetype: modify
|
||||
replace: nsslapd-allow-anonymous-access
|
||||
nsslapd-allow-anonymous-access: off
|
||||
EOF
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
execute "disable anonymous access" do
|
||||
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost"
|
||||
sensitive true
|
||||
action :nothing
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
package "libnss3-tools" # provides pk12util
|
||||
|
||||
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
|
||||
source "tls.ldif"
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
dirsrv_hook = <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
# Copy the dirsrv certificate and restart the server if it has been renewed
|
||||
# This is necessary because dirsrv uses a different format for the certificates
|
||||
for domain in $RENEWED_DOMAINS; do
|
||||
case $domain in
|
||||
#{new_resource.hostname})
|
||||
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
|
||||
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
|
||||
systemctl restart #{service_name}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
EOF
|
||||
|
||||
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrrv" do
|
||||
content dirsrv_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
|
||||
source 'nginx_conf_empty.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
end
|
||||
|
||||
nginx_certbot_site new_resource.hostname do
|
||||
notifies :run, "execute[add tls config]", :immediately
|
||||
end
|
||||
|
||||
execute "add tls config" do
|
||||
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
|
||||
sensitive true
|
||||
action :nothing
|
||||
notifies :restart, "service[#{service_name}]", :immediately
|
||||
end
|
||||
end
|
||||
end
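Review bot: The three `execute` blocks (`add users group`, `disable anonymous access`, `add tls config`) interpolate `new_resource.admin_password` into the command line, where any local user can read it from `ps` or `/proc/*/cmdline` while the command runs; `sensitive true` only redacts Chef's own output. The value is also unquoted, so a password containing shell metacharacters breaks the command. Write the password to a root-only file and let the OpenLDAP tools read it with `-y` (the whole file is taken as the password, so it must not end in a newline, which `content` without a trailing `\n` satisfies), as sketched below for the first block. Separately, the renewal hook exports an unencrypted `.p12` bundle holding the private key into `file_cache_path` and never removes it, so an `rm -f` after the `pk12util` line is needed, and the hook path is spelled `dirsrrv`.
```ruby
  # Keep the bind password out of argv: `sensitive true` redacts Chef's log,
  # not the process list. `-y` reads the whole file as the password, so the
  # content must carry no trailing newline. File name is a suggestion.
  admin_pw_file = "#{Chef::Config[:file_cache_path]}/dirsrv-admin.pw"

  file admin_pw_file do
    content new_resource.admin_password
    mode "0600"
    owner "root"
    group "root"
    sensitive true
  end

  execute "add users group" do
    command "ldapadd -x -y '#{admin_pw_file}' -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
    sensitive true
    action :nothing
  end
  # … unchanged: "disable anonymous access" and "add tls config" take the same -y substitution …
```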
|
|
@ -0,0 +1,37 @@
|
|||
[General]
|
||||
FullMachineName = <%= node[:fqdn] %>
|
||||
SuiteSpotGroup = dirsrv
|
||||
SuiteSpotUserID = dirsrv
|
||||
<% if @has_cfgdir -%>
|
||||
<% if @cfgdir_domain %>
|
||||
AdminDomain = <%= @cfgdir_domain %>
|
||||
<% end -%>
|
||||
ConfigDirectoryAdminID = <%= @admin_username %>
|
||||
ConfigDirectoryAdminPwd = <%= @admin_password %>
|
||||
ConfigDirectoryLdapURL = ldap://<%= @cfgdir_addr %>:<%= @cfgdir_ldap_port %>/o=NetscapeRoot
|
||||
<% end -%>
|
||||
|
||||
<% if @is_cfgdir -%>
|
||||
[admin]
|
||||
Port = <%= @cfgdir_http_port %>
|
||||
ServerAdminID = <%= @admin_username %>
|
||||
ServerAdminPwd = <%= @admin_password %>
|
||||
ServerIpAddress = <%= @cfgdir_addr %>
|
||||
SysUser = dirsrv
|
||||
<% end -%>
|
||||
|
||||
[slapd]
|
||||
AddOrgEntries = <%= @add_org_entries %>
|
||||
AddSampleEntries = <%= @add_sample_entries %>
|
||||
InstallLdifFile = <%= @preseed_ldif %>
|
||||
RootDN = <%= @bind_dn %>
|
||||
RootDNPwd = <%= @admin_password %>
|
||||
ServerIdentifier = <%= @instance_name %>
|
||||
ServerPort = <%= @port %>
|
||||
Suffix = <%= @suffix %>
|
||||
cert_dir = <%= @conf_dir %>/slapd-<%= @instance_name %>
|
||||
config_dir = <%= @conf_dir %>/slapd-<%= @instance_name %>
|
||||
bak_dir = <%= @base_dir %>/slapd-<%= @instance_name %>/bak
|
||||
db_dir = <%= @base_dir %>/slapd-<%= @instance_name %>/db
|
||||
ldif_dir = <%= @base_dir %>/slapd-<%= @instance_name %>/ldif
|
||||
schema_dir = <%= @conf_dir %>/slapd-<%= @instance_name %>/schema
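Review bot: `FullMachineName` takes `node[:fqdn]` although the resource passes `hostname:` in its template variables, so the instance's machine name can diverge from the `hostname` property the caller set; `FullMachineName = <%= @hostname %>` keeps both in one place. `AddOrgEntries`, `AddSampleEntries` and `InstallLdifFile` read `@add_org_entries`, `@add_sample_entries` and `@preseed_ldif`, none of which the resource's `config` hash provides, so these keys render with empty values; either drop the three lines or add the keys to the hash with explicit values once the accepted yes/no spelling for this setup-ds version is confirmed. The `@has_cfgdir` and `@is_cfgdir` sections are likewise never enabled and could be removed, which also shrinks the number of places the admin password appears in this file.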
|