Merge branch 'feature/107-ldap_server' of kosmos/chef into master

site-cookbooks/kosmos-dirsrv/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos-dirsrv/Berksfile

@@ -0,0 +1,3 @@
+source 'https://supermarket.chef.io'
+
+metadata

site-cookbooks/kosmos-dirsrv/CHANGELOG.md

@@ -0,0 +1,5 @@
+# kosmos-dirsrv CHANGELOG
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos-dirsrv/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2019 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos-dirsrv/README.md

@@ -0,0 +1,4 @@
+# kosmos-dirsrv
+
+Set up 389 Directory Server
+(https://directory.fedoraproject.org/docs/389ds/documentation.html)

site-cookbooks/kosmos-dirsrv/chefignore

@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos-dirsrv/files/tls.ldif

@@ -0,0 +1,26 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-security
+nsslapd-security: on
+
+dn: cn=encryption,cn=config
+changetype: modify
+replace: nsSSLSessionTimeout
+nsSSLSessionTimeout: 0
+-
+replace: nsSSLClientAuth
+nsSSLClientAuth: off
+-
+replace: nsSSL3
+nsSSL3: off
+-
+replace: nsSSL2
+nsSSL2: off
+
+dn: cn=RSA,cn=encryption,cn=config
+objectClass: top
+objectClass: nsEncryptionModule
+nsSSLPersonalitySSL: Server-Cert
+nsSSLActivation: on
+nsSSLToken: internal (software)
+cn: RSA

site-cookbooks/kosmos-dirsrv/files/users.ldif

@@ -0,0 +1,4 @@
+dn: ou=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalUnit
+ou: users

site-cookbooks/kosmos-dirsrv/metadata.rb

@@ -0,0 +1,15 @@
+name 'kosmos-dirsrv'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures 389 Directory Server'
+long_description 'Installs/Configures 389 Directory Server'
+version '0.1.0'
+chef_version '>= 14.0'
+
+depends "firewall"
+depends "apt"
+depends "ulimit"
+depends "backup"
+depends "kosmos-nginx"
+depends "kosmos-base"

site-cookbooks/kosmos-dirsrv/recipes/default.rb

@@ -0,0 +1,51 @@
+#
+# Cookbook Name:: kosmos-dirsrv
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+credentials = data_bag_item("credentials", "dirsrv")
+
+dirsrv_instance "master" do
+  hostname "ldap.kosmos.org"
+  admin_password credentials['admin_password']
+  suffix "dc=kosmos,dc=org"
+end
+
+# FIXME: The firewall and backup recipes do not work in the custom resource, so
+# the code lives here for now. The issue is described here, but I think messing
+# with the run context is confusing:
+#
+# https://github.com/chef-cookbooks/firewall/issues/134
+unless node.chef_environment == "development"
+  include_recipe "firewall"
+  firewall_rule "ldap" do
+    port     [389, 636]
+    protocol :tcp
+    command  :allow
+  end
+
+  # backup the data dir and the config files
+  node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
+  include_recipe "backup"
+end

site-cookbooks/kosmos-dirsrv/resources/instance.rb

@@ -0,0 +1,145 @@
+resource_name :dirsrv_instance
+
+property :instance_name,  String,  name_property: true
+property :hostname,       String,  required: true
+property :admin_password, String,  required: true
+property :suffix,         String,  required: true
+property :admin_username, String,  default: 'admin'
+property :bind_dn,        String,  default: 'cn=Directory Manager'
+property :port,           Integer, default: 389
+
+action :create do
+  include_recipe "apt"
+  package "389-ds-base"
+
+  include_recipe "ulimit"
+  user_ulimit "dirsrv" do
+    filehandle_limit 40960
+  end
+
+  config = {
+    instance_name:  new_resource.instance_name,
+    hostname:       new_resource.hostname,
+    suffix:         new_resource.suffix,
+    port:           new_resource.port,
+    bind_dn:        new_resource.bind_dn,
+    admin_username: new_resource.admin_username,
+    admin_password: new_resource.admin_password,
+    base_dir:       "/var/lib/dirsrv",
+    conf_dir:       "/etc/dirsrv"
+  }
+
+  inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
+  service_name = "dirsrv@#{new_resource.instance_name}"
+
+  unless ::Dir.exists?(inst_dir)
+    setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
+    template setup_config do
+      source "setup.inf.erb"
+      mode "0600"
+      owner "root"
+      group "root"
+      sensitive true
+      variables config
+    end
+
+    execute "setup-#{new_resource.instance_name}" do
+      command "setup-ds --silent --file #{setup_config}"
+      creates ::File.join inst_dir, 'dse.ldif'
+      action :nothing
+      subscribes :run, "template[#{setup_config}]", :immediately
+      notifies :restart, "service[#{service_name}]", :immediately
+      notifies :delete, "template[#{setup_config}]", :immediately
+      notifies :run, "execute[add users group]", :delayed
+      notifies :run, "execute[disable anonymous access]", :delayed
+    end
+  end
+
+  service service_name do
+    action [:enable, :start]
+  end
+
+  cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
+    source "users.ldif"
+    owner "root"
+    group "root"
+  end
+
+  execute "add users group" do
+    command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
+    sensitive true
+    action :nothing
+  end
+
+  file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do
+    content <<-EOF
+dn: cn=config
+changetype: modify
+replace: nsslapd-allow-anonymous-access
+nsslapd-allow-anonymous-access: off
+    EOF
+    owner "root"
+    group "root"
+  end
+
+  execute "disable anonymous access" do
+    command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost"
+    sensitive true
+    action :nothing
+  end
+
+  unless node.chef_environment == "development"
+    package "libnss3-tools" # provides pk12util
+
+    cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
+      source "tls.ldif"
+      owner "root"
+      group "root"
+    end
+
+    include_recipe "kosmos-nginx"
+    include_recipe "kosmos-base::letsencrypt"
+
+    dirsrv_hook = <<-EOF
+    #!/usr/bin/env bash
+
+    set -e
+
+    # Copy the dirsrv certificate and restart the server if it has been renewed
+    # This is necessary because dirsrv uses a different format for the certificates
+    for domain in $RENEWED_DOMAINS; do
+      case $domain in
+      #{new_resource.hostname})
+        openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
+        pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
+        systemctl restart #{service_name}
+        ;;
+      esac
+    done
+    EOF
+
+    file "/etc/letsencrypt/renewal-hooks/deploy/dirsrrv" do
+      content dirsrv_hook
+      mode 0755
+      owner "root"
+      group "root"
+    end
+
+    template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
+      source 'nginx_conf_empty.erb'
+      owner node["nginx"]["user"]
+      mode 0640
+    end
+
+    nginx_certbot_site new_resource.hostname do
+      notifies :run, "execute[add tls config]", :immediately
+    end
+
+    execute "add tls config" do
+      command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
+      sensitive true
+      action :nothing
+      notifies :restart, "service[#{service_name}]", :immediately
+    end
+  end
+end

site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb

@@ -0,0 +1,37 @@
+[General]
+FullMachineName         = <%= node[:fqdn] %>
+SuiteSpotGroup          = dirsrv
+SuiteSpotUserID         = dirsrv
+<% if @has_cfgdir -%>
+  <% if @cfgdir_domain %>
+AdminDomain             = <%= @cfgdir_domain %>
+  <% end -%>
+ConfigDirectoryAdminID  = <%= @admin_username %>
+ConfigDirectoryAdminPwd = <%= @admin_password %>
+ConfigDirectoryLdapURL  = ldap://<%= @cfgdir_addr %>:<%= @cfgdir_ldap_port %>/o=NetscapeRoot
+<% end -%>
+
+<% if @is_cfgdir -%>
+[admin]
+Port            = <%= @cfgdir_http_port %>
+ServerAdminID   = <%= @admin_username %>
+ServerAdminPwd  = <%= @admin_password %>
+ServerIpAddress = <%= @cfgdir_addr %>
+SysUser         = dirsrv
+<% end -%>
+
+[slapd]
+AddOrgEntries    = <%= @add_org_entries %>
+AddSampleEntries = <%= @add_sample_entries %>
+InstallLdifFile  = <%= @preseed_ldif %>
+RootDN           = <%= @bind_dn %>
+RootDNPwd        = <%= @admin_password %>
+ServerIdentifier = <%= @instance_name %>
+ServerPort       = <%= @port %>
+Suffix           = <%= @suffix %>
+cert_dir         = <%= @conf_dir %>/slapd-<%= @instance_name %>
+config_dir       = <%= @conf_dir %>/slapd-<%= @instance_name %>
+bak_dir          = <%= @base_dir %>/slapd-<%= @instance_name %>/bak
+db_dir           = <%= @base_dir %>/slapd-<%= @instance_name %>/db
+ldif_dir         = <%= @base_dir %>/slapd-<%= @instance_name %>/ldif
+schema_dir       = <%= @conf_dir %>/slapd-<%= @instance_name %>/schema