From 9e4685a74300d88d6785e58347a90da31e00f5a5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 4 Nov 2019 18:15:44 +0100 Subject: [PATCH] Initial version of the kosmos-dirsrv cookbook It sets up 389 Directory Server, including a TLS cert acquired using Let's Encrypt in production (that requires ldap.kosmos.org pointing to the server's IP) --- Berksfile | 2 + Berksfile.lock | 2 + Berksfile.lock.old | 173 ++++++++++++++++++ cookbooks/ulimit/.foodcritic | 1 + cookbooks/ulimit/CHANGELOG.md | 68 +++++++ cookbooks/ulimit/README.md | 145 +++++++++++++++ cookbooks/ulimit/attributes/default.rb | 5 + cookbooks/ulimit/files/sudo | 9 + cookbooks/ulimit/libraries/domain.rb | 59 ++++++ cookbooks/ulimit/libraries/rule.rb | 31 ++++ cookbooks/ulimit/libraries/user.rb | 63 +++++++ cookbooks/ulimit/metadata.json | 1 + cookbooks/ulimit/recipes/default.rb | 41 +++++ cookbooks/ulimit/templates/domain.erb | 9 + cookbooks/ulimit/templates/su.erb | 63 +++++++ cookbooks/ulimit/templates/ulimit.erb | 35 ++++ data_bags/credentials/389.json | 24 +++ site-cookbooks/kosmos-dirsrv/.gitignore | 22 +++ site-cookbooks/kosmos-dirsrv/Berksfile | 3 + site-cookbooks/kosmos-dirsrv/CHANGELOG.md | 5 + site-cookbooks/kosmos-dirsrv/LICENSE | 20 ++ site-cookbooks/kosmos-dirsrv/README.md | 4 + .../kosmos-dirsrv/attributes/default.rb | 1 + site-cookbooks/kosmos-dirsrv/chefignore | 110 +++++++++++ site-cookbooks/kosmos-dirsrv/files/tls.ldif | 26 +++ site-cookbooks/kosmos-dirsrv/files/users.ldif | 4 + site-cookbooks/kosmos-dirsrv/metadata.rb | 13 ++ .../kosmos-dirsrv/recipes/default.rb | 133 ++++++++++++++ .../kosmos-dirsrv/templates/setup.inf.erb | 37 ++++ 29 files changed, 1109 insertions(+) create mode 100644 Berksfile.lock.old create mode 100644 cookbooks/ulimit/.foodcritic create mode 100644 cookbooks/ulimit/CHANGELOG.md create mode 100644 cookbooks/ulimit/README.md create mode 100644 cookbooks/ulimit/attributes/default.rb create mode 100644 cookbooks/ulimit/files/sudo create mode 100644 cookbooks/ulimit/libraries/domain.rb create mode 100644 
cookbooks/ulimit/libraries/rule.rb create mode 100644 cookbooks/ulimit/libraries/user.rb create mode 100644 cookbooks/ulimit/metadata.json create mode 100644 cookbooks/ulimit/recipes/default.rb create mode 100644 cookbooks/ulimit/templates/domain.erb create mode 100644 cookbooks/ulimit/templates/su.erb create mode 100644 cookbooks/ulimit/templates/ulimit.erb create mode 100644 data_bags/credentials/389.json create mode 100644 site-cookbooks/kosmos-dirsrv/.gitignore create mode 100644 site-cookbooks/kosmos-dirsrv/Berksfile create mode 100644 site-cookbooks/kosmos-dirsrv/CHANGELOG.md create mode 100644 site-cookbooks/kosmos-dirsrv/LICENSE create mode 100644 site-cookbooks/kosmos-dirsrv/README.md create mode 100644 site-cookbooks/kosmos-dirsrv/attributes/default.rb create mode 100644 site-cookbooks/kosmos-dirsrv/chefignore create mode 100644 site-cookbooks/kosmos-dirsrv/files/tls.ldif create mode 100644 site-cookbooks/kosmos-dirsrv/files/users.ldif create mode 100644 site-cookbooks/kosmos-dirsrv/metadata.rb create mode 100644 site-cookbooks/kosmos-dirsrv/recipes/default.rb create mode 100644 site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb diff --git a/Berksfile b/Berksfile index 2b307b7..66a0bf2 100644 --- a/Berksfile +++ b/Berksfile @@ -51,3 +51,5 @@ cookbook 'ipfs', ref: 'v0.4.1' cookbook 'elasticsearch', '= 4.2.0' cookbook 'java', '~> 4.3.0' + +cookbook 'ulimit', '~> 1.0.0' diff --git a/Berksfile.lock b/Berksfile.lock index ea2522a..ada5dc2 100644 --- a/Berksfile.lock +++ b/Berksfile.lock @@ -50,6 +50,7 @@ DEPENDENCIES revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b ref: v0.5.6 timezone_iii (= 1.0.4) + ulimit (~> 1.0.0) users (~> 5.3.1) GRAPH @@ -159,6 +160,7 @@ GRAPH seven_zip (3.1.1) windows (>= 0.0.0) timezone_iii (1.0.4) + ulimit (1.0.0) users (5.3.1) windows (6.0.0) yum (5.1.0) diff --git a/Berksfile.lock.old b/Berksfile.lock.old new file mode 100644 index 0000000..47a0f24 --- /dev/null +++ b/Berksfile.lock.old 
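Review bot: Berksfile.lock.old (173 lines) is added next to the updated Berksfile.lock and looks like a stale backup of the lockfile rather than anything Berkshelf reads; it should probably be dropped from the commit. The ulimit dependency pinned here with `cookbook 'ulimit', '~> 1.0.0'` is also committed in full under cookbooks/ulimit, including upstream's metadata.json, CHANGELOG.md and .foodcritic, so unless cookbooks/ is the intended `berks vendor` output directory that copy is a second, unmanaged source of the same cookbook whose version is fixed by the repository rather than by the lock. If the vendored layout is deliberate, a one-line comment above the new Berksfile entry such as `# vendored copy lives in cookbooks/ulimit; keep it in sync with this constraint` would make the relationship explicit for the next reader.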
@@ -0,0 +1,173 @@ +DEPENDENCIES + apache2 (= 3.3.0) + application (= 5.2.0) + application_git (= 1.1.0) + application_javascript (= 1.0.0) + application_ruby (= 4.1.0) + apt (~> 7.0.0) + ark (= 3.1.0) + build-essential (~> 8.2.1) + chef-sugar (= 3.3.0) + chef_client_updater (= 1.1.1) + compat_resource (= 12.19.0) + composer (~> 2.6.1) + database (= 6.1.1) + firewall (~> 2.6.3) + git (= 6.0.0) + homebrew (= 3.0.0) + hostname (= 0.4.2) + hostsfile (= 2.4.5) + ipfs + git: https://github.com/67P/ipfs-cookbook.git + revision: 5aa50ecc7eca5c7f113492057ca3bc8158e5154c + ref: feature + logrotate (= 2.2.0) + mariadb (= 0.3.1) + mediawiki + path: ../cookbooks/mediawiki-cookbook + mysql + git: https://github.com/sous-chefs/mysql + revision: d2e300440590bcf7a7605f0aa69beae73654e73b + ref: d2e3004 + mysql2_chef_gem (= 1.1.0) + nginx (= 9.0.0) + nodejs (~> 5.0.0) + ntp (= 3.4.0) + ohai (~> 5.2.5) + openssl (~> 8.5.5) + php (= 6.1.1) + php-fpm (~> 0.8.0) + poise (~> 2.8.2) + poise-archive (~> 1.5.0) + poise-javascript (~> 1.2.0) + poise-languages (= 2.1.1) + poise-ruby (~> 2.4.0) + poise-ruby-build (= 1.1.0) + poise-service (~> 1.5.2) + postfix (= 5.0.2) + postgresql (= 7.1.4) + redis + git: https://github.com/phlipper/chef-redis.git + revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b + ref: v0.5.6 + timezone_iii (= 1.0.4) + users (~> 5.3.1) + +GRAPH + apache2 (3.3.0) + application (5.2.0) + poise (~> 2.4) + poise-service (~> 1.0) + application_git (1.1.0) + application (~> 5.0) + git (>= 0.0.0) + poise (~> 2.0) + application_javascript (1.0.0) + application (~> 5.0) + poise (~> 2.0) + poise-javascript (~> 1.0) + poise-service (~> 1.0) + application_ruby (4.1.0) + application (~> 5.0) + poise (~> 2.0) + poise-ruby (~> 2.1) + poise-service (~> 1.0) + apt (7.0.0) + ark (3.1.0) + build-essential (>= 0.0.0) + seven_zip (>= 0.0.0) + windows (>= 0.0.0) + build-essential (8.2.1) + mingw (>= 1.1) + seven_zip (>= 0.0.0) + chef-sugar (3.3.0) + chef_client_updater (1.1.1) + compat_resource 
(>= 12.16.3) + compat_resource (12.19.0) + composer (2.6.1) + apt (>= 0.0.0) + php (>= 0.0.0) + windows (>= 0.0.0) + database (6.1.1) + postgresql (>= 1.0.0) + dmg (4.1.1) + firewall (2.6.3) + chef-sugar (>= 0.0.0) + git (6.0.0) + build-essential (>= 0.0.0) + dmg (>= 0.0.0) + yum-epel (>= 0.0.0) + homebrew (3.0.0) + hostname (0.4.2) + hostsfile (>= 0.0.0) + hostsfile (2.4.5) + ipfs (0.1.3) + ark (>= 0.0.0) + logrotate (2.2.0) + mariadb (0.3.1) + apt (>= 0.0.0) + yum (>= 0.0.0) + yum-epel (>= 0.0.0) + mediawiki (0.4.0) + apache2 (>= 0.0.0) + database (>= 0.0.0) + mysql (>= 0.0.0) + nginx (>= 0.0.0) + php (>= 0.0.0) + php-fpm (>= 0.0.0) + mingw (2.1.0) + seven_zip (>= 0.0.0) + mysql (8.5.2) + mysql2_chef_gem (1.1.0) + build-essential (>= 0.0.0) + mariadb (>= 0.0.0) + mysql (>= 6.0) + nginx (9.0.0) + build-essential (>= 5.0) + ohai (>= 4.1.0) + yum-epel (>= 0.0.0) + nodejs (5.0.0) + ark (>= 2.0.2) + build-essential (>= 0.0.0) + ntp (3.4.0) + ohai (5.2.5) + openssl (8.5.5) + php (6.1.1) + build-essential (>= 5.0) + yum-epel (>= 0.0.0) + php-fpm (0.8.0) + poise (2.8.2) + poise-archive (1.5.0) + poise (~> 2.6) + poise-build-essential (1.0.0) + poise (~> 2.6) + poise-git (1.0.0) + poise (~> 2.6) + poise-languages (~> 2.1) + poise-javascript (1.2.0) + poise (~> 2.0) + poise-languages (~> 2.0) + poise-languages (2.1.1) + poise (~> 2.5) + poise-archive (~> 1.0) + poise-ruby (2.4.0) + poise (~> 2.0) + poise-languages (~> 2.0) + poise-ruby-build (1.1.0) + poise (~> 2.0) + poise-build-essential (~> 1.0) + poise-git (~> 1.0) + poise-ruby (~> 2.1) + poise-service (1.5.2) + poise (~> 2.0) + postfix (5.0.2) + postgresql (7.1.4) + redis (0.5.6) + apt (>= 0.0.0) + seven_zip (2.0.2) + windows (>= 1.2.2) + timezone_iii (1.0.4) + users (5.3.1) + windows (5.3.0) + yum (5.1.0) + yum-epel (3.3.0) diff --git a/cookbooks/ulimit/.foodcritic b/cookbooks/ulimit/.foodcritic new file mode 100644 index 0000000..6c2ff5a --- /dev/null +++ b/cookbooks/ulimit/.foodcritic @@ -0,0 +1 @@ +~FC059 
diff --git a/cookbooks/ulimit/CHANGELOG.md b/cookbooks/ulimit/CHANGELOG.md new file mode 100644 index 0000000..8c6498c --- /dev/null +++ b/cookbooks/ulimit/CHANGELOG.md 
@@ -0,0 +1,68 @@ +# CHANGELOG for ulimit + +This file is used to list changes made in each version of ulimit. + +## 1.0.0 + +- Breaking change: This cookbook now requires Chef 12.7 or later +- LWRPs converted to custom resources with Chef 13 compatibility +- Added the rtprio property to the user resource +- Updated the cookbook to not append .conf onto filenames when the user already specified a name that ends in .conf +- Added a chefignore file to limit what files get uploaded to the chef server +- Added a Test Kitchen config + InSpec tests for unit testing +- Added the license file to the repo to resolve a Foodcritic warning +- Added a Berksfile +- Resolved all cookstyle warnings +- Fixed the metadata license string to be an SPDX standard license string to resolve Foodcritic warnings +- Add supports, source_url, issues_url, and chef_version metadata to resolve Foodcritic warnings +- Switched the default recipe from platform to platform_family to catch more Debian/Ubuntu derivatives +- Added testing with ChefDK's delivery local mode in Travis +- Expanded the readme with better information on requirements and usage examples +- Removed ChefSpec matchers that are autogenerated by ChefSpec now +- Added Cookstyle and autocorrected all code +- Added a basic ChefSpec unit test + +## 0.3.2 + +- Resolves issue some users were having with a resource-loading race condition, thanks to Chris Roberts () + +## 0.3.1 + +- Fix domain typo, thanks to David Radcliffe () (also reported by Lewis Thompson ()) +- Add support for split hard/soft nofile limits, thanks to Troy Ready () +- Fix license boilerplate, thanks to Troy Ready () +- Fix limits.d file extension, thanks to + +## 0.3.0 + +- Add Domain LWRP for arbitrary rule creation. Thanks for Chris Roberts () + +## 0.2.0 + +- Support specifying users via attributes (as long as your runlist includes the ulimit::default recipe). Thanks to Dmytro Shteflyuk () + +## 0.1.5 + +- Allow setting core_limit. 
Thanks to Aaron Nichols () + +## 0.1.4: + +- Does not set any ulimit parameter by default - only when specified. Thanks to Graham Christensen () + +## 0.1.3: + +- Adds node attribute node['ulimit']['pam_su_template_cookbook'] to allow users to provide a su pam.d template from another cookbook + +## 0.1.2: + +- Add memory limit handling, courtesy of Sean Porter () + +## 0.1.0: + +- Initial release of ulimit + +-------------------------------------------------------------------------------- + +Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown. + +The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown. diff --git a/cookbooks/ulimit/README.md b/cookbooks/ulimit/README.md new file mode 100644 index 0000000..f456879 --- /dev/null +++ b/cookbooks/ulimit/README.md 
@@ -0,0 +1,145 @@ +# ulimit Cookbook + +[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit) + +This cookbook provides resources for managing ulimits configuration on nodes. + +- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to. +- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource. + +The cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu. + +## Requirements + +### Platforms + +- Debian/Ubuntu and derivatives +- RHEL/Fedora and derivatives + +### Chef + +- Chef 12.7+ + +### Cookbooks + +- none + +## Attributes + +- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from +- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below. + +## Default Recipe + +Instead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust. 
+ +### Example role configuration: + +```ruby +"default_attributes": { + "ulimit": { + "users": { + "tomcat": { + "filehandle_limit": 8193, + "process_limit": 61504 + }, + "hbase": { + "filehandle_limit": 32768 + } + } + } + } +``` + +To specify a change for all users change specify a wildcard resource or user name like so `user_ulimit "*"` + +## Resources + +### user_ulimit + +The `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory. + +#### Actions: + +- `create` +- `delete` + +#### Properties + +- `username` - Optional property to set the username if the resource name itself is not the username. See the example below. +- `filename` - Optional filename to use instead of naming the file based on the username +- `filehandle_limit` - +- `filehandle_soft_limit` - +- `filehandle_hard_limit` - +- `process_limit` - +- `process_soft_limit` - +- `process_hard_limit` - +- `memory_limit` - +- `core_limit` - +- `core_soft_limit` - +- `core_hard_limit` - +- `stack_soft_limit` - +- `stack_hard_limit` - +- `rtprio_limit` - +- `rtprio_soft_limit` - +- `rtprio_hard_limit` - + +#### Examples + +Example of a resource where the resource name is the username: + +```ruby +user_ulimit "tomcat" do + filehandle_limit 8192 # optional + filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set) + filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set) + process_limit 61504 # optional + process_soft_limit 61504 # optional; not used if process_limit is set) + process_hard_limit 61504 # optional; not used if process_limit is set) + memory_limit 1024 # optional + core_limit 2048 # optional + core_soft_limit 1024 # optional + core_hard_limit 'unlimited' # optional + stack_soft_limit 2048 # optional + stack_hard_limit 2048 # optional + rtprio_limit 60 # optional + rtprio_soft_limit 60 # optional + rtprio_hard_limit 60 # optional +end +``` + +Example where the resource name is not the username: 
+
+```ruby
+user_ulimit 'set filehandle ulimits for our tomcat user' do
+ username 'tomcat'
+ filehandle_soft_limit 8192
+ filehandle_hard_limit 8192
+end
+```
+
+### ulimit_domain
+
+Note: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.
+
+#### Actions:
+
+- `create`
+- `delete`
+
+#### Examples:
+
+```ruby
+ulimit_domain 'my_user' do
+ rule do
+ item :nofile
+ type :hard
+ value 10000
+ end
+ rule do
+ item :nofile
+ type :soft
+ value 5000
+ end
+end
+```
diff --git a/cookbooks/ulimit/attributes/default.rb b/cookbooks/ulimit/attributes/default.rb
new file mode 100644
index 0000000..67df720
--- /dev/null
+++ b/cookbooks/ulimit/attributes/default.rb
@@ -0,0 +1,5 @@
+default['ulimit']['pam_su_template_cookbook'] = nil
+default['ulimit']['users'] = Mash.new
+default['ulimit']['security_limits_directory'] = '/etc/security/limits.d'
+default['ulimit']['ulimit_overriding_sudo_file_name'] = 'sudo'
+default['ulimit']['ulimit_overriding_sudo_file_cookbook'] = nil
diff --git a/cookbooks/ulimit/files/sudo b/cookbooks/ulimit/files/sudo
new file mode 100644
index 0000000..a0b6341
--- /dev/null
+++ b/cookbooks/ulimit/files/sudo
@@ -0,0 +1,9 @@
+#%PAM-1.0
+
+auth required pam_env.so readenv=1 user_readenv=0
+auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
+session required pam_limits.so
+@include common-auth
+@include common-account
+@include common-session-noninteractive
+
diff --git a/cookbooks/ulimit/libraries/domain.rb b/cookbooks/ulimit/libraries/domain.rb
new file mode 100644
index 0000000..a9e7c94
--- /dev/null
+++ b/cookbooks/ulimit/libraries/domain.rb
@@ -0,0 +1,59 @@
+require 'chef/resource'
+
+class Chef
+ class Resource
+ class UlimitDomain < Chef::Resource
+ property :domain, String
+ property :domain_name, String, name_property: true
+ property :filename, String
+
+ load_current_value do |new_resource|
+ new_resource.filename new_resource.name unless new_resource.filename
+ new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
+
+ new_resource.subresource_rules.map! do |name, block|
+ urule = Chef::Resource::UlimitRule.new("#{new_resource.name}:#{name}]", nil)
+ urule.domain new_resource
+ urule.action :nothing
+ urule.instance_eval(&block)
+ unless name
+ urule.name "ulimit_rule[#{new_resource.name}:#{urule.item}-#{urule.type}-#{urule.value}]"
+ end
+ urule
+ end
+ end
+
+ attr_reader :subresource_rules
+
+ def initialize(*args)
+ @subresource_rules = []
+ super
+ end
+
+ def rule(name = nil, &block)
+ @subresource_rules << [name, block]
+ end
+
+ action :create do
+ new_resource.subresource_rules.map do |sub_resource|
+ sub_resource.run_context = new_resource.run_context
+ sub_resource.run_action(:create)
+ end
+
+ new_resource.filename new_resource.name unless new_resource.filename
+ new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
+ template ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
+ source 'domain.erb'
+ cookbook 'ulimit'
+ variables domain: new_resource.domain_name
+ end
+ end
+
+ action :delete do
+ file ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
+ action :delete
+ end
+ end
+ end
+ end
+end
diff --git a/cookbooks/ulimit/libraries/rule.rb b/cookbooks/ulimit/libraries/rule.rb
new file mode 100644
index 0000000..3814acd
--- /dev/null
+++ b/cookbooks/ulimit/libraries/rule.rb
@@ -0,0 +1,31 @@
+require 'chef/resource'
+
+class Chef
+ class Resource
+ class UlimitRule < Chef::Resource
+ property :type, [Symbol, String], required: true
+ property :item, [Symbol, String], required: true
+ property :value, [String, Numeric], required: true
+ property :domain, [Chef::Resource, String], required: true
+
+ load_current_value do |new_resource|
+ new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
+ node.run_state[:ulimit] ||= Mash.new
+ node.run_state[:ulimit][new_resource.domain] ||= Mash.new
+ end
+
+ action :create do
+ new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
+ node.run_state[:ulimit] ||= Mash.new
+ node.run_state[:ulimit][new_resource.domain] ||= Mash.new
+ node.run_state[:ulimit][new_resource.domain][new_resource.item] ||= Mash.new
+ node.run_state[:ulimit][new_resource.domain][new_resource.item][new_resource.type] = new_resource.value
+ puts "Create: #{node.run_state[:ulimit].inspect}"
+ end
+
+ action :delete do
+ # NOOP
+ end
+ end
+ end
+end
diff --git a/cookbooks/ulimit/libraries/user.rb b/cookbooks/ulimit/libraries/user.rb
new file mode 100644
index 0000000..beecdf9
--- /dev/null
+++ b/cookbooks/ulimit/libraries/user.rb
@@ -0,0 +1,63 @@
+require 'chef/resource'
+
+class Chef
+ class Resource
+ class UlimitUser < Chef::Resource
+ resource_name :user_ulimit
+
+ property :username, String, name_property: true
+ property :filename, String, default: lazy { |r| r.username == '*' ? '00_all_limits' : "#{r.username}_limits" }
+ property :filehandle_limit, [String, Integer]
+ property :filehandle_soft_limit, [String, Integer]
+ property :filehandle_hard_limit, [String, Integer]
+ property :process_limit, [String, Integer]
+ property :process_soft_limit, [String, Integer]
+ property :process_hard_limit, [String, Integer]
+ property :memory_limit, [String, Integer]
+ property :core_limit, [String, Integer]
+ property :core_soft_limit, [String, Integer]
+ property :core_hard_limit, [String, Integer]
+ property :stack_limit, [String, Integer]
+ property :stack_soft_limit, [String, Integer]
+ property :stack_hard_limit, [String, Integer]
+ property :rtprio_limit, [String, Integer]
+ property :rtprio_soft_limit, [String, Integer]
+ property :rtprio_hard_limit, [String, Integer]
+
+ action :create do
+ new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
+ template "/etc/security/limits.d/#{new_resource.filename}" do
+ source 'ulimit.erb'
+ cookbook 'ulimit'
+ mode '0644'
+ variables(
+ ulimit_user: new_resource.username,
+ filehandle_limit: new_resource.filehandle_limit,
+ filehandle_soft_limit: new_resource.filehandle_soft_limit,
+ filehandle_hard_limit: new_resource.filehandle_hard_limit,
+ process_limit: new_resource.process_limit,
+ process_soft_limit: new_resource.process_soft_limit,
+ process_hard_limit: new_resource.process_hard_limit,
+ memory_limit: new_resource.memory_limit,
+ core_limit: new_resource.core_limit,
+ core_soft_limit: new_resource.core_soft_limit,
+ core_hard_limit: new_resource.core_hard_limit,
+ stack_limit: new_resource.stack_limit,
+ stack_soft_limit: new_resource.stack_soft_limit,
+ stack_hard_limit: new_resource.stack_hard_limit,
+ rtprio_limit: new_resource.rtprio_limit,
+ rtprio_soft_limit: new_resource.rtprio_soft_limit,
+ rtprio_hard_limit: new_resource.rtprio_hard_limit
+ )
+ end
+ end
+
+ action :delete do
+ new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
+ file "/etc/security/limits.d/#{new_resource.filename}" do
+ action :delete
+ end
+ end
+ end
+ end
+end
diff --git a/cookbooks/ulimit/metadata.json b/cookbooks/ulimit/metadata.json
new file mode 100644
index 0000000..e83ee81
--- /dev/null
+++ b/cookbooks/ulimit/metadata.json
@@ -0,0 +1 @@ +{"name":"ulimit","version":"1.0.0","description":"Resources for manaing ulimits","long_description":"# ulimit Cookbook\n\n[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit)\n\nThis cookbook provides resources for managing ulimits configuration on nodes.\n\n- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to.\n- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.\n\nThe cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu.\n\n## Requirements\n\n### Platforms\n\n- Debian/Ubuntu and derivatives\n- RHEL/Fedora and derivatives\n\n### Chef\n\n- Chef 12.7+\n\n### Cookbooks\n\n- none\n\n## Attributes\n\n- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from\n- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below.\n\n## Default Recipe\n\nInstead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. 
Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.\n\n### Example role configuration:\n\n```ruby\n\"default_attributes\": {\n \"ulimit\": {\n \"users\": {\n \"tomcat\": {\n \"filehandle_limit\": 8193,\n \"process_limit\": 61504\n },\n \"hbase\": {\n \"filehandle_limit\": 32768\n }\n }\n }\n }\n```\n\nTo specify a change for all users change specify a wildcard resource or user name like so `user_ulimit \"*\"`\n\n## Resources\n\n### user_ulimit\n\nThe `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Properties\n\n- `username` - Optional property to set the username if the resource name itself is not the username. See the example below.\n- `filename` - Optional filename to use instead of naming the file based on the username\n- `filehandle_limit` -\n- `filehandle_soft_limit` -\n- `filehandle_hard_limit` -\n- `process_limit` -\n- `process_soft_limit` -\n- `process_hard_limit` -\n- `memory_limit` -\n- `core_limit` -\n- `core_soft_limit` -\n- `core_hard_limit` -\n- `stack_soft_limit` -\n- `stack_hard_limit` -\n- `rtprio_limit` -\n- `rtprio_soft_limit` -\n- `rtprio_hard_limit` -\n\n#### Examples\n\nExample of a resource where the resource name is the username:\n\n```ruby\nuser_ulimit \"tomcat\" do\n filehandle_limit 8192 # optional\n filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set)\n filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set)\n process_limit 61504 # optional\n process_soft_limit 61504 # optional; not used if process_limit is set)\n process_hard_limit 61504 # optional; not used if process_limit is set)\n memory_limit 1024 # optional\n core_limit 2048 # optional\n core_soft_limit 1024 # optional\n core_hard_limit 'unlimited' # optional\n stack_soft_limit 2048 # optional\n stack_hard_limit 2048 # optional\n 
rtprio_limit 60 # optional\n rtprio_soft_limit 60 # optional\n rtprio_hard_limit 60 # optional\nend\n```\n\nExample where the resource name is not the username:\n\n```ruby\nuser_ulimit 'set filehandle ulimits for our tomcat user' do\n username 'tomcat'\n filehandle_soft_limit 8192\n filehandle_hard_limit 8192\nend\n```\n\n### ulimit_domain\n\nNote: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Examples:\n\n```ruby\nulimit_domain 'my_user' do\n rule do\n item :nofile\n type :hard\n value 10000\n end\n rule do\n item :nofile\n type :soft\n value 5000\n end\nend\n```\n","maintainer":"Brian Hatfield","maintainer_email":"bmhatfield@gmail.com","license":"Apache-2.0","platforms":{"amazon":">= 0.0.0","centos":">= 0.0.0","redhat":">= 0.0.0","scientific":">= 0.0.0","oracle":">= 0.0.0","fedora":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/bmhatfield/chef-ulimit","issues_url":"https://github.com/bmhatfield/chef-ulimit/issues","chef_version":[[">= 12.7"]],"ohai_version":[]} \ No newline at end of file diff --git a/cookbooks/ulimit/recipes/default.rb b/cookbooks/ulimit/recipes/default.rb new file mode 100644 index 0000000..41ed229 --- /dev/null +++ b/cookbooks/ulimit/recipes/default.rb 
@@ -0,0 +1,41 @@
+# Cookbook:: ulimit
+# Recipe:: default
+#
+# Copyright 2012, Brightcove, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+ulimit = node['ulimit']
+
+case node['platform_family']
+when 'debian'
+ template '/etc/pam.d/su' do
+ cookbook ulimit['pam_su_template_cookbook']
+ end
+
+ cookbook_file '/etc/pam.d/sudo' do
+ cookbook node['ulimit']['ulimit_overriding_sudo_file_cookbook']
+ source node['ulimit']['ulimit_overriding_sudo_file_name']
+ mode '0644'
+ end
+end
+
+if ulimit.key?('users')
+ ulimit['users'].each do |user, attributes|
+ user_ulimit user do
+ attributes.each do |a, v|
+ send(a.to_sym, v)
+ end
+ end
+ end
+end
diff --git a/cookbooks/ulimit/templates/domain.erb b/cookbooks/ulimit/templates/domain.erb
new file mode 100644
index 0000000..baedc36
--- /dev/null
+++ b/cookbooks/ulimit/templates/domain.erb
@@ -0,0 +1,9 @@
+<%
+ node.run_state[:ulimit][@domain].each do |item, entries|
+ entries.each do |type, value|
+-%>
+<%= @domain %> <%= type %> <%= item %> <%= value %>
+<%
+ end
+ end
+-%>
diff --git a/cookbooks/ulimit/templates/su.erb b/cookbooks/ulimit/templates/su.erb
new file mode 100644
index 0000000..b3adcf3
--- /dev/null
+++ b/cookbooks/ulimit/templates/su.erb
@@ -0,0 +1,63 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+# This file modified by Chef to enable ulimit switching with `su`
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
diff --git a/cookbooks/ulimit/templates/ulimit.erb b/cookbooks/ulimit/templates/ulimit.erb
new file mode 100644
index 0000000..d2c89a7
--- /dev/null
+++ b/cookbooks/ulimit/templates/ulimit.erb
@@ -0,0 +1,35 @@
+# Limits settings for <%= @ulimit_user %>
+
+<% unless @filehandle_limit.nil? -%>
+<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
+<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%>
+<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @process_limit.nil? -%>
+<%= @ulimit_user -%> - nproc <%= @process_limit %>
+<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%>
+<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @memory_limit.nil? -%>
+<%= @ulimit_user -%> - memlock <%= @memory_limit %>
+<% end -%>
+
+<% unless @core_limit.nil? -%>
+<%= @ulimit_user -%> - core <%= @core_limit %>
+<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%>
+<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @stack_limit.nil? -%>
+<%= @ulimit_user -%> - stack <%= @stack_limit %>
+<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%>
+<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%>
+<% end -%>
+
+<% unless @rtprio_limit.nil? -%>
+<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %>
+<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%>
+<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%>
+<% end -%>
diff --git a/data_bags/credentials/389.json b/data_bags/credentials/389.json
new file mode 100644
index 0000000..1386d63
--- /dev/null
+++ b/data_bags/credentials/389.json
@@ -0,0 +1,24 @@
+{
+ "id": "389",
+ "bind_dn": {
+ "encrypted_data": "PAe/xCFVzL7pwIfoIppewvx6k9rwYWNZKT9ZcZOm9Et0EcV0yrDo\n",
+ "iv": "rfIdXDbcfzBn98ld\n",
+ "auth_tag": "2YVDjVV9MCM1Mj8bylm2Ew==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "password": {
+ "encrypted_data": "OWt9gh5k+N/Vn1ko6FAcd0GECdozzsSkv44oxBAqVY/obHc=\n",
+ "iv": "PkFuXiB5y++4qE7k\n",
+ "auth_tag": "/1QXYOb8rhkX1qTIYVSipg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "username": {
+ "encrypted_data": "ZdwTaB+T8qe2F9vJ5KssZVs/elnTnU1K\n",
+ "iv": "BoBhvqkz/2aEvFsh\n",
+ "auth_tag": "fSOwmozRZCI7958VzikMbg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-dirsrv/.gitignore b/site-cookbooks/kosmos-dirsrv/.gitignore
new file mode 100644
index 0000000..9abf29f
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/.gitignore
@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
diff --git a/site-cookbooks/kosmos-dirsrv/Berksfile b/site-cookbooks/kosmos-dirsrv/Berksfile
new file mode 100644
index 0000000..34fea21
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/Berksfile
@@ -0,0 +1,3 @@
+source 'https://supermarket.chef.io'
+
+metadata
diff --git a/site-cookbooks/kosmos-dirsrv/CHANGELOG.md b/site-cookbooks/kosmos-dirsrv/CHANGELOG.md
new file mode 100644
index 0000000..04ff9ce
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/CHANGELOG.md
@@ -0,0 +1,5 @@
+# kosmos-dirsrv CHANGELOG
+
+# 0.1.0
+
+Initial release.
diff --git a/site-cookbooks/kosmos-dirsrv/LICENSE b/site-cookbooks/kosmos-dirsrv/LICENSE
new file mode 100644
index 0000000..f3b5d1c
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2019 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/site-cookbooks/kosmos-dirsrv/README.md b/site-cookbooks/kosmos-dirsrv/README.md
new file mode 100644
index 0000000..70858e3
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/README.md
@@ -0,0 +1,4 @@
+# kosmos-dirsrv
+
+Set up 389 Directory Server
+(https://directory.fedoraproject.org/docs/389ds/documentation.html)
diff --git a/site-cookbooks/kosmos-dirsrv/attributes/default.rb b/site-cookbooks/kosmos-dirsrv/attributes/default.rb
new file mode 100644
index 0000000..820a549
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/attributes/default.rb
@@ -0,0 +1 @@
+node.default["kosmos-dirsrv"]["nginx"]["domain"] = "ldap.kosmos.org"
diff --git a/site-cookbooks/kosmos-dirsrv/chefignore b/site-cookbooks/kosmos-dirsrv/chefignore
new file mode 100644
index 0000000..5039e1c
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/chefignore
@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/site-cookbooks/kosmos-dirsrv/files/tls.ldif b/site-cookbooks/kosmos-dirsrv/files/tls.ldif
new file mode 100644
index 0000000..0cc5065
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/files/tls.ldif
@@ -0,0 +1,26 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-security
+nsslapd-security: on
+
+dn: cn=encryption,cn=config
+changetype: modify
+replace: nsSSLSessionTimeout
+nsSSLSessionTimeout: 0
+-
+replace: nsSSLClientAuth
+nsSSLClientAuth: off
+-
+replace: nsSSL3
+nsSSL3: off
+-
+replace: nsSSL2
+nsSSL2: off
+
+dn: cn=RSA,cn=encryption,cn=config
+objectClass: top
+objectClass: nsEncryptionModule
+nsSSLPersonalitySSL: Server-Cert
+nsSSLActivation: on
+nsSSLToken: internal (software)
+cn: RSA
diff --git a/site-cookbooks/kosmos-dirsrv/files/users.ldif b/site-cookbooks/kosmos-dirsrv/files/users.ldif
new file mode 100644
index 0000000..5055e99
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
@@ -0,0 +1,4 @@
+dn: ou=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalUnit
+ou: users
diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb
new file mode 100644
index 0000000..0a019c4
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/metadata.rb
@@ -0,0 +1,13 @@
+name 'kosmos-dirsrv'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures 389 Directory Server'
+long_description 'Installs/Configures 389 Directory Server'
+version '0.1.0'
+chef_version '>= 14.0'
+
+depends "firewall"
+depends "apt"
+depends "ulimit"
+depends "backup"
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
new file mode 100644
index 0000000..9ce4d23
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
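Review bot: The `cn=encryption,cn=config` change in this hunk disables only SSLv2/SSLv3 and sets no `sslVersionMin`, and nothing in the `cn=config` change requires encrypted binds, so once the recipe opens 389/tcp a client can still send a simple bind with a cleartext password over the plain LDAP port. I would add `sslVersionMin: TLS1.2` to the encryption entry and `nsslapd-require-secure-binds: on` to `cn=config` (use `nsslapd-minssf` instead if anonymous reads over 389 must stay possible); both are documented 389-ds attributes, but confirm the packaged 389-ds-base accepts `sslVersionMin` before relying on it. `nsSSLSessionTimeout: 0` selects the server default and needs no change.
```ldif
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on

dn: cn=encryption,cn=config
changetype: modify
# … unchanged: nsSSLSessionTimeout, nsSSLClientAuth, nsSSL3, nsSSL2 replaces …
-
replace: sslVersionMin
sslVersionMin: TLS1.2
```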
@@ -0,0 +1,133 @@
+#
+# Cookbook Name:: kosmos-dirsrv
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "apt"
+package "389-ds-base"
+
+include_recipe "ulimit"
+user_ulimit "dirsrv" do
+ filehandle_limit 40960
+end
+
+credentials = data_bag_item("credentials", "389")
+
+config = {
+ instance: node[:hostname],
+ suffix: "dc=kosmos,dc=org",
+ port: 389,
+ credentials: credentials,
+ base_dir: "/var/lib/dirsrv",
+ conf_dir: "/etc/dirsrv"
+}
+
+inst_dir = "/etc/dirsrv/slapd-#{config[:instance]}"
+service_name = "dirsrv@#{config[:instance]}"
+
+unless ::Dir.exists?(inst_dir)
+ setup_config = "#{config[:conf_dir]}/setup-#{config[:instance]}.inf"
+ template setup_config do
+ source "setup.inf.erb"
+ mode "0600"
+ owner "root"
+ group "root"
+ sensitive true
+ variables config
+ end
+
+ execute "setup-#{config[:instance]}" do
+ command "setup-ds --silent --file #{setup_config}"
+ creates ::File.join inst_dir, 'dse.ldif'
+ action :nothing
+ subscribes :run, "template[#{setup_config}]", :immediately
+ notifies :restart, "service[#{service_name}]", :immediately
+ notifies :delete, "template[#{setup_config}]", :immediately
+ notifies :run, "execute[add users group]", :delayed
+ end
+end
+
+service service_name do
+ action [:enable, :start]
+end
+
+cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
+ source "users.ldif"
+ owner "root"
+ group "root"
+end
+
+execute "add users group" do
+ command "ldapadd -x -w #{credentials['password']} -D 'cn=Directory Manager' -f '#{Chef::Config[:file_cache_path]}/users.ldif'"
+ sensitive true
+ action :nothing
+end
+
+
+unless node.chef_environment == "development"
+ cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
+ source "tls.ldif"
+ owner "root"
+ group "root"
+ end
+
+ include_recipe "kosmos-nginx"
+
+ domain = node["kosmos-dirsrv"]["nginx"]["domain"]
+
+ nginx_certbot_site domain do
+ notifies :run, "execute[generate p12 cert]", :immediately
+ end
+
+ # Merge the full chain and private key into one cert, to import into the
+ # dirsrv dir
+ execute "generate p12 cert" do
+ command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{domain}/fullchain.pem -inkey /etc/letsencrypt/live/#{domain}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{domain}.p12 -name 'Server-Cert'"
+ action :nothing
+ notifies :run, "execute[import p12 cert]", :immediately
+ end
+
+ execute "import p12 cert" do
+ command "pk12util -i #{Chef::Config[:file_cache_path]}/#{domain}.p12 -d #{inst_dir}"
+ action :nothing
+ notifies :run, "execute[add tls config]", :immediately
+ end
+
+ execute "add tls config" do
+ command "ldapadd -x -w #{credentials['password']} -D 'cn=Directory Manager' -f '#{Chef::Config[:file_cache_path]}/tls.ldif'"
+ sensitive true
+ action :nothing
+ end
+
+ include_recipe "firewall"
+ firewall_rule "ldap" do
+ port [config[:port], 636]
+ protocol :tcp
+ command :allow
+ end
+
+ # backup the data dir and the config files
+ node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
+ include_recipe "backup"
+end
diff --git a/site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb b/site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb
new file mode 100644
index 0000000..ef332e7
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb
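Review bot: Both `ldapadd` commands (`add users group` and `add tls config`) pass the Directory Manager password as `-w #{credentials['password']}`, so it sits in the process argv and is readable by any local user through `ps` or `/proc/*/cmdline` while the command runs; `sensitive true` only keeps it out of Chef's log. Write it to a root-only file and use `ldapadd -y`, which reads the whole file as the password (Chef's `file content` writes no trailing newline, so the value stays exact). The same two commands also hard-code `-D 'cn=Directory Manager'` although setup.inf.erb takes the RootDN from `credentials['bind_dn']`, so any other value in the data bag makes both binds fail — use `credentials['bind_dn']` in both places. Separately, `generate p12 cert` leaves a PKCS#12 bundle containing the Let's Encrypt private key in `Chef::Config[:file_cache_path]` and nothing removes it after `pk12util -i` has imported it; a `file "#{Chef::Config[:file_cache_path]}/#{domain}.p12" do action :nothing end` with `action :delete` notified from the import would close that.
```ruby
# Directory Manager password for ldapadd -y: a root-only file instead of argv,
# so it never appears in process listings.
dm_pw_file = "#{Chef::Config[:file_cache_path]}/dirsrv-dm.pw"
file dm_pw_file do
  content credentials['password']
  mode "0600"
  owner "root"
  group "root"
  sensitive true
end

execute "add users group" do
  command "ldapadd -x -y #{dm_pw_file} -D '#{credentials['bind_dn']}' -f '#{Chef::Config[:file_cache_path]}/users.ldif'"
  sensitive true
  action :nothing
end

# … unchanged: TLS cookbook_file, kosmos-nginx, certbot, p12 generation and import …

  execute "add tls config" do
    command "ldapadd -x -y #{dm_pw_file} -D '#{credentials['bind_dn']}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif'"
    sensitive true
    action :nothing
  end
```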
@@ -0,0 +1,37 @@
+[General]
+FullMachineName = <%= node[:fqdn] %>
+SuiteSpotGroup = dirsrv
+SuiteSpotUserID = dirsrv
+<% if @has_cfgdir -%>
+ <% if @cfgdir_domain %>
+AdminDomain = <%= @cfgdir_domain %>
+ <% end -%>
+ConfigDirectoryAdminID = <%= @cfgdir_credentials['username'] %>
+ConfigDirectoryAdminPwd = <%= @cfgdir_credentials['password'] %>
+ConfigDirectoryLdapURL = ldap://<%= @cfgdir_addr %>:<%= @cfgdir_ldap_port %>/o=NetscapeRoot
+<% end -%>
+
+<% if @is_cfgdir -%>
+[admin]
+Port = <%= @cfgdir_http_port %>
+ServerAdminID = <%= @cfgdir_credentials['username'] %>
+ServerAdminPwd = <%= @cfgdir_credentials['password'] %>
+ServerIpAddress = <%= @cfgdir_addr %>
+SysUser = dirsrv
+<% end -%>
+
+[slapd]
+AddOrgEntries = <%= @add_org_entries %>
+AddSampleEntries = <%= @add_sample_entries %>
+InstallLdifFile = <%= @preseed_ldif %>
+RootDN = <%= @credentials['bind_dn'] %>
+RootDNPwd = <%= @credentials['password'] %>
+ServerIdentifier = <%= @instance %>
+ServerPort = <%= @port %>
+Suffix = <%= @suffix %>
+cert_dir = <%= @conf_dir %>/slapd-<%= @instance %>
+config_dir = <%= @conf_dir %>/slapd-<%= @instance %>
+bak_dir = <%= @base_dir %>/slapd-<%= @instance %>/bak
+db_dir = <%= @base_dir %>/slapd-<%= @instance %>/db
+ldif_dir = <%= @base_dir %>/slapd-<%= @instance %>/ldif
+schema_dir = <%= @conf_dir %>/slapd-<%= @instance %>/schema
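Review bot: `@has_cfgdir`, `@is_cfgdir`, the `@cfgdir_*` values, `@add_org_entries`, `@add_sample_entries` and `@preseed_ldif` are never supplied — the recipe's `variables config` passes only instance, suffix, port, credentials, base_dir and conf_dir — so both cfgdir blocks are dead and the `[slapd]` section renders `AddOrgEntries = `, `AddSampleEntries = ` and `InstallLdifFile = ` with empty values. Whether setup-ds treats an empty `InstallLdifFile` as "none" I cannot tell from the diff; either drop those three keys and the two `<% if @..._cfgdir -%>` blocks, or add explicit values to the recipe's `config` hash so the rendered file does not depend on the installer's handling of blanks. The template also writes `RootDNPwd` in cleartext, which is only acceptable because the recipe renders it with mode 0600 and deletes it right after setup-ds runs; state that contract at the top of the file, e.g. `<%# Contains RootDNPwd in cleartext: rendered 0600 and deleted by recipes/default.rb once setup-ds has run %>`.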