kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity

Initial version of the kosmos-dirsrv cookbook

Browse Source 
It sets up 389 Directory Server, including a TLS cert acquired using
Let's Encrypt in production (that requires ldap.kosmos.org pointing to
the server's IP)
This commit is contained in:
Greg Karékinian 2019-11-04 18:15:44 +01:00
parent 529a4fc4a8
commit 9e4685a743
29 changed files with 1109 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Berksfile
View File

@ -51,3 +51,5 @@ cookbook 'ipfs',
ref: 'v0.4.1' ref: 'v0.4.1'
cookbook 'elasticsearch', '= 4.2.0' cookbook 'elasticsearch', '= 4.2.0'
cookbook 'java', '~> 4.3.0' cookbook 'java', '~> 4.3.0'
cookbook 'ulimit', '~> 1.0.0'

2
Berksfile.lock
View File

@ -50,6 +50,7 @@ DEPENDENCIES
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
ref: v0.5.6 ref: v0.5.6
timezone_iii (= 1.0.4) timezone_iii (= 1.0.4)
ulimit (~> 1.0.0)
users (~> 5.3.1) users (~> 5.3.1)
GRAPH GRAPH
@ -159,6 +160,7 @@ GRAPH
seven_zip (3.1.1) seven_zip (3.1.1)
windows (>= 0.0.0) windows (>= 0.0.0)
timezone_iii (1.0.4) timezone_iii (1.0.4)
ulimit (1.0.0)
users (5.3.1) users (5.3.1)
windows (6.0.0) windows (6.0.0)
yum (5.1.0) yum (5.1.0)

173
Berksfile.lock.old Normal file
View File

@ -0,0 +1,173 @@
DEPENDENCIES
apache2 (= 3.3.0)
application (= 5.2.0)
application_git (= 1.1.0)
application_javascript (= 1.0.0)
application_ruby (= 4.1.0)
apt (~> 7.0.0)
ark (= 3.1.0)
build-essential (~> 8.2.1)
chef-sugar (= 3.3.0)
chef_client_updater (= 1.1.1)
compat_resource (= 12.19.0)
composer (~> 2.6.1)
database (= 6.1.1)
firewall (~> 2.6.3)
git (= 6.0.0)
homebrew (= 3.0.0)
hostname (= 0.4.2)
hostsfile (= 2.4.5)
ipfs
git: https://github.com/67P/ipfs-cookbook.git
revision: 5aa50ecc7eca5c7f113492057ca3bc8158e5154c
ref: feature
logrotate (= 2.2.0)
mariadb (= 0.3.1)
mediawiki
path: ../cookbooks/mediawiki-cookbook
mysql
git: https://github.com/sous-chefs/mysql
revision: d2e300440590bcf7a7605f0aa69beae73654e73b
ref: d2e3004
mysql2_chef_gem (= 1.1.0)
nginx (= 9.0.0)
nodejs (~> 5.0.0)
ntp (= 3.4.0)
ohai (~> 5.2.5)
openssl (~> 8.5.5)
php (= 6.1.1)
php-fpm (~> 0.8.0)
poise (~> 2.8.2)
poise-archive (~> 1.5.0)
poise-javascript (~> 1.2.0)
poise-languages (= 2.1.1)
poise-ruby (~> 2.4.0)
poise-ruby-build (= 1.1.0)
poise-service (~> 1.5.2)
postfix (= 5.0.2)
postgresql (= 7.1.4)
redis
git: https://github.com/phlipper/chef-redis.git
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
ref: v0.5.6
timezone_iii (= 1.0.4)
users (~> 5.3.1)
GRAPH
apache2 (3.3.0)
application (5.2.0)
poise (~> 2.4)
poise-service (~> 1.0)
application_git (1.1.0)
application (~> 5.0)
git (>= 0.0.0)
poise (~> 2.0)
application_javascript (1.0.0)
application (~> 5.0)
poise (~> 2.0)
poise-javascript (~> 1.0)
poise-service (~> 1.0)
application_ruby (4.1.0)
application (~> 5.0)
poise (~> 2.0)
poise-ruby (~> 2.1)
poise-service (~> 1.0)
apt (7.0.0)
ark (3.1.0)
build-essential (>= 0.0.0)
seven_zip (>= 0.0.0)
windows (>= 0.0.0)
build-essential (8.2.1)
mingw (>= 1.1)
seven_zip (>= 0.0.0)
chef-sugar (3.3.0)
chef_client_updater (1.1.1)
compat_resource (>= 12.16.3)
compat_resource (12.19.0)
composer (2.6.1)
apt (>= 0.0.0)
php (>= 0.0.0)
windows (>= 0.0.0)
database (6.1.1)
postgresql (>= 1.0.0)
dmg (4.1.1)
firewall (2.6.3)
chef-sugar (>= 0.0.0)
git (6.0.0)
build-essential (>= 0.0.0)
dmg (>= 0.0.0)
yum-epel (>= 0.0.0)
homebrew (3.0.0)
hostname (0.4.2)
hostsfile (>= 0.0.0)
hostsfile (2.4.5)
ipfs (0.1.3)
ark (>= 0.0.0)
logrotate (2.2.0)
mariadb (0.3.1)
apt (>= 0.0.0)
yum (>= 0.0.0)
yum-epel (>= 0.0.0)
mediawiki (0.4.0)
apache2 (>= 0.0.0)
database (>= 0.0.0)
mysql (>= 0.0.0)
nginx (>= 0.0.0)
php (>= 0.0.0)
php-fpm (>= 0.0.0)
mingw (2.1.0)
seven_zip (>= 0.0.0)
mysql (8.5.2)
mysql2_chef_gem (1.1.0)
build-essential (>= 0.0.0)
mariadb (>= 0.0.0)
mysql (>= 6.0)
nginx (9.0.0)
build-essential (>= 5.0)
ohai (>= 4.1.0)
yum-epel (>= 0.0.0)
nodejs (5.0.0)
ark (>= 2.0.2)
build-essential (>= 0.0.0)
ntp (3.4.0)
ohai (5.2.5)
openssl (8.5.5)
php (6.1.1)
build-essential (>= 5.0)
yum-epel (>= 0.0.0)
php-fpm (0.8.0)
poise (2.8.2)
poise-archive (1.5.0)
poise (~> 2.6)
poise-build-essential (1.0.0)
poise (~> 2.6)
poise-git (1.0.0)
poise (~> 2.6)
poise-languages (~> 2.1)
poise-javascript (1.2.0)
poise (~> 2.0)
poise-languages (~> 2.0)
poise-languages (2.1.1)
poise (~> 2.5)
poise-archive (~> 1.0)
poise-ruby (2.4.0)
poise (~> 2.0)
poise-languages (~> 2.0)
poise-ruby-build (1.1.0)
poise (~> 2.0)
poise-build-essential (~> 1.0)
poise-git (~> 1.0)
poise-ruby (~> 2.1)
poise-service (1.5.2)
poise (~> 2.0)
postfix (5.0.2)
postgresql (7.1.4)
redis (0.5.6)
apt (>= 0.0.0)
seven_zip (2.0.2)
windows (>= 1.2.2)
timezone_iii (1.0.4)
users (5.3.1)
windows (5.3.0)
yum (5.1.0)
yum-epel (3.3.0)

1
cookbooks/ulimit/.foodcritic Normal file
View File

@ -0,0 +1 @@
~FC059

68
cookbooks/ulimit/CHANGELOG.md Normal file
View File

@ -0,0 +1,68 @@
# CHANGELOG for ulimit
This file is used to list changes made in each version of ulimit.
## 1.0.0
- Breaking change: This cookbook now requires Chef 12.7 or later
- LWRPs converted to custom resources with Chef 13 compatibility
- Added the rtprio property to the user resource
- Updated the cookbook to not append .conf onto filenames when the user already specified a name that ends in .conf
- Added a chefignore file to limit what files get uploaded to the chef server
- Added a Test Kitchen config + InSpec tests for unit testing
- Added the license file to the repo to resolve a Foodcritic warning
- Added a Berksfile
- Resolved all cookstyle warnings
- Fixed the metadata license string to be an SPDX standard license string to resolve Foodcritic warnings
- Add supports, source_url, issues_url, and chef_version metadata to resolve Foodcritic warnings
- Switched the default recipe from platform to platform_family to catch more Debian/Ubuntu derivatives
- Added testing with ChefDK's delivery local mode in Travis
- Expanded the readme with better information on requirements and usage examples
- Removed ChefSpec matchers that are autogenerated by ChefSpec now
- Added Cookstyle and autocorrected all code
- Added a basic ChefSpec unit test
## 0.3.2
- Resolves issue some users were having with a resource-loading race condition, thanks to Chris Roberts (<https://github.com/chrisroberts>)
## 0.3.1
- Fix domain typo, thanks to David Radcliffe (<https://github.com/dwradcliffe>) (also reported by Lewis Thompson (<https://github.com/lewisthompson>))
- Add support for split hard/soft nofile limits, thanks to Troy Ready (<https://github.com/troyready>)
- Fix license boilerplate, thanks to Troy Ready (<https://github.com/troyready>)
- Fix limits.d file extension, thanks to <https://github.com/soul-rebel>
## 0.3.0
- Add Domain LWRP for arbitrary rule creation. Thanks for Chris Roberts (<https://github.com/chrisroberts>)
## 0.2.0
- Support specifying users via attributes (as long as your runlist includes the ulimit::default recipe). Thanks to Dmytro Shteflyuk (<https://github.com/kpumuk>)
## 0.1.5
- Allow setting core_limit. Thanks to Aaron Nichols (<https://github.com/adnichols>)
## 0.1.4:
- Does not set any ulimit parameter by default - only when specified. Thanks to Graham Christensen (<https://github.com/zippykid>)
## 0.1.3:
- Adds node attribute node['ulimit']['pam_su_template_cookbook'] to allow users to provide a su pam.d template from another cookbook
## 0.1.2:
- Add memory limit handling, courtesy of Sean Porter (<https://github.com/bmhatfield/chef-ulimit/pull/3>)
## 0.1.0:
- Initial release of ulimit
--------------------------------------------------------------------------------
Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.

145
cookbooks/ulimit/README.md Normal file
View File

@ -0,0 +1,145 @@
# ulimit Cookbook
[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit)
This cookbook provides resources for managing ulimits configuration on nodes.
- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to.
- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.
The cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu.
## Requirements
### Platforms
- Debian/Ubuntu and derivatives
- RHEL/Fedora and derivatives
### Chef
- Chef 12.7+
### Cookbooks
- none
## Attributes
- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from
- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below.
## Default Recipe
Instead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.
### Example role configuration:
```ruby
"default_attributes": {
"ulimit": {
"users": {
"tomcat": {
"filehandle_limit": 8193,
"process_limit": 61504
},
"hbase": {
"filehandle_limit": 32768
}
}
}
}
```
To specify a change for all users change specify a wildcard resource or user name like so `user_ulimit "*"`
## Resources
### user_ulimit
The `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory.
#### Actions:
- `create`
- `delete`
#### Properties
- `username` - Optional property to set the username if the resource name itself is not the username. See the example below.
- `filename` - Optional filename to use instead of naming the file based on the username
- `filehandle_limit` -
- `filehandle_soft_limit` -
- `filehandle_hard_limit` -
- `process_limit` -
- `process_soft_limit` -
- `process_hard_limit` -
- `memory_limit` -
- `core_limit` -
- `core_soft_limit` -
- `core_hard_limit` -
- `stack_soft_limit` -
- `stack_hard_limit` -
- `rtprio_limit` -
- `rtprio_soft_limit` -
- `rtprio_hard_limit` -
#### Examples
Example of a resource where the resource name is the username:
```ruby
user_ulimit "tomcat" do
filehandle_limit 8192 # optional
filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set)
filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set)
process_limit 61504 # optional
process_soft_limit 61504 # optional; not used if process_limit is set)
process_hard_limit 61504 # optional; not used if process_limit is set)
memory_limit 1024 # optional
core_limit 2048 # optional
core_soft_limit 1024 # optional
core_hard_limit 'unlimited' # optional
stack_soft_limit 2048 # optional
stack_hard_limit 2048 # optional
rtprio_limit 60 # optional
rtprio_soft_limit 60 # optional
rtprio_hard_limit 60 # optional
end
```
Example where the resource name is not the username:
```ruby
user_ulimit 'set filehandle ulimits for our tomcat user' do
username 'tomcat'
filehandle_soft_limit 8192
filehandle_hard_limit 8192
end
```
### ulimit_domain
Note: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.
#### Actions:
- `create`
- `delete`
#### Examples:
```ruby
ulimit_domain 'my_user' do
rule do
item :nofile
type :hard
value 10000
end
rule do
item :nofile
type :soft
value 5000
end
end
```

5
cookbooks/ulimit/attributes/default.rb Normal file
View File

@ -0,0 +1,5 @@
default['ulimit']['pam_su_template_cookbook'] = nil
default['ulimit']['users'] = Mash.new
default['ulimit']['security_limits_directory'] = '/etc/security/limits.d'
default['ulimit']['ulimit_overriding_sudo_file_name'] = 'sudo'
default['ulimit']['ulimit_overriding_sudo_file_cookbook'] = nil

9
cookbooks/ulimit/files/sudo Normal file
View File

@ -0,0 +1,9 @@
#%PAM-1.0
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
session required pam_limits.so
@include common-auth
@include common-account
@include common-session-noninteractive

59
cookbooks/ulimit/libraries/domain.rb Normal file
View File

@ -0,0 +1,59 @@
require 'chef/resource'
class Chef
class Resource
class UlimitDomain < Chef::Resource
property :domain, String
property :domain_name, String, name_property: true
property :filename, String
load_current_value do |new_resource|
new_resource.filename new_resource.name unless new_resource.filename
new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
new_resource.subresource_rules.map! do |name, block|
urule = Chef::Resource::UlimitRule.new("#{new_resource.name}:#{name}]", nil)
urule.domain new_resource
urule.action :nothing
urule.instance_eval(&block)
unless name
urule.name "ulimit_rule[#{new_resource.name}:#{urule.item}-#{urule.type}-#{urule.value}]"
end
urule
end
end
attr_reader :subresource_rules
def initialize(*args)
@subresource_rules = []
super
end
def rule(name = nil, &block)
@subresource_rules << [name, block]
end
action :create do
new_resource.subresource_rules.map do |sub_resource|
sub_resource.run_context = new_resource.run_context
sub_resource.run_action(:create)
end
new_resource.filename new_resource.name unless new_resource.filename
new_resource.filename "#{new_resource.filename}.conf" unless new_resource.filename.end_with?('.conf')
template ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
source 'domain.erb'
cookbook 'ulimit'
variables domain: new_resource.domain_name
end
end
action :delete do
file ::File.join(node['ulimit']['security_limits_directory'], new_resource.filename) do
action :delete
end
end
end
end
end

31
cookbooks/ulimit/libraries/rule.rb Normal file
View File

@ -0,0 +1,31 @@
require 'chef/resource'
class Chef
class Resource
class UlimitRule < Chef::Resource
property :type, [Symbol, String], required: true
property :item, [Symbol, String], required: true
property :value, [String, Numeric], required: true
property :domain, [Chef::Resource, String], required: true
load_current_value do |new_resource|
new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
node.run_state[:ulimit] ||= Mash.new
node.run_state[:ulimit][new_resource.domain] ||= Mash.new
end
action :create do
new_resource.domain new_resource.domain.domain_name if new_resource.domain.is_a?(Chef::Resource)
node.run_state[:ulimit] ||= Mash.new
node.run_state[:ulimit][new_resource.domain] ||= Mash.new
node.run_state[:ulimit][new_resource.domain][new_resource.item] ||= Mash.new
node.run_state[:ulimit][new_resource.domain][new_resource.item][new_resource.type] = new_resource.value
puts "Create: #{node.run_state[:ulimit].inspect}"
end
action :delete do
# NOOP
end
end
end
end

63
cookbooks/ulimit/libraries/user.rb Normal file
View File

@ -0,0 +1,63 @@
require 'chef/resource'
class Chef
class Resource
class UlimitUser < Chef::Resource
resource_name :user_ulimit
property :username, String, name_property: true
property :filename, String, default: lazy { |r| r.username == '*' ? '00_all_limits' : "#{r.username}_limits" }
property :filehandle_limit, [String, Integer]
property :filehandle_soft_limit, [String, Integer]
property :filehandle_hard_limit, [String, Integer]
property :process_limit, [String, Integer]
property :process_soft_limit, [String, Integer]
property :process_hard_limit, [String, Integer]
property :memory_limit, [String, Integer]
property :core_limit, [String, Integer]
property :core_soft_limit, [String, Integer]
property :core_hard_limit, [String, Integer]
property :stack_limit, [String, Integer]
property :stack_soft_limit, [String, Integer]
property :stack_hard_limit, [String, Integer]
property :rtprio_limit, [String, Integer]
property :rtprio_soft_limit, [String, Integer]
property :rtprio_hard_limit, [String, Integer]
action :create do
new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
template "/etc/security/limits.d/#{new_resource.filename}" do
source 'ulimit.erb'
cookbook 'ulimit'
mode '0644'
variables(
ulimit_user: new_resource.username,
filehandle_limit: new_resource.filehandle_limit,
filehandle_soft_limit: new_resource.filehandle_soft_limit,
filehandle_hard_limit: new_resource.filehandle_hard_limit,
process_limit: new_resource.process_limit,
process_soft_limit: new_resource.process_soft_limit,
process_hard_limit: new_resource.process_hard_limit,
memory_limit: new_resource.memory_limit,
core_limit: new_resource.core_limit,
core_soft_limit: new_resource.core_soft_limit,
core_hard_limit: new_resource.core_hard_limit,
stack_limit: new_resource.stack_limit,
stack_soft_limit: new_resource.stack_soft_limit,
stack_hard_limit: new_resource.stack_hard_limit,
rtprio_limit: new_resource.rtprio_limit,
rtprio_soft_limit: new_resource.rtprio_soft_limit,
rtprio_hard_limit: new_resource.rtprio_hard_limit
)
end
end
action :delete do
new_resource.filename = "#{new_resource.filename}.conf" unless new_resource.filename.include?('.conf')
file "/etc/security/limits.d/#{new_resource.filename}" do
action :delete
end
end
end
end
end

1
cookbooks/ulimit/metadata.json Normal file
View File

@ -0,0 +1 @@
{"name":"ulimit","version":"1.0.0","description":"Resources for manaing ulimits","long_description":"# ulimit Cookbook\n\n[![Build Status](https://travis-ci.org/bmhatfield/chef-ulimit.svg?branch=master)](https://travis-ci.org/bmhatfield/chef-ulimit) [![Cookbook Version](https://img.shields.io/cookbook/v/ulimit.svg)](https://supermarket.chef.io/cookbooks/ulimit)\n\nThis cookbook provides resources for managing ulimits configuration on nodes.\n\n- `user_ulimit` resource for overriding various ulimit settings. It places configured templates into `/etc/security/limits.d/`, named for the user the ulimit applies to.\n- `ulimit_domain` which allows for configuring complex sets of rules beyond those supported by the user_ulimit resource.\n\nThe cookbook also includes a recipe (`default.rb`) which allows ulimit overrides with the 'su' command on Ubuntu.\n\n## Requirements\n\n### Platforms\n\n- Debian/Ubuntu and derivatives\n- RHEL/Fedora and derivatives\n\n### Chef\n\n- Chef 12.7+\n\n### Cookbooks\n\n- none\n\n## Attributes\n\n- `node['ulimit']['pam_su_template_cookbook']` - Defaults to nil (current cookbook). Determines what cookbook the su pam.d template is taken from\n- `node['ulimit']['users']` - Defaults to empty Mash. List of users with their limits, as below.\n\n## Default Recipe\n\nInstead of using the user_ulimit resource directly you may define user ulimits via node attributes. The definition may be made via an environment file, a role file, or in a wrapper cookbook. Note: The preferred way to use this cookbook is by directly defining resources as it is much easier to troubleshoot and far more robust.\n\n### Example role configuration:\n\n```ruby\n\"default_attributes\": {\n \"ulimit\": {\n \"users\": {\n \"tomcat\": {\n \"filehandle_limit\": 8193,\n \"process_limit\": 61504\n },\n \"hbase\": {\n \"filehandle_limit\": 32768\n }\n }\n }\n }\n```\n\nTo specify a change for all users change specify a wildcard resource or user name like so `user_ulimit \"*\"`\n\n## Resources\n\n### user_ulimit\n\nThe `user_ulimit` resource creates individual ulimit files that are installed into the `/etc/security/limits.d/` directory.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Properties\n\n- `username` - Optional property to set the username if the resource name itself is not the username. See the example below.\n- `filename` - Optional filename to use instead of naming the file based on the username\n- `filehandle_limit` -\n- `filehandle_soft_limit` -\n- `filehandle_hard_limit` -\n- `process_limit` -\n- `process_soft_limit` -\n- `process_hard_limit` -\n- `memory_limit` -\n- `core_limit` -\n- `core_soft_limit` -\n- `core_hard_limit` -\n- `stack_soft_limit` -\n- `stack_hard_limit` -\n- `rtprio_limit` -\n- `rtprio_soft_limit` -\n- `rtprio_hard_limit` -\n\n#### Examples\n\nExample of a resource where the resource name is the username:\n\n```ruby\nuser_ulimit \"tomcat\" do\n filehandle_limit 8192 # optional\n filehandle_soft_limit 8192 # optional; not used if filehandle_limit is set)\n filehandle_hard_limit 8192 # optional; not used if filehandle_limit is set)\n process_limit 61504 # optional\n process_soft_limit 61504 # optional; not used if process_limit is set)\n process_hard_limit 61504 # optional; not used if process_limit is set)\n memory_limit 1024 # optional\n core_limit 2048 # optional\n core_soft_limit 1024 # optional\n core_hard_limit 'unlimited' # optional\n stack_soft_limit 2048 # optional\n stack_hard_limit 2048 # optional\n rtprio_limit 60 # optional\n rtprio_soft_limit 60 # optional\n rtprio_hard_limit 60 # optional\nend\n```\n\nExample where the resource name is not the username:\n\n```ruby\nuser_ulimit 'set filehandle ulimits for our tomcat user' do\n username 'tomcat'\n filehandle_soft_limit 8192\n filehandle_hard_limit 8192\nend\n```\n\n### ulimit_domain\n\nNote: The `ulimit_domain` resource creates files named after the domain with no modifiers by default. To override this behavior, specify the `filename` parameter to the resource.\n\n#### Actions:\n\n- `create`\n- `delete`\n\n#### Examples:\n\n```ruby\nulimit_domain 'my_user' do\n rule do\n item :nofile\n type :hard\n value 10000\n end\n rule do\n item :nofile\n type :soft\n value 5000\n end\nend\n```\n","maintainer":"Brian Hatfield","maintainer_email":"bmhatfield@gmail.com","license":"Apache-2.0","platforms":{"amazon":">= 0.0.0","centos":">= 0.0.0","redhat":">= 0.0.0","scientific":">= 0.0.0","oracle":">= 0.0.0","fedora":">= 0.0.0","debian":">= 0.0.0","ubuntu":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/bmhatfield/chef-ulimit","issues_url":"https://github.com/bmhatfield/chef-ulimit/issues","chef_version":[[">= 12.7"]],"ohai_version":[]}

41
cookbooks/ulimit/recipes/default.rb Normal file
View File

@ -0,0 +1,41 @@
# Cookbook:: ulimit
# Recipe:: default
#
# Copyright 2012, Brightcove, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
ulimit = node['ulimit']
case node['platform_family']
when 'debian'
template '/etc/pam.d/su' do
cookbook ulimit['pam_su_template_cookbook']
end
cookbook_file '/etc/pam.d/sudo' do
cookbook node['ulimit']['ulimit_overriding_sudo_file_cookbook']
source node['ulimit']['ulimit_overriding_sudo_file_name']
mode '0644'
end
end
if ulimit.key?('users')
ulimit['users'].each do |user, attributes|
user_ulimit user do
attributes.each do |a, v|
send(a.to_sym, v)
end
end
end
end

9
cookbooks/ulimit/templates/domain.erb Normal file
View File

@ -0,0 +1,9 @@
<%
node.run_state[:ulimit][@domain].each do |item, entries|
entries.each do |type, value|
-%>
<%= @domain %> <%= type %> <%= item %> <%= value %>
<%
end
end
-%>

63
cookbooks/ulimit/templates/su.erb Normal file
View File

@ -0,0 +1,63 @@
#
# The PAM configuration file for the Shadow `su' service
#
# This file modified by Chef to enable ulimit switching with `su`
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

35
cookbooks/ulimit/templates/ulimit.erb Normal file
View File

@ -0,0 +1,35 @@
# Limits settings for <%= @ulimit_user %>
<% unless @filehandle_limit.nil? -%>
<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%>
<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%>
<% end -%>
<% unless @process_limit.nil? -%>
<%= @ulimit_user -%> - nproc <%= @process_limit %>
<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%>
<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%>
<% end -%>
<% unless @memory_limit.nil? -%>
<%= @ulimit_user -%> - memlock <%= @memory_limit %>
<% end -%>
<% unless @core_limit.nil? -%>
<%= @ulimit_user -%> - core <%= @core_limit %>
<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%>
<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%>
<% end -%>
<% unless @stack_limit.nil? -%>
<%= @ulimit_user -%> - stack <%= @stack_limit %>
<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%>
<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%>
<% end -%>
<% unless @rtprio_limit.nil? -%>
<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %>
<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%>
<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%>
<% end -%>

24
data_bags/credentials/389.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "389",
"bind_dn": {
"encrypted_data": "PAe/xCFVzL7pwIfoIppewvx6k9rwYWNZKT9ZcZOm9Et0EcV0yrDo\n",
"iv": "rfIdXDbcfzBn98ld\n",
"auth_tag": "2YVDjVV9MCM1Mj8bylm2Ew==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"password": {
"encrypted_data": "OWt9gh5k+N/Vn1ko6FAcd0GECdozzsSkv44oxBAqVY/obHc=\n",
"iv": "PkFuXiB5y++4qE7k\n",
"auth_tag": "/1QXYOb8rhkX1qTIYVSipg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"username": {
"encrypted_data": "ZdwTaB+T8qe2F9vJ5KssZVs/elnTnU1K\n",
"iv": "BoBhvqkz/2aEvFsh\n",
"auth_tag": "fSOwmozRZCI7958VzikMbg==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

22
site-cookbooks/kosmos-dirsrv/.gitignore vendored Normal file
View File

@ -0,0 +1,22 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json

3
site-cookbooks/kosmos-dirsrv/Berksfile Normal file
View File

@ -0,0 +1,3 @@
source 'https://supermarket.chef.io'
metadata

5
site-cookbooks/kosmos-dirsrv/CHANGELOG.md Normal file
View File

@ -0,0 +1,5 @@
# kosmos-dirsrv CHANGELOG
# 0.1.0
Initial release.

20
site-cookbooks/kosmos-dirsrv/LICENSE Normal file
View File

@ -0,0 +1,20 @@
Copyright (c) 2019 Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

4
site-cookbooks/kosmos-dirsrv/README.md Normal file
View File

@ -0,0 +1,4 @@
# kosmos-dirsrv
Set up 389 Directory Server
(https://directory.fedoraproject.org/docs/389ds/documentation.html)

1
site-cookbooks/kosmos-dirsrv/attributes/default.rb Normal file
View File

@ -0,0 +1 @@
node.default["kosmos-dirsrv"]["nginx"]["domain"] = "ldap.kosmos.org"

110
site-cookbooks/kosmos-dirsrv/chefignore Normal file
View File

@ -0,0 +1,110 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
# SASS #
########
.sass-cache
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
mkmf.log
REVISION
TAGS*
tmtags
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
# Testing #
###########
.circleci/*
.codeclimate.yml
.foodcritic
.kitchen*
.rspec
.rubocop.yml
.travis.yml
.watchr
azure-pipelines.yml
examples/*
features/*
Guardfile
kitchen.yml*
Procfile
Rakefile
spec/*
spec/*
spec/fixtures/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Cookbooks #
#############
CHANGELOG*
CONTRIBUTING*
TESTING*
CODE_OF_CONDUCT*
# Vagrant #
###########
.vagrant
Vagrantfile

26
site-cookbooks/kosmos-dirsrv/files/tls.ldif Normal file
View File

@ -0,0 +1,26 @@
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLSessionTimeout
nsSSLSessionTimeout: 0
-
replace: nsSSLClientAuth
nsSSLClientAuth: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL2
nsSSL2: off
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
nsSSLToken: internal (software)
cn: RSA

4
site-cookbooks/kosmos-dirsrv/files/users.ldif Normal file
View File

@ -0,0 +1,4 @@
dn: ou=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

13
site-cookbooks/kosmos-dirsrv/metadata.rb Normal file
View File

@ -0,0 +1,13 @@
name 'kosmos-dirsrv'
maintainer 'Kosmos Developers'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/Configures 389 Directory Server'
long_description 'Installs/Configures 389 Directory Server'
version '0.1.0'
chef_version '>= 14.0'
depends "firewall"
depends "apt"
depends "ulimit"
depends "backup"

133
site-cookbooks/kosmos-dirsrv/recipes/default.rb Normal file
View File

@ -0,0 +1,133 @@
#
# Cookbook Name:: kosmos-dirsrv
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe "apt"
package "389-ds-base"
include_recipe "ulimit"
user_ulimit "dirsrv" do
filehandle_limit 40960
end
credentials = data_bag_item("credentials", "389")
config = {
instance: node[:hostname],
suffix: "dc=kosmos,dc=org",
port: 389,
credentials: credentials,
base_dir: "/var/lib/dirsrv",
conf_dir: "/etc/dirsrv"
}
inst_dir = "/etc/dirsrv/slapd-#{config[:instance]}"
service_name = "dirsrv@#{config[:instance]}"
unless ::Dir.exists?(inst_dir)
setup_config = "#{config[:conf_dir]}/setup-#{config[:instance]}.inf"
template setup_config do
source "setup.inf.erb"
mode "0600"
owner "root"
group "root"
sensitive true
variables config
end
execute "setup-#{config[:instance]}" do
command "setup-ds --silent --file #{setup_config}"
creates ::File.join inst_dir, 'dse.ldif'
action :nothing
subscribes :run, "template[#{setup_config}]", :immediately
notifies :restart, "service[#{service_name}]", :immediately
notifies :delete, "template[#{setup_config}]", :immediately
notifies :run, "execute[add users group]", :delayed
end
end
service service_name do
action [:enable, :start]
end
cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
source "users.ldif"
owner "root"
group "root"
end
execute "add users group" do
command "ldapadd -x -w #{credentials['password']} -D 'cn=Directory Manager' -f '#{Chef::Config[:file_cache_path]}/users.ldif'"
sensitive true
action :nothing
end
unless node.chef_environment == "development"
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
source "tls.ldif"
owner "root"
group "root"
end
include_recipe "kosmos-nginx"
domain = node["kosmos-dirsrv"]["nginx"]["domain"]
nginx_certbot_site domain do
notifies :run, "execute[generate p12 cert]", :immediately
end
# Merge the full chain and private key into one cert, to import into the
# dirsrv dir
execute "generate p12 cert" do
command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{domain}/fullchain.pem -inkey /etc/letsencrypt/live/#{domain}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{domain}.p12 -name 'Server-Cert'"
action :nothing
notifies :run, "execute[import p12 cert]", :immediately
end
execute "import p12 cert" do
command "pk12util -i #{Chef::Config[:file_cache_path]}/#{domain}.p12 -d #{inst_dir}"
action :nothing
notifies :run, "execute[add tls config]", :immediately
end
execute "add tls config" do
command "ldapadd -x -w #{credentials['password']} -D 'cn=Directory Manager' -f '#{Chef::Config[:file_cache_path]}/tls.ldif'"
sensitive true
action :nothing
end
include_recipe "firewall"
firewall_rule "ldap" do
port [config[:port], 636]
protocol :tcp
command :allow
end
# backup the data dir and the config files
node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
include_recipe "backup"
end

37
site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb Normal file
View File

@ -0,0 +1,37 @@
[General]
FullMachineName = <%= node[:fqdn] %>
SuiteSpotGroup = dirsrv
SuiteSpotUserID = dirsrv
<% if @has_cfgdir -%>
<% if @cfgdir_domain %>
AdminDomain = <%= @cfgdir_domain %>
<% end -%>
ConfigDirectoryAdminID = <%= @cfgdir_credentials['username'] %>
ConfigDirectoryAdminPwd = <%= @cfgdir_credentials['password'] %>
ConfigDirectoryLdapURL = ldap://<%= @cfgdir_addr %>:<%= @cfgdir_ldap_port %>/o=NetscapeRoot
<% end -%>
<% if @is_cfgdir -%>
[admin]
Port = <%= @cfgdir_http_port %>
ServerAdminID = <%= @cfgdir_credentials['username'] %>
ServerAdminPwd = <%= @cfgdir_credentials['password'] %>
ServerIpAddress = <%= @cfgdir_addr %>
SysUser = dirsrv
<% end -%>
[slapd]
AddOrgEntries = <%= @add_org_entries %>
AddSampleEntries = <%= @add_sample_entries %>
InstallLdifFile = <%= @preseed_ldif %>
RootDN = <%= @credentials['bind_dn'] %>
RootDNPwd = <%= @credentials['password'] %>
ServerIdentifier = <%= @instance %>
ServerPort = <%= @port %>
Suffix = <%= @suffix %>
cert_dir = <%= @conf_dir %>/slapd-<%= @instance %>
config_dir = <%= @conf_dir %>/slapd-<%= @instance %>
bak_dir = <%= @base_dir %>/slapd-<%= @instance %>/bak
db_dir = <%= @base_dir %>/slapd-<%= @instance %>/db
ldif_dir = <%= @base_dir %>/slapd-<%= @instance %>/ldif
schema_dir = <%= @conf_dir %>/slapd-<%= @instance %>/schema