From dc91128eca3042701e94c9e881f7ae95830a5cd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 29 Nov 2019 14:34:52 +0100
Subject: [PATCH] Use a custom resource to create a 389 Directory Server instance

This replaces the default recipe and will make it much easier to create other types of instances, for example for replication
---
 data_bags/credentials/389.json | 24 ----
 data_bags/credentials/dirsrv.json | 10 ++
 .../kosmos-dirsrv/attributes/default.rb | 1 -
 .../kosmos-dirsrv/recipes/default.rb | 110 +---------------
 .../kosmos-dirsrv/resources/instance.rb | 118 ++++++++++++++++++
 .../kosmos-dirsrv/templates/setup.inf.erb | 26 ++--
 6 files changed, 146 insertions(+), 143 deletions(-)
 delete mode 100644 data_bags/credentials/389.json
 create mode 100644 data_bags/credentials/dirsrv.json
 create mode 100644 site-cookbooks/kosmos-dirsrv/resources/instance.rb

diff --git a/data_bags/credentials/389.json b/data_bags/credentials/389.json
deleted file mode 100644
index 1386d63..0000000
--- a/data_bags/credentials/389.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "id": "389",
- "bind_dn": {
- "encrypted_data": "PAe/xCFVzL7pwIfoIppewvx6k9rwYWNZKT9ZcZOm9Et0EcV0yrDo\n",
- "iv": "rfIdXDbcfzBn98ld\n",
- "auth_tag": "2YVDjVV9MCM1Mj8bylm2Ew==\n",
- "version": 3,
- "cipher": "aes-256-gcm"
- },
- "password": {
- "encrypted_data": "OWt9gh5k+N/Vn1ko6FAcd0GECdozzsSkv44oxBAqVY/obHc=\n",
- "iv": "PkFuXiB5y++4qE7k\n",
- "auth_tag": "/1QXYOb8rhkX1qTIYVSipg==\n",
- "version": 3,
- "cipher": "aes-256-gcm"
- },
- "username": {
- "encrypted_data": "ZdwTaB+T8qe2F9vJ5KssZVs/elnTnU1K\n",
- "iv": "BoBhvqkz/2aEvFsh\n",
- "auth_tag": "fSOwmozRZCI7958VzikMbg==\n",
- "version": 3,
- "cipher": "aes-256-gcm"
- }
-}
\ No newline at end of file
diff --git a/data_bags/credentials/dirsrv.json b/data_bags/credentials/dirsrv.json
new file mode 100644
index 0000000..cf4ce41
--- /dev/null
+++ b/data_bags/credentials/dirsrv.json
@@ -0,0 +1,10 @@
+{
+ "id": "dirsrv",
+ "admin_password": {
+ "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
+ "iv": "KNW2B8tpX7ywZwbg\n",
+ "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-dirsrv/attributes/default.rb b/site-cookbooks/kosmos-dirsrv/attributes/default.rb
index 820a549..e69de29 100644
--- a/site-cookbooks/kosmos-dirsrv/attributes/default.rb
+++ b/site-cookbooks/kosmos-dirsrv/attributes/default.rb
@@ -1 +0,0 @@
-node.default["kosmos-dirsrv"]["nginx"]["domain"] = "ldap.kosmos.org"
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
index 9ce4d23..d7f50ca 100644
--- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb
+++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
@@ -24,110 +24,10 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
-include_recipe "apt"
-package "389-ds-base"
+credentials = data_bag_item("credentials", "dirsrv")
-include_recipe "ulimit"
-user_ulimit "dirsrv" do
- filehandle_limit 40960
-end
-
-credentials = data_bag_item("credentials", "389")
-
-config = {
- instance: node[:hostname],
- suffix: "dc=kosmos,dc=org",
- port: 389,
- credentials: credentials,
- base_dir: "/var/lib/dirsrv",
- conf_dir: "/etc/dirsrv"
-}
-
-inst_dir = "/etc/dirsrv/slapd-#{config[:instance]}"
-service_name = "dirsrv@#{config[:instance]}"
-
-unless ::Dir.exists?(inst_dir)
- setup_config = "#{config[:conf_dir]}/setup-#{config[:instance]}.inf"
- template setup_config do
- source "setup.inf.erb"
- mode "0600"
- owner "root"
- group "root"
- sensitive true
- variables config
- end
-
- execute "setup-#{config[:instance]}" do
- command "setup-ds --silent --file #{setup_config}"
- creates ::File.join inst_dir, 'dse.ldif'
- action :nothing
- subscribes :run, "template[#{setup_config}]", :immediately
- notifies :restart, "service[#{service_name}]", :immediately
- notifies :delete, "template[#{setup_config}]", :immediately
- notifies :run, "execute[add users group]", :delayed
- end
-end
-
-service service_name do
- action [:enable, :start]
-end
-
-cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
- source "users.ldif"
- owner "root"
- group "root"
-end
-
-execute "add users group" do
- command "ldapadd -x -w #{credentials['password']} -D 'cn=Directory Manager' -f '#{Chef::Config[:file_cache_path]}/users.ldif'"
- sensitive true
- action :nothing
-end
-
-
-unless node.chef_environment == "development"
- cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
- source "tls.ldif"
- owner "root"
- group "root"
- end
-
- include_recipe "kosmos-nginx"
-
- domain = node["kosmos-dirsrv"]["nginx"]["domain"]
-
- nginx_certbot_site domain do
- notifies :run, "execute[generate p12 cert]", :immediately
- end
-
- # Merge the full chain and private key into one cert, to import into the
- # dirsrv dir
- execute "generate p12 cert" do
- command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{domain}/fullchain.pem -inkey /etc/letsencrypt/live/#{domain}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{domain}.p12 -name 'Server-Cert'"
- action :nothing
- notifies :run, "execute[import p12 cert]", :immediately
- end
-
- execute "import p12 cert" do
- command "pk12util -i #{Chef::Config[:file_cache_path]}/#{domain}.p12 -d #{inst_dir}"
- action :nothing
- notifies :run, "execute[add tls config]", :immediately
- end
-
- execute "add tls config" do
- command "ldapadd -x -w #{credentials['password']} -D 'cn=Directory Manager' -f '#{Chef::Config[:file_cache_path]}/tls.ldif'"
- sensitive true
- action :nothing
- end
-
- include_recipe "firewall"
- firewall_rule "ldap" do
- port [config[:port], 636]
- protocol :tcp
- command :allow
- end
-
- # backup the data dir and the config files
- node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
- include_recipe "backup"
+dirsrv_instance "master" do
+ hostname "ldap.kosmos.org"
+ admin_password credentials['admin_password']
+ suffix "dc=kosmos,dc=org"
 end
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
new file mode 100644
index 0000000..fd8ee07
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
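Review bot: The instance is now named `"master"` where the old recipe derived the name from `node[:hostname]`, so the resource's `inst_dir` becomes `/etc/dirsrv/slapd-master`; on a node that was already provisioned under the old name the `::Dir.exists?` guard in the resource will not see the existing instance, so `setup-ds` would presumably create a second instance and `dirsrv@master` would be enabled alongside the old unit. Either passing the previous name or stating the migration step in the commit message would avoid a surprise on the existing server. The hostname `"ldap.kosmos.org"` is also hard-coded here now that the `node["kosmos-dirsrv"]["nginx"]["domain"]` attribute was removed, which makes it harder to point a staging node at another name; keeping the value in an attribute with that default would preserve the earlier flexibility.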
@@ -0,0 +1,118 @@
+resource_name :dirsrv_instance
+
+property :instance_name, String, name_property: true
+property :hostname, String, required: true
+property :admin_password, String, required: true
+property :suffix, String, required: true
+property :admin_username, String, default: 'admin'
+property :bind_dn, String, default: 'cn=Directory Manager'
+property :port, Integer, default: 389
+
+action :create do
+ include_recipe "apt"
+ package "389-ds-base"
+
+ include_recipe "ulimit"
+ user_ulimit "dirsrv" do
+ filehandle_limit 40960
+ end
+
+ config = {
+ instance_name: new_resource.instance_name,
+ hostname: new_resource.hostname,
+ suffix: new_resource.suffix,
+ port: new_resource.port,
+ bind_dn: new_resource.bind_dn,
+ admin_username: new_resource.admin_username,
+ admin_password: new_resource.admin_password,
+ base_dir: "/var/lib/dirsrv",
+ conf_dir: "/etc/dirsrv"
+ }
+
+ inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
+ service_name = "dirsrv@#{new_resource.instance_name}"
+
+ unless ::Dir.exists?(inst_dir)
+ setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
+ template setup_config do
+ source "setup.inf.erb"
+ mode "0600"
+ owner "root"
+ group "root"
+ sensitive true
+ variables config
+ end
+
+ execute "setup-#{new_resource.instance_name}" do
+ command "setup-ds --silent --file #{setup_config}"
+ creates ::File.join inst_dir, 'dse.ldif'
+ action :nothing
+ subscribes :run, "template[#{setup_config}]", :immediately
+ notifies :restart, "service[#{service_name}]", :immediately
+ notifies :delete, "template[#{setup_config}]", :immediately
+ notifies :run, "execute[add users group]", :delayed
+ end
+ end
+
+ service service_name do
+ action [:enable, :start]
+ end
+
+ cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
+ source "users.ldif"
+ owner "root"
+ group "root"
+ end
+
+ execute "add users group" do
+ command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
+ sensitive true
+ action :nothing
+ end
+
+
+ unless node.chef_environment == "development"
+ cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
+ source "tls.ldif"
+ owner "root"
+ group "root"
+ end
+
+ include_recipe "kosmos-nginx"
+
+ nginx_certbot_site new_resource.hostname do
+ notifies :run, "execute[generate p12 cert]", :immediately
+ end
+
+ # Merge the full chain and private key into one cert, to import into the
+ # dirsrv dir
+ execute "generate p12 cert" do
+ command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem -inkey /etc/letsencrypt/live/#{new_resource.hostname}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert'"
+ action :nothing
+ notifies :run, "execute[import p12 cert]", :immediately
+ end
+
+ execute "import p12 cert" do
+ command "pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir}"
+ action :nothing
+ notifies :run, "execute[add tls config]", :immediately
+ end
+
+ execute "add tls config" do
+ command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
+ sensitive true
+ action :nothing
+ end
+
+ include_recipe "firewall"
+ firewall_rule "ldap" do
+ port [config[:port], 636]
+ protocol :tcp
+ command :allow
+ end
+
+ # backup the data dir and the config files
+ node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
+ include_recipe "backup"
+ end
+end
diff --git a/site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb b/site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb
index ef332e7..432de04 100644
--- a/site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb
+++ b/site-cookbooks/kosmos-dirsrv/templates/setup.inf.erb
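Review bot: `execute "add users group"` and `execute "add tls config"` still pass the Directory Manager password on the ldapadd command line through `-w #{new_resource.admin_password}`; `sensitive true` keeps it out of Chef's output, but while the command runs any local user can read it from the process list. OpenLDAP's ldapadd accepts `-y <file>`, which takes the password from a file, so a root-only 0600 `file` resource holding the secret (written without a trailing newline, because `-y` uses the file's entire contents) and `-y #{password_file}` in both commands keeps it off argv; the sketch below shows the first command, the second takes the same change. Declaring the property as `property :admin_password, String, required: true, sensitive: true` would additionally keep the value out of resource reporting, if the Chef version in use supports that property option. Separately, `::Dir.exists?` is a long-deprecated alias that no longer exists in current Ruby; `::Dir.exist?(inst_dir)` is the supported spelling.
```ruby
  # Keep the Directory Manager password off the ldapadd command line:
  # -y reads the whole file as the password, so no trailing newline.
  password_file = "#{Chef::Config[:file_cache_path]}/dirsrv-#{new_resource.instance_name}.pw"
  file password_file do
    content new_resource.admin_password
    mode "0600"
    owner "root"
    group "root"
    sensitive true
  end

  execute "add users group" do
    command "ldapadd -x -y #{password_file} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
    sensitive true
    action :nothing
  end

  # … unchanged: TLS, nginx, firewall and backup setup; "add tls config" gets the same -y change …
```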
@@ -6,16 +6,16 @@ SuiteSpotUserID = dirsrv
 <% if @cfgdir_domain %>
 AdminDomain = <%= @cfgdir_domain %>
 <% end -%>
-ConfigDirectoryAdminID = <%= @cfgdir_credentials['username'] %>
-ConfigDirectoryAdminPwd = <%= @cfgdir_credentials['password'] %>
+ConfigDirectoryAdminID = <%= @admin_username %>
+ConfigDirectoryAdminPwd = <%= @admin_password %>
 ConfigDirectoryLdapURL = ldap://<%= @cfgdir_addr %>:<%= @cfgdir_ldap_port %>/o=NetscapeRoot
 <% end -%>
 <% if @is_cfgdir -%>
 [admin]
 Port = <%= @cfgdir_http_port %>
-ServerAdminID = <%= @cfgdir_credentials['username'] %>
-ServerAdminPwd = <%= @cfgdir_credentials['password'] %>
+ServerAdminID = <%= @admin_username %>
+ServerAdminPwd = <%= @admin_password %>
 ServerIpAddress = <%= @cfgdir_addr %>
 SysUser = dirsrv
 <% end -%>
@@ -24,14 +24,14 @@ SysUser = dirsrv
 AddOrgEntries = <%= @add_org_entries %>
 AddSampleEntries = <%= @add_sample_entries %>
 InstallLdifFile = <%= @preseed_ldif %>
-RootDN = <%= @credentials['bind_dn'] %>
-RootDNPwd = <%= @credentials['password'] %>
-ServerIdentifier = <%= @instance %>
+RootDN = <%= @bind_dn %>
+RootDNPwd = <%= @admin_password %>
+ServerIdentifier = <%= @instance_name %>
 ServerPort = <%= @port %>
 Suffix = <%= @suffix %>
-cert_dir = <%= @conf_dir %>/slapd-<%= @instance %>
-config_dir = <%= @conf_dir %>/slapd-<%= @instance %>
-bak_dir = <%= @base_dir %>/slapd-<%= @instance %>/bak
-db_dir = <%= @base_dir %>/slapd-<%= @instance %>/db
-ldif_dir = <%= @base_dir %>/slapd-<%= @instance %>/ldif
-schema_dir = <%= @conf_dir %>/slapd-<%= @instance %>/schema
+cert_dir = <%= @conf_dir %>/slapd-<%= @instance_name %>
+config_dir = <%= @conf_dir %>/slapd-<%= @instance_name %>
+bak_dir = <%= @base_dir %>/slapd-<%= @instance_name %>/bak
+db_dir = <%= @base_dir %>/slapd-<%= @instance_name %>/db
+ldif_dir = <%= @base_dir %>/slapd-<%= @instance_name %>/ldif
+schema_dir = <%= @conf_dir %>/slapd-<%= @instance_name %>/schema
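Review bot: `RootDNPwd`, `ConfigDirectoryAdminPwd` and `ServerAdminPwd` now all render the same `@admin_password`, whereas before the RootDN password (`@credentials['password']`) and the admin-server credentials (`@cfgdir_credentials[...]`) were separate values, so the Directory Manager account and the admin server account would share one secret whenever the `@is_cfgdir` sections are rendered. The resource's `config` hash does not set `@is_cfgdir`, so today only `RootDNPwd` appears to be emitted, but the template no longer allows the two to differ. A separate property for the admin-server password, or at least a template comment such as `<%# admin server sections reuse the RootDN password; use a distinct secret before enabling @is_cfgdir %>`, would make that coupling explicit.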