Commit Graph

36 Commits

Author SHA1 Message Date
Râu Cao 2958ba4b81 Use *.kosmos.local hostnames for LDAP nodes 2022-11-26 16:47:28 +01:00
Râu Cao 991458208d Use a role for configuring LDAP hostname on clients
This way it's also easy to converge all LDAP clients at once.
2022-11-26 16:45:45 +01:00
Râu Cao 8d4db7290e Rename dirsrv_primary role
The term used in 389 docs is "supplier" instead (ex "master")
2022-11-26 16:44:05 +01:00
Greg 85abfd4e5e Create the required groups and ACIs 2022-08-22 16:15:02 +02:00
Greg 5c00e2d28a Add an attribute containing the LDAP server's address 2022-05-11 15:37:36 +02:00
Basti 590366639e Fix fresh dirsrv installs on Ubuntu 20.04 2022-04-26 20:10:51 +02:00
Basti da3a70ef4c WIP dirsrv changes 2021-12-02 13:56:23 -06:00
Greg 685deea920 Simplify dirsrv setup
Connecting directly using zerotier, no more nginx
2021-12-02 19:08:27 +01:00
Greg 346b6540d1 Fix an undefined variable 2021-03-30 12:14:40 +02:00
Greg 456639bdf8 Fix a syntax error in certbot dirsrv hook
The newline was not escaped and rendered as an actual newline

Fixes #272
2020-12-31 11:38:49 +01:00
Greg e6b7794e20 Extract firewall definitions to their own recipe
This allows us to use them for KVM hosts as well. Until now we had set
up ufw rules manually on the two KVM hosts (draco and centaurus)

Refs #244
2020-12-04 16:27:42 +01:00
Greg 23ca3552d2 Remove the absolute path of certbot to use the new package 2020-11-25 16:36:07 +01:00
Basti ac49430521 Install lib389
Fixes 389 CLIs not working (e.g. `dsctl`).
2020-11-08 17:23:24 +01:00
Greg 5062392c71 Fix the undefined variable in the instance resource 2020-10-20 19:53:11 +02:00
Greg d2126f6153 Use the right variable for the TLS cert's domain
`domain` was undefined. `new_resource.hostname` is ldap.kosmos.org and
is what we need

Fixes #193
2020-07-22 15:59:27 +02:00
Greg 210c76c479 Fix the name of the Let's Encrypt cert execute resource
The resource in the notification was invalid, missing the type of
resource (execute)

Fixes #171
2020-05-26 14:10:47 +02:00
Greg 57f46c6c61 Merge branch 'master' into bugfix/enable_dirsrv 2020-05-15 17:24:04 +02:00
Greg b4209fa294 Fix the invalid ACIs on initial creation (for real)
Follow-up to #156

I found another issue with the initial ACI creation, while creating a
fresh VM. I thought I had fixed it in #156 but I was wrong. This time
the ACIs are really set and the code runs successfully.

The ACIs are set on the suffix, so modifying it is needed

This won't be executed on a server that is already running, this is only
done on the initial setup
2020-05-15 14:05:35 +02:00
Greg 10f0460fd5 Fix startup of the dirsrv@master Systemd unit on boot
The symlink created by Chef's service resource was wrong. Creating the
correct symlink fixes the automatic startup on boot
2020-05-15 13:54:34 +02:00
Greg 53d53f2375 Merge branch 'bugfix/152-remove_encryption_keys_tls' of kosmos/chef into master 2020-04-30 15:50:26 +00:00
Greg 1c920a8cb2 Remove the encryption keys after TLS cert renewal
This is done with awk, this was the best way I found to perform the
multi-line deletion. It deletes both the AES AND 3DES sections

The keys will be recreated on service restart

https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption

Closes #152
2020-04-20 19:11:34 +02:00
Greg 5e3c8066f9 Add the missing certbot command to generate the LDAP TLS cert
This had been done manually on barnard. This will not be executed on
barnard again since the cert exists
2020-04-20 19:10:15 +02:00
Greg d01c9a4d0a Fix the name of the deploy certbot hook 2020-04-20 19:09:43 +02:00
Greg 3ca8ab45da Fix the invalid ACIs on initial creation
This is only executed on initial creation of the instance, the
production one is using these fixed ACIs, this was only an issue with
the setup

The issue was the ACI was set at the wrong level
2020-04-20 19:00:28 +02:00
Greg e56faab5b1 Set the ACIs on the base DN
Allow users to change their own password, but nothing else (no search,
no read, no write)

This will only run when setting up the 389-dirsrv instance for the first
time, this has been applied on barnard by editing the dn (see
#128 (comment))

Closes #128
2020-02-12 16:13:45 +01:00
Greg a69192a863 Enable LDAP support on mediawiki
Users can log in using their LDAP account (in the
ou=users,dc=kosmos,dc=org group and with the wiki attribute set to
enabled)

Add an attribute for the ldap master server, so it can be overridden in
the development environment

Refs #107
2020-01-24 13:45:17 +01:00
Greg 9828b867ba Disable anonymous binds
See https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/configuring-special-binds.html#disabling-anonymous-binds
2019-12-20 16:46:03 +01:00
Greg 1240ed9da8 Move the dirsrv cert generation to a certbot deploy hook 2019-12-05 15:47:10 +01:00
Greg 0d192f536f Add the empty nginx vhost template 2019-12-05 15:05:37 +01:00
Greg 0dbf350540 Restart the server after importing the TLS cert 2019-12-04 17:40:27 +01:00
Greg 4e7d453942 Move the firewall and backup recipes outside of the custom resource
See the comment for more details
2019-12-04 17:33:41 +01:00
Greg e24cd01287 Add an empty template because the nginx_certbot_site resource needs one 2019-12-04 17:33:13 +01:00
Greg 632cb38aab Pass an empty passphrase on the command line for the p12 cert 2019-12-04 17:32:40 +01:00
Greg 9d9493af0d Add a missing dependency on the kosmos-nginx cookbook 2019-12-04 17:32:03 +01:00
Greg dc91128eca Use a custom resource to create a 389 Directory Server instance
This replaces the default recipe and will make it much easier to create
other types of instances, for example for replication
2019-11-29 14:34:52 +01:00
Greg 9e4685a743 Initial version of the kosmos-dirsrv cookbook
It sets up 389 Directory Server, including a TLS cert acquired using
Let's Encrypt in production (that requires ldap.kosmos.org pointing to
the server's IP)
2019-11-15 15:41:30 +01:00