Add the kosmos-dirsrv recipe to barnard

See the comment for more details

nodes/barnard.kosmos.org.json

@@ -35,6 +35,8 @@
       "sockethub::proxy",
       "kosmos-akkounts",
       "kosmos-akkounts::default",
+      "kosmos-dirsrv",
+      "kosmos-dirsrv::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -75,7 +77,8 @@
       "sockethub::_firewall",
       "kosmos-akkounts::nginx",
       "git::default",
-      "git::package"
+      "git::package",
+      "ulimit::default"
     ],
     "platform": "ubuntu",
     "platform_version": "18.04",
@@ -107,6 +110,7 @@
     "recipe[kosmos-hubot::wormhole]",
     "recipe[sockethub]",
     "recipe[sockethub::proxy]",
-    "recipe[kosmos-akkounts]"
+    "recipe[kosmos-akkounts]",
+    "recipe[kosmos-dirsrv]"
   ]
 }

site-cookbooks/kosmos-dirsrv/metadata.rb

@@ -11,3 +11,4 @@ depends "firewall"
 depends "apt"
 depends "ulimit"
 depends "backup"
+depends "kosmos-nginx"

site-cookbooks/kosmos-dirsrv/recipes/default.rb

@@ -31,3 +31,21 @@ dirsrv_instance "master" do
   admin_password credentials['admin_password']
   suffix "dc=kosmos,dc=org"
 end
+
+# FIXME: The firewall and backup recipes do not work in the custom resource, so
+# the code lives here for now. The issue is described here, but I think messing
+# with the run context is confusing:
+#
+# https://github.com/chef-cookbooks/firewall/issues/134
+unless node.chef_environment == "development"
+  include_recipe "firewall"
+  firewall_rule "ldap" do
+    port     [389, 636]
+    protocol :tcp
+    command  :allow
+  end
+
+  # backup the data dir and the config files
+  node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
+  include_recipe "backup"
+end

site-cookbooks/kosmos-dirsrv/resources/instance.rb

@@ -70,8 +70,9 @@ action :create do
     action :nothing
   end
 
-
   unless node.chef_environment == "development"
+    package "libnss3-tools" # provides pk12util
+
     cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
       source "tls.ldif"
       owner "root"
@@ -80,6 +81,12 @@ action :create do
 
     include_recipe "kosmos-nginx"
 
+    template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
+      source 'nginx_conf_empty.erb'
+      owner node["nginx"]["user"]
+      mode 0640
+    end
+
     nginx_certbot_site new_resource.hostname do
       notifies :run, "execute[generate p12 cert]", :immediately
     end
@@ -87,13 +94,13 @@ action :create do
     # Merge the full chain and private key into one cert, to import into the
     # dirsrv dir
     execute "generate p12 cert" do
-      command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem -inkey /etc/letsencrypt/live/#{new_resource.hostname}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert'"
+      command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem -inkey /etc/letsencrypt/live/#{new_resource.hostname}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:"
       action :nothing
       notifies :run, "execute[import p12 cert]", :immediately
     end
 
     execute "import p12 cert" do
-      command "pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir}"
+      command "pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''"
       action :nothing
       notifies :run, "execute[add tls config]", :immediately
     end
@@ -103,16 +110,5 @@ action :create do
       sensitive true
       action :nothing
     end
-
-    include_recipe "firewall"
-    firewall_rule "ldap" do
-      port     [config[:port], 636]
-      protocol :tcp
-      command  :allow
-    end
-
-    # backup the data dir and the config files
-    node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
-    include_recipe "backup"
   end
 end