resource_name :dirsrv_instance property :instance_name, String, name_property: true property :hostname, String, required: true property :admin_password, String, required: true property :suffix, String, required: true property :admin_username, String, default: 'admin' property :bind_dn, String, default: 'cn=Directory Manager' property :port, Integer, default: 389 action :create do include_recipe "apt" package "389-ds-base" include_recipe "ulimit" user_ulimit "dirsrv" do filehandle_limit 40960 end config = { instance_name: new_resource.instance_name, hostname: new_resource.hostname, suffix: new_resource.suffix, port: new_resource.port, bind_dn: new_resource.bind_dn, admin_username: new_resource.admin_username, admin_password: new_resource.admin_password, base_dir: "/var/lib/dirsrv", conf_dir: "/etc/dirsrv" } inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}" service_name = "dirsrv@#{new_resource.instance_name}" unless ::Dir.exists?(inst_dir) setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf" template setup_config do source "setup.inf.erb" mode "0600" owner "root" group "root" sensitive true variables config end execute "setup-#{new_resource.instance_name}" do command "setup-ds --silent --file #{setup_config}" creates ::File.join inst_dir, 'dse.ldif' action :nothing subscribes :run, "template[#{setup_config}]", :immediately notifies :restart, "service[#{service_name}]", :immediately notifies :delete, "template[#{setup_config}]", :immediately notifies :run, "execute[set base acis]", :delayed notifies :run, "execute[add users group]", :delayed notifies :run, "execute[disable anonymous access]", :delayed end end service service_name do action [:start] end # :enable on the dirsrv@master service creates the wrong file # (/etc/systemd/system/dirsrv.target.wants/dirsrv@master.service), seems to # be a Chef bug. Let's do it manually link "/etc/systemd/system/multi-user.target.wants/dirsrv@master.service" do to "/lib/systemd/system/dirsrv@.service" end cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do source "acis.ldif" owner "root" group "root" end execute "set base acis" do command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/acis.ldif' -p #{new_resource.port} -h localhost" sensitive true action :nothing end cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do source "users.ldif" owner "root" group "root" end execute "add users group" do command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost" sensitive true action :nothing end file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do content <<-EOF dn: cn=config changetype: modify replace: nsslapd-allow-anonymous-access nsslapd-allow-anonymous-access: off EOF owner "root" group "root" end execute "disable anonymous access" do command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost" sensitive true action :nothing end unless node.chef_environment == "development" package "libnss3-tools" # provides pk12util cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do source "tls.ldif" owner "root" group "root" end include_recipe "kosmos-nginx" include_recipe "kosmos-base::letsencrypt" dirsrv_hook = <<-EOF #!/usr/bin/env bash set -e # Copy the dirsrv certificate and restart the server if it has been renewed # This is necessary because dirsrv uses a different format for the certificates for domain in $RENEWED_DOMAINS; do case $domain in #{new_resource.hostname}) openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass: pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W '' # Remove the encryption key entries from the current database. # They will be recreated on restart for the new certificate awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif systemctl restart #{service_name} ;; esac done EOF file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do content dirsrv_hook mode 0755 owner "root" group "root" end template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do source 'nginx_conf_empty.erb' owner node["nginx"]["user"] mode 0640 notifies :reload, 'service[nginx]', :delayed end nginx_certbot_site new_resource.hostname do notifies :run, "execute[letsencrypt cert for #{domain}]", :delayed end # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert # has been generated before. The renew cron will take care of renewing execute "letsencrypt cert for #{domain}" do command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n" only_if do ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") && !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem") end notifies :run, "execute[add tls config]", :immediately end execute "add tls config" do command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost" sensitive true action :nothing notifies :restart, "service[#{service_name}]", :immediately end end end