#
# Cookbook Name:: kosmos-dirsrv
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
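include_recipe "apt"

package "389-ds-base"

include_recipe "ulimit"

# 389-ds holds a file descriptor per client connection; raise the limit for
# the service user above the distribution default.
user_ulimit "dirsrv" do
  filehandle_limit 40960
end

# Directory Manager credentials for this instance.
# NOTE(review): data_bag_item decrypts an encrypted item transparently when the
# secret is present on the node; confirm the item is actually encrypted so the
# password is not stored in clear on the Chef server.
credentials = data_bag_item("credentials", "389")

config = {
  instance: node[:hostname],
  suffix: "dc=kosmos,dc=org",
  port: 389,
  credentials: credentials,
  base_dir: "/var/lib/dirsrv",
  conf_dir: "/etc/dirsrv"
}

inst_dir = "/etc/dirsrv/slapd-#{config[:instance]}"
service_name = "dirsrv@#{config[:instance]}"
cache_dir = Chef::Config[:file_cache_path]

# Directory Manager password for the ldapadd calls below. ldapadd reads it
# with "-y" so the secret never appears in a process argument list, where any
# local user can read it with ps; "-w <password>" on the command line leaked
# it that way, and Chef's `sensitive` only hides it from the Chef log.
# The file has no trailing newline on purpose: ldapadd uses the file content
# verbatim as the password. Both ldapadd executes delete it at the end of the
# run; on runs where neither fires it stays behind, readable by root only.
dm_password_file = "#{cache_dir}/dirsrv-dm.pw"

file dm_password_file do
  content credentials['password']
  mode "0600"
  owner "root"
  group "root"
  sensitive true
end

# First-time instance creation. Dir.exists? was removed in Ruby 3.2; Dir.exist?
# is the supported spelling on every Ruby Chef ships.
unless ::Dir.exist?(inst_dir)
  setup_config = "#{config[:conf_dir]}/setup-#{config[:instance]}.inf"

  # The setup file carries the Directory Manager password, so it is root-only
  # and removed again as soon as setup-ds has consumed it.
  template setup_config do
    source "setup.inf.erb"
    mode "0600"
    owner "root"
    group "root"
    sensitive true
    variables config
  end

  execute "setup-#{config[:instance]}" do
    command "setup-ds --silent --file #{setup_config}"
    # dse.ldif exists only once the instance has been created; guards against
    # running setup twice on a partially converged node.
    creates ::File.join(inst_dir, "dse.ldif")
    action :nothing
    subscribes :run, "template[#{setup_config}]", :immediately
    notifies :restart, "service[#{service_name}]", :immediately
    notifies :delete, "template[#{setup_config}]", :immediately
    notifies :run, "execute[add users group]", :delayed
  end
end

service service_name do
  action [:enable, :start]
end

users_ldif = "#{cache_dir}/users.ldif"

# NOTE(review): the LDIF content is not part of this recipe; if it carries
# userPassword values the root-only mode matters, so it is set explicitly
# rather than left to the default.
cookbook_file users_ldif do
  source "users.ldif"
  mode "0600"
  owner "root"
  group "root"
end

# Runs once, as a delayed notification from instance setup, so the restarted
# server is up by the time the entries are added.
execute "add users group" do
  command "ldapadd -x -y #{dm_password_file} -D 'cn=Directory Manager' -f '#{users_ldif}'"
  sensitive true
  action :nothing
  notifies :delete, "file[#{dm_password_file}]", :delayed
end

unless node.chef_environment == "development"
  tls_ldif = "#{cache_dir}/tls.ldif"

  cookbook_file tls_ldif do
    source "tls.ldif"
    mode "0600"
    owner "root"
    group "root"
  end

  include_recipe "kosmos-nginx"

  domain = node["kosmos-dirsrv"]["nginx"]["domain"]
  p12_file = "#{cache_dir}/#{domain}.p12"

  nginx_certbot_site domain do
    notifies :run, "execute[generate p12 cert]", :immediately
  end

  # Merge the full chain and private key into one bundle, to import into the
  # dirsrv NSS database. The bundle contains the private key: the restrictive
  # umask keeps it from being created world-readable under the default umask,
  # and it is deleted right after the import. The command is kept on a single
  # line; a line break inside the string would split it into two shell commands.
  # NOTE(review): no export password is passed to openssl or pk12util; confirm
  # both run non-interactively under Chef, where stdin is not a terminal.
  execute "generate p12 cert" do
    command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{domain}/fullchain.pem -inkey /etc/letsencrypt/live/#{domain}/privkey.pem -out #{p12_file} -name 'Server-Cert'"
    umask "0077"
    action :nothing
    notifies :run, "execute[import p12 cert]", :immediately
  end

  execute "import p12 cert" do
    command "pk12util -i #{p12_file} -d #{inst_dir}"
    action :nothing
    # Remove the key bundle before anything else can fail and leave it behind.
    notifies :delete, "file[#{p12_file}]", :immediately
    notifies :run, "execute[add tls config]", :immediately
  end

  # Only ever used through the :delete notification above.
  file p12_file do
    action :nothing
  end

  execute "add tls config" do
    command "ldapadd -x -y #{dm_password_file} -D 'cn=Directory Manager' -f '#{tls_ldif}'"
    sensitive true
    action :nothing
    notifies :delete, "file[#{dm_password_file}]", :delayed
  end

  include_recipe "firewall"

  # Port 389 is plain LDAP: a simple bind over it sends credentials in the
  # clear unless the client negotiates STARTTLS.
  # NOTE(review): both ports are opened to any source; confirm 389 needs to be
  # reachable from outside the host at all.
  firewall_rule "ldap" do
    port [config[:port], 636]
    protocol :tcp
    command :allow
  end

  # backup the data dir and the config files
  node.override["backup"]["archives"]["dirsrv"] = [config[:conf_dir], config[:base_dir]]
  include_recipe "backup"
end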