kosmos/chef
kosmos
/
chef
8
3
Fork 0
Code Issues 34 Pull Requests 2 Projects 1 Activity
chef/site-cookbooks/kosmos-dirsrv/resources/instance.rb

184 lines
6.4 KiB
Ruby
Raw Blame History

resource_name :dirsrv_instance
property :instance_name, String, name_property: true
property :hostname, String, required: true
property :admin_password, String, required: true
property :suffix, String, required: true
property :admin_username, String, default: 'admin'
property :bind_dn, String, default: 'cn=Directory Manager'
property :port, Integer, default: 389
action :create do
include_recipe "apt"
package "389-ds-base"
package "python3-lib389"
include_recipe "ulimit"
user_ulimit "dirsrv" do
filehandle_limit 40960
end
config = {
instance_name: new_resource.instance_name,
hostname: new_resource.hostname,
suffix: new_resource.suffix,
port: new_resource.port,
bind_dn: new_resource.bind_dn,
admin_username: new_resource.admin_username,
admin_password: new_resource.admin_password,
base_dir: "/var/lib/dirsrv",
conf_dir: "/etc/dirsrv"
}
inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
service_name = "dirsrv@#{new_resource.instance_name}"
unless ::Dir.exists?(inst_dir)
setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
template setup_config do
source "setup.inf.erb"
mode "0600"
owner "root"
group "root"
sensitive true
variables config
end
execute "setup-#{new_resource.instance_name}" do
command "setup-ds --silent --file #{setup_config}"
creates ::File.join inst_dir, 'dse.ldif'
action :nothing
subscribes :run, "template[#{setup_config}]", :immediately
notifies :restart, "service[#{service_name}]", :immediately
notifies :delete, "template[#{setup_config}]", :immediately
notifies :run, "execute[set base acis]", :delayed
notifies :run, "execute[add users group]", :delayed
notifies :run, "execute[disable anonymous access]", :delayed
end
end
service service_name do
action [:start]
end
# :enable on the dirsrv@master service creates the wrong file
# (/etc/systemd/system/dirsrv.target.wants/dirsrv@master.service), seems to
# be a Chef bug. Let's do it manually
link "/etc/systemd/system/multi-user.target.wants/dirsrv@master.service" do
to "/lib/systemd/system/dirsrv@.service"
end
cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do
source "acis.ldif"
owner "root"
group "root"
end
execute "set base acis" do
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/acis.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
end
cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
source "users.ldif"
owner "root"
group "root"
end
execute "add users group" do
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
end
file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do
content <<-EOF
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
EOF
owner "root"
group "root"
end
execute "disable anonymous access" do
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
end
unless node.chef_environment == "development"
package "libnss3-tools" # provides pk12util
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
source "tls.ldif"
owner "root"
group "root"
end
include_recipe "kosmos-nginx"
include_recipe "kosmos-base::letsencrypt"
dirsrv_hook = <<-EOF
#!/usr/bin/env bash
set -e
# Copy the dirsrv certificate and restart the server if it has been renewed
# This is necessary because dirsrv uses a different format for the certificates
for domain in $RENEWED_DOMAINS; do
case $domain in
#{new_resource.hostname})
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
# Remove the encryption key entries from the current database.
# They will be recreated on restart for the new certificate
awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
systemctl restart #{service_name}
;;
esac
done
EOF
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
content dirsrv_hook
mode 0755
owner "root"
group "root"
end
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
source 'nginx_conf_empty.erb'
owner node["nginx"]["user"]
mode 0640
notifies :reload, 'service[nginx]', :delayed
end
nginx_certbot_site new_resource.hostname do
notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
end
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for #{new_resource.hostname}" do
root_directory = "/var/www/#{new_resource.hostname}"
command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
only_if do
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
!::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
end
notifies :run, "execute[add tls config]", :immediately
end
execute "add tls config" do
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
notifies :restart, "service[#{service_name}]", :immediately
end
end
end
Reference in New Issue View Git Blame Copy Permalink