5e3c8066f9
This had been done manually on barnard. This will not be executed on barnard again since the cert exists
158 lines
5.3 KiB
Ruby
158 lines
5.3 KiB
Ruby
resource_name :dirsrv_instance
|
|
|
|
property :instance_name, String, name_property: true
|
|
property :hostname, String, required: true
|
|
property :admin_password, String, required: true
|
|
property :suffix, String, required: true
|
|
property :admin_username, String, default: 'admin'
|
|
property :bind_dn, String, default: 'cn=Directory Manager'
|
|
property :port, Integer, default: 389
|
|
|
|
action :create do
|
|
include_recipe "apt"
|
|
package "389-ds-base"
|
|
|
|
include_recipe "ulimit"
|
|
user_ulimit "dirsrv" do
|
|
filehandle_limit 40960
|
|
end
|
|
|
|
config = {
|
|
instance_name: new_resource.instance_name,
|
|
hostname: new_resource.hostname,
|
|
suffix: new_resource.suffix,
|
|
port: new_resource.port,
|
|
bind_dn: new_resource.bind_dn,
|
|
admin_username: new_resource.admin_username,
|
|
admin_password: new_resource.admin_password,
|
|
base_dir: "/var/lib/dirsrv",
|
|
conf_dir: "/etc/dirsrv"
|
|
}
|
|
|
|
inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
|
|
service_name = "dirsrv@#{new_resource.instance_name}"
|
|
|
|
unless ::Dir.exists?(inst_dir)
|
|
setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
|
|
template setup_config do
|
|
source "setup.inf.erb"
|
|
mode "0600"
|
|
owner "root"
|
|
group "root"
|
|
sensitive true
|
|
variables config
|
|
end
|
|
|
|
execute "setup-#{new_resource.instance_name}" do
|
|
command "setup-ds --silent --file #{setup_config}"
|
|
creates ::File.join inst_dir, 'dse.ldif'
|
|
action :nothing
|
|
subscribes :run, "template[#{setup_config}]", :immediately
|
|
notifies :restart, "service[#{service_name}]", :immediately
|
|
notifies :delete, "template[#{setup_config}]", :immediately
|
|
notifies :run, "execute[add users group]", :delayed
|
|
notifies :run, "execute[disable anonymous access]", :delayed
|
|
end
|
|
end
|
|
|
|
service service_name do
|
|
action [:enable, :start]
|
|
end
|
|
|
|
cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
|
|
source "users.ldif"
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
execute "add users group" do
|
|
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
|
|
sensitive true
|
|
action :nothing
|
|
end
|
|
|
|
file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do
|
|
content <<-EOF
|
|
dn: cn=config
|
|
changetype: modify
|
|
replace: nsslapd-allow-anonymous-access
|
|
nsslapd-allow-anonymous-access: off
|
|
EOF
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
execute "disable anonymous access" do
|
|
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost"
|
|
sensitive true
|
|
action :nothing
|
|
end
|
|
|
|
unless node.chef_environment == "development"
|
|
package "libnss3-tools" # provides pk12util
|
|
|
|
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
|
|
source "tls.ldif"
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
include_recipe "kosmos-nginx"
|
|
include_recipe "kosmos-base::letsencrypt"
|
|
|
|
dirsrv_hook = <<-EOF
|
|
#!/usr/bin/env bash
|
|
|
|
set -e
|
|
|
|
# Copy the dirsrv certificate and restart the server if it has been renewed
|
|
# This is necessary because dirsrv uses a different format for the certificates
|
|
for domain in $RENEWED_DOMAINS; do
|
|
case $domain in
|
|
#{new_resource.hostname})
|
|
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
|
|
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
|
|
systemctl restart #{service_name}
|
|
;;
|
|
esac
|
|
done
|
|
EOF
|
|
|
|
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
|
|
content dirsrv_hook
|
|
mode 0755
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
|
|
source 'nginx_conf_empty.erb'
|
|
owner node["nginx"]["user"]
|
|
mode 0640
|
|
notifies :reload, 'service[nginx]', :delayed
|
|
end
|
|
|
|
nginx_certbot_site new_resource.hostname do
|
|
notifies :run, "letsencrypt cert for #{domain}", :delayed
|
|
end
|
|
|
|
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
|
# has been generated before. The renew cron will take care of renewing
|
|
execute "letsencrypt cert for #{domain}" do
|
|
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n"
|
|
only_if do
|
|
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
|
|
!::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
|
|
end
|
|
notifies :run, "execute[add tls config]", :immediately
|
|
end
|
|
|
|
execute "add tls config" do
|
|
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
|
|
sensitive true
|
|
action :nothing
|
|
notifies :restart, "service[#{service_name}]", :immediately
|
|
end
|
|
end
|
|
end
|