184 lines
6.4 KiB
Ruby
184 lines
6.4 KiB
Ruby
resource_name :dirsrv_instance
|
|
|
|
property :instance_name, String, name_property: true
|
|
property :hostname, String, required: true
|
|
property :admin_password, String, required: true
|
|
property :suffix, String, required: true
|
|
property :admin_username, String, default: 'admin'
|
|
property :bind_dn, String, default: 'cn=Directory Manager'
|
|
property :port, Integer, default: 389
|
|
|
|
action :create do
|
|
include_recipe "apt"
|
|
package "389-ds-base"
|
|
package "python3-lib389"
|
|
|
|
include_recipe "ulimit"
|
|
user_ulimit "dirsrv" do
|
|
filehandle_limit 40960
|
|
end
|
|
|
|
config = {
|
|
instance_name: new_resource.instance_name,
|
|
hostname: new_resource.hostname,
|
|
suffix: new_resource.suffix,
|
|
port: new_resource.port,
|
|
bind_dn: new_resource.bind_dn,
|
|
admin_username: new_resource.admin_username,
|
|
admin_password: new_resource.admin_password,
|
|
base_dir: "/var/lib/dirsrv",
|
|
conf_dir: "/etc/dirsrv"
|
|
}
|
|
|
|
inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
|
|
service_name = "dirsrv@#{new_resource.instance_name}"
|
|
|
|
unless ::Dir.exists?(inst_dir)
|
|
setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
|
|
template setup_config do
|
|
source "setup.inf.erb"
|
|
mode "0600"
|
|
owner "root"
|
|
group "root"
|
|
sensitive true
|
|
variables config
|
|
end
|
|
|
|
execute "setup-#{new_resource.instance_name}" do
|
|
command "setup-ds --silent --file #{setup_config}"
|
|
creates ::File.join inst_dir, 'dse.ldif'
|
|
action :nothing
|
|
subscribes :run, "template[#{setup_config}]", :immediately
|
|
notifies :restart, "service[#{service_name}]", :immediately
|
|
notifies :delete, "template[#{setup_config}]", :immediately
|
|
notifies :run, "execute[set base acis]", :delayed
|
|
notifies :run, "execute[add users group]", :delayed
|
|
notifies :run, "execute[disable anonymous access]", :delayed
|
|
end
|
|
end
|
|
|
|
service service_name do
|
|
action [:start]
|
|
end
|
|
|
|
# :enable on the dirsrv@master service creates the wrong file
|
|
# (/etc/systemd/system/dirsrv.target.wants/dirsrv@master.service), seems to
|
|
# be a Chef bug. Let's do it manually
|
|
link "/etc/systemd/system/multi-user.target.wants/dirsrv@master.service" do
|
|
to "/lib/systemd/system/dirsrv@.service"
|
|
end
|
|
|
|
cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do
|
|
source "acis.ldif"
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
execute "set base acis" do
|
|
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/acis.ldif' -p #{new_resource.port} -h localhost"
|
|
sensitive true
|
|
action :nothing
|
|
end
|
|
|
|
cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
|
|
source "users.ldif"
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
execute "add users group" do
|
|
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
|
|
sensitive true
|
|
action :nothing
|
|
end
|
|
|
|
file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do
|
|
content <<-EOF
|
|
dn: cn=config
|
|
changetype: modify
|
|
replace: nsslapd-allow-anonymous-access
|
|
nsslapd-allow-anonymous-access: off
|
|
EOF
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
execute "disable anonymous access" do
|
|
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost"
|
|
sensitive true
|
|
action :nothing
|
|
end
|
|
|
|
unless node.chef_environment == "development"
|
|
package "libnss3-tools" # provides pk12util
|
|
|
|
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
|
|
source "tls.ldif"
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
include_recipe "kosmos-nginx"
|
|
include_recipe "kosmos-base::letsencrypt"
|
|
|
|
dirsrv_hook = <<-EOF
|
|
#!/usr/bin/env bash
|
|
|
|
set -e
|
|
|
|
# Copy the dirsrv certificate and restart the server if it has been renewed
|
|
# This is necessary because dirsrv uses a different format for the certificates
|
|
for domain in $RENEWED_DOMAINS; do
|
|
case $domain in
|
|
#{new_resource.hostname})
|
|
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
|
|
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
|
|
# Remove the encryption key entries from the current database.
|
|
# They will be recreated on restart for the new certificate
|
|
awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
|
|
mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
|
|
systemctl restart #{service_name}
|
|
;;
|
|
esac
|
|
done
|
|
EOF
|
|
|
|
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
|
|
content dirsrv_hook
|
|
mode 0755
|
|
owner "root"
|
|
group "root"
|
|
end
|
|
|
|
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
|
|
source 'nginx_conf_empty.erb'
|
|
owner node["nginx"]["user"]
|
|
mode 0640
|
|
notifies :reload, 'service[nginx]', :delayed
|
|
end
|
|
|
|
nginx_certbot_site new_resource.hostname do
|
|
notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
|
|
end
|
|
|
|
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
|
# has been generated before. The renew cron will take care of renewing
|
|
execute "letsencrypt cert for #{new_resource.hostname}" do
|
|
root_directory = "/var/www/#{new_resource.hostname}"
|
|
command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
|
|
only_if do
|
|
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
|
|
!::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
|
|
end
|
|
notifies :run, "execute[add tls config]", :immediately
|
|
end
|
|
|
|
execute "add tls config" do
|
|
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
|
|
sensitive true
|
|
action :nothing
|
|
notifies :restart, "service[#{service_name}]", :immediately
|
|
end
|
|
end
|
|
end
|