kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity
chef/site-cookbooks/kosmos-dirsrv/resources/instance.rb
Greg Karékinian b4209fa294 Fix the invalid ACIs on initial creation (for real) 
Follow-up to #156

I found another issue with the initial ACI creation, while creating a
fresh VM. I thought I had fixed it in #156 but I was wrong. This time
the ACIs are really set and the code runs successfully.

The ACIs are set on the suffix, so modifying it is needed

This won't be executed on a server that is already running, this is only
done on the initial setup
2020-05-15 14:05:35 +02:00

175 lines
5.9 KiB
Ruby
Raw Blame History

resource_name :dirsrv_instance
property :instance_name, String, name_property: true
property :hostname, String, required: true
property :admin_password, String, required: true
property :suffix, String, required: true
property :admin_username, String, default: 'admin'
property :bind_dn, String, default: 'cn=Directory Manager'
property :port, Integer, default: 389
action :create do
include_recipe "apt"
package "389-ds-base"
include_recipe "ulimit"
user_ulimit "dirsrv" do
filehandle_limit 40960
end
config = {
instance_name: new_resource.instance_name,
hostname: new_resource.hostname,
suffix: new_resource.suffix,
port: new_resource.port,
bind_dn: new_resource.bind_dn,
admin_username: new_resource.admin_username,
admin_password: new_resource.admin_password,
base_dir: "/var/lib/dirsrv",
conf_dir: "/etc/dirsrv"
}
inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
service_name = "dirsrv@#{new_resource.instance_name}"
unless ::Dir.exists?(inst_dir)
setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
template setup_config do
source "setup.inf.erb"
mode "0600"
owner "root"
group "root"
sensitive true
variables config
end
execute "setup-#{new_resource.instance_name}" do
command "setup-ds --silent --file #{setup_config}"
creates ::File.join inst_dir, 'dse.ldif'
action :nothing
subscribes :run, "template[#{setup_config}]", :immediately
notifies :restart, "service[#{service_name}]", :immediately
notifies :delete, "template[#{setup_config}]", :immediately
notifies :run, "execute[set base acis]", :delayed
notifies :run, "execute[add users group]", :delayed
notifies :run, "execute[disable anonymous access]", :delayed
end
end
service service_name do
action [:enable, :start]
end
cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do
source "acis.ldif"
owner "root"
group "root"
end
execute "set base acis" do
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/acis.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
end
cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
source "users.ldif"
owner "root"
group "root"
end
execute "add users group" do
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/users.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
end
file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do
content <<-EOF
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
EOF
owner "root"
group "root"
end
execute "disable anonymous access" do
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
end
unless node.chef_environment == "development"
package "libnss3-tools" # provides pk12util
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
source "tls.ldif"
owner "root"
group "root"
end
include_recipe "kosmos-nginx"
include_recipe "kosmos-base::letsencrypt"
dirsrv_hook = <<-EOF
#!/usr/bin/env bash
set -e
# Copy the dirsrv certificate and restart the server if it has been renewed
# This is necessary because dirsrv uses a different format for the certificates
for domain in $RENEWED_DOMAINS; do
case $domain in
#{new_resource.hostname})
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
# Remove the encryption key entries from the current database.
# They will be recreated on restart for the new certificate
awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
systemctl restart #{service_name}
;;
esac
done
EOF
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
content dirsrv_hook
mode 0755
owner "root"
group "root"
end
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
source 'nginx_conf_empty.erb'
owner node["nginx"]["user"]
mode 0640
notifies :reload, 'service[nginx]', :delayed
end
nginx_certbot_site new_resource.hostname do
notifies :run, "letsencrypt cert for #{domain}", :delayed
end
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for #{domain}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n"
only_if do
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
!::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
end
notifies :run, "execute[add tls config]", :immediately
end
execute "add tls config" do
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
notifies :restart, "service[#{service_name}]", :immediately
end
end
end
Reference in New Issue View Git Blame Copy Permalink