slapd: use LE certificate via dns
This commit is contained in:
parent
3471c0ca34
commit
606851de76
@ -2,6 +2,9 @@
|
|||||||
|
|
||||||
acertmgr_mode: webdir
|
acertmgr_mode: webdir
|
||||||
|
|
||||||
|
acme_dnskey_file: /etc/acme/nsupdate.key
|
||||||
|
acme_dnskey_server: neon.binary-kitchen.net
|
||||||
|
|
||||||
dns_axfr_ips:
|
dns_axfr_ips:
|
||||||
- 216.218.133.2
|
- 216.218.133.2
|
||||||
- 2001:470:600::2
|
- 2001:470:600::2
|
||||||
@ -86,6 +89,8 @@ root_keys:
|
|||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETMJ1JTX+xKC7ML8Or+8wunwy1rjIkp7MfeZLzLIyvP tomoto"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETMJ1JTX+xKC7ML8Or+8wunwy1rjIkp7MfeZLzLIyvP tomoto"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd rudi@helheim"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd rudi@helheim"
|
||||||
|
|
||||||
|
slapd_san: ldap.binary.kitchen
|
||||||
|
|
||||||
snmp_allowed:
|
snmp_allowed:
|
||||||
- 172.23.2.5
|
- 172.23.2.5
|
||||||
- 172.23.2.6
|
- 172.23.2.6
|
||||||
|
@ -1,8 +1,5 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
acme_dnskey_file: /etc/acme/nsupdate.key
|
|
||||||
acme_dnskey_server: neon.binary-kitchen.net
|
|
||||||
|
|
||||||
dhcpd_failover: true
|
dhcpd_failover: true
|
||||||
dhcpd_primary: 172.23.2.3
|
dhcpd_primary: 172.23.2.3
|
||||||
dhcpd_secondary: 172.23.2.4
|
dhcpd_secondary: 172.23.2.4
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Run acertmgr
|
||||||
|
command: /opt/acertmgr/acertmgr.py
|
||||||
|
|
||||||
- name: Restart slapd
|
- name: Restart slapd
|
||||||
service: name=slapd state=restarted
|
service: name=slapd state=restarted
|
||||||
|
4
roles/slapd/meta/main.yml
Normal file
4
roles/slapd/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: acertmgr }
|
@ -31,5 +31,16 @@
|
|||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/srv.key -out /etc/ldap/ssl/srv.crt -days 730 -subj "/CN={{ slapd_hostname }}" creates=/etc/ldap/ssl/srv.crt
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/srv.key -out /etc/ldap/ssl/srv.crt -days 730 -subj "/CN={{ slapd_hostname }}" creates=/etc/ldap/ssl/srv.crt
|
||||||
notify: Restart slapd
|
notify: Restart slapd
|
||||||
|
|
||||||
|
- name: Request nsupdate key for certificate
|
||||||
|
include_role: name=acme-dnskey-generate
|
||||||
|
vars:
|
||||||
|
acme_dnskey_san_domains:
|
||||||
|
- "{{ slapd_hostname }}"
|
||||||
|
- "{{ slapd_san }}"
|
||||||
|
|
||||||
|
- name: Configure certificate manager for slapd
|
||||||
|
template: src=certs.j2 dest=/etc/acme/domains.d/{{ slapd_hostname }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
- name: Start slapd
|
- name: Start slapd
|
||||||
service: name=slapd state=started enabled=yes
|
service: name=slapd state=started enabled=yes
|
||||||
|
18
roles/slapd/templates/certs.j2
Normal file
18
roles/slapd/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
{{ slapd_hostname }} {{ slapd_san }}:
|
||||||
|
- mode: dns.nsupdate
|
||||||
|
nsupdate_server: {{ acme_dnskey_server }}
|
||||||
|
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||||
|
- path: /etc/ldap/ssl/srv.key
|
||||||
|
user: openldap
|
||||||
|
group: openldap
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service slapd restart'
|
||||||
|
- path: /etc/ldap/ssl/srv.crt
|
||||||
|
user: openldap
|
||||||
|
group: openldap
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service slapd restart'
|
Loading…
Reference in New Issue
Block a user