slapd: use LE certificate via dns
parent
3471c0ca34
commit
606851de76
@ -2,6 +2,9 @@
|
||||
|
||||
acertmgr_mode: webdir
|
||||
|
||||
acme_dnskey_file: /etc/acme/nsupdate.key
|
||||
acme_dnskey_server: neon.binary-kitchen.net
|
||||
|
||||
dns_axfr_ips:
|
||||
- 216.218.133.2
|
||||
- 2001:470:600::2
|
||||
@ -86,6 +89,8 @@ root_keys:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETMJ1JTX+xKC7ML8Or+8wunwy1rjIkp7MfeZLzLIyvP tomoto"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd rudi@helheim"
|
||||
|
||||
slapd_san: ldap.binary.kitchen
|
||||
|
||||
snmp_allowed:
|
||||
- 172.23.2.5
|
||||
- 172.23.2.6
|
||||
|
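Review bot: `acme_dnskey_file` and `acme_dnskey_server` are added here as host-level variables, while the second file section of this commit removes the same two keys from what looks like a group-level vars file; any other host that relied on the group-level values would now hit an undefined variable when `acme-dnskey-generate` is included. If the intent is that only this host requests certificates, a comment above the two keys saying so would make the move deliberate, e.g. `# moved from group vars: only this host requests LE certificates via nsupdate`. `slapd_san` is a single scalar, so the role as written supports exactly one extra subject alternative name; if more are expected later, a list with a default would be the safer shape from the start.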
@ -1,8 +1,5 @@
|
||||
---
|
||||
|
||||
acme_dnskey_file: /etc/acme/nsupdate.key
|
||||
acme_dnskey_server: neon.binary-kitchen.net
|
||||
|
||||
dhcpd_failover: true
|
||||
dhcpd_primary: 172.23.2.3
|
||||
dhcpd_secondary: 172.23.2.4
|
||||
|
@ -1,4 +1,7 @@
|
||||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /opt/acertmgr/acertmgr.py
|
||||
|
||||
- name: Restart slapd
|
||||
service: name=slapd state=restarted
|
||||
|
4
roles/slapd/meta/main.yml
Normal file
4
roles/slapd/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: acertmgr }
|
@ -31,5 +31,16 @@
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/srv.key -out /etc/ldap/ssl/srv.crt -days 730 -subj "/CN={{ slapd_hostname }}" creates=/etc/ldap/ssl/srv.crt
|
||||
notify: Restart slapd
|
||||
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
vars:
|
||||
acme_dnskey_san_domains:
|
||||
- "{{ slapd_hostname }}"
|
||||
- "{{ slapd_san }}"
|
||||
|
||||
- name: Configure certificate manager for slapd
|
||||
template: src=certs.j2 dest=/etc/acme/domains.d/{{ slapd_hostname }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Start slapd
|
||||
service: name=slapd state=started enabled=yes
|
||||
|
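Review bot: `acme_dnskey_san_domains` under the `include_role` task is built from two scalars, so the requested key can only cover one SAN beyond the hostname, and a host that leaves `slapd_san` undefined fails this task outright. Making `slapd_san` a list with a default (and adjusting the host var and the certs.j2 key accordingly) removes both edges: `acme_dnskey_san_domains: "{{ [slapd_hostname] + (slapd_san | default([])) }}"`. The `Configure certificate manager` template task sets no `owner`/`mode`, so `/etc/acme/domains.d/{{ slapd_hostname }}.conf` lands with the default umask; the rendered file only names the key path rather than holding the key, so that is presumably acceptable, but an explicit `mode=0644` documents the decision. The self-signed `openssl` task above is guarded by `creates=/etc/ldap/ssl/srv.crt`, which is what keeps it from overwriting the acertmgr-issued certificate on later runs; a one-line comment stating that would help the next reader. The tasks list continues outside the hunk.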
18
roles/slapd/templates/certs.j2
Normal file
18
roles/slapd/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
|
||||
{{ slapd_hostname }} {{ slapd_san }}:
|
||||
- mode: dns.nsupdate
|
||||
nsupdate_server: {{ acme_dnskey_server }}
|
||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||
- path: /etc/ldap/ssl/srv.key
|
||||
user: openldap
|
||||
group: openldap
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service slapd restart'
|
||||
- path: /etc/ldap/ssl/srv.crt
|
||||
user: openldap
|
||||
group: openldap
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service slapd restart'
|
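Review bot: The templated scalars in this Jinja-generated YAML are unquoted: `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` render to whatever the variable holds, so an empty or boolean-looking value becomes `null`/`false` rather than a string, and a value containing `: ` or ` #` breaks the parse. Quote them: `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"`. The mapping key `{{ slapd_hostname }} {{ slapd_san }}:` has the same exposure and would also need quoting if the SAN list ever contains special characters. The `perm: '400'` values are correctly quoted, which keeps the mode from being read as an integer and leaves the private key readable only by `openldap`.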