Merge branch 'master' of kishi/infra into master

This commit is contained in:
Kishi 2018-09-20 19:10:53 +02:00 committed by Gogs
commit 8c1d0d5f6d
12 changed files with 34 additions and 23 deletions


@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
hackmd_dbpass: "{{ vault_hackmd_dbpass }}" hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
hackmd_secret: "{{ vault_hackmd_secret }}" hackmd_secret: "{{ vault_hackmd_secret }}"
ldap_ca: /etc/ldap/ssl/BKCA.crt
ldap_uri: ldaps://ldap.binary.kitchen/ ldap_uri: ldaps://ldap.binary.kitchen/
ldap_host: ldap.binary.kitchen ldap_host: ldap.binary.kitchen
ldap_base: dc=binary-kitchen,dc=de ldap_base: dc=binary-kitchen,dc=de


@ -8,3 +8,6 @@
- name: update-initramfs - name: update-initramfs
command: update-initramfs -u -k all command: update-initramfs -u -k all
- name: update-ca-certificates
command: update-ca-certificates


@ -50,14 +50,16 @@
- name: Set shell for root user - name: Set shell for root user
user: name=root shell=/bin/zsh user: name=root shell=/bin/zsh
- name: Create LDAP certificate directory - name: Create BKCA certificate directory
file: path=/etc/ldap/ssl state=directory file: path=/usr/local/share/ca-certificates state=directory
- name: Copy BKCA certificate
copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
notify: update-ca-certificates
- name: Create LDAP client config - name: Create LDAP client config
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644 template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
- name: Copy LDAP certificate
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
- name: Disable hibernation/resume - name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
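Review bot: Installing BKCA.crt into /usr/local/share/ca-certificates and triggering update-ca-certificates (L33-L35) makes the private CA trusted by every TLS client on the host for any hostname, whereas the removed tasks only exposed it to the LDAP client configuration; if system-wide trust is the intent, say so in the task name, e.g. `- name: Install BKCA into the system-wide trust store (trusted by all TLS clients on this host)`, and keep the services that previously pinned this CA pointed at /usr/local/share/ca-certificates/BKCA.crt rather than at the whole bundle. The old copy at /etc/ldap/ssl/BKCA.crt is no longer managed but is not removed either, so hosts provisioned before this change keep a stale, unmanaged CA file; a `file: path=/etc/ldap/ssl/BKCA.crt state=absent` task would clean it up. The surrounding task list begins and ends outside this hunk.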


@ -27,8 +27,14 @@
- { src: '.zshrc.local', dest: '/root/.zshrc.local' } - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' } - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
- name: Create LDAP certificate directory - name: Create BKCA certificate directory
file: path=/etc/ldap/ssl state=directory file: path="{{ item }}" state=directory
loop:
- "/etc/ssl/certs"
- "/usr/local/etc/ssl/certs"
- name: Copy LDAP certificate - name: Copy BKCA certificate
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444 copy: src=BKCA.crt dest="{{ item }}/BKCA.crt" mode=0444
loop:
- "/etc/ssl/certs"
- "/usr/local/etc/ssl/certs"
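Review bot: Dropping BKCA.crt by name into /etc/ssl/certs and /usr/local/etc/ssl/certs (L53-L57) does not make it reachable through a directory-based lookup such as the `tls_cacertdir`/`TLS_CACERTDIR` settings this commit adds elsewhere, because OpenSSL-style CApath lookups only find files named by subject hash (`<hash>.0`); the copy task needs a `notify` to a handler that runs `openssl rehash` (or `c_rehash`) on those directories, or the clients should reference the file path directly. The templates in this commit also hard-code `/etc/ssl/certs/ca-certificates.crt`, which is Debian's generated bundle; the /usr/local/etc/ssl path suggests this role targets a non-Debian platform, and if so that file will not exist unless something else builds it, leaving those clients with no CA to verify the LDAP server against — worth checking against the hosts this role runs on. The task list continues outside the hunk.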


@ -13,5 +13,7 @@ URI {{ ldap_uri }}
#DEREF never #DEREF never
# TLS certificates (needed for GnuTLS) # TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/BKCA.crt TLS_REQCERT demand
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
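Review bot: Switching TLS_CACERT from the BKCA file to the full system bundle (L66) widens what the LDAP client accepts: any CA present in ca-certificates.crt, not only BKCA, can now issue a certificate that validates for the directory host, so an internal service signed by a private CA is no longer pinned to that CA. Keeping `TLS_CACERT /usr/local/share/ca-certificates/BKCA.crt` (the path this commit installs the CA to on Debian hosts) preserves the pinning while still using the managed file. The new `TLS_CACERTDIR /etc/ssl/certs` line (L65) is ignored by libldap built against GnuTLS, which the existing "needed for GnuTLS" comment indicates is the case here, so it adds nothing and is better dropped than left to suggest a second trust source; `TLS_REQCERT demand` (L64) matches libldap's default and is fine to state explicitly.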


@ -37,7 +37,7 @@
"searchAttributes": ["cn", "uid"], "searchAttributes": ["cn", "uid"],
"usernameField": "cn", "usernameField": "cn",
"useridField": "uid", "useridField": "uid",
"tlsca": "/etc/ldap/ssl/BKCA.crt" "tlsca": "/etc/ssl/certs/ca-certificates.crt"
}, },
"email": false "email": false
} }
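Review bot: Pointing `tlsca` at the full system bundle (L74) means HackMD's LDAP connection will accept a server certificate issued by any CA in that bundle for the directory host, not just by BKCA; since the directory is an internal service signed by a private CA, `"tlsca": "/usr/local/share/ca-certificates/BKCA.crt"` (where this commit installs the CA on Debian hosts) keeps the trust pinned while still using the managed file. JSON has no comment syntax, so if the wider trust is deliberate, record the reasoning in the task that deploys this template or in the role's README rather than leaving it implicit.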


@ -32,4 +32,5 @@ base shadow {{ nslcd_base_shadow }}
# SSL options # SSL options
tls_reqcert demand tls_reqcert demand
tls_cacertfile {{ ldap_ca }} tls_cacertfile /etc/ssl/certs/ca-certificates.crt
tls_cacertdir /etc/ssl/certs
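Review bot: `tls_cacertfile /etc/ssl/certs/ca-certificates.crt` (L84) makes nslcd accept the directory's certificate from any CA in the system bundle rather than only BKCA, which matters because nslcd supplies the passwd/shadow data behind every login on the host; `tls_cacertfile /usr/local/share/ca-certificates/BKCA.crt`, the file this commit installs, retains the pinning. `tls_cacertdir /etc/ssl/certs` (L85) is most likely a no-op when libldap is linked against GnuTLS, as Debian's is — the build is not visible here, so verify — and should be dropped rather than left for readers to assume it is consulted. `tls_reqcert demand` is kept, which is the important part.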


@ -102,11 +102,8 @@
- postfix/virtual-alias - postfix/virtual-alias
notify: Run postmap notify: Run postmap
- name: Ensure postfix chroot has an LDAP CA directory - name: Ensure postfix chroot has an up2date ca-certificates.crt file
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory copy: remote_src=yes src=/etc/ssl/certs/ca-certificates.crt dest=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt
- name: Ensure postfix chroot has the LDAP CA file
copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
- name: Ensure postfix certificates are available - name: Ensure postfix certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
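Review bot: The new copy task (L93) no longer creates its destination directory, and Ansible's copy module does not create missing parent directories, so the task fails on any host where /var/spool/postfix/etc/ssl/certs does not already exist in the chroot; keep a directory task ahead of it, e.g. `- name: Ensure postfix chroot has an ssl certs directory` / `file: path=/var/spool/postfix/etc/ssl/certs state=directory`. On Debian, postfix's own start script is, as far as I recall, responsible for syncing ca-certificates.crt into the chroot, which would make this task redundant — verify; if the playbook is the only thing doing the sync, the chroot copy goes stale whenever update-ca-certificates regenerates the bundle between runs, so the copy should also be triggered from that handler, and postfix needs a reload after the file changes, which no `notify` here provides.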


@ -43,10 +43,10 @@ dnpass = {{ ldap_bindpw }}
#sasl_authz_id = #sasl_authz_id =
# Use TLS to connect to the LDAP server. # Use TLS to connect to the LDAP server.
tls = no tls = yes
# TLS options, currently supported only with OpenLDAP: # TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = {{ ldap_ca }} tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
#tls_ca_cert_dir = tls_ca_cert_dir = /etc/ssl/certs
#tls_cipher_suite = #tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate. # TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file = #tls_cert_file =
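Review bot: `tls = yes` (L104) tells Dovecot to issue STARTTLS on the LDAP connection, but the group vars in this commit set `ldap_uri` to `ldaps://ldap.binary.kitchen/`; if Dovecot's connection setting (outside this hunk) uses that URI as the other templates do, the session is already TLS, Dovecot's documentation says `tls` is not needed with ldaps://, and libldap refuses STARTTLS on a session that has already negotiated TLS, so this is likely to break LDAP auth and should be checked in the auth logs before rollout. Separately, `tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt` (L106) accepts any bundle CA for the directory host instead of only BKCA; `tls_ca_cert_file = /usr/local/share/ca-certificates/BKCA.crt` keeps the pin, and `tls_ca_cert_dir` (L107) is ignored by a GnuTLS-linked libldap, so it can be left commented out as before.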


@ -1,5 +1,5 @@
server_host = {{ ldap_uri }} server_host = {{ ldap_uri }}
tls_ca_cert_file = {{ ldap_ca }} tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_require_cert = yes tls_require_cert = yes
bind = yes bind = yes
bind_dn = {{ ldap_binddn }} bind_dn = {{ ldap_binddn }}
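Review bot: `tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt` (L116) lets this Postfix LDAP table accept the directory server's certificate from any CA in the system bundle instead of only BKCA, so anyone able to obtain a publicly trusted certificate for the LDAP host name could answer the lookups; `tls_ca_cert_file = /usr/local/share/ca-certificates/BKCA.crt` keeps the pin while still using the file this commit manages. Postfix reads this table from inside its chroot, so whichever path is referenced must also exist under /var/spool/postfix — the postfix role's copy task now only provides the full bundle there, so pinning to BKCA.crt requires copying that file into the chroot as well. `tls_require_cert = yes` is retained, which is what makes the CA choice matter.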


@ -1,5 +1,5 @@
server_host = {{ ldap_uri }} server_host = {{ ldap_uri }}
tls_ca_cert_file = {{ ldap_ca }} tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_require_cert = yes tls_require_cert = yes
bind = yes bind = yes
bind_dn = {{ ldap_binddn }} bind_dn = {{ ldap_binddn }}
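Review bot: Moving `tls_ca_cert_file` to the system bundle (L125) means this lookup table trusts any CA in ca-certificates.crt for the directory host rather than only BKCA, which is a weaker guarantee than the previous pin for an internal LDAP server; `tls_ca_cert_file = /usr/local/share/ca-certificates/BKCA.crt` restores it. Whichever file is referenced has to be present inside the postfix chroot under /var/spool/postfix, so a pinned path needs a matching copy task there.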


@ -67,7 +67,8 @@ access to *
TLSCertificateFile /etc/ldap/ssl/srv.crt TLSCertificateFile /etc/ldap/ssl/srv.crt
TLSCertificateKeyFile /etc/ldap/ssl/srv.key TLSCertificateKeyFile /etc/ldap/ssl/srv.key
TLSCACertificateFile {{ ldap_ca }} TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSCACertificatePath /etc/ssl/certs
TLSCipherSuite NORMAL TLSCipherSuite NORMAL
TLSVerifyClient never TLSVerifyClient never
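Review bot: `TLSCACertificatePath /etc/ssl/certs` (L136) is not supported by slapd when built against GnuTLS, and `TLSCipherSuite NORMAL` is a GnuTLS priority string, so on this server the new line is a silent no-op and should be dropped rather than left to suggest a second trust source. With `TLSVerifyClient never` the CA file is only used to complete the chain sent alongside srv.crt, so loading the entire public bundle via `TLSCACertificateFile` (L135) gains nothing and parses every public CA at startup; `TLSCACertificateFile /usr/local/share/ca-certificates/BKCA.crt` (or wherever the slapd host's role installs the CA) is the precise setting. Outside the changed lines, note that the `NORMAL` priority still admits TLS 1.0 on older GnuTLS releases; `NORMAL:-VERS-SSL3.0:-VERS-TLS1.0` would tighten it if the clients allow.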