infra
/
ansible
4
5
Fork 5
Code Issues 6 Pull Requests Activity

BKCA as system CA to allow smooth migration to let's encrypt #17

Closed
kishi wants to merge 1 commits from (deleted):master into master
pull from: (deleted):master
merge into: infra:master
Conversation 0 Commits 1 Files Changed 12 +20 -18
12 changed files with 20 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
group_vars/all/vars.yml
View File

@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
hackmd_secret: "{{ vault_hackmd_secret }}"
ldap_ca: /etc/ldap/ssl/BKCA.crt
ldap_uri: ldaps://ldap.binary.kitchen/
ldap_host: ldap.binary.kitchen
ldap_base: dc=binary-kitchen,dc=de

3
roles/common/handlers/main.yml
View File

@ -8,3 +8,6 @@
- name: update-initramfs
command: update-initramfs -u -k all
- name: update-ca-certificates
command: update-ca-certificates

3
roles/common/tasks/Debian.yml
View File

@ -57,7 +57,8 @@
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
- name: Copy LDAP certificate
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
notify: update-ca-certificates
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume

15
roles/common/tasks/FreeBSD.yml
View File

@ -28,7 +28,18 @@
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
- name: Create LDAP certificate directory
file: path=/etc/ldap/ssl state=directory
file:
path: "{{ item }}"
state: "directory"
loop:
- "/etc/ssl/certs"
- "/usr/local/etc/ssl/certs"
- name: Copy LDAP certificate
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
copy:
src: "BKCA.crt"
dest: "{{ item }}/BKCA.crt"
mode: "0444"
loop:
- "/etc/ssl/certs"
- "/usr/local/etc/ssl/certs"

4
roles/common/templates/ldap.conf.j2
View File

@ -11,7 +11,3 @@ URI {{ ldap_uri }}
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/BKCA.crt

1
roles/hackmd/templates/config.json.j2
View File

@ -37,7 +37,6 @@
"searchAttributes": ["cn", "uid"],
"usernameField": "cn",
"useridField": "uid",
"tlsca": "/etc/ldap/ssl/BKCA.crt"
},
"email": false
}

1
roles/ldap-pam/templates/nslcd.conf.j2
View File

@ -32,4 +32,3 @@ base shadow {{ nslcd_base_shadow }}
# SSL options
tls_reqcert demand
tls_cacertfile {{ ldap_ca }}

3
roles/mail/tasks/main.yml
View File

@ -105,9 +105,6 @@
- name: Ensure postfix chroot has an LDAP CA directory
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
- name: Ensure postfix chroot has the LDAP CA file
copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
- name: Ensure postfix certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
notify: Restart postfix

4
roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
View File

@ -43,9 +43,9 @@ dnpass = {{ ldap_bindpw }}
#sasl_authz_id =
# Use TLS to connect to the LDAP server.
tls = no
tls = yes
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = {{ ldap_ca }}
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.

1
roles/mail/templates/postfix/ldap-aliases.cf.j2
View File

@ -1,5 +1,4 @@
server_host = {{ ldap_uri }}
tls_ca_cert_file = {{ ldap_ca }}
tls_require_cert = yes
bind = yes
bind_dn = {{ ldap_binddn }}

1
roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
View File

@ -1,5 +1,4 @@
server_host = {{ ldap_uri }}
tls_ca_cert_file = {{ ldap_ca }}
tls_require_cert = yes
bind = yes
bind_dn = {{ ldap_binddn }}

1
roles/slapd/templates/slapd.conf.j2
View File

@ -67,7 +67,6 @@ access to *
TLSCertificateFile /etc/ldap/ssl/srv.crt
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
TLSCACertificateFile {{ ldap_ca }}
TLSCipherSuite NORMAL
TLSVerifyClient never