BKCA as system CA to allow smooth migration to let's encrypt #17
|
@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
|
||||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||||
|
|
||||||
ldap_ca: /etc/ldap/ssl/BKCA.crt
|
|
||||||
ldap_uri: ldaps://ldap.binary.kitchen/
|
ldap_uri: ldaps://ldap.binary.kitchen/
|
||||||
ldap_host: ldap.binary.kitchen
|
ldap_host: ldap.binary.kitchen
|
||||||
ldap_base: dc=binary-kitchen,dc=de
|
ldap_base: dc=binary-kitchen,dc=de
|
||||||
|
|
|
@ -8,3 +8,6 @@
|
||||||
|
|
||||||
- name: update-initramfs
|
- name: update-initramfs
|
||||||
command: update-initramfs -u -k all
|
command: update-initramfs -u -k all
|
||||||
|
|
||||||
|
- name: update-ca-certificates
|
||||||
|
command: update-ca-certificates
|
||||||
|
|
|
@ -57,7 +57,8 @@
|
||||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||||
|
|
||||||
- name: Copy LDAP certificate
|
- name: Copy LDAP certificate
|
||||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
|
||||||
|
notify: update-ca-certificates
|
||||||
|
|
||||||
- name: Disable hibernation/resume
|
- name: Disable hibernation/resume
|
||||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||||
|
|
|
@ -28,7 +28,18 @@
|
||||||
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
|
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
|
||||||
|
|
||||||
- name: Create LDAP certificate directory
|
- name: Create LDAP certificate directory
|
||||||
file: path=/etc/ldap/ssl state=directory
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: "directory"
|
||||||
|
loop:
|
||||||
|
- "/etc/ssl/certs"
|
||||||
|
- "/usr/local/etc/ssl/certs"
|
||||||
|
|
||||||
- name: Copy LDAP certificate
|
- name: Copy LDAP certificate
|
||||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
copy:
|
||||||
|
src: "BKCA.crt"
|
||||||
|
dest: "{{ item }}/BKCA.crt"
|
||||||
|
mode: "0444"
|
||||||
|
loop:
|
||||||
|
- "/etc/ssl/certs"
|
||||||
|
- "/usr/local/etc/ssl/certs"
|
||||||
|
|
|
@ -11,7 +11,3 @@ URI {{ ldap_uri }}
|
||||||
#SIZELIMIT 12
|
#SIZELIMIT 12
|
||||||
#TIMELIMIT 15
|
#TIMELIMIT 15
|
||||||
#DEREF never
|
#DEREF never
|
||||||
|
|
||||||
# TLS certificates (needed for GnuTLS)
|
|
||||||
TLS_CACERT /etc/ldap/ssl/BKCA.crt
|
|
||||||
|
|
||||||
|
|
|
@ -37,7 +37,6 @@
|
||||||
"searchAttributes": ["cn", "uid"],
|
"searchAttributes": ["cn", "uid"],
|
||||||
"usernameField": "cn",
|
"usernameField": "cn",
|
||||||
"useridField": "uid",
|
"useridField": "uid",
|
||||||
"tlsca": "/etc/ldap/ssl/BKCA.crt"
|
|
||||||
},
|
},
|
||||||
"email": false
|
"email": false
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,4 +32,3 @@ base shadow {{ nslcd_base_shadow }}
|
||||||
|
|
||||||
# SSL options
|
# SSL options
|
||||||
tls_reqcert demand
|
tls_reqcert demand
|
||||||
tls_cacertfile {{ ldap_ca }}
|
|
||||||
|
|
|
@ -105,9 +105,6 @@
|
||||||
- name: Ensure postfix chroot has an LDAP CA directory
|
- name: Ensure postfix chroot has an LDAP CA directory
|
||||||
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
|
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
|
||||||
|
|
||||||
- name: Ensure postfix chroot has the LDAP CA file
|
|
||||||
copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
|
|
||||||
|
|
||||||
- name: Ensure postfix certificates are available
|
- name: Ensure postfix certificates are available
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||||
notify: Restart postfix
|
notify: Restart postfix
|
||||||
|
|
|
@ -43,9 +43,9 @@ dnpass = {{ ldap_bindpw }}
|
||||||
#sasl_authz_id =
|
#sasl_authz_id =
|
||||||
|
|
||||||
# Use TLS to connect to the LDAP server.
|
# Use TLS to connect to the LDAP server.
|
||||||
tls = no
|
tls = yes
|
||||||
# TLS options, currently supported only with OpenLDAP:
|
# TLS options, currently supported only with OpenLDAP:
|
||||||
tls_ca_cert_file = {{ ldap_ca }}
|
#tls_ca_cert_file =
|
||||||
#tls_ca_cert_dir =
|
#tls_ca_cert_dir =
|
||||||
#tls_cipher_suite =
|
#tls_cipher_suite =
|
||||||
# TLS cert/key is used only if LDAP server requires a client certificate.
|
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
server_host = {{ ldap_uri }}
|
server_host = {{ ldap_uri }}
|
||||||
tls_ca_cert_file = {{ ldap_ca }}
|
|
||||||
tls_require_cert = yes
|
tls_require_cert = yes
|
||||||
bind = yes
|
bind = yes
|
||||||
bind_dn = {{ ldap_binddn }}
|
bind_dn = {{ ldap_binddn }}
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
server_host = {{ ldap_uri }}
|
server_host = {{ ldap_uri }}
|
||||||
tls_ca_cert_file = {{ ldap_ca }}
|
|
||||||
tls_require_cert = yes
|
tls_require_cert = yes
|
||||||
bind = yes
|
bind = yes
|
||||||
bind_dn = {{ ldap_binddn }}
|
bind_dn = {{ ldap_binddn }}
|
||||||
|
|
|
@ -67,7 +67,6 @@ access to *
|
||||||
|
|
||||||
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
||||||
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
||||||
TLSCACertificateFile {{ ldap_ca }}
|
|
||||||
TLSCipherSuite NORMAL
|
TLSCipherSuite NORMAL
|
||||||
TLSVerifyClient never
|
TLSVerifyClient never
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue