1
0
forked from infra/ansible

slapd: use LE certificate via dns

This commit is contained in:
Markus 2019-03-25 19:05:31 +01:00
parent 3471c0ca34
commit 606851de76
6 changed files with 41 additions and 3 deletions

View File

@ -2,6 +2,9 @@
acertmgr_mode: webdir
acme_dnskey_file: /etc/acme/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
dns_axfr_ips:
- 216.218.133.2
- 2001:470:600::2
@ -86,6 +89,8 @@ root_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETMJ1JTX+xKC7ML8Or+8wunwy1rjIkp7MfeZLzLIyvP tomoto"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd rudi@helheim"
slapd_san: ldap.binary.kitchen
snmp_allowed:
- 172.23.2.5
- 172.23.2.6

View File

@ -1,8 +1,5 @@
---
acme_dnskey_file: /etc/acme/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
dhcpd_failover: true
dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4

View File

@ -1,4 +1,7 @@
---
- name: Run acertmgr
command: /opt/acertmgr/acertmgr.py
- name: Restart slapd
service: name=slapd state=restarted

View File

@ -0,0 +1,4 @@
---
dependencies:
- { role: acertmgr }

View File

@ -31,5 +31,16 @@
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/srv.key -out /etc/ldap/ssl/srv.crt -days 730 -subj "/CN={{ slapd_hostname }}" creates=/etc/ldap/ssl/srv.crt
notify: Restart slapd
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ slapd_hostname }}"
- "{{ slapd_san }}"
- name: Configure certificate manager for slapd
template: src=certs.j2 dest=/etc/acme/domains.d/{{ slapd_hostname }}.conf
notify: Run acertmgr
- name: Start slapd
service: name=slapd state=started enabled=yes

View File

@ -0,0 +1,18 @@
---
{{ slapd_hostname }} {{ slapd_san }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/ldap/ssl/srv.key
user: openldap
group: openldap
perm: '400'
format: key
action: '/usr/sbin/service slapd restart'
- path: /etc/ldap/ssl/srv.crt
user: openldap
group: openldap
perm: '400'
format: crt,ca
action: '/usr/sbin/service slapd restart'