Merge branch 'master' of kishi/infra into master
commit
8c1d0d5f6d
@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
|
|||||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||||
|
|
||||||
ldap_ca: /etc/ldap/ssl/BKCA.crt
|
|
||||||
ldap_uri: ldaps://ldap.binary.kitchen/
|
ldap_uri: ldaps://ldap.binary.kitchen/
|
||||||
ldap_host: ldap.binary.kitchen
|
ldap_host: ldap.binary.kitchen
|
||||||
ldap_base: dc=binary-kitchen,dc=de
|
ldap_base: dc=binary-kitchen,dc=de
|
||||||
|
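Review bot: Removing `ldap_ca` from the group vars while every consumer on this page (the nslcd.conf, dovecot-ldap.conf.ext, both postfix LDAP map and slapd.conf templates, plus the hackmd config.json) hard-codes `/etc/ssl/certs/ca-certificates.crt` gives up the one place this path was set, and any template outside this diff that still renders `{{ ldap_ca }}` now fails with an undefined variable. Keeping the variable and pointing it at the bundle, `ldap_ca: /etc/ssl/certs/ca-certificates.crt`, would let those templates keep `{{ ldap_ca }}` and make a later change (for example for the hosts that get `/usr/local/etc/ssl/certs` in the fourth hunk, where this path may not exist) a one-line edit. The same hardcoded path appears in each of the later template hunks, so this note covers them.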
@ -8,3 +8,6 @@
|
|||||||
|
|
||||||
- name: update-initramfs
|
- name: update-initramfs
|
||||||
command: update-initramfs -u -k all
|
command: update-initramfs -u -k all
|
||||||
|
|
||||||
|
- name: update-ca-certificates
|
||||||
|
command: update-ca-certificates
|
||||||
|
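Review bot: The new `update-ca-certificates` handler regenerates `/etc/ssl/certs/ca-certificates.crt`, but nothing on this page propagates the regenerated bundle: the postfix chroot copy in the later postfix hunk is an ordinary task, so the chroot keeps the old bundle until the next play run, and the daemons the other hunks switch to the bundle (nslcd, dovecot, slapd) keep the CA set they loaded at startup. Consider making the chroot copy a handler that this one notifies (handlers can notify other handlers in current Ansible) and notifying the roles' service-restart handlers if they exist; the rest of the handler file is outside this hunk, so some of that may already be there. The handler's `command:` form matches the existing `update-initramfs` handler above it, so no style change is needed.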
@ -50,14 +50,16 @@
|
|||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
|
|
||||||
- name: Create LDAP certificate directory
|
- name: Create BKCA certificate directory
|
||||||
file: path=/etc/ldap/ssl state=directory
|
file: path=/usr/local/share/ca-certificates state=directory
|
||||||
|
|
||||||
|
- name: Copy BKCA certificate
|
||||||
|
copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
|
||||||
|
notify: update-ca-certificates
|
||||||
|
|
||||||
- name: Create LDAP client config
|
- name: Create LDAP client config
|
||||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||||
|
|
||||||
- name: Copy LDAP certificate
|
|
||||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
|
||||||
|
|
||||||
- name: Disable hibernation/resume
|
- name: Disable hibernation/resume
|
||||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||||
|
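Review bot: Copying `BKCA.crt` into `/usr/local/share/ca-certificates` makes the private CA a trust anchor for every OpenSSL/GnuTLS consumer on the host (package tooling, curl, python, mail), whereas the removed `/etc/ldap/ssl/BKCA.crt` scoped that trust to the LDAP clients that pointed at it; that widening is probably intended, but it deserves a comment on the copy task, e.g. `# BKCA becomes a system-wide trust anchor, not just the LDAP CA`. The copy and the `update-ca-certificates` handler also assume the `ca-certificates` package is installed (a Debian-family host, as the `initramfs-tools` task suggests); the `Create BKCA certificate directory` task is redundant when that package is present, since it ships the directory, and does not help when it is absent, so an `apt: name=ca-certificates state=present` task ahead of the copy would cover both cases unless the role installs it earlier, which I cannot see from here.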
@ -27,8 +27,14 @@
|
|||||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||||
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
|
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
|
||||||
|
|
||||||
- name: Create LDAP certificate directory
|
- name: Create BKCA certificate directory
|
||||||
file: path=/etc/ldap/ssl state=directory
|
file: path="{{ item }}" state=directory
|
||||||
|
loop:
|
||||||
|
- "/etc/ssl/certs"
|
||||||
|
- "/usr/local/etc/ssl/certs"
|
||||||
|
|
||||||
- name: Copy LDAP certificate
|
- name: Copy BKCA certificate
|
||||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
copy: src=BKCA.crt dest="{{ item }}/BKCA.crt" mode=0444
|
||||||
|
loop:
|
||||||
|
- "/etc/ssl/certs"
|
||||||
|
- "/usr/local/etc/ssl/certs"
|
||||||
|
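Review bot: Dropping `BKCA.crt` into `/etc/ssl/certs` and `/usr/local/etc/ssl/certs` without a rehash step does not by itself make it trusted: a certificate directory is searched by subject-hash symlink, and the file is not appended to any `ca-certificates.crt` bundle either, so clients pointed at the bundle path elsewhere in this commit will not find it on these hosts. Unlike the sibling hunk for the `/usr/local/share/ca-certificates` hosts, the copy task here has no `notify`; it should notify a handler that runs the platform's rehash (`openssl rehash` / `c_rehash` on the directory, or the OS's own trust-store update tool — which applies depends on the target OS, which this hunk does not show). A short comment on the loop naming why both directories are populated would also help the next reader.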
@ -13,5 +13,7 @@ URI {{ ldap_uri }}
|
|||||||
#DEREF never
|
#DEREF never
|
||||||
|
|
||||||
# TLS certificates (needed for GnuTLS)
|
# TLS certificates (needed for GnuTLS)
|
||||||
TLS_CACERT /etc/ldap/ssl/BKCA.crt
|
TLS_REQCERT demand
|
||||||
|
TLS_CACERTDIR /etc/ssl/certs
|
||||||
|
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
||||||
|
|
||||||
|
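Review bot: `TLS_CACERTDIR /etc/ssl/certs` is a no-op here: the comment on the line above says this block exists for GnuTLS, and ldap.conf(5) documents `TLS_CACERTDIR` as ignored with GnuTLS, so only the `TLS_CACERT` bundle line is doing work. Either drop the directory line or annotate it, e.g. `# TLS_CACERTDIR is ignored by GnuTLS builds; TLS_CACERT carries the trust here`. The same applies to the new `tls_cacertdir /etc/ssl/certs` line in the nslcd.conf hunk (nslcd.conf(5) says the same for GnuTLS) and to `TLSCACertificatePath /etc/ssl/certs` in the slapd.conf hunk, where the `TLSCipherSuite NORMAL` priority string confirms a GnuTLS build and slapd.conf(5) lists that directive as unsupported. `TLS_REQCERT demand` is the documented default, but stating it explicitly is a good change.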
@ -37,7 +37,7 @@
|
|||||||
"searchAttributes": ["cn", "uid"],
|
"searchAttributes": ["cn", "uid"],
|
||||||
"usernameField": "cn",
|
"usernameField": "cn",
|
||||||
"useridField": "uid",
|
"useridField": "uid",
|
||||||
"tlsca": "/etc/ldap/ssl/BKCA.crt"
|
"tlsca": "/etc/ssl/certs/ca-certificates.crt"
|
||||||
},
|
},
|
||||||
"email": false
|
"email": false
|
||||||
}
|
}
|
||||||
|
@ -32,4 +32,5 @@ base shadow {{ nslcd_base_shadow }}
|
|||||||
|
|
||||||
# SSL options
|
# SSL options
|
||||||
tls_reqcert demand
|
tls_reqcert demand
|
||||||
tls_cacertfile {{ ldap_ca }}
|
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
|
||||||
|
tls_cacertdir /etc/ssl/certs
|
||||||
|
@ -102,11 +102,8 @@
|
|||||||
- postfix/virtual-alias
|
- postfix/virtual-alias
|
||||||
notify: Run postmap
|
notify: Run postmap
|
||||||
|
|
||||||
- name: Ensure postfix chroot has an LDAP CA directory
|
- name: Ensure postfix chroot has an up2date ca-certificates.crt file
|
||||||
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
|
copy: remote_src=yes src=/etc/ssl/certs/ca-certificates.crt dest=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt
|
||||||
|
|
||||||
- name: Ensure postfix chroot has the LDAP CA file
|
|
||||||
copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
|
|
||||||
|
|
||||||
- name: Ensure postfix certificates are available
|
- name: Ensure postfix certificates are available
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||||
|
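Review bot: The rewritten chroot task copies into `/var/spool/postfix/etc/ssl/certs/`, but the `file: state=directory` task that used to create the target directory is removed and the `copy` module does not create missing parent directories, so on a chroot where `etc/ssl/certs` does not yet exist the task fails. Either restore a directory task, `file: path=/var/spool/postfix/etc/ssl/certs state=directory`, ahead of the copy, or confirm that the postfix service scripts on these hosts create it (Debian's postfix startup syncs some files into the chroot, but that is not visible from this diff). Because the bundle is regenerated by the new `update-ca-certificates` handler, this copy is only current as of the play run; a handler that re-copies the bundle after regeneration would keep the chroot in sync.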
@ -43,10 +43,10 @@ dnpass = {{ ldap_bindpw }}
|
|||||||
#sasl_authz_id =
|
#sasl_authz_id =
|
||||||
|
|
||||||
# Use TLS to connect to the LDAP server.
|
# Use TLS to connect to the LDAP server.
|
||||||
tls = no
|
tls = yes
|
||||||
# TLS options, currently supported only with OpenLDAP:
|
# TLS options, currently supported only with OpenLDAP:
|
||||||
tls_ca_cert_file = {{ ldap_ca }}
|
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||||
#tls_ca_cert_dir =
|
tls_ca_cert_dir = /etc/ssl/certs
|
||||||
#tls_cipher_suite =
|
#tls_cipher_suite =
|
||||||
# TLS cert/key is used only if LDAP server requires a client certificate.
|
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||||
#tls_cert_file =
|
#tls_cert_file =
|
||||||
|
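Review bot: `tls = yes` in dovecot-ldap.conf.ext asks Dovecot to issue STARTTLS on the LDAP connection; if the `uris` setting for this file (outside this hunk) uses the `ldaps://` URI that `ldap_uri` carries in this commit's group vars, that is a STARTTLS request on a connection that is already TLS, which Dovecot documents as not needed for ldaps and which typically makes the bind fail. Please check the `uris` line: with `ldaps://` keep `tls = no` and rely on the URI scheme plus `tls_ca_cert_file` and `tls_require_cert` for verification; with a plain `ldap://` URI, `tls = yes` is the right change. `tls_ca_cert_dir = /etc/ssl/certs` is harmless but redundant once the bundle file is set.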
@ -1,5 +1,5 @@
|
|||||||
server_host = {{ ldap_uri }}
|
server_host = {{ ldap_uri }}
|
||||||
tls_ca_cert_file = {{ ldap_ca }}
|
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||||
tls_require_cert = yes
|
tls_require_cert = yes
|
||||||
bind = yes
|
bind = yes
|
||||||
bind_dn = {{ ldap_binddn }}
|
bind_dn = {{ ldap_binddn }}
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
server_host = {{ ldap_uri }}
|
server_host = {{ ldap_uri }}
|
||||||
tls_ca_cert_file = {{ ldap_ca }}
|
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||||
tls_require_cert = yes
|
tls_require_cert = yes
|
||||||
bind = yes
|
bind = yes
|
||||||
bind_dn = {{ ldap_binddn }}
|
bind_dn = {{ ldap_binddn }}
|
||||||
|
@ -67,7 +67,8 @@ access to *
|
|||||||
|
|
||||||
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
||||||
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
||||||
TLSCACertificateFile {{ ldap_ca }}
|
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
|
||||||
|
TLSCACertificatePath /etc/ssl/certs
|
||||||
TLSCipherSuite NORMAL
|
TLSCipherSuite NORMAL
|
||||||
TLSVerifyClient never
|
TLSVerifyClient never
|
||||||
|
|
||||||
|
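Review bot: Pointing `TLSCACertificateFile` at the full system bundle loads every public CA into slapd, although with `TLSVerifyClient never` three lines below no client certificate is ever verified, so as far as I can tell the CA file only serves to complete the chain behind `srv.crt`. If `srv.crt` is issued by BKCA, keeping `TLSCACertificateFile` on the BKCA certificate alone (the file the base role now installs under `/usr/local/share/ca-certificates/BKCA.crt`) is sufficient and tighter than the bundle; if it is issued by a public CA, a comment saying so would explain why the bundle is needed here, e.g. `# bundle needed: srv.crt chains to a public CA, not BKCA`.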