forked from infra/ansible
Change BKCA to a system CA for migration to Let's Encrypt
This commit is contained in:
parent
1a511a9faf
commit
482d67ebb1
@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
|
||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||
|
||||
ldap_ca: /etc/ldap/ssl/BKCA.crt
|
||||
ldap_uri: ldaps://ldap.binary.kitchen/
|
||||
ldap_host: ldap.binary.kitchen
|
||||
ldap_base: dc=binary-kitchen,dc=de
|
||||
|
||||
@ -8,3 +8,6 @@
|
||||
|
||||
- name: update-initramfs
|
||||
command: update-initramfs -u -k all
|
||||
|
||||
- name: update-ca-certificates
|
||||
command: update-ca-certificates
|
||||
|
||||
@ -50,14 +50,16 @@
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
||||
- name: Create LDAP certificate directory
|
||||
file: path=/etc/ldap/ssl state=directory
|
||||
- name: Create BKCA certificate directory
|
||||
file: path=/usr/local/share/ca-certificates state=directory
|
||||
|
||||
- name: Copy BKCA certificate
|
||||
copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
|
||||
notify: update-ca-certificates
|
||||
|
||||
- name: Create LDAP client config
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||
|
||||
- name: Copy LDAP certificate
|
||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
|
||||
@ -27,8 +27,14 @@
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
|
||||
|
||||
- name: Create LDAP certificate directory
|
||||
file: path=/etc/ldap/ssl state=directory
|
||||
- name: Create BKCA certificate directory
|
||||
file: path="{{ item }}" state=directory
|
||||
loop:
|
||||
- "/etc/ssl/certs"
|
||||
- "/usr/local/etc/ssl/certs"
|
||||
|
||||
- name: Copy LDAP certificate
|
||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||
- name: Copy BKCA certificate
|
||||
copy: src=BKCA.crt dest="{{ item }}/BKCA.crt" mode=0444
|
||||
loop:
|
||||
- "/etc/ssl/certs"
|
||||
- "/usr/local/etc/ssl/certs"
|
||||
|
||||
@ -13,5 +13,7 @@ URI {{ ldap_uri }}
|
||||
#DEREF never
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_CACERT /etc/ldap/ssl/BKCA.crt
|
||||
TLS_REQCERT demand
|
||||
TLS_CACERTDIR /etc/ssl/certs
|
||||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
|
||||
@ -37,7 +37,7 @@
|
||||
"searchAttributes": ["cn", "uid"],
|
||||
"usernameField": "cn",
|
||||
"useridField": "uid",
|
||||
"tlsca": "/etc/ldap/ssl/BKCA.crt"
|
||||
"tlsca": "/etc/ssl/certs/ca-certificates.crt"
|
||||
},
|
||||
"email": false
|
||||
}
|
||||
|
||||
@ -32,4 +32,5 @@ base shadow {{ nslcd_base_shadow }}
|
||||
|
||||
# SSL options
|
||||
tls_reqcert demand
|
||||
tls_cacertfile {{ ldap_ca }}
|
||||
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
|
||||
tls_cacertdir /etc/ssl/certs
|
||||
|
||||
@ -102,11 +102,8 @@
|
||||
- postfix/virtual-alias
|
||||
notify: Run postmap
|
||||
|
||||
- name: Ensure postfix chroot has an LDAP CA directory
|
||||
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
|
||||
|
||||
- name: Ensure postfix chroot has the LDAP CA file
|
||||
copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
|
||||
- name: Ensure postfix chroot has an up2date ca-certificates.crt file
|
||||
copy: remote_src=yes src=/etc/ssl/certs/ca-certificates.crt dest=/var/spool/postfix/etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
- name: Ensure postfix certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||
|
||||
@ -43,10 +43,10 @@ dnpass = {{ ldap_bindpw }}
|
||||
#sasl_authz_id =
|
||||
|
||||
# Use TLS to connect to the LDAP server.
|
||||
tls = no
|
||||
tls = yes
|
||||
# TLS options, currently supported only with OpenLDAP:
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
#tls_ca_cert_dir =
|
||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||
tls_ca_cert_dir = /etc/ssl/certs
|
||||
#tls_cipher_suite =
|
||||
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||
#tls_cert_file =
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
server_host = {{ ldap_uri }}
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||
tls_require_cert = yes
|
||||
bind = yes
|
||||
bind_dn = {{ ldap_binddn }}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
server_host = {{ ldap_uri }}
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
|
||||
tls_require_cert = yes
|
||||
bind = yes
|
||||
bind_dn = {{ ldap_binddn }}
|
||||
|
||||
@ -67,7 +67,8 @@ access to *
|
||||
|
||||
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
||||
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
||||
TLSCACertificateFile {{ ldap_ca }}
|
||||
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
|
||||
TLSCACertificatePath /etc/ssl/certs
|
||||
TLSCipherSuite NORMAL
|
||||
TLSVerifyClient never
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user