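---
# This will deploy OpenLDAP and FusionDirectory on the mailserver.
#
# Flow of the play:
#   1. prepare /etc/hosts, preseed (debconf) and install slapd
#   2. build a private root CA under /srv/CA and issue the slapd certificate
#      from it, then enable TLS on slapd (olcSSL.ldif)
#   3. install FusionDirectory from its apt repository and bootstrap its LDAP
#      configuration; the LDAP changes are applied by the handlers at the end
#
# Secrets (ldap_admin_pass, fd_admin_pass) come from vars/secrets.yml. Tasks
# that handle them run with no_log, and the ldap* command-line tools read them
# from root-only files (-y / -T) rather than from the command line, so they do
# not appear in process listings or the shell history of the target.
- hosts: auth.example.com
  remote_user: root  # play-level `user:` is the legacy alias of remote_user

  vars_files:
    - vars/all.yml
    - vars/secrets.yml

  vars:
    # Root-only directory where the LDAP admin / FusionDirectory admin
    # passwords are staged for the ldap* tools. Constructed defaults; a
    # vars_files entry (higher precedence) can override them.
    ldap_secrets_dir: /root/.ldap-secrets
    ldap_admin_passfile: "{{ ldap_secrets_dir }}/ldap_admin"
    fd_admin_passfile: "{{ ldap_secrets_dir }}/fd_admin"

  tasks:

    - name: Prepare /etc/hosts
      lineinfile:
        path: /etc/hosts
        # insertafter is a regex: escape the dots so only 127.0.1.1 matches.
        insertafter: '^127\.0\.1\.1 '
        line: "{{ item }}"
      with_items:
        - "127.0.2.1   mail.{{ domain }} mail"
        - "127.0.3.1   auth.{{ domain }} auth"

    - name: Setup OpenLDAP and Dependencies
      apt:
        name: "{{ item }}"
        state: present
        update_cache: true
      with_items:
        - ldap-utils
        - gnutls-bin
        - ca-certificates
        - python-ldap
        - python3-ldap

    # Preseed slapd so the package install is non-interactive. The boolean
    # answers are passed as the literal strings debconf expects.
    - name: debconf configuration for slapd
      debconf:
        name: slapd
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        - { question: slapd/no_configuration, value: 'false', vtype: boolean }
        - { question: slapd/domain, value: "{{ domain }}", vtype: string }
        - { question: shared/organization, value: "{{ organization }}", vtype: string }
        - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
        - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
        - { question: slapd/backend, value: MDB, vtype: select }
        - { question: slapd/purge_database, value: 'false', vtype: boolean }
        - { question: slapd/move_old_database, value: 'true', vtype: boolean }
      no_log: true  # the items carry the admin password

    - name: install slapd
      apt:
        name: slapd
        state: present

    # The root CA private key lives here, next to the templates: root-only.
    - name: Create the ROOT CA store
      file:
        path: /srv/CA
        state: directory
        owner: root
        group: root
        mode: '0700'

    - name: Generate the CA Certificate template
      template:
        src: templates/ca-cert.tmpl.j2
        dest: /srv/CA/ca-cert.tmpl

    # Multi-line commands use folded scalars (>-) so they reach the command
    # module as one line, with no shell continuation backslashes to get wrong.
    - name: Generate the ROOT CA private key
      command: >-
        certtool --generate-privkey
        --outfile {{ domain }}-rootCA.key
      args:
        chdir: /srv/CA
        creates: "/srv/CA/{{ domain }}-rootCA.key"

    - name: Restrict access to the ROOT CA private key
      file:
        path: "/srv/CA/{{ domain }}-rootCA.key"
        owner: root
        group: root
        mode: '0600'

    - name: Generate the ROOT CA Certificate
      command: >-
        certtool --generate-self-signed
        --template ca-cert.tmpl
        --load-privkey {{ domain }}-rootCA.key
        --outfile {{ domain }}-rootCA.crt
      args:
        chdir: /srv/CA
        creates: "/srv/CA/{{ domain }}-rootCA.crt"

    # Only the public certificate leaves /srv/CA; update-ca-certificates picks
    # up *.crt from this directory.
    - name: Add our ROOT CA as trusted
      copy:
        remote_src: true
        src: "/srv/CA/{{ domain }}-rootCA.crt"
        dest: /usr/local/share/ca-certificates/
      notify:
        - Update CA Certificates

    - name: Create the LDAP TLS store
      file:
        path: /etc/ldap/ssl
        owner: openldap
        group: openldap
        state: directory

    - name: Generate the LDAP Certificate template
      template:
        src: templates/ldap-cert.tmpl.j2
        dest: /srv/CA/ldap-cert.tmpl

    - name: Generate the LDAP private key
      command: >-
        certtool --generate-privkey
        --outfile {{ domain }}.key
      args:
        chdir: /etc/ldap/ssl
        creates: "/etc/ldap/ssl/{{ domain }}.key"

    - name: Generate the LDAP Certificate
      command: >-
        certtool --generate-certificate
        --template /srv/CA/ldap-cert.tmpl
        --load-privkey {{ domain }}.key
        --outfile {{ domain }}.crt
        --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
        --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
      args:
        chdir: /etc/ldap/ssl
        creates: "/etc/ldap/ssl/{{ domain }}.crt"

    # slapd runs as openldap and needs the key; nobody else does.
    - name: Set the correct ownership and mode on the LDAP cert/key pair
      file:
        path: "/etc/ldap/ssl/{{ item.name }}"
        owner: openldap
        group: openldap
        mode: "{{ item.mode }}"
      with_items:
        - { name: "{{ domain }}.key", mode: '0600' }
        - { name: "{{ domain }}.crt", mode: '0644' }

    - name: Create the custom_ldifs store
      file:
        path: /etc/ldap/custom_ldifs
        owner: openldap
        group: openldap
        state: directory

    - name: Create the olcSSL.ldif file (LDAP TLS Configuration)
      template:
        src: templates/olcSSL.ldif.j2
        dest: /etc/ldap/custom_ldifs/olcSSL.ldif
        owner: openldap
        group: openldap
      notify:
        - Apply olcSSL.ldif
        - Restart slapd

    # Password files consumed by the ldap* handlers below (-y / -T). `content`
    # is written verbatim with no trailing newline, which is what those options
    # expect ("complete contents of the file").
    - name: Create the root-only directory for the staged LDAP passwords
      file:
        path: "{{ ldap_secrets_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0700'

    - name: Stage the LDAP admin and FusionDirectory admin passwords
      copy:
        content: "{{ item.value }}"
        dest: "{{ item.dest }}"
        owner: root
        group: root
        mode: '0600'
      with_items:
        - { dest: "{{ ldap_admin_passfile }}", value: "{{ ldap_admin_pass }}" }
        - { dest: "{{ fd_admin_passfile }}", value: "{{ fd_admin_pass }}" }
      no_log: true

    # The full 40-hex fingerprint pins the signing key, so the (unauthenticated)
    # keyserver transport cannot substitute another key; it still has to be
    # reachable from the target.
    - name: Add an apt key by id from a keyserver
      apt_key:
        keyserver: keys.gnupg.net
        id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF

    # Plain-http repository: integrity comes from the signed Release file
    # verified against the key above, not from the transport.
    - name: Add the Fusiondirectory repo
      apt_repository:
        repo: "{{ item }}"
        state: present
      with_items:
        - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
        - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'

    - name: Install FusionDirectory, dependencies and plugins
      apt:
        name: "{{ item }}"
        update_cache: true
        state: present
      with_items:
        - apache2
        - libapache2-mod-php
        - php-ldap
        - php-intl
        - php-pear
        - php-mbstring
        - fusiondirectory
        - fusiondirectory-schema
        - fusiondirectory-plugin-ldapdump
        - fusiondirectory-plugin-ldapmanager
        - fusiondirectory-plugin-dsa
        - fusiondirectory-plugin-dsa-schema
        - fusiondirectory-plugin-systems
        - fusiondirectory-plugin-systems-schema
      notify:
        - Apply FusionDirectory Schema
        - Apply FusionDirectory Plugins Schema

    # `get_md5` was deprecated and later removed from stat; the default
    # checksum is exposed as fd_config_hash.stat.checksum. The registered
    # result is not consumed elsewhere in this play.
    - name: Calculate FusionDirectory Configuration hash
      stat:
        path: /var/cache/fusiondirectory/class.cache
        get_checksum: true
      register: fd_config_hash

    - name: Generate the Initial FusionDirectory configuration
      template:
        src: templates/fd-init-config.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
      notify:
        - Initialize FusionDirectory Configuration

    - name: Migrate FusionDirectory Object Classes
      template:
        src: templates/fd-migrate-object-classes.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
      notify:
        - Migrate Object Classes

    - name: Create an empty ldap.conf file
      file:
        path: /etc/ldap/ldap.conf
        state: touch
      notify:
        - Generate FusionDirectory SuperUser and OUs

    # Deliberate no-op that always reports "changed", so the handler that sets
    # the password fires on every run. Quoted: a bare `true` would be a YAML
    # boolean, not a command.
    - name: Set FusionDirectory SuperUser Password
      command: "true"
      notify:
        - Set SuperUser Password
      no_log: true

    - name: Migrate FusionDirectory Defaults ACLs
      template:
        src: templates/fd-migrate-default-acl.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
      notify:
        - Migrate Default ACLs

    - name: Fix Permissions for the FusionDirectory Configuration
      template:
        src: templates/fusiondirectory.conf.j2
        dest: /etc/fusiondirectory/fusiondirectory.conf
      notify:
        - Fix FusionDirectory Configuration Permissions

    - name: Apply FusionDirectory Service Accounts ACL
      template:
        src: templates/fd-service_accounts_acl.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
      notify:
        - Apply Service Accounts ACL

    - name: Create a .well-known directory
      file:
        path: /var/www/html/.well-known
        state: directory
        owner: www-data
        group: www-data

    - name: Deploy the Apache VirtualHosts for FusionDirectory
      template:
        src: "templates/fd-vhost{{ item }}.j2"
        dest: "/etc/apache2/sites-available/{{ domain }}{{ item }}"
      with_items:
        - ".conf"
        - "-ssl.conf"
      notify:
        - Enable the Apache HTTP VirtualHost
        - Disable the Default Apache VirtualHost
        - Restart Apache

  # Handlers run in definition order at the end of the play; the ldap*
  # handlers bind as the admin DN over ldapi:/// and take the password from
  # the staged file (-y) rather than the command line (-w).
  handlers:

    - name: Update CA Certificates
      command: update-ca-certificates

    - name: Apply olcSSL.ldif
      command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
      args:
        chdir: /etc/ldap/custom_ldifs

    - name: Restart slapd
      service:
        name: slapd
        state: restarted

    - name: Apply FusionDirectory Schema
      command: fusiondirectory-insert-schema

    - name: Apply FusionDirectory Plugins Schema
      command: >-
        fusiondirectory-insert-schema
        -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
      with_items:
        - dsa-fd-conf
        - service-fd
        - systems-fd-conf
        - systems-fd

    - name: Initialize FusionDirectory Configuration
      command: >-
        ldapadd -x -D '{{ ldap_admin_dn }}' -y {{ ldap_admin_passfile }}
        -H ldapi:/// -f fd-init-config.ldif
      args:
        chdir: /etc/ldap/custom_ldifs
      no_log: true

    - name: Migrate Object Classes
      command: >-
        ldapmodify -x -D '{{ ldap_admin_dn }}' -y {{ ldap_admin_passfile }}
        -H ldapi:/// -f fd-migrate-object-classes.ldif
      args:
        chdir: /etc/ldap/custom_ldifs
      no_log: true

    # fusiondirectory-setup prompts for the admin uid; `yes` feeds it.
    - name: Generate FusionDirectory SuperUser and OUs
      shell: >-
        yes '{{ fd_admin }}' | fusiondirectory-setup --yes --check-ldap

    # -T reads the new password from a file, so neither the bind password nor
    # the new one is on the command line. Bound over ldapi:/// like the other
    # handlers.
    - name: Set SuperUser Password
      command: >-
        ldappasswd -x -H ldapi:/// -D '{{ ldap_admin_dn }}'
        -y {{ ldap_admin_passfile }} -T {{ fd_admin_passfile }}
        'uid={{ fd_admin }},ou=people,{{ base_dn }}'
      no_log: true

    - name: Migrate Default ACLs
      command: >-
        ldapadd -x -D '{{ ldap_admin_dn }}' -y {{ ldap_admin_passfile }}
        -H ldapi:/// -f fd-migrate-default-acl.ldif
      args:
        chdir: /etc/ldap/custom_ldifs
      no_log: true

    - name: Fix FusionDirectory Configuration Permissions
      command: fusiondirectory-setup --yes --check-config

    - name: Apply Service Accounts ACL
      command: >-
        ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
      args:
        chdir: /etc/ldap/custom_ldifs

    - name: Enable the Apache HTTP VirtualHost
      file:
        src: "/etc/apache2/sites-available/{{ domain }}.conf"
        dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
        state: link

    - name: Disable the Default Apache VirtualHost
      file:
        path: /etc/apache2/sites-enabled/000-default.conf
        state: absent

    - name: Restart Apache
      service:
        name: apache2
        state: restarted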