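---
# Deploys OpenLDAP (slapd, TLS-enabled through a locally generated root CA)
# and FusionDirectory on the auth host.  Host-specific values come from
# vars/all.yml; credentials (ldap_admin_pass, fd_admin_pass, ...) come from
# vars/secrets.yml and every task that handles them runs with no_log.
- hosts: auth.example.com
  remote_user: root
  vars_files:
    - vars/all.yml
    - vars/secrets.yml

  tasks:
    # Dots are regex metacharacters; escape them so the anchor matches only
    # the 127.0.1.1 line.
    - name: Prepare /etc/hosts
      lineinfile:
        path: /etc/hosts
        insertafter: '^127\.0\.1\.1 '
        line: "{{ item }}"
      with_items:
        - "127.0.2.1 mail.{{ domain }} mail"
        - "127.0.3.1 auth.{{ domain }} auth"

    - name: Setup OpenLDAP and Dependencies
      apt:
        name:
          - ldap-utils
          - gnutls-bin
          - ca-certificates
          - python-ldap
          - python3-ldap
        state: present
        update_cache: true

    # Pre-seed the slapd installer so it runs non-interactively.  The answers
    # include the admin password, hence no_log on the whole loop.
    - name: debconf configuration for slapd
      debconf:
        name: slapd
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        - question: slapd/no_configuration
          value: false
          vtype: boolean
        - question: slapd/domain
          value: "{{ domain }}"
          vtype: string
        - question: shared/organization
          value: "{{ organization }}"
          vtype: string
        - question: slapd/password1
          value: "{{ ldap_admin_pass }}"
          vtype: password
        - question: slapd/password2
          value: "{{ ldap_admin_pass }}"
          vtype: password
        - question: slapd/backend
          value: MDB
          vtype: select
        - question: slapd/purge_database
          value: false
          vtype: boolean
        - question: slapd/move_old_database
          value: true
          vtype: boolean
      no_log: true

    - name: install slapd
      apt:
        name: slapd
        state: present

    # The ldap client tools used by the handlers below read credentials from
    # a file (-y / -T) instead of argv, so the passwords never appear in the
    # process list.  Written without a trailing newline on purpose: -y uses
    # the file's complete contents as the password.  The files live under
    # /root (chosen here; any root-only location works).
    - name: Store the LDAP admin password for the ldap client tools
      copy:
        content: "{{ ldap_admin_pass }}"
        dest: /root/.ldap_admin_pass
        owner: root
        group: root
        mode: '0600'
      no_log: true

    - name: Store the FusionDirectory SuperUser password for ldappasswd
      copy:
        content: "{{ fd_admin_pass }}"
        dest: /root/.fd_admin_pass
        owner: root
        group: root
        mode: '0600'
      no_log: true

    - name: Create the ROOT CA store
      file:
        path: /srv/CA
        state: directory

    - name: Generate the CA Certificate template
      template:
        src: templates/ca-cert.tmpl.j2
        dest: /srv/CA/ca-cert.tmpl

    # Folded scalars keep each command on one logical line.  The command
    # module does not go through a shell, so shell-style "\" continuations
    # inside a literal block may be passed on to certtool as arguments.
    - name: Generate the ROOT CA private key
      command: >-
        certtool --generate-privkey
        --outfile {{ domain }}-rootCA.key
      args:
        chdir: /srv/CA
        creates: "/srv/CA/{{ domain }}-rootCA.key"

    # Anything signed by this CA becomes trusted system-wide once the
    # certificate is installed below, so the key is kept root-only.
    - name: Restrict access to the ROOT CA private key
      file:
        path: "/srv/CA/{{ domain }}-rootCA.key"
        owner: root
        group: root
        mode: '0600'

    - name: Generate the ROOT CA Certificate
      command: >-
        certtool --generate-self-signed
        --template ca-cert.tmpl
        --load-privkey {{ domain }}-rootCA.key
        --outfile {{ domain }}-rootCA.crt
      args:
        chdir: /srv/CA
        creates: "/srv/CA/{{ domain }}-rootCA.crt"

    - name: Add our ROOT CA as trusted
      copy:
        remote_src: true
        src: "/srv/CA/{{ domain }}-rootCA.crt"
        dest: /usr/local/share/ca-certificates/
      notify:
        - Update CA Certificates

    - name: Create the LDAP TLS store
      file:
        path: /etc/ldap/ssl
        owner: openldap
        group: openldap
        state: directory

    - name: Generate the LDAP Certificate template
      template:
        src: templates/ldap-cert.tmpl.j2
        dest: /srv/CA/ldap-cert.tmpl

    - name: Generate the LDAP private key
      command: >-
        certtool --generate-privkey
        --outfile {{ domain }}.key
      args:
        chdir: /etc/ldap/ssl
        creates: "/etc/ldap/ssl/{{ domain }}.key"

    - name: Generate the LDAP Certificate
      command: >-
        certtool --generate-certificate
        --template /srv/CA/ldap-cert.tmpl
        --load-privkey {{ domain }}.key
        --outfile {{ domain }}.crt
        --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
        --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
      args:
        chdir: /etc/ldap/ssl
        creates: "/etc/ldap/ssl/{{ domain }}.crt"

    # slapd runs as openldap and is the only reader of the private key.
    - name: Set the correct ownership and permissions on the LDAP cert/key pair
      file:
        path: "/etc/ldap/ssl/{{ item.file }}"
        owner: openldap
        group: openldap
        mode: "{{ item.mode }}"
      with_items:
        - file: "{{ domain }}.key"
          mode: '0600'
        - file: "{{ domain }}.crt"
          mode: '0644'

    - name: Create the custom_ldifs store
      file:
        path: /etc/ldap/custom_ldifs
        owner: openldap
        group: openldap
        state: directory

    - name: Create the olcSSL.ldif file (LDAP TLS Configuration)
      template:
        src: templates/olcSSL.ldif.j2
        dest: /etc/ldap/custom_ldifs/olcSSL.ldif
        owner: openldap
        group: openldap
      notify:
        - Apply olcSSL.ldif
        - Restart slapd

    # The id is the full 40-hex fingerprint rather than a short key id.
    - name: Add an apt key by id from a keyserver
      apt_key:
        keyserver: keys.gnupg.net
        id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF

    # Plain http transport; apt still verifies the Release signature against
    # the key imported above.
    - name: Add the Fusiondirectory repo
      apt_repository:
        repo: "{{ item }}"
        state: present
      with_items:
        - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
        - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'

    - name: Install FusionDirectory, dependencies and plugins
      apt:
        name:
          - apache2
          - libapache2-mod-php
          - php-ldap
          - php-intl
          - php-pear
          - php-mbstring
          - fusiondirectory
          - fusiondirectory-schema
          - fusiondirectory-plugin-ldapdump
          - fusiondirectory-plugin-ldapmanager
          - fusiondirectory-plugin-dsa
          - fusiondirectory-plugin-dsa-schema
          - fusiondirectory-plugin-systems
          - fusiondirectory-plugin-systems-schema
        update_cache: true
        state: present
      notify:
        - Apply FusionDirectory Schema
        - Apply FusionDirectory Plugins Schema

    # get_md5 is deprecated in newer Ansible; get_checksum is the supported
    # option.  Note that fd_config_hash is not read by any task in this play.
    - name: Calculate FusionDirectory Configuration hash
      stat:
        path: /var/cache/fusiondirectory/class.cache
        get_checksum: true
      register: fd_config_hash

    - name: Generate the Initial FusionDirectory configuration
      template:
        src: templates/fd-init-config.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
      notify:
        - Initialize FusionDirectory Configuration

    - name: Migrate FusionDirectory Object Classes
      template:
        src: templates/fd-migrate-object-classes.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
      notify:
        - Migrate Object Classes

    # state=touch always reports changed, so the notified handler runs on
    # every play run.
    - name: Create an empty ldap.conf file
      file:
        path: /etc/ldap/ldap.conf
        state: touch
      notify:
        - Generate FusionDirectory SuperUser and OUs

    # A no-op command that always reports changed; it exists only to trigger
    # the handler.  Quoted so YAML does not turn it into a boolean.
    - name: Set FusionDirectory SuperUser Password
      command: 'true'
      notify:
        - Set SuperUser Password
      no_log: true

    - name: Migrate FusionDirectory Defaults ACLs
      template:
        src: templates/fd-migrate-default-acl.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
      notify:
        - Migrate Default ACLs

    - name: Fix Permissions for the FusionDirectory Configuration
      template:
        src: templates/fusiondirectory.conf.j2
        dest: /etc/fusiondirectory/fusiondirectory.conf
      notify:
        - Fix FusionDirectory Configuration Permissions

    - name: Apply FusionDirectory Service Accounts ACL
      template:
        src: templates/fd-service_accounts_acl.ldif.j2
        dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
      notify:
        - Apply Service Accounts ACL

    - name: Create a .well-known directory
      file:
        path: /var/www/html/.well-known
        state: directory
        owner: www-data
        group: www-data

    - name: Deploy the Apache VirtualHosts for FusionDirectory
      template:
        src: "templates/fd-vhost{{ item }}.j2"
        dest: "/etc/apache2/sites-available/{{ domain }}{{ item }}"
      with_items:
        - ".conf"
        - "-ssl.conf"
      notify:
        - Enable the Apache HTTP VirtualHost
        - Disable the Default Apache VirtualHost
        - Restart Apache

  # Handlers run in the order they are defined here, not in notification
  # order; keep "Apply olcSSL.ldif" ahead of "Restart slapd".
  handlers:
    - name: Update CA Certificates
      command: update-ca-certificates

    - name: Apply olcSSL.ldif
      command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
      args:
        chdir: /etc/ldap/custom_ldifs

    - name: Restart slapd
      service:
        name: slapd
        state: restarted

    - name: Apply FusionDirectory Schema
      command: fusiondirectory-insert-schema

    - name: Apply FusionDirectory Plugins Schema
      command: >-
        fusiondirectory-insert-schema
        -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
      with_items:
        - dsa-fd-conf
        - service-fd
        - systems-fd-conf
        - systems-fd

    # Simple bind as the LDAP admin; the password comes from the root-only
    # file written in the tasks above (-y), not from argv.
    - name: Initialize FusionDirectory Configuration
      command: >-
        ldapadd -x -D {{ ldap_admin_dn }} -y /root/.ldap_admin_pass
        -H ldapi:/// -f fd-init-config.ldif
      args:
        chdir: /etc/ldap/custom_ldifs
      no_log: true

    - name: Migrate Object Classes
      command: >-
        ldapmodify -x -D {{ ldap_admin_dn }} -y /root/.ldap_admin_pass
        -H ldapi:/// -f fd-migrate-object-classes.ldif
      args:
        chdir: /etc/ldap/custom_ldifs
      no_log: true

    - name: Generate FusionDirectory SuperUser and OUs
      shell: >-
        yes '{{ fd_admin }}' | fusiondirectory-setup --yes --check-ldap

    # -T reads the new password from a file, keeping it out of the process
    # list as well.
    - name: Set SuperUser Password
      command: >-
        ldappasswd -D {{ ldap_admin_dn }} -y /root/.ldap_admin_pass
        -T /root/.fd_admin_pass
        uid={{ fd_admin }},ou=people,{{ base_dn }}
      no_log: true

    - name: Migrate Default ACLs
      command: >-
        ldapadd -x -D {{ ldap_admin_dn }} -y /root/.ldap_admin_pass
        -H ldapi:/// -f fd-migrate-default-acl.ldif
      args:
        chdir: /etc/ldap/custom_ldifs
      no_log: true

    - name: Fix FusionDirectory Configuration Permissions
      command: fusiondirectory-setup --yes --check-config

    # -c continues past entries that fail to add (e.g. ones that already
    # exist); check the handler output if an ACL seems not to be applied.
    - name: Apply Service Accounts ACL
      command: >-
        ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
      args:
        chdir: /etc/ldap/custom_ldifs

    - name: Enable the Apache HTTP VirtualHost
      file:
        src: "/etc/apache2/sites-available/{{ domain }}.conf"
        dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
        state: link

    - name: Disable the Default Apache VirtualHost
      file:
        path: /etc/apache2/sites-enabled/000-default.conf
        state: absent

    - name: Restart Apache
      service:
        name: apache2
        state: restarted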