- ---
- # This will deploy OpenLDAP and FusionDirectory on the mailserver
- - hosts: auth.example.com
- user: root
-
- vars_files:
- - vars/all.yml
- - vars/secrets.yml
-
- tasks:
-
- - name: Prepate /etc/hosts
- lineinfile:
- path: /etc/hosts
- insertafter: '^127.0.1.1 '
- line: "{{ item }}"
- with_items:
- - "127.0.2.1 mail.{{ domain }} mail"
- - "127.0.3.1 auth.{{ domain }} auth"
-
- - name: Setup OpenLDAP and Dependencies
- apt:
- name: "{{ item }}"
- state: present
- update_cache: yes
- with_items:
- - ldap-utils
- - gnutls-bin
- - ca-certificates
- - python-ldap
- - python3-ldap
-
- - name: debconf configuration for slapd
- debconf:
- name: slapd
- question: "{{ item.question }}"
- value: "{{ item.value }}"
- vtype: "{{ item.vtype }}"
- with_items:
- - { question: slapd/no_configuration, value: False, vtype: boolean }
- - { question: slapd/domain, value: "{{ domain }}", vtype: string }
- - { question: shared/organization, value: "{{ organization }}", vtype: string }
- - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
- - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
- - { question: slapd/backend, value: MDB, vtype: select }
- - { question: slapd/purge_database, value: False, vtype: boolean }
- - { question: slapd/move_old_database, value: True, vtype: boolean }
- no_log: True
-
- - name: install slapd
- apt:
- name: slapd
- state: present
-
- - name: Create the ROOT CA store
- file:
- path: /srv/CA
- state: directory
-
- - name: Generate the CA Certificate template
- template:
- src: templates/ca-cert.tmpl.j2
- dest: /srv/CA/ca-cert.tmpl
-
- - name: Generate the ROOT CA private key
- command: |
- certtool --generate-privkey \
- --outfile {{ domain }}-rootCA.key
- args:
- chdir: /srv/CA
- creates: "/srv/CA/{{ domain }}-rootCA.key"
-
- - name: Generate the ROOT CA Certificate
- command: |
- certtool --generate-self-signed \
- --template ca-cert.tmpl \
- --load-privkey {{ domain }}-rootCA.key \
- --outfile {{ domain }}-rootCA.crt
- args:
- chdir: /srv/CA
- creates: "/srv/CA/{{ domain }}-rootCA.crt"
-
- - name: Add our ROOT CA as trusted
- copy:
- remote_src: yes
- src: "/srv/CA/{{ domain }}-rootCA.crt"
- dest: /usr/local/share/ca-certificates/
- notify:
- - Update CA Certificates
-
- - name: Create the LDAP TLS store
- file:
- path: /etc/ldap/ssl
- owner: openldap
- group: openldap
- state: directory
-
- - name: Generate the LDAP Certificate template
- template:
- src: templates/ldap-cert.tmpl.j2
- dest: /srv/CA/ldap-cert.tmpl
-
- - name: Generate the LDAP private key
- command: |
- certtool --generate-privkey \
- --outfile {{ domain }}.key
- args:
- chdir: /etc/ldap/ssl
- creates: "/etc/ldap/ssl/{{ domain }}.key"
-
- - name: Generate the LDAP Certificate
- command: |
- certtool --generate-certificate \
- --template /srv/CA/ldap-cert.tmpl \
- --load-privkey {{ domain }}.key \
- --outfile {{ domain }}.crt \
- --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
- --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
- args:
- chdir: /etc/ldap/ssl
- creates: "/etc/ldap/ssl/{{ domain }}.crt"
-
- - name: Set the correct ownership on the LDAP cert/key pair
- file:
- path: "/etc/ldap/ssl/{{ item }}"
- owner: openldap
- group: openldap
- with_items:
- - "{{ domain }}.key"
- - "{{ domain }}.crt"
-
- - name: Create the custom_ldifs store
- file:
- path: /etc/ldap/custom_ldifs
- owner: openldap
- group: openldap
- state: directory
-
- - name: Create the olcSSL.ldif file (LDAP TLS Configuration)
- template:
- src: templates/olcSSL.ldif.j2
- dest: /etc/ldap/custom_ldifs/olcSSL.ldif
- owner: openldap
- group: openldap
- notify:
- - Apply olcSSL.ldif
- - Restart slapd
-
- - name: Add an apt key by id from a keyserver
- apt_key:
- keyserver: keys.gnupg.net
- id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
-
- - name: Add the Fusiondirectory repo
- apt_repository:
- repo: "{{ item }}"
- state: present
- with_items:
- - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
- - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
-
- - name: Install FusionDirectory, dependencies and plugins
- apt:
- name: "{{ item }}"
- update_cache: yes
- state: present
- with_items:
- - apache2
- - libapache2-mod-php
- - php-ldap
- - php-intl
- - php-pear
- - php-mbstring
- - fusiondirectory
- - fusiondirectory-schema
- - fusiondirectory-plugin-ldapdump
- - fusiondirectory-plugin-ldapmanager
- - fusiondirectory-plugin-dsa
- - fusiondirectory-plugin-dsa-schema
- - fusiondirectory-plugin-systems
- - fusiondirectory-plugin-systems-schema
- notify:
- - Apply FusionDirectory Schema
- - Apply FusionDirectory Plugins Schema
-
- - name: Calculate FusionDirectory Configuration hash
- stat:
- path: /var/cache/fusiondirectory/class.cache
- get_md5: yes
- register: fd_config_hash
-
- - name: Generate the Initial FusionDirectory configuration
- template:
- src: templates/fd-init-config.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
- notify:
- - Initialize FusionDirectory Configuration
-
- - name: Migrate FusionDirectory Object Classes
- template:
- src: templates/fd-migrate-object-classes.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
- notify:
- - Migrate Object Classes
-
- - name: Create an empty ldap.conf file
- file:
- path: /etc/ldap/ldap.conf
- state: touch
- notify:
- - Generate FusionDirectory SuperUser and OUs
-
- - name: Set FusionDirectory SuperUser Password
- command: |
- true
- notify:
- - Set SuperUser Password
- no_log: True
-
- - name: Migrate FusionDirectory Defaults ACLs
- template:
- src: templates/fd-migrate-default-acl.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
- notify:
- - Migrate Default ACLs
-
- - name: Fix Permissions for the FusionDirectory Configuration
- template:
- src: templates/fusiondirectory.conf.j2
- dest: /etc/fusiondirectory/fusiondirectory.conf
- notify:
- - Fix FusionDirectory Configuration Permisions
-
- - name: Apply FusionDirectory Service Accounts ACL
- template:
- src: templates/fd-service_accounts_acl.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
- notify:
- - Apply Service Accounts ACL
-
-
- - name: Create a .well-known directory
- file:
- path: /var/www/html/.well-known
- state: directory
- owner: www-data
- group: www-data
-
- - name: Deploy the Apache VirtualHosts for FusionDirectory
- template:
- src: "templates/fd-vhost{{ item }}.j2"
- dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
- with_items:
- - ".conf"
- - "-ssl.conf"
- notify:
- - Enable the Apache HTTP VirtualHost
- - Disable the Default Apache VirtualHost
- - Restart Apache
-
- handlers:
-
- - name: Update CA Certificates
- command: update-ca-certificates
-
- - name: Apply olcSSL.ldif
- command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
-
- - name: Restart slapd
- service:
- name: slapd
- state: restarted
-
- - name: Apply FusionDirectory Schema
- command: fusiondirectory-insert-schema
-
- - name: Apply FusionDirectory Plugins Schema
- command: |
- fusiondirectory-insert-schema \
- -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
- with_items:
- - dsa-fd-conf
- - service-fd
- - systems-fd-conf
- - systems-fd
-
- - name: Initialize FusionDirectory Configuration
- command: |
- ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
- no_log: True
-
- - name: Migrate Object Classes
- command: |
- ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
- no_log: True
-
- - name: Generate FusionDirectory SuperUser and OUs
- shell: |
- yes '{{ fd_admin }}' | \
- fusiondirectory-setup --yes --check-ldap
-
- - name: Set SuperUser Password
- command: |
- ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
- no_log: True
-
- - name: Migrate Default ACLs
- command: |
- ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
- no_log: True
-
- - name: Fix FusionDirectory Configuration Permisions
- command: fusiondirectory-setup --yes --check-config
-
- - name: Apply Service Accounts ACL
- command: |
- ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
-
- - name: Enable the Apache HTTP VirtualHost
- file:
- src: "/etc/apache2/sites-available/{{ domain }}.conf"
- dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
- state: link
-
- - name: Disable the Default Apache VirtualHost
- file:
- path: /etc/apache2/sites-enabled/000-default.conf
- state: absent
-
- - name: Restart Apache
- service:
- name: apache2
- state: restarted