Code cleanup with search

2016-07-21 12:50:48 -04:00 · 2016-07-21 12:50:48 -04:00 · 33ef1f65c5
parent 2336fcae1e
commit 33ef1f65c5
2 changed files with 315 additions and 319 deletions
--- a/recipes/client.rb
+++ b/recipes/client.rb
@ -17,16 +17,18 @@
 # limitations under the License.
 #

-include_recipe 'chef-vault'
-
-node.set["freeipa"]["client"] = true
-
 # become aware servers
-freeipa_servers = search("node", "freeipa_server:true")
-freeipa_clients = search("node", "freeipa_client:true")
-freeipa_masters = search("node", "freeipa_master:true")
+if Chef::Config[:solo]
+  Chef::Log.warn('This recipe uses search. Chef solo does not support search.')
+else
+  include_recipe 'chef-vault'
+  node.normal["freeipa"]["client"] = true

-unless freeipa_servers.empty? then
+  freeipa_servers = search("node", "freeipa_server:true")
+  freeipa_clients = search("node", "freeipa_client:true")
+  freeipa_masters = search("node", "freeipa_master:true")
+  
+  unless freeipa_servers.empty? then
    package "ipa-client"
    package "openldap-clients"
    package "dbus"
@ -66,18 +68,19 @@ unless freeipa_servers.empty? then
    # submit csr
    # enable dbus
    # get host cert?
-#  execute "requesting host principal certificate" do 
-#    cmd = "ipa-getcert request -r"
-#    cmd += " -f /tmp/affs-server.crt"
-#    cmd += " -k /tmp/affs-server.key"
-#    cmd += " -N CN= " + node[:fqdn]
-#    cmd += " -K host/" + node[:fqdn]
-#    cmd += " -D " + node[:fqdn]
-#    cmd += " -U id-kp-serverAuth"
-#    puts "DEBUG: #{cmd}"
-#    command cmd
-#  end
+  #  execute "requesting host principal certificate" do 
+  #    cmd = "ipa-getcert request -r"
+  #    cmd += " -f /tmp/affs-server.crt"
+  #    cmd += " -k /tmp/affs-server.key"
+  #    cmd += " -N CN= " + node[:fqdn]
+  #    cmd += " -K host/" + node[:fqdn]
+  #    cmd += " -D " + node[:fqdn]
+  #    cmd += " -U id-kp-serverAuth"
+  #    puts "DEBUG: #{cmd}"
+  #    command cmd
+  #  end
  
    # get http cert?
+  end
 end

--- a/recipes/server.rb
+++ b/recipes/server.rb
@ -22,57 +22,49 @@ include_recipe 'chef-vault'
 node.normal["freeipa"]["server"] = true

 # become aware of clients and servers
-freeipa_servers = search(:node, "freeipa_server:true")
-freeipa_clients = search(:node, "freeipa_client:true")
+if Chef::Config[:solo]
+  Chef::Log.warn('This recipe uses search. Chef solo does not support search.')
+else
+  freeipa_servers = search(:node, "freeipa_server:true")
+  freeipa_clients = search(:node, "freeipa_client:true")

-# gather data bag secrets
-#secret = Chef::EncryptedDataBagItem.load_secret("/home/psi-jack/.chef/encrypted_data_bag_secret")
-#passwords = Chef::EncryptedDataBagItem.load("secrets", "passwords", secret)
-passwords = chef_vault_item("freeipa", 'passwords')
-#ldap_server_admin_pwd = data_bag_item('secrets','ldap_server_admin_pwd')['value']
-#kdc_database_master_key = data_bag_item('secrets','kdc_database_master_key')['value']
-#ipa_user_pwd = data_bag_item('secrets','ipa_user_pwd')['value']
+  # gather data bag secrets
+  passwords = chef_vault_item("freeipa", 'passwords')
  
-# packages
-#package "dbus"
-#package "oddjob"
-#package "ipa-client"
-#package "ipa-server"
-#package "rsync"
-
-package 'ipa-server' do
+  # packages
+  package 'ipa-server' do
    case node["platform"]
    when 'redhat', 'centos'
      package_name 'ipa-server'
    end
    action	:install
-end
+  end
  
-##### Security considerations
-# All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
-# That kind of sucks, but what are the real consequences?
-# Since they are replicants of each other, this can be justified, since the data is already compromised.
-# Can selinux help mitigate this?
-#include_recipe "ohai"
-#include_recipe "sshroot2rootssh" 
+  ##### Security considerations
+  # All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
+  # That kind of sucks, but what are the real consequences?
+  # Since they are replicants of each other, this can be justified, since the data is already compromised.
+  # Can selinux help mitigate this?
+  #include_recipe "ohai"
+  #include_recipe "sshroot2rootssh" 
  
-##### Replication
-# We're going to have to 
-# a) detect any new freeipa_servers
-# b) generate ipa-replica-prepare output for them
-# c) copy the configs to them
+  ##### Replication
+  # We're going to have to 
+  # a) detect any new freeipa_servers
+  # b) generate ipa-replica-prepare output for them
+  # c) copy the configs to them
  
-### Behavor
-# First node sets special attribute "master"
-# First node configures itself with newly generated crypto
+  ### Behavor
+  # First node sets special attribute "master"
+  # First node configures itself with newly generated crypto
  
-# Subsequent nodes comes up
-# Subsequent nodes try to to scp their fqdn's configuration from master
-# Subsequent nodes negotiate for master
+  # Subsequent nodes comes up
+  # Subsequent nodes try to to scp their fqdn's configuration from master
+  # Subsequent nodes negotiate for master
  
-# negotiate for master
-freeipa_masters = search(:node, "freeipa_master:true")
-if freeipa_masters.empty? then
+  # negotiate for master
+  freeipa_masters = search(:node, "freeipa_master:true")
+  if freeipa_masters.empty? then
    ##### Do master stuff
  
    # write better tests to see if freeipa is already set up.
@ -145,10 +137,10 @@ if freeipa_masters.empty? then
  
    node.normal["freeipa"]["master"] = true
  
-#elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
-#elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
-#      (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
-elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then
+  #elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
+  #elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
+  #      (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
+  elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then
    ### Subsequent Replica Nodes 
  
    # check to see if slave is setup to replicat from master
@ -216,91 +208,92 @@ elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) t
      end
      action	:nothing
    end
-end
+  end


-### Admin Password for LWRP
-#
-file '/etc/ipa/admin.password' do
+  ### Admin Password for LWRP
+  #
+  file '/etc/ipa/admin.password' do
    content	passwords['ipa_user_pwd']
    owner		'root'
    group		'root'
    mode		'0600'
    sensitive	true
-end
+  end
  
  
-### SSH key for IPA server communications
-#
-directory "/root/.ssh" do
+  ### SSH key for IPA server communications
+  #
+  directory "/root/.ssh" do
    owner		"root"
    group		"root"
    mode		"0700"
    action	:create
-end
+  end
  
-file "/root/.ssh/id_rsa" do
+  file "/root/.ssh/id_rsa" do
    content	passwords["ssh-pvt"]
    owner		"root"
    group		"root"
    mode		"0600"
    sensitive	true
-end
+  end
  
-file "/root/.ssh/id_rsa.pub" do
+  file "/root/.ssh/id_rsa.pub" do
    content	passwords["ssh-pub"]
    owner		"root"
    group		"root"
    mode		"0600"
    sensitive	true
-end
+  end
  
-ruby_block "add public key to authorized_keys" do
+  ruby_block "add public key to authorized_keys" do
    block do
      file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
      file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
      file.write_file
    end
-end
+  end
  
  
  
-##### services
-# enable all the default services recommended by the freeipa docs
+  ##### services
+  # enable all the default services recommended by the freeipa docs
  
-#service "dirsrv" do
-#  service_name	"dirsrv@#{node[:domain].upcase.gsub(".", "-")}"
-#  action	[:enable,:start]
-#end
+  #service "dirsrv" do
+  #  service_name	"dirsrv@#{node[:domain].upcase.gsub(".", "-")}"
+  #  action	[:enable,:start]
+  #end
  
-#service "krb5kdc" do
-#  only_if	service[:dirsrv] => running
-#  action	[:enable,:start]
-#end
+  #service "krb5kdc" do
+  #  only_if	service[:dirsrv] => running
+  #  action	[:enable,:start]
+  #end
  
-#template "/etc/httpd/conf.d/ipa.conf" do
-#  source "ipa.conf.erb"
-#  mode 0644
-#  notifies :restart, "service[httpd]"
-#end
+  #template "/etc/httpd/conf.d/ipa.conf" do
+  #  source "ipa.conf.erb"
+  #  mode 0644
+  #  notifies :restart, "service[httpd]"
+  #end
  
-service "httpd" do
+  service "httpd" do
    action	[:enable,:start]
-end
+  end
  
-#service "ipa_kpasswd" do
-#  action [:enable,:start]
-#end
+  #service "ipa_kpasswd" do
+  #  action [:enable,:start]
+  #end
  
-service "ipa" do
+  service "ipa" do
    action	[:enable,:start]
+  end
+  
+  #service "messagebus" do
+  #  action [:enable,:start]
+  #end
+  #
+  #service "oddjobd" do
+  #  action [:enable,:start]
+  #end
 end

-#service "messagebus" do
-#  action [:enable,:start]
-#end
-#
-#service "oddjobd" do
-#  action [:enable,:start]
-#end
-