diff --git a/Berksfile b/Berksfile index 3187b76..f55968e 100644 --- a/Berksfile +++ b/Berksfile @@ -3,7 +3,7 @@ source "https://supermarket.chef.io" metadata cookbook 'chef-vault' -cookbook 'ohai' -cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey' -cookbook 'sshroot2rootssh', path: '../sshroot2rootssh' +#cookbook 'ohai' +#cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey' +#cookbook 'sshroot2rootssh', path: '../sshroot2rootssh' diff --git a/metadata.rb b/metadata.rb index c7e12a1..2afdebf 100644 --- a/metadata.rb +++ b/metadata.rb @@ -4,10 +4,10 @@ maintainer_email 'psi-jack@linux-help.org' license 'GPLv3' description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa' -version '0.1.6' +version '0.1.7' issues_url 'http://git.linux-help.org/Linux-Help/freeipa/issues' source_url 'http://git.linux-help.org/Linux-Help/freeipa' -depends 'ohai' depends 'chef-vault' -depends 'sshroot2rootssh' +#depends 'ohai' +#depends 'sshroot2rootssh' diff --git a/recipes/server.rb b/recipes/server.rb index 21d3b6f..731da59 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -54,7 +54,7 @@ end # Since they are replicants of each other, this can be justified, since the data is already compromised. # Can selinux help mitigate this? #include_recipe "ohai" -include_recipe "sshroot2rootssh" +#include_recipe "sshroot2rootssh" ##### Replication # We're going to have to @@ -85,7 +85,7 @@ if freeipa_masters.empty? then cmd += " -r " + node["domain"].upcase cmd += " -n " + node["domain"] cmd += " -p " + passwords['ldap_server_admin_pwd'] - cmd += " -P " + passwords['kdc_database_master_key'] + #cmd += " -P " + passwords['kdc_database_master_key'] cmd += " -a " + passwords['ipa_user_pwd'] cmd += " -N " cmd += " -U " 
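Review bot: With `-P` commented out the KDC master key is no longer taken from the `passwords` vault item, but the surrounding `-p` and `-a` arguments still put the LDAP admin and IPA user passwords on the ipa-server-install command line, where any local user can read them from /proc while the installer runs; that was true before this change, so it is a note rather than a blocker. If the installed ipa-server-install accepts a password file or stdin, prefer that, and in any case make sure the execute resource that runs `cmd` (its definition is outside this hunk) carries `sensitive true` so Chef does not echo the full command in logs and run reports. A one-line comment on the disabled line would stop the next maintainer from re-enabling it by accident, e.g. `# -P intentionally omitted: the KDC master key is no longer sourced from the vault item`.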
@@ -113,12 +113,42 @@ if freeipa_masters.empty? then # end # end #end + + directory "/root/.ssh" do + owner "root" + group "root" + mode "0700" + action :create + end + + file "/root/.ssh/id_rsa" do + content passwords["ssh-pvt"] + owner "root" + group "root" + mode "0600" + end + + file "/root/.ssh/id_rsa.pub" do + content passwords["ssh-pub"] + owner "root" + group "root" + mode "0600" + end + + ruby_block "add public key to authorized_keys" do + block do + file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys") + file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"]) + file.write_file + end + end node.normal["freeipa"]["master"] = true #elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then -elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) && - (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then +#elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) && +# (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then +elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then ### Subsequent Replica Nodes # check to see if slave is setup to replicat from master 
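Review bot: The `file "/root/.ssh/id_rsa"` resource writes a private key from the `passwords` vault item without `sensitive true`, so on the first converge and on any drift Chef prints the key material in the resource diff to the log and the run report; add `sensitive true` to both the `id_rsa` and `id_rsa.pub` resources. The `ruby_block` that follows opens /root/.ssh/authorized_keys with `Chef::Util::FileEdit`, but nothing in this hunk creates that file and FileEdit raises ArgumentError when the path does not exist, so a fresh master fails here unless the file already exists; guard it with `::File.write(path, "") unless ::File.exist?(path)` (then fix its mode) or declare a `file` resource for it earlier in the branch. The same four resources are added again verbatim at top level later in this commit under identical names, which older Chef warns about as resource cloning and which converges twice in any version; keep one copy. The rewritten condition would read better as `elsif node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true` with no parentheses and no trailing `then`. The enclosing `if freeipa_masters.empty?` branch starts before this hunk.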
@@ -127,7 +157,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value execute "prepare replica from master" do cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}" + cmd += " " + node["fqdn"] command cmd + sensitive true not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg" #notifies :run, 'execute[rsyncing freeipa replication data]', :immediately end @@ -145,7 +177,7 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value cmd += ":/var/lib/ipa/replica-info-#{node['fqdn']}.gpg" cmd += " /var/lib/ipa/" command cmd - notifies :run, 'execute[joining freeipa cluster]', :immediately + #notifies :run, 'execute[joining freeipa cluster]', :immediately end execute "joining freeipa cluster" do @@ -157,8 +189,8 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value cmd += " --unattended --mkhomedir --skip-conncheck" cmd += " /var/lib/ipa/replica-info-#{node['fqdn']}.gpg" command cmd - sensitive true - action :nothing + #sensitive true + #action :nothing notifies :run, 'execute[copying CA private key]', :immediately end @@ -186,6 +218,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value end end + +### Admin Password for LWRP +# file '/etc/ipa/admin.password' do content passwords['ipa_user_pwd'] owner 'root' 
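Review bot: `sensitive true` on "prepare replica from master" only keeps the command out of Chef's own log; the admin password is still passed as `-p #{passwords['ldap_server_admin_pwd']}` on the remote ipa-replica-prepare command line, visible in the master's process list for the duration of the run, and it also sits in the local `ssh` process's argv. If the installed ipa-replica-prepare can read the password from a file or stdin, prefer that; otherwise document the accepted exposure next to the resource, e.g. `# NOTE: -p exposes the admin password in the remote process list while the command runs`. `node["fqdn"]` is interpolated unquoted into both the command and the `not_if` shell string, so quote it as `"#{node['fqdn']}"` in both places. `ssh_noauth` is defined outside this hunk, so I cannot tell whether it disables host-key checking; if it does, the password travels to whichever host answers for the master's name, which is worth a comment at its definition.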
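Review bot: Commenting out `sensitive true` on "joining freeipa cluster" makes Chef log and report the full ipa-replica-install command line on every run and in failure output; the head of the command is outside this hunk, but if it carries the admin password the way the sibling ipa-replica-prepare command does, that password lands in plaintext logs, so keep `sensitive true` even while debugging the install. Dropping `action :nothing` together with the commented-out `notifies` in the preceding hunk turns this from a notified one-shot into a resource that runs on every converge, so it needs an idempotency guard such as `not_if "test -f /etc/ipa/default.conf"` (or whichever marker the installed version leaves) unless one is already set above the hunk. A short comment on why the one-shot wiring was removed would help the next reader, e.g. `# runs on every converge; guarded by the not_if below`.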
@@ -194,6 +229,40 @@ file '/etc/ipa/admin.password' do sensitive true end + +### SSH key for IPA server communications +# +directory "/root/.ssh" do + owner "root" + group "root" + mode "0700" + action :create +end + +file "/root/.ssh/id_rsa" do + content passwords["ssh-pvt"] + owner "root" + group "root" + mode "0600" +end + +file "/root/.ssh/id_rsa.pub" do + content passwords["ssh-pub"] + owner "root" + group "root" + mode "0600" +end + +ruby_block "add public key to authorized_keys" do + block do + file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys") + file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"]) + file.write_file + end +end + + + ##### services # enable all the default services recommended by the freeipa docs
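Review bot: Both `file` resources here write key material from the `passwords` vault item and neither has `sensitive true`, so the private key is printed in Chef's resource diff on the first converge and whenever the content drifts; add `sensitive true` to `file "/root/.ssh/id_rsa"` and `file "/root/.ssh/id_rsa.pub"`. The `ruby_block` opens /root/.ssh/authorized_keys with `Chef::Util::FileEdit`, which raises when the file does not exist, and nothing in this section creates it, so the first run on a clean host fails unless the file was created elsewhere; the rewrite below creates it root-only first and keeps the idempotent insert. Installing one shared root keypair on every node that runs this recipe and authorizing it for root on each means compromise of any one node yields root on all of them; the comment earlier in this recipe already accepts that, but a `# NOTE:` restating the trade-off next to these resources, and a `from="..."` or `command=` restriction on the authorized_keys entry, would narrow it. This block also duplicates the one added inside the `if freeipa_masters.empty?` branch earlier in the commit; one copy is enough.
```ruby
ruby_block "add public key to authorized_keys" do
  block do
    path = "/root/.ssh/authorized_keys"
    # FileEdit requires the file to exist; create it empty with root-only permissions.
    ::File.open(path, ::File::WRONLY | ::File::CREAT, 0o600) {} unless ::File.exist?(path)
    pubkey = passwords["ssh-pub"].delete("\n")
    editor = Chef::Util::FileEdit.new(path)
    editor.insert_line_if_no_match(Regexp.new(Regexp.escape(pubkey)), passwords["ssh-pub"])
    editor.write_file
  end
end
```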