Changed ssh generation to pre-keyed vault for streamlined setup.

Berksfile

@@ -3,7 +3,7 @@ source "https://supermarket.chef.io"
 metadata
 
 cookbook 'chef-vault'
-cookbook 'ohai'
+#cookbook 'ohai'
-cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
+#cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
-cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'
+#cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'
 

metadata.rb

@@ -4,10 +4,10 @@ maintainer_email 'psi-jack@linux-help.org'
 license          'GPLv3'
 description      'Installs/Configures freeipa'
 long_description 'Installs/Configures freeipa'
-version          '0.1.6'
+version          '0.1.7'
 issues_url       'http://git.linux-help.org/Linux-Help/freeipa/issues'
 source_url       'http://git.linux-help.org/Linux-Help/freeipa'
 
-depends 'ohai'
 depends 'chef-vault'
-depends 'sshroot2rootssh'
+#depends 'ohai'
+#depends 'sshroot2rootssh'

recipes/server.rb

@@ -54,7 +54,7 @@ end
 # Since they are replicants of each other, this can be justified, since the data is already compromised.
 # Can selinux help mitigate this?
 #include_recipe "ohai"
-include_recipe "sshroot2rootssh" 
+#include_recipe "sshroot2rootssh" 
 
 ##### Replication
 # We're going to have to 
@@ -85,7 +85,7 @@ if freeipa_masters.empty? then
     cmd +=	" -r " + node["domain"].upcase
     cmd +=	" -n " + node["domain"]
     cmd +=	" -p " + passwords['ldap_server_admin_pwd']
-    cmd +=	" -P " + passwords['kdc_database_master_key']
+    #cmd +=	" -P " + passwords['kdc_database_master_key']
     cmd +=	" -a " + passwords['ipa_user_pwd']
     cmd +=	" -N "
     cmd +=	" -U "
@@ -114,11 +114,41 @@ if freeipa_masters.empty? then
   #  end
   #end
   
+  directory "/root/.ssh" do
+    owner	"root"
+    group	"root"
+    mode	"0700"
+    action	:create
+  end
+
+  file "/root/.ssh/id_rsa" do
+    content	passwords["ssh-pvt"]
+    owner	"root"
+    group	"root"
+    mode	"0600"
+  end
+
+  file "/root/.ssh/id_rsa.pub" do
+    content	passwords["ssh-pub"]
+    owner	"root"
+    group	"root"
+    mode	"0600"
+  end
+
+  ruby_block "add public key to authorized_keys" do
+    block do
+      file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
+      file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
+      file.write_file
+    end
+  end
+
   node.normal["freeipa"]["master"] = true
 
 #elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
-elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
+#elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
-      (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
+#      (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
+elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then
   ### Subsequent Replica Nodes 
 
   # check to see if slave is setup to replicat from master
@@ -127,7 +157,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
 
   execute "prepare replica from master" do
     cmd =	"ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}"
+    cmd +=	" " + node["fqdn"]
     command	cmd
+    sensitive	true
     not_if	"ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
     #notifies :run, 'execute[rsyncing freeipa replication data]', :immediately
   end
@@ -145,7 +177,7 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
     cmd +=	":/var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
     cmd +=	" /var/lib/ipa/"
     command	cmd
-    notifies	:run, 'execute[joining freeipa cluster]', :immediately
+    #notifies	:run, 'execute[joining freeipa cluster]', :immediately
   end
 
   execute "joining freeipa cluster" do
@@ -157,8 +189,8 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
     cmd +=	" --unattended --mkhomedir --skip-conncheck"
     cmd +=	" /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
     command	cmd
-    sensitive	true
+    #sensitive	true
-    action 	:nothing
+    #action 	:nothing
     notifies	:run, 'execute[copying CA private key]', :immediately
   end
 
@@ -186,6 +218,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
   end
 end
 
+
+### Admin Password for LWRP
+#
 file '/etc/ipa/admin.password' do
   content	passwords['ipa_user_pwd']
   owner		'root'
@@ -194,6 +229,40 @@ file '/etc/ipa/admin.password' do
   sensitive	true
 end
 
+
+### SSH key for IPA server communications
+#
+directory "/root/.ssh" do
+  owner	"root"
+  group	"root"
+  mode	"0700"
+  action	:create
+end
+
+file "/root/.ssh/id_rsa" do
+  content	passwords["ssh-pvt"]
+  owner	"root"
+  group	"root"
+  mode	"0600"
+end
+
+file "/root/.ssh/id_rsa.pub" do
+  content	passwords["ssh-pub"]
+  owner	"root"
+  group	"root"
+  mode	"0600"
+end
+
+ruby_block "add public key to authorized_keys" do
+  block do
+    file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
+    file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
+    file.write_file
+  end
+end
+
+
+
 ##### services
 # enable all the default services recommended by the freeipa docs