Changed ssh generation to pre-keyed vault for streamlined setup.

This commit is contained in:
Eric Renfro 2016-07-21 12:30:59 -04:00
parent 718f810b8b
commit 8cca9e32aa
3 changed files with 82 additions and 13 deletions

View file

@ -3,7 +3,7 @@ source "https://supermarket.chef.io"
metadata metadata
cookbook 'chef-vault' cookbook 'chef-vault'
cookbook 'ohai' #cookbook 'ohai'
cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey' #cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
cookbook 'sshroot2rootssh', path: '../sshroot2rootssh' #cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'

View file

@ -4,10 +4,10 @@ maintainer_email 'psi-jack@linux-help.org'
license 'GPLv3' license 'GPLv3'
description 'Installs/Configures freeipa' description 'Installs/Configures freeipa'
long_description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa'
version '0.1.6' version '0.1.7'
issues_url 'http://git.linux-help.org/Linux-Help/freeipa/issues' issues_url 'http://git.linux-help.org/Linux-Help/freeipa/issues'
source_url 'http://git.linux-help.org/Linux-Help/freeipa' source_url 'http://git.linux-help.org/Linux-Help/freeipa'
depends 'ohai'
depends 'chef-vault' depends 'chef-vault'
depends 'sshroot2rootssh' #depends 'ohai'
#depends 'sshroot2rootssh'

View file

@ -54,7 +54,7 @@ end
# Since they are replicants of each other, this can be justified, since the data is already compromised. # Since they are replicants of each other, this can be justified, since the data is already compromised.
# Can selinux help mitigate this? # Can selinux help mitigate this?
#include_recipe "ohai" #include_recipe "ohai"
include_recipe "sshroot2rootssh" #include_recipe "sshroot2rootssh"
##### Replication ##### Replication
# We're going to have to # We're going to have to
@ -85,7 +85,7 @@ if freeipa_masters.empty? then
cmd += " -r " + node["domain"].upcase cmd += " -r " + node["domain"].upcase
cmd += " -n " + node["domain"] cmd += " -n " + node["domain"]
cmd += " -p " + passwords['ldap_server_admin_pwd'] cmd += " -p " + passwords['ldap_server_admin_pwd']
cmd += " -P " + passwords['kdc_database_master_key'] #cmd += " -P " + passwords['kdc_database_master_key']
cmd += " -a " + passwords['ipa_user_pwd'] cmd += " -a " + passwords['ipa_user_pwd']
cmd += " -N " cmd += " -N "
cmd += " -U " cmd += " -U "
@ -113,12 +113,42 @@ if freeipa_masters.empty? then
# end # end
# end # end
#end #end
directory "/root/.ssh" do
owner "root"
group "root"
mode "0700"
action :create
end
file "/root/.ssh/id_rsa" do
content passwords["ssh-pvt"]
owner "root"
group "root"
mode "0600"
end
file "/root/.ssh/id_rsa.pub" do
content passwords["ssh-pub"]
owner "root"
group "root"
mode "0600"
end
ruby_block "add public key to authorized_keys" do
block do
file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
file.write_file
end
end
node.normal["freeipa"]["master"] = true node.normal["freeipa"]["master"] = true
#elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then #elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) && #elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
(node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then # (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then
### Subsequent Replica Nodes ### Subsequent Replica Nodes
# check to see if slave is setup to replicat from master # check to see if slave is setup to replicat from master
@ -127,7 +157,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
execute "prepare replica from master" do execute "prepare replica from master" do
cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}" cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}"
cmd += " " + node["fqdn"]
command cmd command cmd
sensitive true
not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg" not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
#notifies :run, 'execute[rsyncing freeipa replication data]', :immediately #notifies :run, 'execute[rsyncing freeipa replication data]', :immediately
end end
@ -145,7 +177,7 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
cmd += ":/var/lib/ipa/replica-info-#{node['fqdn']}.gpg" cmd += ":/var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
cmd += " /var/lib/ipa/" cmd += " /var/lib/ipa/"
command cmd command cmd
notifies :run, 'execute[joining freeipa cluster]', :immediately #notifies :run, 'execute[joining freeipa cluster]', :immediately
end end
execute "joining freeipa cluster" do execute "joining freeipa cluster" do
@ -157,8 +189,8 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
cmd += " --unattended --mkhomedir --skip-conncheck" cmd += " --unattended --mkhomedir --skip-conncheck"
cmd += " /var/lib/ipa/replica-info-#{node['fqdn']}.gpg" cmd += " /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
command cmd command cmd
sensitive true #sensitive true
action :nothing #action :nothing
notifies :run, 'execute[copying CA private key]', :immediately notifies :run, 'execute[copying CA private key]', :immediately
end end
@ -186,6 +218,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
end end
end end
### Admin Password for LWRP
#
file '/etc/ipa/admin.password' do file '/etc/ipa/admin.password' do
content passwords['ipa_user_pwd'] content passwords['ipa_user_pwd']
owner 'root' owner 'root'
@ -194,6 +229,40 @@ file '/etc/ipa/admin.password' do
sensitive true sensitive true
end end
### SSH key for IPA server communications
#
directory "/root/.ssh" do
owner "root"
group "root"
mode "0700"
action :create
end
file "/root/.ssh/id_rsa" do
content passwords["ssh-pvt"]
owner "root"
group "root"
mode "0600"
end
file "/root/.ssh/id_rsa.pub" do
content passwords["ssh-pub"]
owner "root"
group "root"
mode "0600"
end
ruby_block "add public key to authorized_keys" do
block do
file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
file.write_file
end
end
##### services ##### services
# enable all the default services recommended by the freeipa docs # enable all the default services recommended by the freeipa docs