Changed ssh generation to pre-keyed vault for streamlined setup.
This commit is contained in:
parent
718f810b8b
commit
8cca9e32aa
3 changed files with 82 additions and 13 deletions
|
@ -3,7 +3,7 @@ source "https://supermarket.chef.io"
|
||||||
metadata
|
metadata
|
||||||
|
|
||||||
cookbook 'chef-vault'
|
cookbook 'chef-vault'
|
||||||
cookbook 'ohai'
|
#cookbook 'ohai'
|
||||||
cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
|
#cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
|
||||||
cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'
|
#cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'
|
||||||
|
|
||||||
|
|
|
@ -4,10 +4,10 @@ maintainer_email 'psi-jack@linux-help.org'
|
||||||
license 'GPLv3'
|
license 'GPLv3'
|
||||||
description 'Installs/Configures freeipa'
|
description 'Installs/Configures freeipa'
|
||||||
long_description 'Installs/Configures freeipa'
|
long_description 'Installs/Configures freeipa'
|
||||||
version '0.1.6'
|
version '0.1.7'
|
||||||
issues_url 'http://git.linux-help.org/Linux-Help/freeipa/issues'
|
issues_url 'http://git.linux-help.org/Linux-Help/freeipa/issues'
|
||||||
source_url 'http://git.linux-help.org/Linux-Help/freeipa'
|
source_url 'http://git.linux-help.org/Linux-Help/freeipa'
|
||||||
|
|
||||||
depends 'ohai'
|
|
||||||
depends 'chef-vault'
|
depends 'chef-vault'
|
||||||
depends 'sshroot2rootssh'
|
#depends 'ohai'
|
||||||
|
#depends 'sshroot2rootssh'
|
||||||
|
|
|
@ -54,7 +54,7 @@ end
|
||||||
# Since they are replicants of each other, this can be justified, since the data is already compromised.
|
# Since they are replicants of each other, this can be justified, since the data is already compromised.
|
||||||
# Can selinux help mitigate this?
|
# Can selinux help mitigate this?
|
||||||
#include_recipe "ohai"
|
#include_recipe "ohai"
|
||||||
include_recipe "sshroot2rootssh"
|
#include_recipe "sshroot2rootssh"
|
||||||
|
|
||||||
##### Replication
|
##### Replication
|
||||||
# We're going to have to
|
# We're going to have to
|
||||||
|
@ -85,7 +85,7 @@ if freeipa_masters.empty? then
|
||||||
cmd += " -r " + node["domain"].upcase
|
cmd += " -r " + node["domain"].upcase
|
||||||
cmd += " -n " + node["domain"]
|
cmd += " -n " + node["domain"]
|
||||||
cmd += " -p " + passwords['ldap_server_admin_pwd']
|
cmd += " -p " + passwords['ldap_server_admin_pwd']
|
||||||
cmd += " -P " + passwords['kdc_database_master_key']
|
#cmd += " -P " + passwords['kdc_database_master_key']
|
||||||
cmd += " -a " + passwords['ipa_user_pwd']
|
cmd += " -a " + passwords['ipa_user_pwd']
|
||||||
cmd += " -N "
|
cmd += " -N "
|
||||||
cmd += " -U "
|
cmd += " -U "
|
||||||
|
@ -113,12 +113,42 @@ if freeipa_masters.empty? then
|
||||||
# end
|
# end
|
||||||
# end
|
# end
|
||||||
#end
|
#end
|
||||||
|
|
||||||
|
directory "/root/.ssh" do
|
||||||
|
owner "root"
|
||||||
|
group "root"
|
||||||
|
mode "0700"
|
||||||
|
action :create
|
||||||
|
end
|
||||||
|
|
||||||
|
file "/root/.ssh/id_rsa" do
|
||||||
|
content passwords["ssh-pvt"]
|
||||||
|
owner "root"
|
||||||
|
group "root"
|
||||||
|
mode "0600"
|
||||||
|
end
|
||||||
|
|
||||||
|
file "/root/.ssh/id_rsa.pub" do
|
||||||
|
content passwords["ssh-pub"]
|
||||||
|
owner "root"
|
||||||
|
group "root"
|
||||||
|
mode "0600"
|
||||||
|
end
|
||||||
|
|
||||||
|
ruby_block "add public key to authorized_keys" do
|
||||||
|
block do
|
||||||
|
file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
|
||||||
|
file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
|
||||||
|
file.write_file
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
node.normal["freeipa"]["master"] = true
|
node.normal["freeipa"]["master"] = true
|
||||||
|
|
||||||
#elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
|
#elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
|
||||||
elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
|
#elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
|
||||||
(node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
|
# (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
|
||||||
|
elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then
|
||||||
### Subsequent Replica Nodes
|
### Subsequent Replica Nodes
|
||||||
|
|
||||||
# check to see if slave is setup to replicat from master
|
# check to see if slave is setup to replicat from master
|
||||||
|
@ -127,7 +157,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
|
||||||
|
|
||||||
execute "prepare replica from master" do
|
execute "prepare replica from master" do
|
||||||
cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}"
|
cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}"
|
||||||
|
cmd += " " + node["fqdn"]
|
||||||
command cmd
|
command cmd
|
||||||
|
sensitive true
|
||||||
not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
|
not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0]['fqdn']} test -f /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
|
||||||
#notifies :run, 'execute[rsyncing freeipa replication data]', :immediately
|
#notifies :run, 'execute[rsyncing freeipa replication data]', :immediately
|
||||||
end
|
end
|
||||||
|
@ -145,7 +177,7 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
|
||||||
cmd += ":/var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
|
cmd += ":/var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
|
||||||
cmd += " /var/lib/ipa/"
|
cmd += " /var/lib/ipa/"
|
||||||
command cmd
|
command cmd
|
||||||
notifies :run, 'execute[joining freeipa cluster]', :immediately
|
#notifies :run, 'execute[joining freeipa cluster]', :immediately
|
||||||
end
|
end
|
||||||
|
|
||||||
execute "joining freeipa cluster" do
|
execute "joining freeipa cluster" do
|
||||||
|
@ -157,8 +189,8 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
|
||||||
cmd += " --unattended --mkhomedir --skip-conncheck"
|
cmd += " --unattended --mkhomedir --skip-conncheck"
|
||||||
cmd += " /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
|
cmd += " /var/lib/ipa/replica-info-#{node['fqdn']}.gpg"
|
||||||
command cmd
|
command cmd
|
||||||
sensitive true
|
#sensitive true
|
||||||
action :nothing
|
#action :nothing
|
||||||
notifies :run, 'execute[copying CA private key]', :immediately
|
notifies :run, 'execute[copying CA private key]', :immediately
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -186,6 +218,9 @@ elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
### Admin Password for LWRP
|
||||||
|
#
|
||||||
file '/etc/ipa/admin.password' do
|
file '/etc/ipa/admin.password' do
|
||||||
content passwords['ipa_user_pwd']
|
content passwords['ipa_user_pwd']
|
||||||
owner 'root'
|
owner 'root'
|
||||||
|
@ -194,6 +229,40 @@ file '/etc/ipa/admin.password' do
|
||||||
sensitive true
|
sensitive true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
### SSH key for IPA server communications
|
||||||
|
#
|
||||||
|
directory "/root/.ssh" do
|
||||||
|
owner "root"
|
||||||
|
group "root"
|
||||||
|
mode "0700"
|
||||||
|
action :create
|
||||||
|
end
|
||||||
|
|
||||||
|
file "/root/.ssh/id_rsa" do
|
||||||
|
content passwords["ssh-pvt"]
|
||||||
|
owner "root"
|
||||||
|
group "root"
|
||||||
|
mode "0600"
|
||||||
|
end
|
||||||
|
|
||||||
|
file "/root/.ssh/id_rsa.pub" do
|
||||||
|
content passwords["ssh-pub"]
|
||||||
|
owner "root"
|
||||||
|
group "root"
|
||||||
|
mode "0600"
|
||||||
|
end
|
||||||
|
|
||||||
|
ruby_block "add public key to authorized_keys" do
|
||||||
|
block do
|
||||||
|
file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
|
||||||
|
file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
|
||||||
|
file.write_file
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
##### services
|
##### services
|
||||||
# enable all the default services recommended by the freeipa docs
|
# enable all the default services recommended by the freeipa docs
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue