Merge pull request #106 from CVL-GitHub/hpcidbranch3

(1) ssl.conf boken debian 8, removed; (2) fixed ldapserver https for …

roles/easy-rsa-common/defaults/readme.txt

@@ -5,4 +5,4 @@ cityName: "Melbourne"
 organizationName: "Monash University"
 emailAddress: "default@default.org"
 organizationUnit: "defaultUnit"
-
+keySize: "512"

roles/karaage3.1.17/tasks/apacheDebian.yml

@@ -6,9 +6,7 @@
   - apache2
   - apache2-dev
  sudo: true
--
- name: "Setting default site"
- lineinfile: dest=/etc/apache2/sites-available/000-default.conf regexp="#ServerName" line="ServerName {{ ansible_nodename }}" backrefs=yes
+
 -
  name: "Setting default-ssl site"
  lineinfile: dest=/etc/apache2/sites-available/default-ssl.conf  regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes
@@ -16,6 +14,7 @@
   - { regexp : "^\\s+SSLCertificateFile", line : "		SSLCertificateFile {{ x509_cert_file }}" }
   - { regexp : "SSLCertificateKeyFile", line : "		SSLCertificateKeyFile {{ x509_key_file }}" }
   - { regexp : "SSLCACertificateFile", line : "		SSLCACertificateFile {{ x509_cacert_file }}" }
+ sudo: true
 -
  name: "Templating default-ssl site"
  template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data
@@ -24,11 +23,7 @@
  name: "Templating default site"
  template: src=default.j2 dest=/etc/apache2/sites-available/000-default.conf owner=www-data group=www-data
  sudo: true
--
- name: "Templating ssl configuration"
- template: src=ssl.conf.j2 dest=/etc/apache2/mods-available/ssl.conf owner=www-data group=www-data
- sudo: true
- notify: restart apache2
+
 -
  name: "Enable ssl module"
  apache2_module: state=present name=ssl
@@ -38,6 +33,7 @@
  name: "Enable default-ssl site"
  shell: a2ensite default-ssl
  sudo: true
+ notify: restart apache2
 
 -
  name: "Starting Apache2"

roles/karaage3.1.17/tasks/karaage.yml

@@ -133,11 +133,6 @@
     - karaage-software
     - karaage-usage
     - karaage-cluster-tools
--
- name: "Set Secret Key"
- lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = 'imkaraage'" state=present
- sudo: true
-
 -
  # TODO: Fix it
  name: "Check DB tables has been created or not"

roles/karaage3.1.17/templates/settings.py.j2

@@ -79,8 +79,8 @@ ADMINS = (
 MANAGERS = ADMINS
 
 {% if defaultProject is defined and defaultMachineCategory is defined %}
-DEFAULT_PROJECT_PID = {{ defaultProject }}
-DEFAULT_MACHINE_CATEGORY_NAME = {{ defaultMachineCategory }}
+DEFAULT_PROJECT_PID = "{{ defaultProject }}"
+DEFAULT_MACHINE_CATEGORY_NAME = "{{ defaultMachineCategory }}"
 {% endif %}
 
 # A dictionary containing the settings for all databases to be used with
@@ -168,7 +168,12 @@ LANGUAGE_CODE = 'en-au'
 
 # A secret key for a particular Django installation. This is used to provide
 # cryptographic signing, and should be set to a unique, unpredictable value.
-SECRET_KEY = ''
+{% if karaageSecretKey is defined %}
+SECRET_KEY = '{{ karaageSecretKey }}'
+{% else %}
+SECRET_KEY = 'default_ZT8VsL5CoURmUbui2hDrmEK0AwPvtR5h'
+{% endif %}
+
 
 # A data structure containing configuration information. The contents of this
 # data structure will be passed as the argument to the configuration method

roles/karaage3.1.17/templates/ssl.conf.j2

@@ -75,7 +75,7 @@ SSLCryptoDevice builtin
 
 # General setup for the virtual host, inherited from global configuration
 #DocumentRoot "/var/www/html"
-#ServerName www.example.com:443
+ServerName {{ ansible_nodename }}.{{ ansible_domain }}:443
 
 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.

roles/ldapserver/tasks/main.yml

@@ -98,6 +98,11 @@
   sudo: true
   when: ansible_os_family == 'RedHat' and ansible_distribution_major_version < '7'
 
+- name: enable ssl centos 7
+  lineinfile: regexp="^SLAPD_URLS=" state=present line="SLAPD_URLS='ldaps:/// ldapi:/// ldap:///'" dest=/etc/sysconfig/slapd
+  sudo: true
+  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
+
 - name: start ldap
   service: name=slapd state=restarted
   sudo: true

roles/mysql/tasks/mysql_server.yml

@@ -61,8 +61,18 @@
   sudo: true
   when: ansible_os_family == "RedHat"
 
+- name: "Add my.cnf security"
+  lineinfile: dest=/etc/my.cnf line="{{ item }}" insertafter="symbolic-links=0"
+  with_items:
+    - 'log_warnings = 2'
+    - 'log_error = /var/log/mysql/error.log'
+  sudo: true
+  notify: Restart MySQL
+  when: ansible_os_family == "RedHat"
+
+
 - name: "Editing my.cnf"
-  lineinfile: dest=/etc/my.cnf  line="{{ item }}"
+  lineinfile: dest=/etc/my.cnf line="{{ item }}"
   with_items:
     - '[client]'
     - 'default-character-set = utf8'

roles/mysql/templates/mysql.cnf.j2

@@ -2,6 +2,8 @@
 character_set_server=utf8
 default-storage-engine = innodb
 sql_mode = STRICT_ALL_TABLES
+log_warnings = 2
+log_error = /var/log/mysql/error.log
 
 [client]
 default-character-set = utf8

roles/shibboleth-sp/handlers/main.yml

+---
+- name: "Restarting Apache"  
+  service: name=apache2 state=restarted
+  sudo: true
+
+- name: "Restarting shibboleth"  
+  service: name=shibd state=restarted
+  sudo: true
+

roles/shibboleth-sp/tasks/shibbolethConfig.yml

@@ -2,11 +2,13 @@
 -
  name: "Copying the metadata.aaf.xml and aaf-metadata-cert.pem"
  template: src="{{ item }}.j2" dest="/etc/shibboleth/{{ item }}" mode=0644
+ sudo: true
  with_items:
   - metadata.aaf.xml
   - aaf-metadata-cert.pem
 - 
   name: "Setting shibboleth2.xml sp.example.org"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -17,6 +19,7 @@
   
 - 
   name: "Setting shibboleth2.xml handlerSSL"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -26,6 +29,7 @@
 
 - 
   name: "Setting shibboleth2.xml supportContact"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -35,6 +39,7 @@
 
 - 
   name: "Enabling MetadataProvider"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -43,6 +48,7 @@
    
 - 
   name: "Enabling MetadataProvider"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -50,6 +56,7 @@
    replace: '</MetadataProvider>'
 - 
   name: "Setting shibboleth2.xml Federation URI"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -58,6 +65,7 @@
    
 - 
   name: "Setting shibboleth2.xml backingFilePath"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -66,6 +74,7 @@
    
 - 
   name: "Setting shibboleth2.xml aaf Certificate"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -74,6 +83,7 @@
    
 - 
   name: "Setting shibboleth2.xml AAF Discovery URL"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -82,6 +92,7 @@
    
 - 
   name: "Setting shibboleth2.xml Credential Resolver"
+  sudo: true
   replace: 
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
@@ -90,20 +101,26 @@
 
 -
  name: "Templating attribute-map.xml"
+ sudo: true
  template:
  args:
    src: attribute-map.xml.j2
    dest: /etc/shibboleth/attribute-map.xml
+ notify:
+   - Restarting Apache
+   - Restarting shibboleth
 -
- name: "Restarting Apache"
+ name: "Starting Apache"
+ sudo: true
  service:
  args:
   name: apache2
-  state: restarted
+  state: started
 
 -
- name: "Restarting shibboleth"
+ name: "Starting shibboleth"
+ sudo: true
  service:
  args:
   name: shibd
-  state: restarted
+  state: started

roles/shibboleth-sp/tasks/shibbolethPrerequisites.yml

 ---
 -
  name: Install base packages - Debian
+ sudo: true
  apt: name={{ item }} state=present
  with_items:
   - shibboleth-sp2-schemas 

templates/easy-rsa/vars.j2

@@ -50,7 +50,7 @@ export PKCS11_PIN="dummy"
 # down TLS negotiation performance
 # as well as the one-time DH parms
 # generation process.
-export KEY_SIZE=512
+export KEY_SIZE={{ keySize }}
 
 # In how many days should the root CA key expire?
 export CA_EXPIRE=3650