diff --git a/roles/OpenVPN-Client/vars/main.yml b/roles/OpenVPN-Client/vars/main.yml
new file mode 120000
index 0000000000000000000000000000000000000000..0d79d56d9fbcc141687a5879eb653e3e8a6db563
--- /dev/null
+++ b/roles/OpenVPN-Client/vars/main.yml
@@ -0,0 +1 @@
+readme.txt
\ No newline at end of file
diff --git a/roles/OpenVPN-Server/vars/main.yml b/roles/OpenVPN-Server/vars/main.yml
new file mode 120000
index 0000000000000000000000000000000000000000..0d79d56d9fbcc141687a5879eb653e3e8a6db563
--- /dev/null
+++ b/roles/OpenVPN-Server/vars/main.yml
@@ -0,0 +1 @@
+readme.txt
\ No newline at end of file
diff --git a/roles/easy-rsa-certificate/vars/main.yml b/roles/easy-rsa-certificate/vars/main.yml
new file mode 120000
index 0000000000000000000000000000000000000000..0d79d56d9fbcc141687a5879eb653e3e8a6db563
--- /dev/null
+++ b/roles/easy-rsa-certificate/vars/main.yml
@@ -0,0 +1 @@
+readme.txt
\ No newline at end of file
diff --git a/roles/easy-rsa-certificate/vars/meta/main.yml b/roles/easy-rsa-certificate/vars/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fb87b0894c8bb8124740abb184a4c19f142d922b
--- /dev/null
+++ b/roles/easy-rsa-certificate/vars/meta/main.yml
@@ -0,0 +1,5 @@
+---
+allow_duplicates: yes
+dependencies:
+  - {role: easy-rsa-common }
+
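Review bot: This file is added at `roles/easy-rsa-certificate/vars/meta/main.yml`, and the tasks, templates and vars of this role and of `ldapserver` are likewise added under `vars/`. Ansible reads role metadata from `ROLE/meta/main.yml` and tasks from `ROLE/tasks/main.yml`, so unless `vars/` is resolved as the role root by something not visible in this diff, the `easy-rsa-common` dependency and the tasks added below would presumably not be loaded. If the nesting is accidental, move these directories up one level. `allow_duplicates: yes` also relies on YAML 1.1 truthy parsing; `allow_duplicates: true` is the unambiguous form.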
diff --git a/roles/easy-rsa-certificate/vars/tasks/buildCert.yml b/roles/easy-rsa-certificate/vars/tasks/buildCert.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d71c98a30aefe14bb7fff65f12462da9462c5e3d
--- /dev/null
+++ b/roles/easy-rsa-certificate/vars/tasks/buildCert.yml
@@ -0,0 +1,113 @@
+--- 
+- name: "Check client ca certificate"
+  register: ca_cert
+  stat: "path={{ x509_cacert_file }}"
+
+- name: "Check certificate and key"
+  shell: (openssl x509 -noout -modulus -in {{ x509_cert_file }}  | openssl md5 ; openssl rsa -noout -modulus -in {{ x509_key_file }} | openssl md5) | uniq | wc -l
+  register: certcheck
+  sudo: true
+
+- name: "Check certificate"
+  register: cert
+  stat: "path={{ x509_cert_file }}"
+  sudo: true
+
+- name: "Check key"
+  register: key
+  stat: "path={{ x509_key_file }}"
+  sudo: true
+
+- name: "Default: we don't need a new certificate"
+  set_fact: needcert=False
+
+- name: "Set need cert if key is missing"
+  set_fact: needcert=True
+  when: key.stat.exists == false
+
+- name: "set needcert if cert is missing or of zero size"
+  set_fact: needcert=True
+  when: cert.stat.exists == false or cert.stat.size == 0
+
+- name: "Delete Zero Sized Ceritificates"
+  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
+  delegate_to: "{{ x509_ca_server }}"
+  shell: rm -rf /etc/easy-rsa/2.0/keys/{{ x509_common_name }}.*
+  when: cert is defined and cert.stat.size == 0
+  sudo: true
+
+- name: "set needcert if cert doesn't match key"
+  set_fact: needcert=True
+  when: certcheck.stdout == '2'
+
+
+- name: "Creating Keypair"
+  shell: "echo noop when using easy-rsa"
+  when: needcert
+
+- name: "Creating CSR"
+  shell: " cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ x509_csr_args }} {{ x509_common_name }}"
+  when: needcert
+  sudo: true
+
+- name: "Create node tmp directory"
+  delegate_to: 127.0.0.1
+  shell: "mkdir -p /tmp/{{ inventory_hostname }} ; chmod 755 /tmp/{{ inventory_hostname }}"
+  when: x509_ca_server != inventory_hostname
+
+- name: "Copy CSR to ansible host"
+  fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr dest=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.csr fail_on_missing=yes validate_md5=yes flat=yes"
+  sudo: true
+  when: needcert and x509_ca_server != inventory_hostname
+
+- name: "Copy CSR to CA"
+  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
+  delegate_to: "{{ x509_ca_server }}"
+  copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.csr dest=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr force=yes"
+  when: needcert and x509_ca_server != inventory_hostname
+  sudo: true
+
+- name: "Sign Certificate"
+  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
+  delegate_to: "{{ x509_ca_server }}"
+  shell:    "cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\" ;\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} {{ x509_common_name }}"
+  when: needcert
+  sudo: true
+
+- name: "Copy the Certificate to ansible host"
+  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
+  delegate_to: "{{ x509_ca_server }}"
+  fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt dest=/tmp/{{ inventory_hostname }}/{{ x509_common_name }}.crt fail_on_missing=yes validate_md5=yes flat=yes"
+  sudo: true
+  when: needcert and x509_ca_server != inventory_hostname
+
+- name: "Copy the CA Certificate to the ansible host"
+  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
+  delegate_to: "{{ x509_ca_server }}"
+  fetch: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/tmp/{{ inventory_hostname }}/ca.crt fail_on_missing=yes validate_md5=yes flat=yes"
+  sudo: true
+  when: ca_cert.stat.exists == false and x509_ca_server != inventory_hostname
+
+- name: "Make sure the path to the certificate exists"
+  shell: "mkdir -p `dirname {{ x509_cert_file }}` ; chmod 755  `dirname {{ x509_cert_file }}`"
+  sudo: true 
+
+- name: "Copy the certificate to the node"
+  copy: "src=/tmp/{{ inventory_hostname }}/{{ x509_common_name }}.crt dest=/tmp/{{ x509_common_name }}.crt force=yes"
+  sudo: true
+  when: needcert and x509_ca_server != inventory_hostname
+
+- name: "Copy the certificate to the right location"
+  shell: "cp -f /tmp/{{ x509_common_name }}.crt {{ x509_cert_file }}"
+  sudo: true
+  when: needcert and x509_ca_server != inventory_hostname
+
+- name: "Copy the CA certificate to the node"
+  copy: "src=/tmp/{{ inventory_hostname }}/ca.crt dest={{ x509_cacert_file }}"
+  sudo: true
+  when: ca_cert.stat.exists == false and x509_ca_server != inventory_hostname
+
+- name: "Copy the key to the correct location"
+  shell: "mkdir -p `dirname {{ x509_key_file }}` ; chmod 700 `dirname {{ x509_key_file }}` ; cp /etc/easy-rsa/2.0/keys/{{ x509_common_name }}.key {{ x509_key_file }}"
+  sudo: true
+  when: needcert and x509_ca_server != inventory_hostname
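Review bot: `x509_common_name` defaults to `{{ ansible_fqdn }}`, a fact reported by the managed node, and it is interpolated unquoted into root shell commands delegated to the CA host (the `rm -rf /etc/easy-rsa/2.0/keys/{{ x509_common_name }}.*` task and the `pkitool --sign` task), so a value containing whitespace or shell metacharacters would be interpreted by the CA's shell. Pass it through the `quote` filter in every `shell:` line, e.g. `pkitool --sign {{ x509_sign_args }} {{ x509_common_name | quote }}`, and reject names that are not plain hostnames before any of these tasks run. The delete task's guard `cert is defined and cert.stat.size == 0` does not cover a missing file, because `cert` is always defined after `register` and `stat` reports no `size` for a path that does not exist; `cert.stat.exists and cert.stat.size == 0` appears to be the intended condition. The final task copies the private key with `cp` and sets a mode only on the parent directory; adding `chmod 600 {{ x509_key_file }}` would protect the key file itself.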
diff --git a/roles/easy-rsa-certificate/vars/tasks/main.yml b/roles/easy-rsa-certificate/vars/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..475415cc2e1cf8b2d9b7303f530544caf699011e
--- /dev/null
+++ b/roles/easy-rsa-certificate/vars/tasks/main.yml
@@ -0,0 +1,3 @@
+--- 
+- 
+  include: buildCert.yml
diff --git a/roles/easy-rsa-certificate/vars/vars/main.yml b/roles/easy-rsa-certificate/vars/vars/main.yml
new file mode 120000
index 0000000000000000000000000000000000000000..0d79d56d9fbcc141687a5879eb653e3e8a6db563
--- /dev/null
+++ b/roles/easy-rsa-certificate/vars/vars/main.yml
@@ -0,0 +1 @@
+readme.txt
\ No newline at end of file
diff --git a/roles/easy-rsa-certificate/vars/vars/readme.txt b/roles/easy-rsa-certificate/vars/vars/readme.txt
new file mode 100644
index 0000000000000000000000000000000000000000..b59020414c56eab836ff7d61f866758d9593d551
--- /dev/null
+++ b/roles/easy-rsa-certificate/vars/vars/readme.txt
@@ -0,0 +1,7 @@
+---
+x509_key_file: "/etc/ssl/private/server.key"
+x509_cert_file: "/etc/ssl/certs/server.crt"
+x509_cacert_file: "/etc/ssl/certs/ca.crt"
+x509_csr_args: ""
+x509_sign_args: "{{ x509_csr_args }}"
+x509_common_name: "{{ ansible_fqdn }}"
diff --git a/roles/easy-rsa-common/defaults/main.yml b/roles/easy-rsa-common/defaults/main.yml
new file mode 120000
index 0000000000000000000000000000000000000000..0d79d56d9fbcc141687a5879eb653e3e8a6db563
--- /dev/null
+++ b/roles/easy-rsa-common/defaults/main.yml
@@ -0,0 +1 @@
+readme.txt
\ No newline at end of file
diff --git a/roles/easy-rsa-common/tasks/yumList.yml b/roles/easy-rsa-common/tasks/yumList.yml
index fe7e95dea0716407b5be2c55f82cc9aa6b1bfe01..54c5f91fdab151a0225978849c04d43fd3a8da95 100644
--- a/roles/easy-rsa-common/tasks/yumList.yml
+++ b/roles/easy-rsa-common/tasks/yumList.yml
@@ -3,10 +3,14 @@
   name: "Install these yum packages"
   with_items:
     - gcc
-    - rsync
     - make
     - tcsh
     - bind-utils
-    - openssl-devel
-    - nfs-utils
   yum: "name={{ item }} state=present"
+-
+  name: "Setting hostname"
+  shell: sysctl kernel.hostname={{ inventory_hostname }} 
+
+-
+  name: "Restarting Network"
+  service: name=network state=restarted
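Review bot: The two added tasks run unconditionally on every play. `sysctl kernel.hostname=...` changes only the running kernel's hostname (nothing in this hunk writes it to a file, so it presumably does not survive a reboot), and the `network` service is restarted whether or not anything changed. Consider `hostname: name={{ inventory_hostname }}`, which reports `changed` only when the name differs, and move the restart into a handler notified by that task. Neither task sets `sudo: true`, unlike the tasks added elsewhere in this commit, so they depend on the play already running as root. The first task in the file begins above the hunk.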
diff --git a/roles/ldapserver/vars/meta/main.yml b/roles/ldapserver/vars/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..46f5a2316b48320534f9e99db594e1bb61d34744
--- /dev/null
+++ b/roles/ldapserver/vars/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: easy-rsa-certificate, x509_csr_args: "--server" }
diff --git a/roles/ldapserver/vars/tasks/karaageSpecific.yml b/roles/ldapserver/vars/tasks/karaageSpecific.yml
new file mode 100644
index 0000000000000000000000000000000000000000..63ca884ac745224685d016f63ed60f686f198bc5
--- /dev/null
+++ b/roles/ldapserver/vars/tasks/karaageSpecific.yml
@@ -0,0 +1,14 @@
+---
+-
+  name: Adding default ppolicy schema
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif
+-
+  name: templating tls settings
+  template: src=tls_settings.ldif.j2 dest=/tmp/tls_settings.ldif mode=600
+-
+  name: initialise server ssl
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// < /tmp/tls_settings.ldif
+  sudo: true
+-
+  name: templating ldap.conf
+  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=600
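Review bot: The last task installs `/etc/ldap/ldap.conf` with `mode=600`, but the template it renders (`ldap.conf.j2` in this commit) says the file "should be world readable but not world writable" and holds only the URI and the CA path. With 600 only the owner can read the client configuration, so `mode=644` looks like the intended value. The first task runs `ldapadd -Y EXTERNAL` without `sudo: true`, while the later `ldapmodify -Y EXTERNAL` has it, and it has no guard, so a second run will presumably fail once the ppolicy schema is loaded. `/tmp/tls_settings.ldif` is left behind after use; a closing `file: path=/tmp/tls_settings.ldif state=absent` would remove it.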
diff --git a/roles/ldapserver/vars/tasks/main.yml b/roles/ldapserver/vars/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a5ec4d6992069cba7b5dcc69e2d51c57829d9e29
--- /dev/null
+++ b/roles/ldapserver/vars/tasks/main.yml
@@ -0,0 +1,157 @@
+---
+
+- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
+
+- name: install system packages apt
+  apt: name={{ item }} state=installed update_cache=true
+  sudo: true
+  with_items: system_packages
+  when: ansible_os_family == 'Debian'
+
+- name: install system packages yum
+  yum: name={{ item }} state=installed
+  sudo: true
+  with_items: system_packages
+  when: ansible_os_family == 'RedHat'
+
+- name: hash password
+  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
+  register: ldapManagerHash
+
+- name: hash binddn password
+  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }}
+  register: ldapBindDNHash
+
+- name: template ssl.ldif
+  template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
+
+- name: template manager.ldif
+  template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
+  sudo: true
+
+- name: template binddn.ldif
+  template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
+  sudo: true
+
+- name: template root.ldif
+  template: src=root_ldif.j2 dest=/tmp/root.ldif
+
+- name: template accounts.ldif
+  template: src=accounts_ldif.j2 dest=/tmp/accounts.ldif
+
+- name: template groups.ldif
+  template: src=groups_ldif.j2 dest=/tmp/groups.ldif
+
+- name: template acls.ldif
+  template: src=acls_ldif.j2 dest=/tmp/acls.ldif
+
+- name: template ppolicy_moduleload.ldif
+  template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+
+- name: template ppolicy_overlay.ldif
+  template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
+
+- name: template pwpolices.ldif
+  template: src=pwpolicies_ldif.j2 dest=/tmp/pwpolicies.ldif
+
+- name: template default_ppolicy.ldif
+  template: src=default_ppolicy_ldif.j2 dest=/tmp/default_ppolicy.ldif
+
+
+- name: copy cert
+  command: cp /etc/ssl/certs/server.crt /etc/openldap/certs/ldapcert.pem
+  sudo: true
+
+- name: copy cacert
+  command: cp /etc/ssl/certs/ca.crt /etc/openldap/certs/cacert.pem
+  sudo: true
+
+- name: copy key
+  command: cp /etc/ssl/private/server.key /etc/openldap/certs/ldapkey.pem
+  sudo: true
+
+- name: chmod key
+  file: path=/etc/openldap/certs/ldapkey.pem owner={{ ldapuser }} group={{ ldapgroup }} mode=600
+  sudo: true
+
+- name: enable ssl centos
+  lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap
+  sudo: true
+  when: ansible_os_family == 'RedHat'
+
+- name: start ldap
+  service: name=slapd state=restarted
+  sudo: true
+
+- name: check TLS config
+  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem'"
+  ignore_errors: true
+  sudo: true
+  register: tlsConfigured
+
+- name: check Manager config
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
+  ignore_errors: true
+  sudo: true
+  register: managerConfigured
+
+# slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
+- name: check ACL config
+  shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
+  ignore_errors: true
+  sudo: true
+  register: aclConfigured
+
+
+- name: check DIT config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  ignore_errors: true
+  register: ditConfigured
+
+- name: check Accounts config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: accountsConfigured
+
+- name: check Groups config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: groupsConfigured
+
+- name: check binddn config
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
+  ignore_errors: true
+  register: binddnConfigured
+
+
+- name: initialise server ssl
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
+  sudo: true
+  when: tlsConfigured|failed
+
+- name: initialise server manager
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  sudo: true
+  when: managerConfigured|failed
+
+- name: initialise server acls
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  sudo: true
+  when: aclConfigured|failed
+
+- name: add DIT root
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+  when: ditConfigured|failed
+
+- name: add Accounts OU
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+  when: accountsConfigured|failed
+
+- name: add Groups OU
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+  when: groupsConfigured|failed
+
+- name: add binddn
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
+  sudo: true
+  when: binddnConfigured|failed
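Review bot: `ldapManagerPassword` and `ldapBindDNPassword` are placed on command lines in the two `slappasswd -s` tasks and in every `ldapsearch -w` / `ldapadd -w` task, so the cleartext passwords are visible in the server's process list while the command runs and in Ansible's task output and logs. Add `no_log: true` to these tasks and read the secret from a root-only file instead, with `slappasswd -T PASSWORD_FILE` and `ldapsearch -y PASSWORD_FILE` (the path is a placeholder), removing that file afterwards. The `copy key` task uses `cp` and only the following task restricts owner and mode, so the key briefly exists with whatever mode `cp` gives it; a single `install -m 600 -o {{ ldapuser }} -g {{ ldapgroup }} /etc/ssl/private/server.key /etc/openldap/certs/ldapkey.pem` closes that gap. The rendered `/tmp/manager.ldif` and `/tmp/binddn.ldif` contain password hashes and are never removed.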
diff --git a/roles/ldapserver/vars/templates/accounts_ldif.j2 b/roles/ldapserver/vars/templates/accounts_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e057dd1b491e270f831b3d4b79e803ae4c3560a7
--- /dev/null
+++ b/roles/ldapserver/vars/templates/accounts_ldif.j2
@@ -0,0 +1,2 @@
+dn: {{ ldapUserBase }}
+objectClass: organizationalUnit
diff --git a/roles/ldapserver/vars/templates/acls_ldif.j2 b/roles/ldapserver/vars/templates/acls_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c9df71971300ed28b1a06cff14f346c36dca8524
--- /dev/null
+++ b/roles/ldapserver/vars/templates/acls_ldif.j2
@@ -0,0 +1,6 @@
+dn: olcDatabase={2}bdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
+olcAccess: {2}to * by users read by anonymous auth
diff --git a/roles/ldapserver/vars/templates/binddn_ldif.j2 b/roles/ldapserver/vars/templates/binddn_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..3f2e31b68f556fb535f3ca06cb189d45f48077d3
--- /dev/null
+++ b/roles/ldapserver/vars/templates/binddn_ldif.j2
@@ -0,0 +1,5 @@
+dn: {{ ldapBindDN }}
+objectClass: inetOrgPerson
+cn: binddn
+sn: binddn
+userPassword: {{ ldapBindDNHash.stdout }}
diff --git a/roles/ldapserver/vars/templates/default_ppolicy_ldif.j2 b/roles/ldapserver/vars/templates/default_ppolicy_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cc638a27e219461a3b033eee4701d53ca594bff3
--- /dev/null
+++ b/roles/ldapserver/vars/templates/default_ppolicy_ldif.j2
@@ -0,0 +1,19 @@
+dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+cn: default
+objectClass: pwdPolicy
+objectClass: top
+objectClass: device
+pwdAllowUserChange: TRUE
+pwdAttribute: 2.5.4.35
+pwdExpireWarning: 604800
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 0
+pwdInHistory: 10
+pwdLockout: TRUE
+pwdLockoutDuration: 3600
+pwdMaxAge: 7776000
+pwdMaxFailure: 5
+pwdMinAge: 3600
+pwdMinLength: 12
+pwdMustChange: FALSE
+pwdSafeModify: FALSE
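Review bot: `pwdFailureCountInterval: 30` purges recorded bind failures after 30 seconds, so `pwdMaxFailure: 5` with `pwdLockout: TRUE` only locks an account when five failures fall within the same half minute. A longer interval, or `pwdFailureCountInterval: 0` so that the counter is cleared only by a successful bind, would make the lockout behave as the other values suggest is intended. `pwdAttribute: 2.5.4.35` here and `pwdAttribute: userPassword` in `ppolicy_accountsAndGroups.ldif.j2` name the same attribute in two forms; using one form throughout would be easier to read.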
diff --git a/roles/ldapserver/vars/templates/groups_ldif.j2 b/roles/ldapserver/vars/templates/groups_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..70386e0f9290e627b128dc7b92834d114bf714c1
--- /dev/null
+++ b/roles/ldapserver/vars/templates/groups_ldif.j2
@@ -0,0 +1,2 @@
+dn: {{ ldapGroupBase }}
+objectClass: organizationalUnit
diff --git a/roles/ldapserver/vars/templates/ldap.conf.j2 b/roles/ldapserver/vars/templates/ldap.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a6c19aac7e1de7c9885a021b821d72ef785f96dc
--- /dev/null
+++ b/roles/ldapserver/vars/templates/ldap.conf.j2
@@ -0,0 +1,16 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+URI {{ ldapURI }}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	{{ x509_cacert_file }}
diff --git a/roles/ldapserver/vars/templates/manager_ldif.j2 b/roles/ldapserver/vars/templates/manager_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5cdf02169cbc2dc0e6cffc01122349fbc1cac325
--- /dev/null
+++ b/roles/ldapserver/vars/templates/manager_ldif.j2
@@ -0,0 +1,10 @@
+dn: olcDatabase={2}bdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: {{ ldapDomain }}
+-
+replace: olcRootDN
+olcRootDN: {{ ldapManager }}
+-
+add: olcRootPW
+olcRootPW: {{ ldapManagerHash.stdout }}
diff --git a/roles/ldapserver/vars/templates/ppolicy_accountsAndGroups.ldif.j2 b/roles/ldapserver/vars/templates/ppolicy_accountsAndGroups.ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..1adb4c4fbf581bf2badcefdf8ee2841da5075987
--- /dev/null
+++ b/roles/ldapserver/vars/templates/ppolicy_accountsAndGroups.ldif.j2
@@ -0,0 +1,14 @@
+dn: ou=policies,dc=example,dc=org
+objectClass: organizationalUnit
+
+dn: ou=Accounts,dc=example,dc=org
+objectClass: organizationalUnit
+
+dn: ou=Groups,dc=example,dc=org
+objectClass: organizationalUnit
+
+dn: cn=default,ou=policies,dc=example,dc=org
+objectClass: top
+objectClass: device
+objectClass: pwdPolicy
+pwdAttribute: userPassword
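Review bot: This template contains no Jinja variables and hard-codes `dc=example,dc=org` and `ou=policies`, whereas the other templates in this commit use `{{ ldapDomain }}` and `ou=pwpolicies`; no task visible in this commit renders it. If it is meant to be used, replace the suffix with `{{ ldapDomain }}` and align the OU name with the `olcPPolicyDefault` value in `ppolicy_overlay_ldif.j2`. Otherwise drop it, so that a stale example tree is not loaded by mistake.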
diff --git a/roles/ldapserver/vars/templates/ppolicy_moduleload_ldif.j2 b/roles/ldapserver/vars/templates/ppolicy_moduleload_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..084cc60366dc216b2c24ae1a3d5ef29cdf5e4957
--- /dev/null
+++ b/roles/ldapserver/vars/templates/ppolicy_moduleload_ldif.j2
@@ -0,0 +1,5 @@
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: /usr/lib64/openldap/
+olcModuleLoad: ppolicy.la
diff --git a/roles/ldapserver/vars/templates/ppolicy_overlay_ldif.j2 b/roles/ldapserver/vars/templates/ppolicy_overlay_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..942c69c71ac8ab1c0a52e0079a25054e04a69f38
--- /dev/null
+++ b/roles/ldapserver/vars/templates/ppolicy_overlay_ldif.j2
@@ -0,0 +1,7 @@
+dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
+olcOverlay: ppolicy
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: FALSE
+olcPPolicyDefault: cn=default,ou=pwpolicies,{{ ldapDomain }}
diff --git a/roles/ldapserver/vars/templates/pwpolicies_ldif.j2 b/roles/ldapserver/vars/templates/pwpolicies_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..1f0b93cd844eea2f418ab6b20a3704c7dbf2e386
--- /dev/null
+++ b/roles/ldapserver/vars/templates/pwpolicies_ldif.j2
@@ -0,0 +1,4 @@
+dn: ou=pwpolicies,{{ ldapDomain }}
+objectClass: organizationalUnit
+objectClass: top
+ou: pwpolicies
diff --git a/roles/ldapserver/vars/templates/root_ldif.j2 b/roles/ldapserver/vars/templates/root_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c3a43f303bc6f61eff0ecad531fbe96b0fa80e4a
--- /dev/null
+++ b/roles/ldapserver/vars/templates/root_ldif.j2
@@ -0,0 +1,5 @@
+dn: {{ ldapDomain }}
+objectClass: dcObject
+objectClass: organization
+o: {{ ansible_domain }}
+description: root
diff --git a/roles/ldapserver/vars/templates/ssl_ldif.j2 b/roles/ldapserver/vars/templates/ssl_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..9d7d804385cc6b167bc9c9ca24b7c6fb41ebc7f4
--- /dev/null
+++ b/roles/ldapserver/vars/templates/ssl_ldif.j2
@@ -0,0 +1,9 @@
+dn: cn=config
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem
diff --git a/roles/ldapserver/vars/templates/tls_settings.ldif.j2 b/roles/ldapserver/vars/templates/tls_settings.ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5a73e7793912133dfc13cdf16661fa115c68d36c
--- /dev/null
+++ b/roles/ldapserver/vars/templates/tls_settings.ldif.j2
@@ -0,0 +1,4 @@
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcSecurity
+olcSecurity: tls=1
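Review bot: `olcSecurity: tls=1` is applied to `olcDatabase={1}hdb`, while `manager_ldif.j2`, `acls_ldif.j2` and `ppolicy_overlay_ldif.j2` in this commit all configure `olcDatabase={2}bdb`, so on a host where the directory lives in `{2}bdb` this requirement would presumably not cover it. `tls=1` also accepts any TLS strength factor; a value such as `tls=128` states an actual minimum. The `ldapsearch` and `ldapadd` tasks in `tasks/main.yml` bind over `ldap://localhost` with `-x` and no StartTLS, so they would be refused by a database that enforces this setting and need `-ZZ` or an `ldaps://` / `ldapi:///` URI once it is in force.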
diff --git a/roles/ldapserver/vars/vars/CentOS_6.5_x86_64.yml b/roles/ldapserver/vars/vars/CentOS_6.5_x86_64.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f7898718dcef361447091f6a9b474a6505bd3343
--- /dev/null
+++ b/roles/ldapserver/vars/vars/CentOS_6.5_x86_64.yml
@@ -0,0 +1,5 @@
+---
+ system_packages:
+  - openldap-servers
+  - openldap-clients
+  - openssl
diff --git a/roles/ldapserver/vars/vars/CentOS_6.6_x86_64.yml b/roles/ldapserver/vars/vars/CentOS_6.6_x86_64.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f7898718dcef361447091f6a9b474a6505bd3343
--- /dev/null
+++ b/roles/ldapserver/vars/vars/CentOS_6.6_x86_64.yml
@@ -0,0 +1,5 @@
+---
+ system_packages:
+  - openldap-servers
+  - openldap-clients
+  - openssl
diff --git a/roles/ldapserver/vars/vars/main.yml b/roles/ldapserver/vars/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b62f382c04ae4705ff66027ca48862d011d757c1
--- /dev/null
+++ b/roles/ldapserver/vars/vars/main.yml
@@ -0,0 +1,7 @@
+---
+  ldapuser:  ldap
+  ldapgroup: ldap
+  system_packages:
+    - openldap-servers
+    - openldap-clients
+    - openssl
diff --git a/roles/nfs-client/vars/main.yml b/roles/nfs-client/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6d2463864499fabc55babf845364212e3a93988e
--- /dev/null
+++ b/roles/nfs-client/vars/main.yml
@@ -0,0 +1,5 @@
+---
+# This is a list of exports, individual entry for each mount.
+exportList:
+ - { name : '/mnt/test-nfs', src : '/mnt',fstype : 'nfs', opts : 'vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock' , interface : 'tun0', srvopts: 'rw,sync,root_squash' }
+ - { name : '/mnt/test-volume', src : '/mnt/vdc',fstype : 'nfs', opts : 'vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock' , interface : 'tun0', srvopts: 'rw,sync,root_squash' }
diff --git a/roles/nfs-server/defaults/main.yml b/roles/nfs-server/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f451f21cb4da0e1d012e0ebb709946b186679d45
--- /dev/null
+++ b/roles/nfs-server/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+mkFileSystems:
+ - { fstype : 'ext4', dev : '/dev/vdc', opts: '' }
+mntFileSystems:
+ - { name: '/mnt/vdc', src: '/dev/vdc', mntopts: 'loop', fstype : 'ext4'} 
+configDiskDevice: true 
diff --git a/roles/nfs-server/defaults/readme.txt b/roles/nfs-server/defaults/readme.txt
new file mode 100644
index 0000000000000000000000000000000000000000..9561db2c7df216e32f77a1f63f4f2f17d261dc28
--- /dev/null
+++ b/roles/nfs-server/defaults/readme.txt
@@ -0,0 +1,4 @@
+---
+mkFileSystems:
+ - { fstype : 'ext4', dev : '/dev/vdc', opts: '' } 
+configDiskDevice: true 
diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml
index 3e60a572484f4ba692e7884469d80acc1315f1de..29b98a51f78f9679387544cdcec27a1711a2383d 100644
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@@ -1,4 +1,3 @@
 ---
 - include: mkFilesystem.yml 
-- include: fileSymbolicLink.yml
 - include: startServer.yml
diff --git a/roles/nfs-server/tasks/mkFilesystem.yml b/roles/nfs-server/tasks/mkFilesystem.yml
index ae917f2316d93db93782ab4ade20a71144db9dc2..5b924729bdb62401696bf776bd4fc9e853447d93 100644
--- a/roles/nfs-server/tasks/mkFilesystem.yml
+++ b/roles/nfs-server/tasks/mkFilesystem.yml
@@ -6,8 +6,8 @@
   when: configDiskDevice
 
 - name: Mount device 
-  mount: name={{ item.name }} src={{ item.dev }} fstype={{ item.fstype }} opts={{ item.mntopts }} state=mounted
-  with_items: mkFileSystems
+  mount: name={{ item.name }} src={{ item.src }} fstype={{ item.fstype }} opts={{ item.mntopts }} state=mounted
+  with_items: mntFileSystems
   sudo: true
   when: configDiskDevice
 
diff --git a/roles/syncExports/tasks/addExports.yml b/roles/syncExports/tasks/addExports.yml
index d3723e786ef615eb1224bfb4ce0b435ed74fdc1f..24a1bada01269026bdf87db4973c8b4b72922ee8 100644
--- a/roles/syncExports/tasks/addExports.yml
+++ b/roles/syncExports/tasks/addExports.yml
@@ -5,3 +5,8 @@
   run_once: true
   sudo: true
   notify: "Reload exports"
+- name: "Restart the NFS server"
+  service: "name=nfs state=restarted"
+  delegate_to: "{{ nfs_server }}"
+  run_once: true
+  sudo: true
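Review bot: The added task restarts `nfs` on `{{ nfs_server }}` on every run, directly after a task that already notifies the `Reload exports` handler, so clients see a full server restart even when the exports did not change. If a restart is really needed after an export change, define it as a handler and add it to the preceding task's `notify:`; otherwise the reload handler alone should be enough. The preceding task begins above the hunk, so its module and arguments are not visible here.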
diff --git a/roles/syncExports/vars/main.yml b/roles/syncExports/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9394537ddd47683d7a380d424b95175d6982ba5c
--- /dev/null
+++ b/roles/syncExports/vars/main.yml
@@ -0,0 +1,3 @@
+---
+groupList:
+  - { name : 'computeNodes', interface : 'tun0' }
diff --git a/vars/karaageVars.yml b/vars/karaageVars.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cdb16e0e0490e795783842d13651f77fdc28963f
--- /dev/null
+++ b/vars/karaageVars.yml
@@ -0,0 +1,27 @@
+---
+countryName: "AU"
+reginalName: "Victoria"
+cityName: "Melbourne"
+organizationName: "Monash University"
+emailAddress: "shahaan@gmail.com"
+organizationUnit: "defaultUnit"
+ldapDomain: "dc=monash,dc=edu,dc=au"
+ldapManager: "cn=admin,dc=monash,dc=edu,dc=au"
+ldapBindDN: "cn=ldapuser,ou=users,dc=monash,dc=edu,dc=au"
+ldapUserBase: "ou=users,dc=monash,dc=edu,dc=au"
+ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
+ldapBase: "dc=monash,dc=edu,dc=au"
+ldapURI: "{% for host in groups['ldap-server'] %}ldaps://{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+smtp_smarthost: "{{ ansible_hostname }}"
+x509_ca_server: "vm-118-138-240-183.erc.monash.edu.au"
+ldapManagerPassword: "imldap"
+ldapBindDNPassword: "imbinddn"
+domain: "erc.monash.edu.au"
+karaage_sql_password: "imkaraage"
+mysql_root_password: "immysql"
+x509_key_file: "/etc/ssl/private/server.key"
+x509_cert_file: "/etc/ssl/certs/server.crt"
+x509_cacert_file: "/etc/ssl/certs/ca.crt"
+x509_csr_args: ""
+x509_sign_args: "{{ x509_csr_args }}"
+x509_common_name: "{{ ansible_fqdn }}"
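Review bot: `ldapManagerPassword`, `ldapBindDNPassword`, `karaage_sql_password` and `mysql_root_password` are committed here as cleartext values, so anyone with read access to the repository or its history has the LDAP manager and MySQL root credentials. Keep them in a file encrypted with `ansible-vault` (or supply them at run time) and leave only non-secret settings in this file. Because the values are now in history, treat them as exposed and change them on any host that used them. `x509_ca_server` and `emailAddress` pin one deployment's host and a personal address into shared vars, and `reginalName` looks like a misspelling of `regionalName` that every consumer will have to repeat.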