From ffd25caef09cc7a7d7b79c0ea2a9834e48d2e995 Mon Sep 17 00:00:00 2001 
From: shahaan <shahaan@gmail.com> Date: Thu, 18 Jun 2015 14:35:45 +1000 Subject: [PATCH] Karaage 3.1.17 related changes --- roles/OpenVPN-Client/vars/main.yml | 1 + roles/OpenVPN-Server/vars/main.yml | 1 + roles/easy-rsa-certificate/vars/main.yml | 1 + roles/easy-rsa-certificate/vars/meta/main.yml | 5 + .../vars/tasks/buildCert.yml | 113 +++++++++++++ .../easy-rsa-certificate/vars/tasks/main.yml | 3 + roles/easy-rsa-certificate/vars/vars/main.yml | 1 + .../easy-rsa-certificate/vars/vars/readme.txt | 7 + roles/easy-rsa-common/defaults/main.yml | 1 + roles/easy-rsa-common/tasks/yumList.yml | 10 +- roles/ldapserver/vars/meta/main.yml | 3 + .../ldapserver/vars/tasks/karaageSpecific.yml | 14 ++ roles/ldapserver/vars/tasks/main.yml | 157 ++++++++++++++++++ .../vars/templates/accounts_ldif.j2 | 2 + roles/ldapserver/vars/templates/acls_ldif.j2 | 6 + .../ldapserver/vars/templates/binddn_ldif.j2 | 5 + .../vars/templates/default_ppolicy_ldif.j2 | 19 +++ .../ldapserver/vars/templates/groups_ldif.j2 | 2 + roles/ldapserver/vars/templates/ldap.conf.j2 | 16 ++ .../ldapserver/vars/templates/manager_ldif.j2 | 10 ++ .../ppolicy_accountsAndGroups.ldif.j2 | 14 ++ .../vars/templates/ppolicy_moduleload_ldif.j2 | 5 + .../vars/templates/ppolicy_overlay_ldif.j2 | 7 + .../vars/templates/pwpolicies_ldif.j2 | 4 + roles/ldapserver/vars/templates/root_ldif.j2 | 5 + roles/ldapserver/vars/templates/ssl_ldif.j2 | 9 + .../vars/templates/tls_settings.ldif.j2 | 4 + .../vars/vars/CentOS_6.5_x86_64.yml | 5 + .../vars/vars/CentOS_6.6_x86_64.yml | 5 + roles/ldapserver/vars/vars/main.yml | 7 + roles/nfs-client/vars/main.yml | 5 + roles/nfs-server/defaults/main.yml | 6 + roles/nfs-server/defaults/readme.txt | 4 + roles/nfs-server/tasks/main.yml | 1 - roles/nfs-server/tasks/mkFilesystem.yml | 4 +- roles/syncExports/tasks/addExports.yml | 5 + roles/syncExports/vars/main.yml | 3 + vars/karaageVars.yml | 27 +++ 38 files changed, 491 insertions(+), 6 deletions(-) create mode 120000 
roles/OpenVPN-Client/vars/main.yml create mode 120000 roles/OpenVPN-Server/vars/main.yml create mode 120000 roles/easy-rsa-certificate/vars/main.yml create mode 100644 roles/easy-rsa-certificate/vars/meta/main.yml create mode 100644 roles/easy-rsa-certificate/vars/tasks/buildCert.yml create mode 100644 roles/easy-rsa-certificate/vars/tasks/main.yml create mode 120000 roles/easy-rsa-certificate/vars/vars/main.yml create mode 100644 roles/easy-rsa-certificate/vars/vars/readme.txt create mode 120000 roles/easy-rsa-common/defaults/main.yml create mode 100644 roles/ldapserver/vars/meta/main.yml create mode 100644 roles/ldapserver/vars/tasks/karaageSpecific.yml create mode 100644 roles/ldapserver/vars/tasks/main.yml create mode 100644 roles/ldapserver/vars/templates/accounts_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/acls_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/binddn_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/default_ppolicy_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/groups_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/ldap.conf.j2 create mode 100644 roles/ldapserver/vars/templates/manager_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/ppolicy_accountsAndGroups.ldif.j2 create mode 100644 roles/ldapserver/vars/templates/ppolicy_moduleload_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/ppolicy_overlay_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/pwpolicies_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/root_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/ssl_ldif.j2 create mode 100644 roles/ldapserver/vars/templates/tls_settings.ldif.j2 create mode 100644 roles/ldapserver/vars/vars/CentOS_6.5_x86_64.yml create mode 100644 roles/ldapserver/vars/vars/CentOS_6.6_x86_64.yml create mode 100644 roles/ldapserver/vars/vars/main.yml create mode 100644 roles/nfs-client/vars/main.yml create mode 100644 roles/nfs-server/defaults/main.yml create 
mode 100644 roles/nfs-server/defaults/readme.txt create mode 100644 roles/syncExports/vars/main.yml create mode 100644 vars/karaageVars.yml diff --git a/roles/OpenVPN-Client/vars/main.yml b/roles/OpenVPN-Client/vars/main.yml new file mode 120000 index 0000000..0d79d56 --- /dev/null +++ b/roles/OpenVPN-Client/vars/main.yml @@ -0,0 +1 @@ +readme.txt \ No newline at end of file diff --git a/roles/OpenVPN-Server/vars/main.yml b/roles/OpenVPN-Server/vars/main.yml new file mode 120000 index 0000000..0d79d56 --- /dev/null +++ b/roles/OpenVPN-Server/vars/main.yml @@ -0,0 +1 @@ +readme.txt \ No newline at end of file diff --git a/roles/easy-rsa-certificate/vars/main.yml b/roles/easy-rsa-certificate/vars/main.yml new file mode 120000 index 0000000..0d79d56 --- /dev/null +++ b/roles/easy-rsa-certificate/vars/main.yml @@ -0,0 +1 @@ +readme.txt \ No newline at end of file diff --git a/roles/easy-rsa-certificate/vars/meta/main.yml b/roles/easy-rsa-certificate/vars/meta/main.yml new file mode 100644 index 0000000..fb87b08 --- /dev/null +++ b/roles/easy-rsa-certificate/vars/meta/main.yml @@ -0,0 +1,5 @@ +--- +allow_duplicates: yes +dependencies: + - {role: easy-rsa-common } + diff --git a/roles/easy-rsa-certificate/vars/tasks/buildCert.yml b/roles/easy-rsa-certificate/vars/tasks/buildCert.yml new file mode 100644 index 0000000..d71c98a --- /dev/null +++ b/roles/easy-rsa-certificate/vars/tasks/buildCert.yml 
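Review bot: `roles/OpenVPN-Client/vars/main.yml` is created as a symlink to a sibling `readme.txt`, so the role's variables are read from a file whose name says it is documentation; the same pattern is used for `roles/OpenVPN-Server/vars/main.yml`, `roles/easy-rsa-certificate/vars/main.yml`, `roles/easy-rsa-certificate/vars/vars/main.yml` and `roles/easy-rsa-common/defaults/main.yml`. For the two OpenVPN roles, `roles/easy-rsa-certificate/vars/` and easy-rsa-common the target `readme.txt` is not part of this patch, so unless it already exists in the tree the link dangles and the role loads no vars. The only `readme.txt` added for these roles, `roles/easy-rsa-certificate/vars/vars/readme.txt`, holds YAML defaults rather than documentation. Make `main.yml` the real file and keep any readme as a separate plain-text file.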
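Review bot: This meta file lands at `roles/easy-rsa-certificate/vars/meta/main.yml`, and the rest of the role in this patch (`vars/tasks/buildCert.yml`, `vars/tasks/main.yml`, `vars/vars/readme.txt`) is likewise nested one level down under `vars/`; Ansible looks for a role's `meta`, `tasks` and `vars` directories directly under `roles/<role>/`, so unless the repository wires these paths in some other way the dependency and the tasks will not be picked up. The same layout is used for `roles/ldapserver/vars/meta`, `vars/tasks`, `vars/templates` and `vars/vars` further down. `allow_duplicates: yes` is the YAML 1.1 truthy spelling; write `allow_duplicates: true`. The trailing blank line after the dependencies entry can be dropped.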
@@ -0,0 +1,113 @@ +--- +- name: "Check client ca certificate" + register: ca_cert + stat: "path={{ x509_cacert_file }}" + +- name: "Check certificate and key" + shell: (openssl x509 -noout -modulus -in {{ x509_cert_file }} | openssl md5 ; openssl rsa -noout -modulus -in {{ x509_key_file }} | openssl md5) | uniq | wc -l + register: certcheck + sudo: true + +- name: "Check certificate" + register: cert + stat: "path={{ x509_cert_file }}" + sudo: true + +- name: "Check key" + register: key + stat: "path={{ x509_key_file }}" + sudo: true + +- name: "Default: we don't need a new certificate" + set_fact: needcert=False + +- name: "Set need cert if key is missing" + set_fact: needcert=True + when: key.stat.exists == false + +- name: "set needcert if cert is missing or of zero size" + set_fact: needcert=True + when: cert.stat.exists == false or cert.stat.size == 0 + +- name: "Delete Zero Sized Ceritificates" + remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}" + delegate_to: "{{ x509_ca_server }}" + shell: rm -rf /etc/easy-rsa/2.0/keys/{{ x509_common_name }}.* + when: cert is defined and cert.stat.size == 0 + sudo: true + +- name: "set needcert if cert doesn't match key" + set_fact: needcert=True + when: certcheck.stdout == '2' + + +- name: "Creating Keypair" + shell: "echo noop when using easy-rsa" + when: needcert + +- name: "Creating CSR" + shell: " cd /etc/easy-rsa/2.0; . 
./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ x509_csr_args }} {{ x509_common_name }}" + when: needcert + sudo: true + +- name: "Create node tmp directory" + delegate_to: 127.0.0.1 + shell: "mkdir -p /tmp/{{ inventory_hostname }} ; chmod 755 /tmp/{{ inventory_hostname }}" + when: x509_ca_server != inventory_hostname + +- name: "Copy CSR to ansible host" + fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr dest=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.csr fail_on_missing=yes validate_md5=yes flat=yes" + sudo: true + when: needcert and x509_ca_server != inventory_hostname + +- name: "Copy CSR to CA" + remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}" + delegate_to: "{{ x509_ca_server }}" + copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.csr dest=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr force=yes" + when: needcert and x509_ca_server != inventory_hostname + sudo: true + +- name: "Sign Certificate" + remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}" + delegate_to: "{{ x509_ca_server }}" + shell: "cd /etc/easy-rsa/2.0; . 
./vars; export EASY_RSA=\"${EASY_RSA:-.}\" ;\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} {{ x509_common_name }}" + when: needcert + sudo: true + +- name: "Copy the Certificate to ansible host" + remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}" + delegate_to: "{{ x509_ca_server }}" + fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt dest=/tmp/{{ inventory_hostname }}/{{ x509_common_name }}.crt fail_on_missing=yes validate_md5=yes flat=yes" + sudo: true + when: needcert and x509_ca_server != inventory_hostname + +- name: "Copy the CA Certificate to the ansible host" + remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}" + delegate_to: "{{ x509_ca_server }}" + fetch: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/tmp/{{ inventory_hostname }}/ca.crt fail_on_missing=yes validate_md5=yes flat=yes" + sudo: true + when: ca_cert.stat.exists == false and x509_ca_server != inventory_hostname + +- name: "Make sure the path to the certificate exists" + shell: "mkdir -p `dirname {{ x509_cert_file }}` ; chmod 755 `dirname {{ x509_cert_file }}`" + sudo: true + +- name: "Copy the certificate to the node" + copy: "src=/tmp/{{ inventory_hostname }}/{{ x509_common_name }}.crt dest=/tmp/{{ x509_common_name }}.crt force=yes" + sudo: true + when: needcert and x509_ca_server != inventory_hostname + +- name: "Copy the certificate to the right location" + shell: "cp -f /tmp/{{ x509_common_name }}.crt {{ x509_cert_file }}" + sudo: true + when: needcert and x509_ca_server != inventory_hostname + +- name: "Copy the CA certificate to the node" + copy: "src=/tmp/{{ inventory_hostname }}/ca.crt dest={{ x509_cacert_file }}" + sudo: true + when: ca_cert.stat.exists == false and x509_ca_server != inventory_hostname + +- name: "Copy the key to the correct location" + shell: "mkdir -p `dirname {{ x509_key_file }}` ; chmod 700 `dirname {{ x509_key_file }}` ; cp /etc/easy-rsa/2.0/keys/{{ x509_common_name }}.key {{ x509_key_file }}" + sudo: true + when: needcert 
and x509_ca_server != inventory_hostname diff --git a/roles/easy-rsa-certificate/vars/tasks/main.yml b/roles/easy-rsa-certificate/vars/tasks/main.yml new file mode 100644 index 0000000..475415c --- /dev/null +++ b/roles/easy-rsa-certificate/vars/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- + include: buildCert.yml diff --git a/roles/easy-rsa-certificate/vars/vars/main.yml b/roles/easy-rsa-certificate/vars/vars/main.yml new file mode 120000 index 0000000..0d79d56 --- /dev/null +++ b/roles/easy-rsa-certificate/vars/vars/main.yml @@ -0,0 +1 @@ +readme.txt \ No newline at end of file diff --git a/roles/easy-rsa-certificate/vars/vars/readme.txt b/roles/easy-rsa-certificate/vars/vars/readme.txt new file mode 100644 index 0000000..b590204 --- /dev/null +++ b/roles/easy-rsa-certificate/vars/vars/readme.txt @@ -0,0 +1,7 @@ +--- +x509_key_file: "/etc/ssl/private/server.key" +x509_cert_file: "/etc/ssl/certs/server.crt" +x509_cacert_file: "/etc/ssl/certs/ca.crt" +x509_csr_args: "" +x509_sign_args: "{{ x509_csr_args }}" +x509_common_name: "{{ ansible_fqdn }}" diff --git a/roles/easy-rsa-common/defaults/main.yml b/roles/easy-rsa-common/defaults/main.yml new file mode 120000 index 0000000..0d79d56 --- /dev/null +++ b/roles/easy-rsa-common/defaults/main.yml @@ -0,0 +1 @@ +readme.txt \ No newline at end of file diff --git a/roles/easy-rsa-common/tasks/yumList.yml b/roles/easy-rsa-common/tasks/yumList.yml index fe7e95d..54c5f91 100644 --- a/roles/easy-rsa-common/tasks/yumList.yml +++ b/roles/easy-rsa-common/tasks/yumList.yml @@ -3,10 +3,14 @@ name: "Install these yum packages" with_items: - gcc - - rsync - make - tcsh - bind-utils - - openssl-devel - - nfs-utils yum: "name={{ item }} state=present" +- + name: "Setting hostname" + shell: sysctl kernel.hostname={{ inventory_hostname }} + +- + name: "Restarting Network" + service: name=network state=restarted diff --git a/roles/ldapserver/vars/meta/main.yml b/roles/ldapserver/vars/meta/main.yml new file mode 100644 index 0000000..46f5a23 
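Review bot: The "Delete Zero Sized Ceritificates" task guards on `cert is defined and cert.stat.size == 0`, but `cert` is always defined by the preceding `stat`, and when the certificate does not exist `cert.stat.size` is absent, so the conditional is likely to error instead of skipping; the earlier "cert is missing or of zero size" task gets this right with `cert.stat.exists == false or ...`. Change the guard to `when: cert.stat.exists and cert.stat.size == 0`. The `rm -rf /etc/easy-rsa/2.0/keys/{{ x509_common_name }}.*` line and the other `shell:` tasks interpolate `x509_common_name` (defaulting to `ansible_fqdn`) and the `x509_*_file` paths unquoted into a shell command, on the CA host as well as the node; quoting them (`"{{ x509_common_name }}"`) keeps an inventory value containing shell metacharacters from being interpreted. `validate_md5=yes` on the `fetch` tasks is the deprecated spelling of `validate_checksum=yes`, and `sudo: true` throughout is the pre-`become` form; a one-line header comment describing the CSR-to-CA-and-back flow this file implements would also help the next reader.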
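Review bot: The new "Setting hostname" task runs `sysctl kernel.hostname={{ inventory_hostname }}` through `shell`, which reports changed on every run and does not survive a reboot; the `hostname` module (`hostname: name={{ inventory_hostname }}`) is idempotent and updates the persistent configuration. "Restarting Network" then restarts the network service unconditionally on every run of the role; make it a handler notified by the hostname task so the interfaces are only bounced when the hostname actually changed. Neither new task sets `sudo: true`; if the play does not set it globally, both will fail as an unprivileged user. The package-list removals (`rsync`, `openssl-devel`, `nfs-utils`) are the commit's own change and not re-raised here.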
--- /dev/null +++ b/roles/ldapserver/vars/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: easy-rsa-certificate, x509_csr_args: "--server" } diff --git a/roles/ldapserver/vars/tasks/karaageSpecific.yml b/roles/ldapserver/vars/tasks/karaageSpecific.yml new file mode 100644 index 0000000..63ca884 --- /dev/null +++ b/roles/ldapserver/vars/tasks/karaageSpecific.yml @@ -0,0 +1,14 @@ +--- +- + name: Adding default ppolicy schema + shell: ldapadd -Y EXTERNAL -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif +- + name: templating tls settings + template: src=tls_settings.ldif.j2 dest=/tmp/tls_settings.ldif mode=600 +- + name: initialise server ssl + shell: ldapmodify -Y EXTERNAL -H ldapi:/// < /tmp/tls_settings.ldif + sudo: true +- + name: templating ldap.conf + template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=600 diff --git a/roles/ldapserver/vars/tasks/main.yml b/roles/ldapserver/vars/tasks/main.yml new file mode 100644 index 0000000..a5ec4d6 --- /dev/null +++ b/roles/ldapserver/vars/tasks/main.yml 
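Review bot: "Adding default ppolicy schema" and "templating ldap.conf" run without `sudo: true` while the `ldapmodify` between them has it; `ldapadd -Y EXTERNAL -H ldapi:///` authenticates as the Unix uid of the caller and only root (or the slapd user) is normally mapped to the `cn=config` rootdn, and `/etc/ldap/ldap.conf` is root-owned, so both tasks will fail unless the play sets sudo globally. The `ldapadd` of `ppolicy.ldif` is also not idempotent: on a second run the schema entry already exists and the task fails; register a check such as `shell: slapcat -b cn=config | grep 'cn={.*}ppolicy'` with `ignore_errors: true` and guard the add with `when: ppolicySchema|failed`, as main.yml does for its other modifications. `/etc/ldap/schema` and `/etc/ldap/ldap.conf` are Debian paths, whereas the vars files only cover CentOS and main.yml writes to `/etc/openldap/certs`; on one of these distributions the files will not be found.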
@@ -0,0 +1,157 @@ +--- + +- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml" + +- name: install system packages apt + apt: name={{ item }} state=installed update_cache=true + sudo: true + with_items: system_packages + when: ansible_os_family == 'Debian' + +- name: install system packages yum + yum: name={{ item }} state=installed + sudo: true + with_items: system_packages + when: ansible_os_family == 'RedHat' + +- name: hash password + command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }} + register: ldapManagerHash + +- name: hash binddn password + command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }} + register: ldapBindDNHash + +- name: template ssl.ldif + template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600 + +- name: template manager.ldif + template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600 + sudo: true + +- name: template binddn.ldif + template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600 + sudo: true + +- name: template root.ldif + template: src=root_ldif.j2 dest=/tmp/root.ldif + +- name: template accounts.ldif + template: src=accounts_ldif.j2 dest=/tmp/accounts.ldif + +- name: template groups.ldif + template: src=groups_ldif.j2 dest=/tmp/groups.ldif + +- name: template acls.ldif + template: src=acls_ldif.j2 dest=/tmp/acls.ldif + +- name: template ppolicy_moduleload.ldif + template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif + +- name: template ppolicy_overlay.ldif + template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif + +- name: template pwpolices.ldif + template: src=pwpolicies_ldif.j2 dest=/tmp/pwpolicies.ldif + +- name: template default_ppolicy.ldif + template: src=default_ppolicy_ldif.j2 dest=/tmp/default_ppolicy.ldif + + +- name: copy cert + command: cp /etc/ssl/certs/server.crt /etc/openldap/certs/ldapcert.pem + sudo: true + +- name: copy cacert + 
command: cp /etc/ssl/certs/ca.crt /etc/openldap/certs/cacert.pem + sudo: true + +- name: copy key + command: cp /etc/ssl/private/server.key /etc/openldap/certs/ldapkey.pem + sudo: true + +- name: chmod key + file: path=/etc/openldap/certs/ldapkey.pem owner={{ ldapuser }} group={{ ldapgroup }} mode=600 + sudo: true + +- name: enable ssl centos + lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap + sudo: true + when: ansible_os_family == 'RedHat' + +- name: start ldap + service: name=slapd state=restarted + sudo: true + +- name: check TLS config + shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem'" + ignore_errors: true + sudo: true + register: tlsConfigured + +- name: check Manager config + shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'" + ignore_errors: true + sudo: true + register: managerConfigured + +# slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines +- name: check ACL config + shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'" + ignore_errors: true + sudo: true + register: aclConfigured + + +- name: check DIT config + shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject" + ignore_errors: true + register: ditConfigured + +- name: check Accounts config + shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*" + ignore_errors: true + register: accountsConfigured + +- name: check Groups config + shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*" + ignore_errors: true + register: groupsConfigured + +- name: check binddn config + shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost 
objectClass=dcObject" + ignore_errors: true + register: binddnConfigured + + +- name: initialise server ssl + shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config + sudo: true + when: tlsConfigured|failed + +- name: initialise server manager + shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config + sudo: true + when: managerConfigured|failed + +- name: initialise server acls + shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config + sudo: true + when: aclConfigured|failed + +- name: add DIT root + shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif + when: ditConfigured|failed + +- name: add Accounts OU + shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif + when: accountsConfigured|failed + +- name: add Groups OU + shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif + when: groupsConfigured|failed + +- name: add binddn + shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif + sudo: true + when: binddnConfigured|failed diff --git a/roles/ldapserver/vars/templates/accounts_ldif.j2 b/roles/ldapserver/vars/templates/accounts_ldif.j2 new file mode 100644 index 0000000..e057dd1 --- /dev/null +++ b/roles/ldapserver/vars/templates/accounts_ldif.j2 @@ -0,0 +1,2 @@ +dn: {{ ldapUserBase }} +objectClass: organizationalUnit diff --git a/roles/ldapserver/vars/templates/acls_ldif.j2 b/roles/ldapserver/vars/templates/acls_ldif.j2 new file mode 100644 index 0000000..c9df719 --- /dev/null +++ b/roles/ldapserver/vars/templates/acls_ldif.j2 
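Review bot: `ldapManagerPassword` and `ldapBindDNPassword` are passed on the command line in "hash password", "hash binddn password", every `ldapsearch ... -w` check and every `ldapadd ... -w` task, so they appear in the process list on the target and in Ansible's output and logs for each of these tasks, and the registered `ldapManagerHash`/`ldapBindDNHash` results carry the invocation too. Add `no_log: true` to each of these tasks; `slappasswd -T file` reads the secret from a file instead of `-s`, and `ldapsearch`/`ldapadd` accept `-y file` for the same purpose, so the secret can be written with `copy: content=... mode=600` and removed afterwards. The check tasks bind over `ldap://localhost` with simple auth (`-x`) in cleartext; if `tls_settings.ldif` (`olcSecurity: tls=1`) is ever applied to the same database these binds will be refused, so `-ZZ` or `-H ldapi:///` would be more robust. The `ppolicy_moduleload`, `ppolicy_overlay`, `pwpolicies` and `default_ppolicy` templates are rendered to `/tmp` but no task in this file applies them, so the password policy never reaches the server.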
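Review bot: The entry `dn: {{ ldapUserBase }}` carries only `objectClass: organizationalUnit` and no `ou:` attribute; OpenLDAP rejects an add whose RDN attribute value is missing from the entry with a naming violation, so with `ldapUserBase: "ou=users,..."` the "add Accounts OU" task in main.yml will fail. Add `ou: users`, either from a dedicated variable or derived from the RDN, e.g. `ou: {{ ldapUserBase.split(',')[0].split('=')[1] }}`. `groups_ldif.j2` has the same omission for `ou:`, and `root_ldif.j2` lacks the `dc:` attribute for its `dc=...` RDN; `pwpolicies_ldif.j2` shows the correct shape with its `ou: pwpolicies` line.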
@@ -0,0 +1,6 @@ +dn: olcDatabase={2}bdb,cn=config +changetype: modify +add: olcAccess +olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth +olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read +olcAccess: {2}to * by users read by anonymous auth diff --git a/roles/ldapserver/vars/templates/binddn_ldif.j2 b/roles/ldapserver/vars/templates/binddn_ldif.j2 new file mode 100644 index 0000000..3f2e31b --- /dev/null +++ b/roles/ldapserver/vars/templates/binddn_ldif.j2 @@ -0,0 +1,5 @@ +dn: {{ ldapBindDN }} +objectClass: inetOrgPerson +cn: binddn +sn: binddn +userPassword: {{ ldapBindDNHash.stdout }} diff --git a/roles/ldapserver/vars/templates/default_ppolicy_ldif.j2 b/roles/ldapserver/vars/templates/default_ppolicy_ldif.j2 new file mode 100644 index 0000000..cc638a2 --- /dev/null +++ b/roles/ldapserver/vars/templates/default_ppolicy_ldif.j2 @@ -0,0 +1,19 @@ +dn: cn=default,ou=pwpolicies,{{ ldapDomain }} +cn: default +objectClass: pwdPolicy +objectClass: top +objectClass: device +pwdAllowUserChange: TRUE +pwdAttribute: 2.5.4.35 +pwdExpireWarning: 604800 +pwdFailureCountInterval: 30 +pwdGraceAuthNLimit: 0 +pwdInHistory: 10 +pwdLockout: TRUE +pwdLockoutDuration: 3600 +pwdMaxAge: 7776000 +pwdMaxFailure: 5 +pwdMinAge: 3600 +pwdMinLength: 12 +pwdMustChange: FALSE +pwdSafeModify: FALSE diff --git a/roles/ldapserver/vars/templates/groups_ldif.j2 b/roles/ldapserver/vars/templates/groups_ldif.j2 new file mode 100644 index 0000000..70386e0 --- /dev/null +++ b/roles/ldapserver/vars/templates/groups_ldif.j2 @@ -0,0 +1,2 @@ +dn: {{ ldapGroupBase }} +objectClass: organizationalUnit diff --git a/roles/ldapserver/vars/templates/ldap.conf.j2 b/roles/ldapserver/vars/templates/ldap.conf.j2 new file mode 100644 index 0000000..a6c19aa --- /dev/null +++ b/roles/ldapserver/vars/templates/ldap.conf.j2 
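Review bot: The ACL check in main.yml greps `slapcat -b cn=config` for the literal string `cn=Manager`, but the rules added here name `{{ ldapManager }}`, which `vars/karaageVars.yml` sets to `cn=admin,dc=monash,dc=edu,dc=au`; the check therefore never succeeds and this `add: olcAccess` modification is replayed on every run, stacking further olcAccess values onto the database. Since slapcat wraps long lines, match on a fragment that appears early in the value instead, e.g. `grep 'olcAccess:' | grep 'attrs=userPassword'`, or use `replace: olcAccess` here so reruns are idempotent regardless of the check. The modification also targets `olcDatabase={2}bdb,cn=config` while `tls_settings.ldif.j2` targets `olcDatabase={1}hdb,cn=config`; a server has one or the other.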
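Review bot: `pwdMinLength: 12` has no effect as written, because per slapo-ppolicy(5) the minimum length is only enforced when quality checking is enabled and `pwdCheckQuality` defaults to 0; add `pwdCheckQuality: 2` (or `1` to accept pre-hashed passwords the server cannot inspect) for the length check to apply. This template is rendered to `/tmp/default_ppolicy.ldif` by main.yml but no task applies it, nor `ppolicy_moduleload.ldif`, `ppolicy_overlay.ldif` or `pwpolicies.ldif`; `karaageSpecific.yml` only loads the schema, so the policy is never installed. `objectClass: device` is the usual structural-class workaround for `pwdPolicy`, and a one-line `# device supplies the structural class pwdPolicy lacks` comment would save the next reader a search.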
@@ -0,0 +1,16 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +#BASE dc=example,dc=com +URI {{ ldapURI }} + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +# TLS certificates (needed for GnuTLS) +TLS_CACERT {{ x509_cacert_file }} diff --git a/roles/ldapserver/vars/templates/manager_ldif.j2 b/roles/ldapserver/vars/templates/manager_ldif.j2 new file mode 100644 index 0000000..5cdf021 --- /dev/null +++ b/roles/ldapserver/vars/templates/manager_ldif.j2 @@ -0,0 +1,10 @@ +dn: olcDatabase={2}bdb,cn=config +changetype: modify +replace: olcSuffix +olcSuffix: {{ ldapDomain }} +- +replace: olcRootDN +olcRootDN: {{ ldapManager }} +- +add: olcRootPW +olcRootPW: {{ ldapManagerHash.stdout }} diff --git a/roles/ldapserver/vars/templates/ppolicy_accountsAndGroups.ldif.j2 b/roles/ldapserver/vars/templates/ppolicy_accountsAndGroups.ldif.j2 new file mode 100644 index 0000000..1adb4c4 --- /dev/null +++ b/roles/ldapserver/vars/templates/ppolicy_accountsAndGroups.ldif.j2 @@ -0,0 +1,14 @@ +dn: ou=policies,dc=example,dc=org +objectClass: organizationalUnit + +dn: ou=Accounts,dc=example,dc=org +objectClass: organizationalUnit + +dn: ou=Groups,dc=example,dc=org +objectClass: organizationalUnit + +dn: cn=default,ou=policies,dc=example,dc=org +objectClass: top +objectClass: device +objectClass: pwdPolicy +pwdAttribute: userPassword diff --git a/roles/ldapserver/vars/templates/ppolicy_moduleload_ldif.j2 b/roles/ldapserver/vars/templates/ppolicy_moduleload_ldif.j2 new file mode 100644 index 0000000..084cc60 --- /dev/null +++ b/roles/ldapserver/vars/templates/ppolicy_moduleload_ldif.j2 @@ -0,0 +1,5 @@ +dn: cn=module,cn=config +objectClass: olcModuleList +cn: module +olcModulePath: /usr/lib64/openldap/ +olcModuleLoad: ppolicy.la diff --git a/roles/ldapserver/vars/templates/ppolicy_overlay_ldif.j2 b/roles/ldapserver/vars/templates/ppolicy_overlay_ldif.j2 new file mode 100644 index 0000000..942c69c --- /dev/null 
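Review bot: The stock header comment says "This file should be world readable but not world writable", but `karaageSpecific.yml` renders this template with `mode=600`, so non-root LDAP clients on the host cannot read `URI`/`TLS_CACERT`; use `mode=644` there. `URI {{ ldapURI }}` expands the `{% for %}` loop from karaageVars with no separator, producing `ldaps://host1ldaps://host2` when the `ldap-server` group has more than one member; the variable needs a `{{ ' ' if not loop.last else '' }}` inside the loop. `TLS_CACERT {{ x509_cacert_file }}` points at the `/etc/ssl/certs/ca.crt` copy while main.yml copies the CA to `/etc/openldap/certs/cacert.pem` for slapd; both exist after the role runs, but a comment noting that the client and server deliberately read different copies would prevent someone "fixing" one of them.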
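Review bot: `ppolicy_accountsAndGroups.ldif.j2` hard-codes `dc=example,dc=org` and `ou=policies`, while every other template derives the suffix from `{{ ldapDomain }}` and uses `ou=pwpolicies`; nothing in main.yml or karaageSpecific.yml renders or applies it. Either drop it or rewrite it on the same variables (`{{ ldapDomain }}`, `{{ ldapUserBase }}`, `{{ ldapGroupBase }}`), since a dead template with example data is easy to apply by mistake. `ppolicy_moduleload_ldif.j2` hard-codes `olcModulePath: /usr/lib64/openldap/`, which is specific to 64-bit RedHat-family builds and belongs in the per-distribution vars files next to `system_packages`.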
+++ b/roles/ldapserver/vars/templates/ppolicy_overlay_ldif.j2 @@ -0,0 +1,7 @@ +dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config +olcOverlay: ppolicy +objectClass: olcOverlayConfig +objectClass: olcPPolicyConfig +olcPPolicyHashCleartext: TRUE +olcPPolicyUseLockout: FALSE +olcPPolicyDefault: cn=default,ou=pwpolicies,{{ ldapDomain }} diff --git a/roles/ldapserver/vars/templates/pwpolicies_ldif.j2 b/roles/ldapserver/vars/templates/pwpolicies_ldif.j2 new file mode 100644 index 0000000..1f0b93c --- /dev/null +++ b/roles/ldapserver/vars/templates/pwpolicies_ldif.j2 @@ -0,0 +1,4 @@ +dn: ou=pwpolicies,{{ ldapDomain }} +objectClass: organizationalUnit +objectClass: top +ou: pwpolicies diff --git a/roles/ldapserver/vars/templates/root_ldif.j2 b/roles/ldapserver/vars/templates/root_ldif.j2 new file mode 100644 index 0000000..c3a43f3 --- /dev/null +++ b/roles/ldapserver/vars/templates/root_ldif.j2 @@ -0,0 +1,5 @@ +dn: {{ ldapDomain }} +objectClass: dcObject +objectClass: organization +o: {{ ansible_domain }} +description: root diff --git a/roles/ldapserver/vars/templates/ssl_ldif.j2 b/roles/ldapserver/vars/templates/ssl_ldif.j2 new file mode 100644 index 0000000..9d7d804 --- /dev/null +++ b/roles/ldapserver/vars/templates/ssl_ldif.j2 @@ -0,0 +1,9 @@ +dn: cn=config +replace: olcTLSCACertificateFile +olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem +- +replace: olcTLSCertificateFile +olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem +- +replace: olcTLSCertificateKeyFile +olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem diff --git a/roles/ldapserver/vars/templates/tls_settings.ldif.j2 b/roles/ldapserver/vars/templates/tls_settings.ldif.j2 new file mode 100644 index 0000000..5a73e77 --- /dev/null +++ b/roles/ldapserver/vars/templates/tls_settings.ldif.j2 @@ -0,0 +1,4 @@ +dn: olcDatabase={1}hdb,cn=config +changetype: modify +replace: olcSecurity +olcSecurity: tls=1 
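Review bot: `olcSecurity: tls=1` is applied to `olcDatabase={1}hdb,cn=config`, but every other LDIF in this patch (`acls`, `manager`, `ppolicy_overlay`) addresses `olcDatabase={2}bdb,cn=config`; a server has one or the other, so either this modify or the rest fails with noSuchObject. Once `tls=1` is set on the data database, the `ldapsearch`/`ldapadd -x -H ldap://localhost` tasks in main.yml, which bind without StartTLS, will be refused with confidentiality required and need `-ZZ` or `-H ldapi:///`. Parameterise the database DN in one variable (e.g. `ldapConfigDB`) and use it in all four templates.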
diff --git a/roles/ldapserver/vars/vars/CentOS_6.5_x86_64.yml b/roles/ldapserver/vars/vars/CentOS_6.5_x86_64.yml new file mode 100644 index 0000000..f789871 --- /dev/null +++ b/roles/ldapserver/vars/vars/CentOS_6.5_x86_64.yml @@ -0,0 +1,5 @@ +--- + system_packages: + - openldap-servers + - openldap-clients + - openssl diff --git a/roles/ldapserver/vars/vars/CentOS_6.6_x86_64.yml b/roles/ldapserver/vars/vars/CentOS_6.6_x86_64.yml new file mode 100644 index 0000000..f789871 --- /dev/null +++ b/roles/ldapserver/vars/vars/CentOS_6.6_x86_64.yml @@ -0,0 +1,5 @@ +--- + system_packages: + - openldap-servers + - openldap-clients + - openssl diff --git a/roles/ldapserver/vars/vars/main.yml b/roles/ldapserver/vars/vars/main.yml new file mode 100644 index 0000000..b62f382 --- /dev/null +++ b/roles/ldapserver/vars/vars/main.yml @@ -0,0 +1,7 @@ +--- + ldapuser: ldap + ldapgroup: ldap + system_packages: + - openldap-servers + - openldap-clients + - openssl diff --git a/roles/nfs-client/vars/main.yml b/roles/nfs-client/vars/main.yml new file mode 100644 index 0000000..6d24638 --- /dev/null +++ b/roles/nfs-client/vars/main.yml @@ -0,0 +1,5 @@ +--- +# This is a list of exports, individual entry for each mount. +exportList: + - { name : '/mnt/test-nfs', src : '/mnt',fstype : 'nfs', opts : 'vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock' , interface : 'tun0', srvopts: 'rw,sync,root_squash' } + - { name : '/mnt/test-volume', src : '/mnt/vdc',fstype : 'nfs', opts : 'vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock' , interface : 'tun0', srvopts: 'rw,sync,root_squash' } diff --git a/roles/nfs-server/defaults/main.yml b/roles/nfs-server/defaults/main.yml new file mode 100644 index 0000000..f451f21 --- /dev/null +++ b/roles/nfs-server/defaults/main.yml @@ -0,0 +1,6 @@ +--- +mkFileSystems: + - { fstype : 'ext4', dev : '/dev/vdc', opts: '' } +mntFileSystems: + - { name: '/mnt/vdc', src: '/dev/vdc', mntopts: 'loop', fstype : 'ext4'} +configDiskDevice: true 
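Review bot: `configDiskDevice: true` as a role default, together with `mkFileSystems` naming `/dev/vdc`, means any host that picks up the nfs-server role without an override has `/dev/vdc` formatted and mounted (the `when: configDiskDevice` guards are visible in the `mkFilesystem.yml` context of this patch); a destructive action should default to `false` and be opted into per host or group. `mntopts: 'loop'` on a block device is unusual — if it is deliberate, a comment saying why would help. The `readme.txt` added next to this file repeats `mkFileSystems`/`configDiskDevice` verbatim and will drift; a one-line description of each key and its effect would be more useful there.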
diff --git a/roles/nfs-server/defaults/readme.txt b/roles/nfs-server/defaults/readme.txt new file mode 100644 index 0000000..9561db2 --- /dev/null +++ b/roles/nfs-server/defaults/readme.txt @@ -0,0 +1,4 @@ +--- +mkFileSystems: + - { fstype : 'ext4', dev : '/dev/vdc', opts: '' } +configDiskDevice: true diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml index 3e60a57..29b98a5 100644 --- a/roles/nfs-server/tasks/main.yml +++ b/roles/nfs-server/tasks/main.yml @@ -1,4 +1,3 @@ --- - include: mkFilesystem.yml -- include: fileSymbolicLink.yml - include: startServer.yml diff --git a/roles/nfs-server/tasks/mkFilesystem.yml b/roles/nfs-server/tasks/mkFilesystem.yml index ae917f2..5b92472 100644 --- a/roles/nfs-server/tasks/mkFilesystem.yml +++ b/roles/nfs-server/tasks/mkFilesystem.yml @@ -6,8 +6,8 @@ when: configDiskDevice - name: Mount device - mount: name={{ item.name }} src={{ item.dev }} fstype={{ item.fstype }} opts={{ item.mntopts }} state=mounted - with_items: mkFileSystems + mount: name={{ item.name }} src={{ item.src }} fstype={{ item.fstype }} opts={{ item.mntopts }} state=mounted + with_items: mntFileSystems sudo: true when: configDiskDevice diff --git a/roles/syncExports/tasks/addExports.yml b/roles/syncExports/tasks/addExports.yml index d3723e7..24a1bad 100644 --- a/roles/syncExports/tasks/addExports.yml +++ b/roles/syncExports/tasks/addExports.yml @@ -5,3 +5,8 @@ run_once: true sudo: true notify: "Reload exports" +- name: "Restart the NFS server" + service: "name=nfs state=restarted" + delegate_to: "{{ nfs_server }}" + run_once: true + sudo: true diff --git a/roles/syncExports/vars/main.yml b/roles/syncExports/vars/main.yml new file mode 100644 index 0000000..9394537 --- /dev/null +++ b/roles/syncExports/vars/main.yml @@ -0,0 +1,3 @@ +--- +groupList: + - { name : 'computeNodes', interface : 'tun0' } diff --git a/vars/karaageVars.yml b/vars/karaageVars.yml new file mode 100644 index 0000000..cdb16e0 --- /dev/null 
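Review bot: "Restart the NFS server" restarts `nfs` on `{{ nfs_server }}` unconditionally on every run, immediately after a task that already notifies the "Reload exports" handler; a restart interrupts active client mounts, whereas an exports reload (presumably `exportfs -ra` in that handler, which is outside this hunk) applies new exports without it. If a full restart is really required when exports change, make it a handler (`notify: "Restart NFS"`) fired by the export task rather than an always-run task, so it only happens on change. The enclosing task list starts outside this hunk.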
+++ b/vars/karaageVars.yml @@ -0,0 +1,27 @@ +--- +countryName: "AU" +reginalName: "Victoria" +cityName: "Melbourne" +organizationName: "Monash University" +emailAddress: "shahaan@gmail.com" +organizationUnit: "defaultUnit" +ldapDomain: "dc=monash,dc=edu,dc=au" +ldapManager: "cn=admin,dc=monash,dc=edu,dc=au" +ldapBindDN: "cn=ldapuser,ou=users,dc=monash,dc=edu,dc=au" +ldapUserBase: "ou=users,dc=monash,dc=edu,dc=au" +ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au" +ldapBase: "dc=monash,dc=edu,dc=au" +ldapURI: "{% for host in groups['ldap-server'] %}ldaps://{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}" +smtp_smarthost: "{{ ansible_hostname }}" +x509_ca_server: "vm-118-138-240-183.erc.monash.edu.au" +ldapManagerPassword: "imldap" +ldapBindDNPassword: "imbinddn" +domain: "erc.monash.edu.au" +karaage_sql_password: "imkaraage" +mysql_root_password: "immysql" +x509_key_file: "/etc/ssl/private/server.key" +x509_cert_file: "/etc/ssl/certs/server.crt" +x509_cacert_file: "/etc/ssl/certs/ca.crt" +x509_csr_args: "" +x509_sign_args: "{{ x509_csr_args }}" +x509_common_name: "{{ ansible_fqdn }}" -- GitLab
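Review bot: `ldapManagerPassword`, `ldapBindDNPassword`, `karaage_sql_password` and `mysql_root_password` are committed as plaintext strings alongside the production domain and CA host; move them into an `ansible-vault`-encrypted vars file and keep only non-secret settings here, rotating the values now that they are in history. `ldapURI` builds the URI list with `{% for host in groups['ldap-server'] %}...{% endfor %}` and no separator, so two LDAP servers yield `ldaps://aldaps://b`; change the loop body to `ldaps://{{ hostvars[host]['ansible_fqdn'] }}{{ ' ' if not loop.last else '' }}`. `reginalName` looks like a typo of a state/province field (`regionalName` or `stateOrProvinceName`); if consumers already use this spelling, a comment noting it is deliberate avoids the next reader "fixing" it. The `x509_*` defaults at the bottom duplicate `roles/easy-rsa-certificate/vars/vars/readme.txt` exactly and should live in one place.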