Some Changes to install Karaage on Jessie, see new files...

67c517ce · Shahaan Ayyub · f86b7cad · 67c517ce · 67c517ce · 67c517ce
Commit 67c517ce authored 9 years ago by Shahaan Ayyub
--- a/buildKaraage3.x.yml
+++ b/buildKaraage3.x.yml
 ---
 -
  hosts: ldap-server
+  pre_tasks:
+    - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present
+      ignore_errors: yes
+    - service: name=network state=restarted
+      when: ansible_os_family == 'Redhat'
  roles:
-#   - easy-rsa-CA
-#   - ldapserver
+   - easy-rsa-CA
+   - easy-rsa-certificate
+   - ldapserver
  sudo: true
+  vars:
+   - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
  vars_files:
   - vars/karaageVars.yml
 - 
  hosts: karaage-server
+  pre_tasks:
+    - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present
+      ignore_errors: yes
+    - service: name=network state=restarted
+      when: ansible_os_family == 'Redhat'
  roles:
-#    - easy-rsa-certificate
+    - easy-rsa-certificate
    - karaage3.1.17
  sudo: true
+  vars:
+   - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
  vars_files:
   - vars/karaageVars.yml
--- a/roles/easy-rsa-certificate/tasks/buildCert.yml
+++ b/roles/easy-rsa-certificate/tasks/buildCert.yml
@@ -62,28 +62,28 @@

 - name: "Copy CSR to CA"
  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
  copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.csr dest=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr force=yes"
  when: needcert
  sudo: true

 - name: "Sign Certificate"
  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
  shell:    "cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\" ;\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} {{ x509_common_name }}"
  when: needcert
  sudo: true

 - name: "Copy the Certificate to ansible host"
  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
  fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt dest=/tmp/{{ inventory_hostname }}/{{ x509_common_name }}.crt fail_on_missing=yes validate_md5=yes flat=yes"
  sudo: true
  when: needcert

 - name: "Copy the CA Certificate to the ansible host"
  remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
  fetch: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/tmp/{{ inventory_hostname }}/ca.crt fail_on_missing=yes validate_md5=yes flat=yes"
  sudo: true
  when: "ca_cert.stat.exists == false"

--- a/roles/easy-rsa-common/tasks/installEasyRsa.yml
+++ b/roles/easy-rsa-common/tasks/installEasyRsa.yml
@@ -6,7 +6,7 @@
  when: ansible_os_family == 'RedHat'
 - 
  name: "Installing easy-rsa"
-  apt: "name=openvpn state=present update_cache=yes"
+  apt: "name=easy-rsa state=present"
  sudo: True
  when: ansible_os_family == 'Debian'
 - 
@@ -22,7 +22,17 @@
  args:
    creates: /etc/easy-rsa
  sudo: True
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and ansible_distribution_release != 'jessie'
+  register: installed
+- 
+  name: "Create /etc/easy-rsa/2.0 for Jessie"
+  file: path=/etc/easy-rsa/2.0 state=directory mode=0755
+  when: ansible_os_family == 'Debian' and ansible_distribution_release == 'jessie'
+- 
+  name: "Moving easy-rsa to /etc"
+  shell: "cp -rf /usr/share/easy-rsa/* /etc/easy-rsa/2.0/"
+  sudo: True
+  when: ansible_os_family == 'Debian' and ansible_distribution_release == 'jessie'
  register: installed

 - name: "Clean all"

--- a/roles/easy-rsa-common/tasks/installEasyRsaSource.yml
+++ b/roles/easy-rsa-common/tasks/installEasyRsaSource.yml
+---
+
+-
+ name: Download easy-rsa 2.2.2
+ get_url: url=https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz dest=/tmp/2.2.2.tar.gz
+-
+ name: Untar the source
+ shell: tar xvfz 2.2.2.tar.gz chdir=/tmp creates=/tmp/easy-rsa-2.2.2
+- 
+  name: "Moving easy-rsa to /etc"
+  shell: cp -rf /tmp/easy-rsa-2.2.2/easy-rsa /etc/ creates=/etc/easy-rsa
+  sudo: True
+  register: installed
+
+- name: "Clean all"
+  shell: " cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/clean-all"
+  args:
+    creates: "/etc/easy-rsa/2.0/keys/"
+  when: installed|changed
+  sudo: true
+ 
--- a/roles/easy-rsa-common/tasks/main.yml
+++ b/roles/easy-rsa-common/tasks/main.yml
 ---
 -
-  include: installEasyRsa.yml
+  include: installEasyRsaSource.yml
 -
  include: copyConfigurationFile.yml
--- a/roles/karaage3.1.17/tasks/karaage.yml
+++ b/roles/karaage3.1.17/tasks/karaage.yml
@@ -53,6 +53,7 @@
 with_items:
  - python-kgusage
  - karaage-cluster-tools
+  - karaage3-celery
 -
 name: "Set Secret Key"
 lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = 'imkaraage'" state=present
@@ -69,9 +70,6 @@
 name: Templating ldap.conf
 template: src=client-ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
 when: ansible_fqdn != "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
-
- name: Add missing ldap entries
- shell: kg-manage migrate_ldap
 -
 name: "Reloading apache"
 service: name=apache2 state=reloaded
--- a/roles/karaage3.1.17/templates/client-ldap.conf.j2
+++ b/roles/karaage3.1.17/templates/client-ldap.conf.j2
@@ -6,7 +6,7 @@
 # This file should be world readable but not world writable.

 #BASE	dc=example,dc=com
-#URI	ldap://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %} ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}
+URI	ldap://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %} ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}

 #SIZELIMIT	12
 #TIMELIMIT	15

--- a/roles/karaage3.1.17/templates/settings.py.j2
+++ b/roles/karaage3.1.17/templates/settings.py.j2
@@ -40,7 +40,7 @@ STATICFILES_STORAGE = 'pipeline.storage.PipelineStorage'
 #
 # default: HTTP_HOST = FQDN hostname
 #
-HTTP_HOST = "{% for host in groups['karaage-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+HTTP_HOST = "{{ x509_common_name }}"

 # A list of strings representing the host/domain names that this Django site
 # can serve. This is a security measure to prevent an attacker from poisoning

--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
 ---

 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
-
 - name: install system packages apt
  apt: name={{ item }} state=installed update_cache=true
  sudo: true
@@ -15,7 +14,7 @@
  when: ansible_os_family == 'RedHat'

 - name: hash password
-  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
+  command: /usr//sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
  register: ldapManagerHash

 - name: hash binddn password
@@ -142,42 +141,42 @@


 - name: initialise server ssl
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
+  shell: /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
  sudo: true
  when: tlsConfigured|failed

 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
  sudo: true
  when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
  sudo: true
  ignore_errors: true
  when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
  sudo: true
  when: managerConfigured|failed

 - name: initialise server acls
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
  sudo: true
  when: aclConfigured|failed

 - name: add DIT root
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
  when: ditConfigured|failed

 - name: add Accounts OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
  when: accountsConfigured|failed

 - name: add Groups OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
  when: groupsConfigured|failed

 - name: add binddn
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
  sudo: true
  when: binddnConfigured|failed
--- a/roles/ldapserver/templates/ldap.conf.j2
+++ b/roles/ldapserver/templates/ldap.conf.j2
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+URI {{ ldapURI }}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	{{ x509_cacert_file }}
--- a/roles/ldapserver/templates/manager_ldif2.j2
+++ b/roles/ldapserver/templates/manager_ldif2.j2
 dn: {{ dbname }},cn=config
 changetype: modify
-add: olcRootPW
+replace: olcRootPW
 olcRootPW: {{ ldapManagerHash.stdout }}
--- a/roles/ldapserver/templates/tls_settings.ldif.j2
+++ b/roles/ldapserver/templates/tls_settings.ldif.j2
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcSecurity
+olcSecurity: tls=1
--- a/roles/ldapserver/vars/CentOS_6.5_x86_64.yml
+++ b/roles/ldapserver/vars/CentOS_6.5_x86_64.yml
@@ -3,3 +3,6 @@
  - openldap-servers
  - openldap-clients
  - openssl
+ dbname: olcDatabase={2}bdb
+ ldapuser: ldap
+ ldapgroup: ldap
--- a/roles/ldapserver/vars/Debian_8.0_x86_64.yml
+++ b/roles/ldapserver/vars/Debian_8.0_x86_64.yml
+---
+ system_packages:
+  - slapd
+  - ldap-utils
+  - openssl
+
+ ldapuser: openldap
+ ldapgroup: openldap
+ dbname: olcDatabase={1}mdb
--- a/vars/karaageVars.yml
+++ b/vars/karaageVars.yml
@@ -13,7 +13,6 @@ ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
 ldapBase: "dc=monash,dc=edu,dc=au"
 ldapURI: "{% for host in groups['ldap-server'] %}ldaps://{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
 smtp_smarthost: "{{ ansible_hostname }}"
-x509_ca_server: "vm-118-138-240-183.erc.monash.edu.au"
 ldapManagerPassword: "imldap"
 ldapBindDNPassword: "imbinddn"
 domain: "erc.monash.edu.au"
@@ -24,4 +23,4 @@ x509_cert_file: "/etc/ssl/certs/server.crt"
 x509_cacert_file: "/etc/ssl/certs/ca.crt"
 x509_csr_args: ""
 x509_sign_args: "{{ x509_csr_args }}"
-x509_common_name: "{{ ansible_fqdn }}"
+x509_common_name: "{{ inventory_hostname }}"