From 67c517ce9e2e89b4fa1bb984def25af4f335de93 Mon Sep 17 00:00:00 2001
From: shahaan <shahaan@gmail.com>
Date: Mon, 29 Jun 2015 11:26:54 +1000
Subject: [PATCH] Some Changes to install Karaage on Jessie, see new files...

---
 buildKaraage3.x.yml                           | 21 ++++++++++++++++---
 .../easy-rsa-certificate/tasks/buildCert.yml  |  8 +++----
 .../easy-rsa-common/tasks/installEasyRsa.yml  | 14 +++++++++++--
 .../tasks/installEasyRsaSource.yml            | 21 +++++++++++++++++++
 roles/easy-rsa-common/tasks/main.yml          |  2 +-
 roles/karaage3.1.17/tasks/karaage.yml         |  4 +---
 .../templates/client-ldap.conf.j2             |  2 +-
 roles/karaage3.1.17/templates/settings.py.j2  |  2 +-
 roles/ldapserver/tasks/main.yml               | 21 +++++++++----------
 roles/ldapserver/templates/ldap.conf.j2       | 16 ++++++++++++++
 roles/ldapserver/templates/manager_ldif2.j2   |  2 +-
 .../ldapserver/templates/tls_settings.ldif.j2 |  4 ++++
 roles/ldapserver/vars/CentOS_6.5_x86_64.yml   |  3 +++
 roles/ldapserver/vars/Debian_8.0_x86_64.yml   |  9 ++++++++
 vars/karaageVars.yml                          |  3 +--
 15 files changed, 103 insertions(+), 29 deletions(-)
 create mode 100644 roles/easy-rsa-common/tasks/installEasyRsaSource.yml
 create mode 100644 roles/ldapserver/templates/ldap.conf.j2
 create mode 100644 roles/ldapserver/templates/tls_settings.ldif.j2
 create mode 100644 roles/ldapserver/vars/Debian_8.0_x86_64.yml

diff --git a/buildKaraage3.x.yml b/buildKaraage3.x.yml
index e3002a92..8bc0c3e1 100644
--- a/buildKaraage3.x.yml
+++ b/buildKaraage3.x.yml
@@ -1,17 +1,32 @@
 ---
 -
   hosts: ldap-server
+  pre_tasks:
+    - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present
+      ignore_errors: yes
+    - service: name=network state=restarted
+      when: ansible_os_family == 'Redhat'
   roles:
-#   - easy-rsa-CA
-#   - ldapserver
+   - easy-rsa-CA
+   - easy-rsa-certificate
+   - ldapserver
   sudo: true
+  vars:
+   - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
   vars_files:
    - vars/karaageVars.yml
 - 
   hosts: karaage-server
+  pre_tasks:
+    - sysctl: name=kernel.hostname value={{ inventory_hostname }} state=present
+      ignore_errors: yes
+    - service: name=network state=restarted
+      when: ansible_os_family == 'Redhat'
   roles:
-#    - easy-rsa-certificate
+    - easy-rsa-certificate
     - karaage3.1.17
   sudo: true
+  vars:
+   - x509_ca_server: "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
   vars_files:
    - vars/karaageVars.yml
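Review bot: The two `when: ansible_os_family == 'Redhat'` conditions on the network-restart pre_tasks never match, because the fact value is spelled `RedHat` (as the installEasyRsa.yml and ldapserver hunks in this same patch write it), so the restart is silently skipped on CentOS; change both to `when: ansible_os_family == 'RedHat'`. The `ignore_errors: yes` lines should use the canonical boolean `ignore_errors: true`, since `yes` is a YAML 1.1-only truthy spelling. Both plays repeat the same pre_tasks and the same `x509_ca_server` expression; a shared vars entry or include would keep the two copies from drifting.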
diff --git a/roles/easy-rsa-certificate/tasks/buildCert.yml b/roles/easy-rsa-certificate/tasks/buildCert.yml
index 32f5a06f..3ad709de 100644
--- a/roles/easy-rsa-certificate/tasks/buildCert.yml
+++ b/roles/easy-rsa-certificate/tasks/buildCert.yml
@@ -62,28 +62,28 @@
 
 - name: "Copy CSR to CA"
   remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
   copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.csr dest=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr force=yes"
   when: needcert
   sudo: true
 
 - name: "Sign Certificate"
   remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
   shell:    "cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\" ;\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} {{ x509_common_name }}"
   when: needcert
   sudo: true
 
 - name: "Copy the Certificate to ansible host"
   remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
   fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt dest=/tmp/{{ inventory_hostname }}/{{ x509_common_name }}.crt fail_on_missing=yes validate_md5=yes flat=yes"
   sudo: true
   when: needcert
 
 - name: "Copy the CA Certificate to the ansible host"
   remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
-  delegate_to: "{{ x509_ca_server }}"
+  delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"
   fetch: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/tmp/{{ inventory_hostname }}/ca.crt fail_on_missing=yes validate_md5=yes flat=yes"
   sudo: true
   when: "ca_cert.stat.exists == false"
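Review bot: The four `delegate_to: "{{ hostvars[x509_ca_server]['ansible_fqdn'] }}"` lines look either redundant or unreachable: `x509_ca_server` is now set in buildKaraage3.x.yml to the CA host's `ansible_fqdn`, so `hostvars[x509_ca_server]` only resolves when that FQDN is itself an inventory host name, in which case the new expression evaluates to the same value the old `{{ x509_ca_server }}` did. If the inventory uses a different name, the `hostvars` lookup (also used by `remote_user` on the line above each) fails with an undefined variable before the task runs. Setting `x509_ca_server` to the inventory name (`groups['ldap-server'][0]`) and keeping `delegate_to: "{{ x509_ca_server }}"` would make delegation and the hostvars lookups consistent; please verify against the inventory in use.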
diff --git a/roles/easy-rsa-common/tasks/installEasyRsa.yml b/roles/easy-rsa-common/tasks/installEasyRsa.yml
index e66e88a2..367f597a 100644
--- a/roles/easy-rsa-common/tasks/installEasyRsa.yml
+++ b/roles/easy-rsa-common/tasks/installEasyRsa.yml
@@ -6,7 +6,7 @@
   when: ansible_os_family == 'RedHat'
 - 
   name: "Installing easy-rsa"
-  apt: "name=openvpn state=present update_cache=yes"
+  apt: "name=easy-rsa state=present"
   sudo: True
   when: ansible_os_family == 'Debian'
 - 
@@ -22,7 +22,17 @@
   args:
     creates: /etc/easy-rsa
   sudo: True
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and ansible_distribution_release != 'jessie'
+  register: installed
+- 
+  name: "Create /etc/easy-rsa/2.0 for Jessie"
+  file: path=/etc/easy-rsa/2.0 state=directory mode=0755
+  when: ansible_os_family == 'Debian' and ansible_distribution_release == 'jessie'
+- 
+  name: "Moving easy-rsa to /etc"
+  shell: "cp -rf /usr/share/easy-rsa/* /etc/easy-rsa/2.0/"
+  sudo: True
+  when: ansible_os_family == 'Debian' and ansible_distribution_release == 'jessie'
   register: installed
 
 - name: "Clean all"
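Review bot: The new `Create /etc/easy-rsa/2.0 for Jessie` task has no `sudo: True`, unlike the `Moving easy-rsa to /etc` task directly below it and the other tasks in this file, so creating a directory under /etc fails for a non-root ansible user. The `cp -rf /usr/share/easy-rsa/* /etc/easy-rsa/2.0/` shell task has no `creates:` guard, so it re-copies on every run, always reports changed through `register: installed`, and overwrites anything placed in /etc/easy-rsa/2.0 afterwards; add `args:` with `creates: /etc/easy-rsa/2.0/pkitool` or similar. Note also that main.yml in this same patch stops including this file in favour of installEasyRsaSource.yml, so these Jessie tasks appear to be unreachable unless something outside the diff includes them.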
diff --git a/roles/easy-rsa-common/tasks/installEasyRsaSource.yml b/roles/easy-rsa-common/tasks/installEasyRsaSource.yml
new file mode 100644
index 00000000..922cdf2d
--- /dev/null
+++ b/roles/easy-rsa-common/tasks/installEasyRsaSource.yml
@@ -0,0 +1,21 @@
+---
+
+-
+ name: Download easy-rsa 2.2.2
+ get_url: url=https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz dest=/tmp/2.2.2.tar.gz
+-
+ name: Untar the source
+ shell: tar xvfz 2.2.2.tar.gz chdir=/tmp creates=/tmp/easy-rsa-2.2.2
+- 
+  name: "Moving easy-rsa to /etc"
+  shell: cp -rf /tmp/easy-rsa-2.2.2/easy-rsa /etc/ creates=/etc/easy-rsa
+  sudo: True
+  register: installed
+
+- name: "Clean all"
+  shell: " cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/clean-all"
+  args:
+    creates: "/etc/easy-rsa/2.0/keys/"
+  when: installed|changed
+  sudo: true
+ 
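Review bot: `get_url` fetches the easy-rsa 2.2.2 tarball with no integrity check, so whatever the URL serves is copied into /etc/easy-rsa and becomes the CA tooling; pin the archive with `get_url: url=https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz dest=/tmp/2.2.2.tar.gz sha256sum=<expected digest>` (`checksum=` on newer Ansible). Indentation is mixed inside the one task list (one space for the first two items, two for the rest) and the file ends with a whitespace-only line, which yamllint rejects; use two spaces throughout and drop the trailing line. The `Clean all` task duplicates the one in installEasyRsa.yml verbatim, so the two install paths should share it rather than carry copies.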
diff --git a/roles/easy-rsa-common/tasks/main.yml b/roles/easy-rsa-common/tasks/main.yml
index 619f8806..ac26ed83 100644
--- a/roles/easy-rsa-common/tasks/main.yml
+++ b/roles/easy-rsa-common/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
 -
-  include: installEasyRsa.yml
+  include: installEasyRsaSource.yml
 -
   include: copyConfigurationFile.yml
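Review bot: Switching the include to installEasyRsaSource.yml makes the Jessie-specific tasks this patch also adds to installEasyRsa.yml unreachable, since nothing in the diff includes that file any more. If the package-based path is meant to remain an option, gate the two includes with `when:` on `ansible_distribution_release`; otherwise remove the dead tasks so the two install paths do not drift apart.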
diff --git a/roles/karaage3.1.17/tasks/karaage.yml b/roles/karaage3.1.17/tasks/karaage.yml
index ecd157bd..c2f3f58a 100644
--- a/roles/karaage3.1.17/tasks/karaage.yml
+++ b/roles/karaage3.1.17/tasks/karaage.yml
@@ -53,6 +53,7 @@
  with_items:
   - python-kgusage
   - karaage-cluster-tools
+  - karaage3-celery
 -
  name: "Set Secret Key"
  lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = 'imkaraage'" state=present
@@ -69,9 +70,6 @@
  name: Templating ldap.conf
  template: src=client-ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
  when: ansible_fqdn != "{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
--
- name: Add missing ldap entries
- shell: kg-manage migrate_ldap
 -
  name: "Reloading apache"
  service: name=apache2 state=reloaded
diff --git a/roles/karaage3.1.17/templates/client-ldap.conf.j2 b/roles/karaage3.1.17/templates/client-ldap.conf.j2
index f9c9128b..01dfd6ba 100644
--- a/roles/karaage3.1.17/templates/client-ldap.conf.j2
+++ b/roles/karaage3.1.17/templates/client-ldap.conf.j2
@@ -6,7 +6,7 @@
 # This file should be world readable but not world writable.
 
 #BASE	dc=example,dc=com
-#URI	ldap://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %} ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}
+URI	ldap://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %} ldaps://{% for host in groups['ldap-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}
 
 #SIZELIMIT	12
 #TIMELIMIT	15
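Review bot: The uncommented `URI` line has no matching `TLS_CACERT`, so `ldaps://` connections to a server certificate signed by the easy-rsa CA (whose `ca.crt` this patch fetches) fail verification under libldap's default `TLS_REQCERT demand`; the server-side roles/ldapserver/templates/ldap.conf.j2 added in this patch sets `TLS_CACERT	{{ x509_cacert_file }}`, and this client template needs the same line. Listing `ldap://` before `ldaps://` also means clients try the plaintext URI first, and with the new `olcSecurity: tls=1` on the server those binds would be refused unless STARTTLS is negotiated, so consider dropping the `ldap://` entry or reusing `{{ ldapURI }}` as the server template does. I cannot see the rest of this template, so TLS_CACERT may already be set further down.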
diff --git a/roles/karaage3.1.17/templates/settings.py.j2 b/roles/karaage3.1.17/templates/settings.py.j2
index aa072761..90b9cf6c 100644
--- a/roles/karaage3.1.17/templates/settings.py.j2
+++ b/roles/karaage3.1.17/templates/settings.py.j2
@@ -40,7 +40,7 @@ STATICFILES_STORAGE = 'pipeline.storage.PipelineStorage'
 #
 # default: HTTP_HOST = FQDN hostname
 #
-HTTP_HOST = "{% for host in groups['karaage-server'] %}{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
+HTTP_HOST = "{{ x509_common_name }}"
 
 # A list of strings representing the host/domain names that this Django site
 # can serve. This is a security measure to prevent an attacker from poisoning
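Review bot: `HTTP_HOST = "{{ x509_common_name }}"` now resolves to `inventory_hostname` (per the vars/karaageVars.yml hunk in this patch), which is only an FQDN if the inventory uses FQDNs, whereas the comment above still says the default is the FQDN hostname; the `ALLOWED_HOSTS` list introduced just below must contain the same value or Django rejects the requests. If the intent is to tie the host name to the certificate CN, state it in the comment, e.g. `# Must match the CN of the server certificate (x509_common_name)`. ALLOWED_HOSTS itself is outside this hunk, so I cannot confirm the two agree.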
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index ceb1f227..ff18a2e3 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -1,7 +1,6 @@
 ---
 
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
-
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
   sudo: true
@@ -15,7 +14,7 @@
   when: ansible_os_family == 'RedHat'
 
 - name: hash password
-  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
+  command: /usr//sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
   register: ldapManagerHash
 
 - name: hash binddn password
@@ -142,42 +141,42 @@
 
 
 - name: initialise server ssl
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
+  shell: /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
   sudo: true
   when: tlsConfigured|failed
 
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
   sudo: true
   when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
   sudo: true
   ignore_errors: true
   when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
   sudo: true
   when: managerConfigured|failed
 
 - name: initialise server acls
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  shell:  /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
   sudo: true
   when: aclConfigured|failed
 
 - name: add DIT root
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
   when: ditConfigured|failed
 
 - name: add Accounts OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
   when: accountsConfigured|failed
 
 - name: add Groups OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
   when: groupsConfigured|failed
 
 - name: add binddn
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
+  shell: /usr/bin/ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
diff --git a/roles/ldapserver/templates/ldap.conf.j2 b/roles/ldapserver/templates/ldap.conf.j2
new file mode 100644
index 00000000..a6c19aac
--- /dev/null
+++ b/roles/ldapserver/templates/ldap.conf.j2
@@ -0,0 +1,16 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+URI {{ ldapURI }}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	{{ x509_cacert_file }}
diff --git a/roles/ldapserver/templates/manager_ldif2.j2 b/roles/ldapserver/templates/manager_ldif2.j2
index 48f43a07..ee4592d2 100644
--- a/roles/ldapserver/templates/manager_ldif2.j2
+++ b/roles/ldapserver/templates/manager_ldif2.j2
@@ -1,4 +1,4 @@
 dn: {{ dbname }},cn=config
 changetype: modify
-add: olcRootPW
+replace: olcRootPW
 olcRootPW: {{ ldapManagerHash.stdout }}
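Review bot: With `add:` changed to `replace:`, the modify now succeeds whether or not `olcRootPW` already exists, so the `ignore_errors: true` on the `initialise server manager` task that applies /tmp/manager2.ldif (in the roles/ldapserver/tasks/main.yml hunk of this patch) no longer has a reason to exist and would hide genuine failures such as a wrong `dbname`; consider removing it. I am assuming this template is the one rendered to /tmp/manager2.ldif, which the diff does not show.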
diff --git a/roles/ldapserver/templates/tls_settings.ldif.j2 b/roles/ldapserver/templates/tls_settings.ldif.j2
new file mode 100644
index 00000000..5a73e779
--- /dev/null
+++ b/roles/ldapserver/templates/tls_settings.ldif.j2
@@ -0,0 +1,4 @@
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcSecurity
+olcSecurity: tls=1
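Review bot: The `dn: olcDatabase={1}hdb,cn=config` line hard-codes a database that neither vars file in this patch defines: Debian_8.0_x86_64.yml sets `dbname: olcDatabase={1}mdb` and CentOS_6.5_x86_64.yml sets `dbname: olcDatabase={2}bdb`, so applying this LDIF would fail on both platforms and the `tls=1` requirement would never take effect. Use the variable as manager_ldif2.j2 does: `dn: {{ dbname }},cn=config`. No task in this diff renders or applies this template, so it may not be wired up yet.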
diff --git a/roles/ldapserver/vars/CentOS_6.5_x86_64.yml b/roles/ldapserver/vars/CentOS_6.5_x86_64.yml
index f7898718..ae41ae86 100644
--- a/roles/ldapserver/vars/CentOS_6.5_x86_64.yml
+++ b/roles/ldapserver/vars/CentOS_6.5_x86_64.yml
@@ -3,3 +3,6 @@
   - openldap-servers
   - openldap-clients
   - openssl
+ dbname: olcDatabase={2}bdb
+ ldapuser: ldap
+ ldapgroup: ldap
diff --git a/roles/ldapserver/vars/Debian_8.0_x86_64.yml b/roles/ldapserver/vars/Debian_8.0_x86_64.yml
new file mode 100644
index 00000000..feca8e7d
--- /dev/null
+++ b/roles/ldapserver/vars/Debian_8.0_x86_64.yml
@@ -0,0 +1,9 @@
+---
+ system_packages:
+  - slapd
+  - ldap-utils
+  - openssl
+
+ ldapuser: openldap
+ ldapgroup: openldap
+ dbname: olcDatabase={1}mdb
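Review bot: This file name only matches the `{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml` include in roles/ldapserver/tasks/main.yml on a Jessie host that reports exactly 8.0, because `ansible_distribution_version` carries the point release (8.1, 8.2, …) on updated systems, at which point `include_vars` fails with a missing file. Consider keying the include on `ansible_distribution_major_version` (if the Ansible version in use provides it) and naming this file `Debian_8_x86_64.yml` to match; the CentOS_6.5 file has the same exposure.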
diff --git a/vars/karaageVars.yml b/vars/karaageVars.yml
index 74df5062..fd417ba8 100644
--- a/vars/karaageVars.yml
+++ b/vars/karaageVars.yml
@@ -13,7 +13,6 @@ ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
 ldapBase: "dc=monash,dc=edu,dc=au"
 ldapURI: "{% for host in groups['ldap-server'] %}ldaps://{{ hostvars[host]['ansible_fqdn'] }}{% endfor %}"
 smtp_smarthost: "{{ ansible_hostname }}"
-x509_ca_server: "vm-118-138-240-183.erc.monash.edu.au"
 ldapManagerPassword: "imldap"
 ldapBindDNPassword: "imbinddn"
 domain: "erc.monash.edu.au"
@@ -24,4 +23,4 @@ x509_cert_file: "/etc/ssl/certs/server.crt"
 x509_cacert_file: "/etc/ssl/certs/ca.crt"
 x509_csr_args: ""
 x509_sign_args: "{{ x509_csr_args }}"
-x509_common_name: "{{ ansible_fqdn }}"
+x509_common_name: "{{ inventory_hostname }}"
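Review bot: `x509_common_name: "{{ inventory_hostname }}"` makes the certificate CN whatever the inventory calls the host, while `ldapURI` a few lines above and the client templates address the server by `ansible_fqdn`; if the inventory uses short names or IP addresses the CN will not match the name clients connect to and TLS hostname verification will fail. If the change is meant to let the inventory control the CN, document that expectation here, e.g. `# inventory_hostname must be the FQDN clients use to reach the host (it becomes the certificate CN)`; otherwise keep `"{{ ansible_fqdn }}"`.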
-- 
GitLab