LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
327 Commits
12 Branches
967 KiB
Tree: 0f75220c72
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0f75220c72'
${ noResults }
lilik_playbook/roles/ldap/README.md

68 lines
2.1 KiB
Raw Normal View History

Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
 
  1. # Role: ldap

  2. 

  3. Set-up a LDAP server
  4. 

  5. ## Configuration variables

  6. 

  7. | Name                   | Description                                                 |
  8. |------------------------|-------------------------------------------------------------|
  9. | `ldap_domain`          | Dot-form domain name. [`$domain`]                           |
  10. | `ldap_organization`*   | Organization (i.e.: `'LILiK'`).                             |
  11. | `x509_subject_prefix`* | X.509 TLS Cert Subject (i.e: `'/ST=IT/L=Firenze/O=LILiK'`). |
  12. | `x509_ldap_suffix`*    | The same in LDAP form (i.e: `'o=LILiK,l=Firenze/st=IT'`).   |
  13. | `server_fqdn`*         | Required for TLS certificate. [`'$hostname.dmz.$domain'`]   |
  14. | `virtual_domains`      | Required with `check_tree`: list of vds to init.            |
  15. | `ldap_tls_enabled`     | Enables TLS, requires a *ca_manager*. [`true`]              |
  16. | `renew_rootdn_pw`      | Create a new random password for RooDN. [`true`]            |
  17. | `check_tree`           | Deploy initial tree configuration. [`true`]                 |
  18. 

  19. 

  20. **Note:** If `ldap_tls_enabled` the *ca_manager* host should be configured
  21. and TLS Root CA should be set in vars.
  22. 

  23. ## Minimal example

  24. 

  25. group_vars/all.yaml:
  26. 

  27. 	---
  28. 	domain: 'example.com'
  29. 	x509_subject_prefix: '/C=IT/L=Firenze/O=LILiK'
  30. 	x509_ldap_suffix: 'o=LILiK,l=Firenze,st=IT'
  31. 	user_ca_keys:
  32. 	  - "ssh-ed25519 ################### CA"
  33. 	tls_root_ca: |
  34. 	  -----BEGIN CERTIFICATE-----
  35. 	  ###########################
  36. 	  -----END CERTIFICATE-----
  37. 

  38. hosts:
  39. 

  40. 	vm_gateay             ansible_host=10.0.2.1   ansible_user=root
  41. 	authorities_request   ansible_host=10.0.1.8   ansible_user=request
  42. 	host1                 ansible_host=10.0.1.1   ansible_user=root
  43. 	ldap1              ansible_host=10.0.2.2   ansible_user=root    ansible_lxc_host=host1
  44. 

  45. playbook.yaml:
  46. 

  47. 	---
  48. 	# Configure LDAP on a Physical Host
  49. 	- hosts: 'host'
  50.       roles:
  51. 	    - role: ldap
  52. 		  #ldap_domain: '{{ domain }}'
  53. 		  #server_fqdn: '{{ ansible_hostname }}.dmz.{{ domain }}'
  54. 		  ldap_organization: 'Example'
  55. 		  virtual_domains:
  56. 		    - 'example.com'
  57. 

  58. Command line:
  59. 

  60. 	ansible-playbook -i hosts playbook.yaml
  61. 

  62. 

  63. ## Requirements

  64. 

  65. On Ansible controller:
  66. 

  67. - tasks/ca-dialog.yaml
  68.