LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
433 Commits
12 Branches
967 KiB
Tree: 42212333a4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '42212333a4'
${ noResults }
lilik_playbook/roles/ldap/tasks/2_renew_rootpw.yaml

37 lines
867 B
Raw Normal View History

roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
roles/ldap: typos in configuration - `hide_log` was used instead of `no_log`. - password was set to literal `new_passwd.passwd` instead of the variable value.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: typos in configuration - `hide_log` was used instead of `no_log`. - password was set to literal `new_passwd.passwd` instead of the variable value.
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
safer password handling in ldap and nextcloud
4 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
roles/ldap: super-refactoring and TLS support. - Tasks splitted in subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.
5 years ago
 
  1. ---

  2. - name: 'renewing admin password - generation'

  3.   gen_passwd: 'length=32'

  4.   register: new_passwd

  5.   no_log: true

  6. 

  7. - name: 'renewing admin password - set fact'

  8.   set_fact:

  9.     ldap_passwd: '{{ new_passwd.passwd }}'

  10.   no_log: true

  11. 

  12. - name: 'renewing admin password - hashing'

  13.   shell: >

  14.     slappasswd

  15.     -o module-load=pw-sha2

  16.     -h "{SSHA512}"

  17.     -s {{ ldap_passwd | quote }}

  18.   register: new_passwd_hash

  19.   no_log: true

  20. 

  21. - name: 'renewing admin password - setting RootPW'

  22.   ldap_attr:

  23.     dn: 'olcDatabase={1}mdb,cn=config'

  24.     name: 'olcRootPW'

  25.     values: >-

  26.       {{ new_passwd_hash.stdout }}

  27.     state: 'exact'

  28.   diff: false

  29.   no_log: true

  30. 

  31. - name: 'renewing admin password - calling ldappasswd'

  32.   ldap_passwd:

  33.     dn: 'cn=admin,{{ ldap_basedn }}'

  34.     passwd: '{{ ldap_passwd }}'

  35.     bind_dn: 'cn=admin,{{ ldap_basedn }}'

  36.     bind_pw: '{{ ldap_passwd }}'

  37. ...