From bb862c8405f9979125961a2408ec01add8503128 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 15 Apr 2016 20:33:23 +0200
Subject: [PATCH] library/roles/openldap-server: Support for ssl when letsencrypt is enabled using the letsencrypt-acme-tool role.

---
 letsencrypt-acmetool-client/defaults/main.yml | 1 +
 .../templates/letsencrypt-default.j2 | 1 +
 openldap-server/defaults/main.yml | 4 +++
 openldap-server/files/olcSSL.ldif | 13 ++++++++
 .../files/openldap-letsencrypt-acme.sh | 32 +++++++++++++++++++
 openldap-server/handlers/main.yml | 5 +++
 openldap-server/tasks/main.yml | 3 ++
 .../tasks/openldap-letsencrypt.yml | 22 +++++++++++++
 .../tasks/openldap_initializazion.yml | 5 ++-
 9 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 openldap-server/files/olcSSL.ldif
 create mode 100644 openldap-server/files/openldap-letsencrypt-acme.sh
 create mode 100644 openldap-server/tasks/openldap-letsencrypt.yml

diff --git a/letsencrypt-acmetool-client/defaults/main.yml b/letsencrypt-acmetool-client/defaults/main.yml
index 9614a13..80d5cb0 100644
--- a/letsencrypt-acmetool-client/defaults/main.yml
+++ b/letsencrypt-acmetool-client/defaults/main.yml
@@ -5,6 +5,7 @@ letsencrypt_acme_debian_repo: 'deb http://ppa.launchpad.net/hlandau/rhea/ubuntu
 letsencrypt_acme_debian_repo_key: '9862409EF124EC763B84972FF5AC9651EDB58DFA'
 letsencrypt_acme_user: acme
 letsencrypt_acme_user_home: /var/lib/acme
+letsencrypt_acme_log_dir: /var/log/acme
 letsencrypt_acme_command: acmetool
 letsencrypt_acme_command_opts: '--batch --xlog.syslog --xlog.severity=info'
 
diff --git a/letsencrypt-acmetool-client/templates/letsencrypt-default.j2 b/letsencrypt-acmetool-client/templates/letsencrypt-default.j2
index beeb111..b8ba756 100644
--- a/letsencrypt-acmetool-client/templates/letsencrypt-default.j2
+++ b/letsencrypt-acmetool-client/templates/letsencrypt-default.j2
@@ -1,3 +1,4 @@
 LE_EMAIL={{ letsencrypt_acme_email }}
 LE_SERVICES_SCRIPT_DIR={{ letsencrypt_acme_services_scripts_dir }}
 LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}
+LE_LOG_DIR={{ letsencrypt_acme_log_dir }}
diff --git a/openldap-server/defaults/main.yml b/openldap-server/defaults/main.yml
index 6c4e251..2f5a2fd 100644
--- a/openldap-server/defaults/main.yml
+++ b/openldap-server/defaults/main.yml
@@ -22,6 +22,10 @@ openldap_db_dir: /var/lib/ldap
 # - dyngroup.ldif
 openldap_cleaner_cron_job: False
 
+openldap_letsencrypt_managed: False
+
+openldap_letsencrypt_ldif:
+ - olcSSL.ldif
 
 # Set slapd_admin_pwd in a vault file
 slapd_debconf_params:
diff --git a/openldap-server/files/olcSSL.ldif b/openldap-server/files/olcSSL.ldif
new file mode 100644
index 0000000..774febc
--- /dev/null
+++ b/openldap-server/files/olcSSL.ldif
@@ -0,0 +1,13 @@
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/pki/openldap/chain.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/pki/openldap/privkey.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/pki/openldap/cert.pem
+-
+add: olcTLSCACertificatePath
+olcTLSCACertificatePath: /etc/ssl/certs
+
diff --git a/openldap-server/files/openldap-letsencrypt-acme.sh b/openldap-server/files/openldap-letsencrypt-acme.sh
new file mode 100644
index 0000000..05b4fe6
--- /dev/null
+++ b/openldap-server/files/openldap-letsencrypt-acme.sh
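Review bot: `openldap_letsencrypt_ldif` is declared in this hunk but nothing else in the patch reads it — the task that loads the LDIF hard-codes `olcSSL.ldif` — so the list is dead configuration that implies a loop which does not exist; either drive that task with `with_items: '{{ openldap_letsencrypt_ldif }}'` or drop the variable. As a point of style, the new flag is spelled `False` like the existing `openldap_cleaner_cron_job`, which Ansible accepts but yamllint's truthy rule and YAML 1.2 reject; if the file is ever normalised, `openldap_letsencrypt_managed: false` is the portable form.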
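Review bot: The last `add:` block, `olcTLSCACertificatePath: /etc/ssl/certs`, is redundant with the `olcTLSCACertificateFile` set at the top, and on a slapd linked against GnuTLS — which the Debian/Ubuntu layout used elsewhere in this patch (`/etc/ldap`, `service slapd`) suggests — slapd-config documents the attribute as unsupported and, in my recollection, slapd only logs a warning and ignores it; dropping that block avoids a misleading setting. The LDIF also enables TLS without constraining it: adding `olcTLSProtocolMin: 3.3` and an `olcTLSCipherSuite` suitable for the TLS library in use stops slapd from offering whatever the library defaults allow. Note as well that the three paths point into `/etc/pki/openldap`, which only exists once the acmetool hook has run; in my experience slapd checks the files when the modify is applied, so if the `ldapmodify` task runs first it fails with error 80, and the task's `;` before `touch` then hides that failure.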
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
+LE_LOG_DIR=/var/log/acme
+OPENLDAP_CERTDIR=/etc/pki/openldap
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/openldap.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+ . /etc/default/letsencrypt
+else
+ echo "No letsencrypt default file" >> $LE_LOG_DIR/openldap.log
+fi
+
+mkdir -p $OPENLDAP_CERTDIR
+chown openldap:openldap $OPENLDAP_CERTDIR
+chmod 500 $OPENLDAP_CERTDIR
+echo "Copying the new certificate files" >> $LE_LOG_DIR/openldap.log
+cp $LE_CERTS_DIR/cert $OPENLDAP_CERTDIR/cert.pem
+cp $LE_CERTS_DIR/chain $OPENLDAP_CERTDIR/chain.pem
+cp $LE_CERTS_DIR/privkey $OPENLDAP_CERTDIR/privkey.pem
+chown openldap $OPENLDAP_CERTDIR/privkey.pem
+chmod 400 $OPENLDAP_CERTDIR/privkey.pem
+
+echo "Restart the openldap service" >> $LE_LOG_DIR/openldap.log
+service slapd restart >/dev/null 2>&1
+echo "Done." >> $LE_LOG_DIR/openldap.log
+
+exit 0
diff --git a/openldap-server/handlers/main.yml b/openldap-server/handlers/main.yml
index e69de29..70a74d5 100644
--- a/openldap-server/handlers/main.yml
+++ b/openldap-server/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart openldap
+ service: name=slapd state=restarted
+ when: openldap_service_enabled
+
diff --git a/openldap-server/tasks/main.yml b/openldap-server/tasks/main.yml
index f2a15d3..9985733 100644
--- a/openldap-server/tasks/main.yml
+++ b/openldap-server/tasks/main.yml
@@ -4,5 +4,8 @@
 when: openldap_service_enabled
 - include: openldap_maintenance.yml
 when: openldap_service_enabled
+- include: openldap-letsencrypt.yml
+ when: openldap_letsencrypt_managed
+
 
 
diff --git a/openldap-server/tasks/openldap-letsencrypt.yml b/openldap-server/tasks/openldap-letsencrypt.yml
new file mode 100644
index 0000000..c224bbc
--- /dev/null
+++ b/openldap-server/tasks/openldap-letsencrypt.yml
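Review bot: The three `cp` lines and `service slapd restart` run unconditionally with no `set -e`, so if any source under `$LE_CERTS_DIR` is missing or unreadable (for instance when `$HOSTNAME` does not match the acmetool `live/` directory name) the script leaves `/etc/pki/openldap` with a stale or mismatched cert/key pair and restarts slapd on it anyway; every copy should be verified and the script should exit before the restart. The private key is also written with the default umask and only afterwards `chown`/`chmod`ed, which is better done atomically with `install -o openldap -g openldap -m 0400 …` (the mode 500 directory narrows the window, but should not be the only protection). If I recall acmetool's hook contract correctly, every hook is invoked for every event with the event name as `$1` (`live-updated`, `challenge-http-start`, …), so without `[ "$1" = "live-updated" ] || exit 0` near the top slapd is restarted during challenge setup too — worth confirming against the acmetool version the role installs. Quoting the path variables while touching these lines costs nothing.
```shell
# … unchanged: defaults, log dir setup, sourcing /etc/default/letsencrypt, directory creation …
for f in cert chain privkey ; do
  if [ ! -r "$LE_CERTS_DIR/$f" ] ; then
    echo "Missing $LE_CERTS_DIR/$f, not touching slapd" >> "$LE_LOG_DIR/openldap.log"
    exit 1
  fi
done
install -m 0644 "$LE_CERTS_DIR/cert" "$OPENLDAP_CERTDIR/cert.pem" || exit 1
install -m 0644 "$LE_CERTS_DIR/chain" "$OPENLDAP_CERTDIR/chain.pem" || exit 1
install -o openldap -g openldap -m 0400 "$LE_CERTS_DIR/privkey" "$OPENLDAP_CERTDIR/privkey.pem" || exit 1
# … unchanged: restart log line, service slapd restart, "Done." and exit …
```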
@@ -0,0 +1,22 @@
+---
+- name: Install a script that fix the letsencrypt certificates for openldap and then reload the service
+ copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550
+ when:
+ - openldap_letsencrypt_managed
+ - letsencrypt_acme_install
+ tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]
+
+- name: Copy the SSL ldif on the ldap server
+ copy: src=olcSSL.ldif dest=/etc/ldap/olcSSL.ldif
+ when:
+ - openldap_letsencrypt_managed
+ - letsencrypt_acme_install
+ tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]
+
+- name: Enable the openldap ssl configuration
+ shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/olcSSL.ldif ; touch /etc/ldap/.olcSSL.ldif.installed
+ args:
+ creates: /etc/ldap/.olcSSL.ldif.installed
+ notify: Restart openldap
+ tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]
+
diff --git a/openldap-server/tasks/openldap_initializazion.yml b/openldap-server/tasks/openldap_initializazion.yml
index 30c3717..99f3180 100644
--- a/openldap-server/tasks/openldap_initializazion.yml
+++ b/openldap-server/tasks/openldap_initializazion.yml
@@ -29,11 +29,10 @@
 tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
 - name: Install some additional schemas
- shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed
+ shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
 args:
 creates: '/etc/ldap/schema/{{ item }}.installed'
- with_items: '{{ openldap_additional_schemas }}'
- when: openldap_additional_schemas is defined
+ with_items: '{{ openldap_additional_schemas | default([]) }}'
 tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
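Review bot: The first task installs the openldap hook as `{{ letsencrypt_acme_services_scripts_dir }}/haproxy`, which looks like a copy-paste leftover: it mislabels the script and will overwrite or be overwritten by a haproxy hook if that role ever runs on the same host, so the dest should be something like `{{ letsencrypt_acme_services_scripts_dir }}/openldap`. The same line sets `mode=4550`; the setuid bit on a shell script is ignored by the Linux kernel for interpreted files, so it grants nothing and only draws attention in privilege audits — `mode=0550` says what is meant. In the third task `ldapmodify … ; touch /etc/ldap/.olcSSL.ldif.installed` writes the `creates:` marker even when `ldapmodify` fails, so a failed TLS enable is never retried; use `&&` between the two commands, and give this task the same `when:` list as the first two, because the include is conditioned on `openldap_letsencrypt_managed` alone and the task would otherwise run (and fail) when `letsencrypt_acme_install` is false and the LDIF was never copied.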
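Review bot: The `touch` target is changed to the hidden `/etc/ldap/schema/.{{ item }}.installed`, but the context line `creates: '/etc/ldap/schema/{{ item }}.installed'` still names the unhidden file, so the marker written is never the one checked: `ldapadd` runs again on every play, its duplicate-schema error is hidden by the `;`, and the task reports changed each time. Either update the `creates:` path to `'/etc/ldap/schema/.{{ item }}.installed'` or revert the `touch` target, and consider `&&` so the marker is only created after a successful `ldapadd`. Hosts provisioned with the old marker name will also re-run this once after the rename unless the old marker is kept or migrated.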