[chef] small business server via chef - true way


  • From: Vladimir Skubriev < >
  • To:
  • Subject: [chef] small business server via chef - true way
  • Date: Tue, 07 May 2013 17:20:22 +0400

Earlier we used the Zentyal small business server. But because it is very buggy, we want to learn Chef and use it to automate setting up servers and workstations.

For example, this software deleted one half of our users in the LDAP catalog after a minor update, and after this we decided that Chef is very robust.

Now we want to set up the following services:

1. OpenLDAP + Kerberos kadmind and KDC on the same server, + sudo-ldap
2. DNS: BIND with 2 views, for intranet and internet.
3. DHCP with dynamic updates of BIND zones.
4. Firewall: iptables with forwarding rules to expose our local network services (for example Redmine, internal FTPS and others) to the world.
5. Samba share with LDAP user lookup and Kerberos negotiate authentication.
6. NFS - no problems, that's very easy I think.
7. NTP clients and server - no problems, that's very easy I think.
8. OpenVPN server with server-bridge configuration.

And maybe more in the future, of course.

Due to these server roles I must write recipes for each component. Sometimes I use community cookbooks, but sometimes I can't use community cookbooks because we use a very specific configuration of some services.

For example OpenLDAP. The OpenLDAP community cookbook uses obsolete components, for example libnss-ldap instead of libnss-ldapd. And many other things do not satisfy our requirements.

What is the best practice for this case: "the community cookbook does not satisfy requirements"? One method known to me is using chef-edit; maybe there are other methods?

Suppose I write my own recipes and cookbooks to set up openldap+kerberos+sudoldap. What's next?

Suppose I want to change my configuration, the LDAP schema, add a user, etc. Must I consider this at the planning phase? I think there will be a lot of work due to this.

I call these primary components of an IT infrastructure the "system kernel".

The system kernel for our network contains the following components: openldap, sudo-ldap modifications, kerberos kdc + kadmind, dns, dhcp.

Maybe this is a road to nowhere. Maybe the system kernel should not be configured via Chef because it will be a lot of work?

Maybe use Chef only with simple components: ntp, apt, nfs?

Ideally we want to keep all data in one place. I thought that this would happen by using Chef in all of the infrastructure. But now I am starting to count the work time to release this, and I'm starting to get nervous.

Because I cannot understand how to put it all together correctly. I have been learning Chef for only one and a half weeks. I think that it is impossible for one person to create a Zentyal via Chef only.

While on the other hand I understand that there is nothing complicated. But the question is that I am asked for specific deadlines.

Next I want to say that over the last week I have manually written recipes to bring up openldap with sudo-ldap and kerberos kdc, kadmind.

I don't understand where I can keep users with passwords. Leaders did not want me to store passwords in cleartext. Of course this is not the true way. But Kerberos needs this when creating principals.

I don't know about LDAP passwords. Maybe you can write password hashes to the database. With Kerberos this is impossible. So I do not get to use Kerberos if leaders don't want to store cleartext passwords, despite Chef data bag encryption.

Next I have a question about ideas for the configuration of bind + dhcpd + firewall: data bags vs attributes vs a MySQL database. What do you think about this?

The data necessary for this is: computer names, MAC addresses, IP addresses, etc.

And what must the goal of the recipes be for me?

Configuring everything from scratch, with users, computers and other options from the "database", on an empty server if the current server dies?

Is this the true way? It may be easier to move the disks to new (reserve) hardware and fix some configs?

Of course in the future I will have more questions.

I think that this goal is very common in many organizations in the world. I would like to hear your opinion about my work and goals.

In the long term, if it works, I would create a separate repository for the project, so that everyone could use my achievements and participate in the creation of a "Chef small business server project".

Unless of course you dissuade me.

Thank you very much. Sorry for my bad English.

--
Best regards,

CVision Lab System Administrator
Vladimir Skubriev
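An added example for the "data bags vs attributes vs MySQL" question above; it is not part of Vladimir's message or of any Chef cookbook. It keeps the host data (name, MAC, IP) in one list, the way a recipe would read a "hosts" data bag, and renders both the dhcpd host stanzas and the BIND A records from it, validating each item first so a bad or duplicated entry fails the run instead of producing a broken lease file or zone. The host entries are constructed for illustration and the code is plain Ruby so it runs outside Chef.

```ruby
# Added example, not from the original message: render dhcpd host stanzas and
# BIND A records from one list of hosts, the way a Chef recipe would read a
# "hosts" data bag and feed both templates. Plain Ruby so it runs outside Chef.
require 'ipaddr'

MAC_RE   = /\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/
LABEL_RE = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/

# Constructed stand-in for `data_bag_item('hosts', ...)` results.
HOSTS = [
  { 'id' => 'ws01',    'mac' => '52:54:00:12:34:56', 'ip' => '10.0.0.21' },
  { 'id' => 'redmine', 'mac' => '52:54:00:AB:CD:EF', 'ip' => '10.0.0.30' },
].freeze

# Reject anything that could break, or be injected into, a generated config:
# hostnames are limited to DNS label characters, MACs and IPs must parse.
def validate_host(item)
  name = item['id'].to_s
  raise ArgumentError, "bad hostname #{name.inspect}" unless name =~ LABEL_RE
  mac = item['mac'].to_s.downcase
  raise ArgumentError, "bad MAC for #{name}" unless mac =~ MAC_RE
  ip = IPAddr.new(item['ip'].to_s)   # raises on malformed addresses
  raise ArgumentError, "IPv4 only for #{name}" unless ip.ipv4?
  { name: name, mac: mac, ip: ip.to_s }
end

# Validate every item and refuse duplicate names, MACs or IPs, which would
# otherwise silently produce conflicting leases or records.
def checked_hosts(items)
  hosts = items.map { |i| validate_host(i) }
  %i[name mac ip].each do |key|
    dups = hosts.group_by { |h| h[key] }.select { |_, v| v.size > 1 }.keys
    raise ArgumentError, "duplicate #{key}: #{dups.join(', ')}" unless dups.empty?
  end
  hosts
end

# dhcpd.conf fragment: one fixed-address host block per entry.
def dhcpd_hosts(items)
  checked_hosts(items).map do |h|
    "host #{h[:name]} {\n  hardware ethernet #{h[:mac]};\n  fixed-address #{h[:ip]};\n}"
  end.join("\n")
end

# Zone-file fragment for the intranet view: one A record per entry.
def zone_records(items, domain)
  checked_hosts(items).map { |h| "#{h[:name]}.#{domain}. IN A #{h[:ip]}" }.join("\n")
end
```

In a cookbook the two functions would become the template variables for the dhcpd.conf and zone templates, so a single data bag edit changes both services on the next chef-client run.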
