diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 2c89f31ccb64b159b0d7503596abe15ee056c46e..dbb071afbd11710c81c84b1f0bdc22835ed7071a 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -251,7 +251,7 @@ The role implements the following: can reach them provided they have appropriate read/write rights on the file itself, and provided they know the exact path of the file. * Deploys CA certificate files, normally used for truststore purposes, to - ``/etc/ssl/certs/``. + ``/usr/local/share/ca-certificates/``. * Installs ``ferm`` (for iptables management), configuring a basic firewall which allows ICMP echo requests (PING), incoming connection on TCP port 22 (SSH), and also introduces rate-limitting for incoming ICMP echo request @@ -328,9 +328,10 @@ Parameters of the package. **ca_certificates** (list, optional, ``{}``) - Dictionary containing the CA certificates to deploy. Keys are filenames to be - used when placing a certificate file in directory ``/etc/ssl/certs/``, while - values are corresponding content to be placed in the file. + Dictionary containing the CA certificates to deploy. Keys are base filenames + (**without extension**) to be used when placing a certificate file in + directory ``/usr/local/share/ca-certificates/``, while values are + corresponding content to be placed in the file. **incoming_connection_limit** (string, optional, ``3/second``) Rate at which the incoming ICMP echo-request packages and new TCP connections @@ -392,7 +393,7 @@ packages on all servers: - debconf-utils ca_certificates: - "truststore.pem": "{{ lookup('file', '../certs/truststore.pem') }}" + "truststore": "{{ lookup('file', '../certs/truststore.pem') }}" incoming_connection_limit: 2/second diff --git a/docs/usage.rst b/docs/usage.rst index 8dc0e1893806f5d7c3f4d0be3ad5b6d4c9d0e3a2..7288917f6dfbe111994e2729711b36abc9f2dbe6 100644 --- a/docs/usage.rst +++ b/docs/usage.rst 
@@ -114,7 +114,7 @@ packages, and to prepare the environment a bit on the Ansible server: 1. Install the necessary system packages (using the ``root`` account):: - apt-get install -y virtualenv virtualenvwrapper git python-pip python-dev + apt-get install -y virtualenv virtualenvwrapper git python-pip python-dev libffi-dev libssl-dev 2. Set-up the virtual environment (using the ``ansible`` account): @@ -128,7 +128,7 @@ packages, and to prepare the environment a bit on the Ansible server: mkdir ~/mysite/ mkvirtualenv -a ~/mysite/ mysite - pip install -U pip + pip install -U pip setuptools pip install 'ansible~=2.1' @@ -607,7 +607,7 @@ one up first. This includes both the LDAP *server* and *client* configuration. tls_private_key_dir: "~/mysite/tls/" tls_certificate_dir: "~/mysite/tls/" ca_certificates: - "truststore.pem": "{{ lookup('file', '~/mysite/tls/truststore.pem') }}" + "truststore": "{{ lookup('file', '~/mysite/tls/truststore.pem') }}" 8. And now as finishing touch, simply run the playbooks again:: @@ -710,21 +710,23 @@ role. # Create first a couple of user entries. Don't forget to set the # "mail" attribute for them. - dn: uid=johndoe,ou=people,dc=example,dc=com - objectClass: - - inetOrgPerson - uid: johndoe - cn: John Doe - sn: Doe - userPassword: johndoe - mail: john.doe@example.com + attributes: + objectClass: + - inetOrgPerson + uid: johndoe + cn: John Doe + sn: Doe + userPassword: johndoe + mail: john.doe@example.com - dn: uid=janedoe,ou=people,dc=example,dc=com - objectClass: - - inetOrgPerson - uid: janedoe - cn: Jane Doe - sn: Doe - userPassword: janedoe - mail: jane.doe@example.com + attributes: + objectClass: + - inetOrgPerson + uid: janedoe + cn: Jane Doe + sn: Doe + userPassword: janedoe + mail: jane.doe@example.com # Now, let's add the two users to the mail group. Observe that we use # the "state: append" option. This is a bit of a cheat since the 
@@ -733,22 +735,25 @@ role. # the group, and instead add the attributes to it (in this case we add # the two users from above). - dn: cn=mail,ou=groups,dc=example,dc=com - uniqueMember: - - uid=johndoe,ou=people,dc=example,dc=com - - uid=janedoe,ou=people,dc=example,dc=com state: append + attributes: + uniqueMember: + - uid=johndoe,ou=people,dc=example,dc=com + - uid=janedoe,ou=people,dc=example,dc=com # Let's register our domain in LDAP directory. - dn: dc=example.com,ou=domains,ou=mail,ou=services,dc=example,dc=com - objectClass: dNSDomain - dc: "example.com" + attributes: + objectClass: dNSDomain + dc: "example.com" # Finally, for the lolz, let's also add the standard postmaster alias # for our domain. - dn: cn=postmaster@example.com,ou=aliases,ou=mail,ou=services,dc=example,dc=com - objectClass: nisMailAlias - cn: postmaster@example.com - rfc822MailMember: john.doe@example.com + attributes: + objectClass: nisMailAlias + cn: postmaster@example.com + rfc822MailMember: john.doe@example.com 5. Once again, before we apply the configuration, we must make sure the necessary TLS private keys and certificates are available. In this particular @@ -997,10 +1002,11 @@ role. # the group, and instead add the attributes to it (in this case we add # the two users). - dn: cn=xmpp,ou=groups,dc=example,dc=com - uniqueMember: - - uid=johndoe,ou=people,dc=example,dc=com - - uid=janedoe,ou=people,dc=example,dc=com state: append + attributes: + uniqueMember: + - uid=johndoe,ou=people,dc=example,dc=com + - uid=janedoe,ou=people,dc=example,dc=com 5. Do you know what comes next? Yes! Create some more TLS private keys and certificates, this time for our XMPP server ;) 
@@ -1276,6 +1282,7 @@ Before we start, here is a couple of useful pointers regarding the # uid/gid usage, this is useful. Take note that below value is used # for both the dedicated uid and gid for application user. uid: 2000 + admin_uid: 3000 # And this role sets up a new dedicated database for our web # application. - role: database @@ -1521,12 +1528,14 @@ on the safe side: # Again, not mandatory, but it is good to have some sort of policy # for assigning UIDs. uid: 2001 + admin_uid: 3001 # These are additional packages that should be installed in the # virtual environment. virtualenv_packages: - - pillow - - wiki - - MySQL-python + - pillow + - django==1.8.13 + - wiki + - MySQL-python # This is the name of the WSGI application to # serve. wiki_example_com.wsgi will be the Python "module" that is # accesed, while application is the object instantiated within it (the @@ -2033,6 +2042,11 @@ Genie*. So let's fix that one. file. Take into account that you can use pretty much any globbing pattern supported by Duplicity. + .. warning:: + + Make sure the addition is properly aligned in the yaml file to previous + role dependency definitions. + :file:`~/mysite/roles/tbg/meta/main.yml` :: diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2 index 3ac8ccdd36ba5a0d4a07a748c35a0edf121ad7a3..3b2ee72c8f991afc5be0fa1e453881da406798b9 100644 --- a/roles/mail_forwarder/templates/main.cf.j2 +++ b/roles/mail_forwarder/templates/main.cf.j2 @@ -24,7 +24,7 @@ smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level=verify -smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore +smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. 
diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml index f07efee641c1354efe591ee4bd668a64624b831a..874b64cc4cc013cb950fe776d58bfa35e3f162f5 100644 --- a/testsite/group_vars/all.yml +++ b/testsite/group_vars/all.yml @@ -41,7 +41,7 @@ common_packages: - unzip ca_certificates: - "ca.pem": "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" + "ca": "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" incoming_connection_limit: 2/second
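Review bot: in the docs/rolereference.rst hunk at -251, the role description should say what moving the files to ``/usr/local/share/ca-certificates/`` implies: that directory is the input of ``update-ca-certificates``, so every certificate deployed there is added to the system-wide bundle (``/etc/ssl/certs/ca-certificates.crt``) and the hash-symlink tree, i.e. it becomes a trust anchor for every TLS client on the host, not just a file one service points at. State that the role runs ``update-ca-certificates`` after deploying, and that the processed file then appears as ``/etc/ssl/certs/<name>.pem`` (the path the main.cf.j2 hunk relies on), so operators only put certificates here that should be trusted host-wide. While touching this paragraph, "rate-limitting" in the trailing context should read "rate-limiting".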
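Review bot: in the docs/rolereference.rst hunk at -328, the parameter header still says ``(list, optional, ``{}``)`` while the default and the new text both describe a dictionary; change it to ``dict``. The "(**without extension**)" wording should also say which extension the role appends when writing the file, since ``update-ca-certificates`` only picks up files ending in ``.crt``; as written a reader cannot tell whether ``"truststore"`` ends up as ``truststore``, ``truststore.crt`` or ``truststore.pem`` on disk. Suggested text: "Keys are base filenames (without extension; the role writes ``<key>.crt`` into ``/usr/local/share/ca-certificates/`` and the certificate is then available as ``/etc/ssl/certs/<key>.pem``)".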
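Review bot: in the docs/usage.rst hunk at -710, the move to a nested ``attributes:`` block is applied consistently, but the entries keep ``userPassword: johndoe`` and ``userPassword: janedoe`` as cleartext values equal to the ``uid``. Tutorial snippets get copied verbatim; either mark them as throw-away placeholders in the comment above the entries ("replace these before using the directory for anything real") or show a hashed value (``{SSHA}...``) so the example does not teach storing passwords in the clear in LDAP.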
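Review bot: in the docs/usage.rst hunk at -1276, ``admin_uid: 3000`` is added right under a comment that only explains ``uid`` ("below value is used for both the dedicated uid and gid for application user"). Add a comment line saying which account ``admin_uid`` is for and that it has to stay distinct from the application ``uid``/``gid`` values and from existing system accounts, since the surrounding text is presenting this as the site's UID allocation policy and a reader otherwise has no idea why 3000 was chosen.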
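Review bot: in the docs/usage.rst hunk at -1521, ``django==1.8.13`` is an exact pin slipped into a list that is otherwise unpinned, with no comment. Say why it is needed (presumably ``wiki`` needs a 1.8 release) and make it a range such as ``django~=1.8.13`` or note that the pin must be bumped when Django publishes 1.8.x security releases, otherwise the example freezes readers on a version that will stop receiving fixes. The same comment request as for ``admin_uid: 3000`` applies to ``admin_uid: 3001`` here.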
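Review bot: in the docs/usage.rst hunk at -2033, the warning text reads awkwardly; suggest "Make sure the addition is indented to the same level as the existing role dependency definitions in the YAML file." A more useful hint than a warning about alignment is to tell the reader how to catch a mistake, e.g. to run ``ansible-playbook --syntax-check`` on the playbook before applying it, since a mis-indented ``meta/main.yml`` fails only at run time.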
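Review bot: in the roles/mail_forwarder/templates/main.cf.j2 hunk, ``smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem`` now points at the symlink that ``update-ca-certificates`` creates from ``smtp_relay_truststore.crt``. With ``smtp_tls_security_level=verify`` two lines above, Postfix fails closed (no relay delivery) if that file does not exist yet, so the task that deploys the truststore must run ``update-ca-certificates`` before Postfix is (re)started, and a handler ordering check belongs in the role. Also note the side effect: the relay CA is now trusted by every TLS client on the host, not only by Postfix; if that is not intended, keeping the relay truststore as a plain file outside the system bundle and pointing ``smtp_tls_CAfile`` at it is the tighter option.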