diff --git a/.gitignore b/.gitignore index dd7abe41bf256b903153426dbd41d28895f1fe87..566c89dcce9150960ecda1ec9c38c30c75176ed7 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,5 @@ tmp/ docs/_build/ testsite/preseed_files/ -testsite/tls/ +testsite/tls/*.pem +testsite/tls/*.key diff --git a/docs/testsite.rst b/docs/testsite.rst index a9ddf29718e7345d91688a1534cfb52845f70132..1f87bd8fd1d648ddba4cc1c0b85cdc513b620e9d 100644 --- a/docs/testsite.rst +++ b/docs/testsite.rst @@ -29,6 +29,9 @@ bootstrap.yml (for bootstrapping fresh nodes) ldap.yml This playbook sets-up the LDAP servers. It is included in ``site.yml``. +mail.yml + This playbook sets-up the mail server. It is included in ``site.yml``. + preseed.yml This playbook sets-up the Debian preseed files. It is included in ``site.yml``. 
@@ -36,16 +39,46 @@ preseed.yml site.yml This playbook sets-up all servers, including preseed files on local host. +web.yml + This playbook sets-up the web server. It is included in ``site.yml``. + +xmpp.yml + This playbook sets-up the XMPP server. It is included in ``site.yml``. + In order to deploy the test site, the following steps would normally be taken: -1. Create TLS private keys (relative to top level directory): +1. If you do not wish to have the hassle of creating the private keys and + issuing certificates, run the following commands to get this done for you + automatically, and skip to step 5 (otherwise follow steps 2 through 4): + + .. code-block:: shell + + certtool --sec-param high --generate-privkey --outfile tls/example_ca.key + certtool --template tls/templates/example_ca.cfg --generate-self-signed --load-privkey tls/example_ca.key --outfile tls/example_ca.pem + cp tls/example_ca.pem tls/example_ca_chain.pem + for template in tls/templates/*.cfg; do + entity_basename="$(basename "$template" .cfg)" + [[ $entity_basename == example_ca ]] && continue + certtool --sec-param normal --generate-privkey --outfile "tls/$entity_basename.key" + certtool --generate-certificate \ + --load-ca-privkey "tls/example_ca.key" \ + --load-ca-certificate "tls/example_ca.pem" \ + --template "$template" \ + --load-privkey "tls/${entity_basename}.key" \ + --outfile "tls/${entity_basename}.pem" + done + +2. Create TLS private keys (relative to top level directory): - ``testsite/tls/mail.example.com_imap.key`` - ``testsite/tls/mail.example.com_smtp.key`` - ``testsite/tls/xmpp.example.com_xmpp.key`` - ``testsite/tls/ldap.example.com_ldap.key`` + - ``testsite/tls/web.example.com_https.key`` + - ``testsite/tls/phpfino.example.com_https.key`` + - ``testsite/tls/wsgi.example.com_https.key`` -2. Issue TLS certificates corresponding to the generated TLS private keys (make +3. 
Issue TLS certificates corresponding to the generated TLS private keys (make sure to use correct FQDN for DNS subject alternative name): - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should 
@@ -56,36 +89,44 @@ In order to deploy the test site, the following steps would normally be taken: be ``xmpp.example.com``) - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should be ``ldap.example.com``) - -3. Create ``PEM`` truststore file which contains all CA certificates that form + - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should + be ``web.example.com``) + - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should + be ``web.example.com``) + - ``testsite/tls/phpinffo.example.com_https.pem`` (subject alternative name + should be ``phpinfo.example.com``) + - ``testsite/tls/wsgi.example.com_https.pem`` (subject alternative name + should be ``wsgi.example.com``) + +4. Create ``PEM`` truststore file which contains all CA certificates that form CA chain for the issued end entity certificates from previous step at location ``testsite/tls/example_ca_chain.pem``. It is very important to include the CA chain used for LDAP server. -4. Generate the preseed files: +5. Generate the preseed files: .. code-block:: shell ansible-playbook playbooks/preseed.yml -5. Install all servers using the generated preseed files. +6. Install all servers using the generated preseed files. -6. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to +7. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to remove old entries if you are redoing the process). You can easily obtain all the necessary fingerprints with command: .. code-block:: shell - ssh-keyscan mail.example.com ldap.example.com xmpp.example.com + ssh-keyscan mail.example.com ldap.example.com xmpp.example.com web.example.com -7. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic +8. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic environment for Ansible runs on all servers: .. code-block:: shell ansible-playbook playbooks/bootstrap.yml -8. 
Finally, apply configuration on all servers: +9. Finally, apply configuration on all servers: .. code-block:: shell diff --git a/testsite/playbooks/roles/phpinfo/files/index.php b/testsite/playbooks/roles/phpinfo/files/index.php new file mode 100644 index 0000000000000000000000000000000000000000..6480abf34a54d3055b437766be872a13bcebdf7d --- /dev/null +++ b/testsite/playbooks/roles/phpinfo/files/index.php @@ -0,0 +1,5 @@ + \ No newline at end of file diff --git a/testsite/playbooks/roles/phpinfo/meta/main.yml b/testsite/playbooks/roles/phpinfo/meta/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..343d5c7a133c06be6976d2f7a732ff958de49243 --- /dev/null +++ b/testsite/playbooks/roles/phpinfo/meta/main.yml @@ -0,0 +1,11 @@ +--- + +dependencies: + - role: php_website + admin: admin + fqdn: phpinfo.example.com + php_rewrite_urls: + - ^(.*) /index.php + uid: 2000 + https_tls_key: "{{ inventory_dir }}/tls/phpinfo.example.com_https.key" + https_tls_certificate: "{{ inventory_dir }}/tls/phpinfo.example.com_https.pem" diff --git a/testsite/playbooks/roles/phpinfo/tasks/main.yml b/testsite/playbooks/roles/phpinfo/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..44bd5fbefc08cd1c645f79ba10fb9b35b3a3212f --- /dev/null +++ b/testsite/playbooks/roles/phpinfo/tasks/main.yml @@ -0,0 +1,9 @@ +--- + +- name: Create directory for hosting the application + file: dest="/var/www/phpinfo.example.com/htdocs/" state=directory + owner="admin" group="web-phpinfo_example_com" mode=2750 + +- name: Deploy the index.php + copy: src="index.php" dest="/var/www/phpinfo.example.com/htdocs/index.php" + owner="admin" group="web-phpinfo_example_com" mode=640 diff --git a/testsite/playbooks/roles/wsgihello/defaults/main.yml b/testsite/playbooks/roles/wsgihello/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..5d90c7502a52c10a4bd7999519aff7d5b8ee3248 --- /dev/null 
+++ b/testsite/playbooks/roles/wsgihello/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +#fqdn: wsgi.example.com \ No newline at end of file diff --git a/testsite/playbooks/roles/wsgihello/files/hello.wsgi b/testsite/playbooks/roles/wsgihello/files/hello.wsgi new file mode 100644 index 0000000000000000000000000000000000000000..307a0f246d6a171099bc08fee7c8cacdcd34692e --- /dev/null +++ b/testsite/playbooks/roles/wsgihello/files/hello.wsgi @@ -0,0 +1,11 @@ +#!/usr/bin/env python + +def application(environ, start_response): + status = '200 OK' + output = 'Hello, world one!' + + response_headers = [('Content-type', 'text/plain'), + ('Content-Length', str(len(output)))] + start_response(status, response_headers) + + return [output] diff --git a/testsite/playbooks/roles/wsgihello/meta/main.yml b/testsite/playbooks/roles/wsgihello/meta/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..ee933f31666387177625d3164d9b963446ad435c --- /dev/null +++ b/testsite/playbooks/roles/wsgihello/meta/main.yml @@ -0,0 +1,12 @@ +--- + +dependencies: + - role: wsgi_website + admin: admin + fqdn: wsgi.example.com + uid: 2001 + wsgi_application: wsgi:application + static_locations: + - /static/ + https_tls_key: "{{ inventory_dir }}/tls/wsgi.example.com_https.key" + https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.example.com_https.pem" diff --git a/testsite/playbooks/roles/wsgihello/tasks/main.yml b/testsite/playbooks/roles/wsgihello/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..8f31d0969c3e0cd50ddf9302108d4f706ad75600 --- /dev/null +++ b/testsite/playbooks/roles/wsgihello/tasks/main.yml 
@@ -0,0 +1,11 @@ +--- + +- name: Create directroy for storing code + file: dest="/var/www/wsgi.example.com/code/" state=directory + owner="admin" group="web-wsgi_example_com" mode=2750 + +- name: Deploy WSGI application + copy: src="hello.wsgi" dest="/var/www/wsgi.example.com/code/wsgi.py" + owner="admin" group="web-wsgi_example_com" mode=640 + notify: + - Restart website wsgi.example.com \ No newline at end of file diff --git a/testsite/playbooks/web.yml b/testsite/playbooks/web.yml index fb67dc715dd57bca1b97372688930d31c7248a95..97fa68b01166bbb17fe4a8601599a577a5dc96c5 100644 --- a/testsite/playbooks/web.yml +++ b/testsite/playbooks/web.yml @@ -7,4 +7,6 @@ - common - ldap_client - mail_forwarder - - web_server \ No newline at end of file + - web_server + - phpinfo + - wsgihello diff --git a/testsite/tls/templates/example_ca.cfg b/testsite/tls/templates/example_ca.cfg new file mode 100644 index 0000000000000000000000000000000000000000..4bc7f29ce772f7c4485f0d3bad1e41aa9575f283 --- /dev/null +++ b/testsite/tls/templates/example_ca.cfg @@ -0,0 +1,26 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = "SE" + +# The common name of the certificate owner. +cn = "Example Inc. Test Site CA" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 1825 + +# X.509 v3 extensions + +# Whether this is a CA certificate or not +ca + +# Whether this key will be used to sign other certificates. +cert_signing_key + +# Whether this key will be used to sign CRLs. +crl_signing_key diff --git a/testsite/tls/templates/ldap.example.com_ldap.cfg b/testsite/tls/templates/ldap.example.com_ldap.cfg new file mode 100644 index 0000000000000000000000000000000000000000..af86c584fb19cc7dd96f2ea847f8202a9d752ecc --- /dev/null +++ b/testsite/tls/templates/ldap.example.com_ldap.cfg 
@@ -0,0 +1,27 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = SE + +# The common name of the certificate owner. +cn = "Exampe Inc. LDAP Server" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 365 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "ldap.example.com" + +# Whether this certificate will be used for a TLS server +tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key diff --git a/testsite/tls/templates/mail.example.com_imap.cfg b/testsite/tls/templates/mail.example.com_imap.cfg new file mode 100644 index 0000000000000000000000000000000000000000..1fdb956d5fd74c5af3f143ab00bd9c2467b4d3a5 --- /dev/null +++ b/testsite/tls/templates/mail.example.com_imap.cfg @@ -0,0 +1,27 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = SE + +# The common name of the certificate owner. +cn = "Exampe Inc. IMAP Server" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 365 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "mail.example.com" + +# Whether this certificate will be used for a TLS server +tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key diff --git a/testsite/tls/templates/mail.example.com_smtp.cfg b/testsite/tls/templates/mail.example.com_smtp.cfg new file mode 100644 index 0000000000000000000000000000000000000000..5910ad13a5a88ef1383f89721d58913e38309a43 --- /dev/null +++ b/testsite/tls/templates/mail.example.com_smtp.cfg 
@@ -0,0 +1,27 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = SE + +# The common name of the certificate owner. +cn = "Exampe Inc. SMTP Server" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 365 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "mail.example.com" + +# Whether this certificate will be used for a TLS server +tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key diff --git a/testsite/tls/templates/phpinfo.example.com_https.cfg b/testsite/tls/templates/phpinfo.example.com_https.cfg new file mode 100644 index 0000000000000000000000000000000000000000..6815c7a1d1ae1432b000fd4c91587fb6fe4e040c --- /dev/null +++ b/testsite/tls/templates/phpinfo.example.com_https.cfg @@ -0,0 +1,27 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = SE + +# The common name of the certificate owner. +cn = "Exampe Inc. PHP Info Server" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 365 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "phpinfo.example.com" + +# Whether this certificate will be used for a TLS server +tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key diff --git a/testsite/tls/templates/web.example.com_https.cfg b/testsite/tls/templates/web.example.com_https.cfg new file mode 100644 index 0000000000000000000000000000000000000000..823765f8fb76b12e8a508b9536a760f8397e61ff --- /dev/null +++ b/testsite/tls/templates/web.example.com_https.cfg 
@@ -0,0 +1,27 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = SE + +# The common name of the certificate owner. +cn = "Exampe Inc. Web Server" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 365 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "web.example.com" + +# Whether this certificate will be used for a TLS server +tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key diff --git a/testsite/tls/templates/wsgi.example.com_https.cfg b/testsite/tls/templates/wsgi.example.com_https.cfg new file mode 100644 index 0000000000000000000000000000000000000000..e15e9e21e4723527b912b46cb712e6069cd9883c --- /dev/null +++ b/testsite/tls/templates/wsgi.example.com_https.cfg @@ -0,0 +1,27 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = SE + +# The common name of the certificate owner. +cn = "Exampe Inc. WSGI Hello World Server" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 365 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "wsgi.example.com" + +# Whether this certificate will be used for a TLS server +tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key diff --git a/testsite/tls/templates/xmpp.example.com_xmpp.cfg b/testsite/tls/templates/xmpp.example.com_xmpp.cfg new file mode 100644 index 0000000000000000000000000000000000000000..ad7b4ed3a372cba044dc66a03899fbbafc527812 --- /dev/null +++ b/testsite/tls/templates/xmpp.example.com_xmpp.cfg 
@@ -0,0 +1,27 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Example Inc." + +# The country of the subject. Two letter code. +country = SE + +# The common name of the certificate owner. +cn = "Exampe Inc. XMPP Server" + +# In how many days, counting from today, this certificate will expire. +expiration_days = 365 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "xmpp.example.com" + +# Whether this certificate will be used for a TLS server +tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key
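Review bot: narrowing the ignore in the `.gitignore` hunk from `testsite/tls/` to `testsite/tls/*.pem` and `testsite/tls/*.key` is what lets the new `testsite/tls/templates/` directory be committed, but it also means any other file that lands in `testsite/tls/` (a `.csr`, a `.p12`, or a key saved under a different extension) is no longer ignored and can be committed by accident. Consider keeping the directory-wide ignore and re-including only the templates, i.e. `testsite/tls/*` followed by `!testsite/tls/templates/`, so that nothing but the intended files is ever tracked.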
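Review bot: in the new step 1 of `docs/testsite.rst` (hunk `@@ -36,16 +39,46 @@`) the commands write to `tls/example_ca.key` and friends while the surrounding steps say paths are relative to the top level directory and spell them `testsite/tls/...`; say explicitly that the snippet is run from `testsite/` (or prefix the paths) so the files are not created in the wrong place. The loop also uses the bash-only `[[ $entity_basename == example_ca ]] && continue` although the block is tagged `shell`; `[ "$entity_basename" = example_ca ] && continue` behaves the same in any POSIX shell. In the step 2 list of the same hunk, `testsite/tls/phpfino.example.com_https.key` should read `phpinfo`, matching the template file `phpinfo.example.com_https.cfg` that the loop actually consumes.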
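Review bot: in the step 3 list of `docs/testsite.rst` (hunk `@@ -56,36 +89,44 @@`) the `testsite/tls/web.example.com_https.pem` bullet is added twice, and the next bullet names the file `testsite/tls/phpinffo.example.com_https.pem` while the subject alternative name on the same bullet and the new template are `phpinfo.example.com`; drop the duplicate and fix the spelling so the list matches what the step 1 loop produces.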
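Review bot: the new `testsite/playbooks/roles/phpinfo/files/index.php` is added without a trailing newline and its body does not survive in this rendering of the patch. Given the role name and the `php_rewrite_urls` rule in its meta file, which maps every URL of the vhost to `/index.php`, whatever that file serves is reachable at every path of `phpinfo.example.com`; if it emits `phpinfo()` output it discloses the PHP version, loaded modules, filesystem paths and environment variables, so the role should stay confined to the test site inventory and never be pulled into a production playbook.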
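Review bot: in `roles/phpinfo/tasks/main.yml` the permissions are written as `mode=2750` and `mode=640`. In key=value form these reach the `file` and `copy` modules as strings and are parsed as octal, so they work, but the Ansible documentation recommends a leading zero (`02750`, `0640`) so the value cannot be misread as a decimal integer if someone later converts the task to YAML dictionary form; the same applies to the modes in `roles/wsgihello/tasks/main.yml`.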
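Review bot: `roles/wsgihello/defaults/main.yml` contains only the commented-out line `#fqdn: wsgi.example.com` and has no trailing newline, so it defines nothing. Either drop the file or define `fqdn` here and reference it from the role's meta and tasks, where `wsgi.example.com` is currently hard-coded in the `fqdn:` value, the two TLS paths, the `/var/www/wsgi.example.com/code/` path, the `web-wsgi_example_com` group and the `Restart website wsgi.example.com` handler name.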
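Review bot: `roles/wsgihello/files/hello.wsgi` returns `[output]` with `output = 'Hello, world one!'`, a text string. Under Python 3 the WSGI response iterable must yield bytes, and `Content-Length` must be the byte length; since the shebang is `#!/usr/bin/env python`, which may resolve to either interpreter, use `output = b'Hello, world one!'` (or `.encode('utf-8')`) and compute `str(len(output))` over the bytes so the application works on both.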
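Review bot: `roles/wsgihello/meta/main.yml` declares `static_locations: - /static/`, but `roles/wsgihello/tasks/main.yml` only creates `/var/www/wsgi.example.com/code/` and deploys `wsgi.py`; no directory for static content is created anywhere in this patch, so unless the `wsgi_website` role creates one itself the location will point at nothing. Either remove the entry or add the task that creates the directory. Separately, `uid: 2001` here and `uid: 2000` in the phpinfo role are bare literals; a comment stating that these must stay unique across all `php_website` and `wsgi_website` consumers would prevent a silent clash when a third site is added.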
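Review bot: `roles/wsgihello/tasks/main.yml` has a typo in the task name, `Create directroy for storing code` (should be `directory`), and the file is added without a trailing newline.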
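Review bot: `testsite/tls/templates/example_ca.cfg` sets `ca`, `cert_signing_key` and `crl_signing_key` but no `path_len`. Since this CA only issues end-entity certificates directly, adding `path_len = 0` records in basicConstraints that it may not issue subordinate CAs, which matches how it is used and is cheap hardening for a root that ends up in the test site truststore. Also, `country = "SE"` is quoted here while the six server templates use `country = SE`; pick one form for consistency.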
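Review bot: the `cn` in all six server templates misspells the organisation: `cn = "Exampe Inc. LDAP Server"`, and likewise in `mail.example.com_imap.cfg`, `mail.example.com_smtp.cfg`, `phpinfo.example.com_https.cfg`, `web.example.com_https.cfg`, `wsgi.example.com_https.cfg` and `xmpp.example.com_xmpp.cfg`; the `organization` field in the same files spells it `Example Inc.`. Fix the spelling before these templates are used to issue certificates, since the CN is baked into every certificate the step 1 loop generates.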