diff --git a/docs/testsite.rst b/docs/testsite.rst
index 0aaafa6f1b8004717d32624a817af498043d9c60..e952323fff92d0c885b7b3144324d467f12f6249 100644
--- a/docs/testsite.rst
+++ b/docs/testsite.rst
@@ -59,7 +59,7 @@ In order to deploy the test site, the following steps would normally be taken:
 3. Create ``PEM`` truststore file which contains all CA certificates that form CA chain for the issued end entity certificates from previous step at
- location ``testsite/tls/example_ca_chain.crt``. It is very important to
+ location ``testsite/tls/example_ca_chain.pem``. It is very important to
 include the CA chain used for LDAP server.
 4. Generate the preseed files:
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 9d1d80a20e5031abece9bca51715995de13970de..4d560b588b072e0380ef263df12f37449bf130c2 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -13,6 +13,9 @@
 - name: Install sudo
 apt: name=sudo state=present
+- name: Install ssl-cert package
+ apt: name=ssl-cert state=present
+
 - name: Install common packages
 apt: name="{{ item }}" state="present"
 with_items: common_packages
@@ -47,11 +50,8 @@
 notify:
 - Restart SSH
-- name: Allow users to traverse directories to TLS private key files
- file: path=/etc/ssl/private/ mode=o+x
-
 - name: Deploy CA certificates
 copy: src="{{ item }}" dest="/etc/ssl/certs/{{ item | basename }}" mode=644 owner=root group=root
 with_items: ca_certificates
 notify:
- - Update CA certificate cache
\ No newline at end of file
+ - Update CA certificate cache
diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml
index 7fe8698a44f9d7f605e841711ffffce3c5db99d9..63e6860f73bf6e14429b76cd27ad2d42a974804f 100644
--- a/roles/ldap_server/tasks/main.yml
+++ b/roles/ldap_server/tasks/main.yml
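Review bot: Installing ssl-cert here stands in for the removed task that made /etc/ssl/private world-traversable (the `mode=o+x` deletion in this file's second hunk), but deleting an Ansible task does not undo its effect, so hosts provisioned with the old playbook keep /etc/ssl/private at o+x; as far as I recall the package only sets root:ssl-cert 0710 when it is configured, which does not happen again where it was already installed. Add an explicit task right after the install so the directory mode converges on every host: `- name: Restrict traversal of TLS private key directory to ssl-cert group` / `  file: path=/etc/ssl/private state=directory owner=root group=ssl-cert mode=0710`. It would also help to note in the task name or a comment that this package is what provides the ssl-cert group the ldap_server, mail_server and prosody roles add their service users to.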
@@ -9,6 +9,9 @@
 - name: Install slapd
 apt: name=slapd state=installed
+- name: Allow OpenLDAP user to traverse the directory with TLS private keys
+ user: name=openldap append=yes groups=ssl-cert
+
 - name: Install Python LDAP bindings
 apt: name=python-ldap state=installed
diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml
index ef143af7f26462903d33f826731c1353fbb899a4..c853b940e3ccb0e799a7320cf4a2e1096d57930a 100644
--- a/roles/mail_server/tasks/main.yml
+++ b/roles/mail_server/tasks/main.yml
@@ -22,6 +22,12 @@
 notify:
 - Purge Exim configuration
+- name: Allow Postfix user to traverse the directory with TLS private keys
+ user: name=postfix append=yes groups=ssl-cert
+
+- name: Allow Dovecot user to traverse the directory with TLS private keys
+ user: name=dovecot append=yes groups=ssl-cert
+
 - name: Deploy SMTP TLS private key
 copy: dest="/etc/ssl/private/{{ smtp_tls_key | basename }}" src="{{ smtp_tls_key }}" mode=640 owner=root group=root
diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml
index 10004e4b76b6c0f0d5ba78140cf833019b3a526a..596c50c343544b0ddcdaeb4d203765bbc6112776 100644
--- a/roles/prosody/tasks/main.yml
+++ b/roles/prosody/tasks/main.yml
@@ -17,6 +17,9 @@
 - name: Install Prosody
 apt: name=prosody state=installed
+- name: Allow Prosody user to traverse the directory with TLS private keys
+ user: name=prosody append=yes groups=ssl-cert
+
 - name: Deploy XMPP TLS private key
 copy: dest="/etc/ssl/private/{{ prosody_tls_key | basename }}" src="{{ prosody_tls_key }}" mode=640 owner=root group=prosody
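Review bot: `user: name=openldap append=yes groups=ssl-cert` assumes the ssl-cert group already exists, but nothing in this role creates it; it comes from the ssl-cert package the common role now installs, and the user module fails with a missing-group error on a host where that role has not run first. The mail_server and prosody hunks carry the same dependency. Either declare the common role as a dependency in this role's meta, or make the requirement explicit right before this task with an idempotent install: `- name: Install ssl-cert package` / `  apt: name=ssl-cert state=present`. Whichever is chosen, a one-line comment above the task naming where the group comes from would save the next reader a search.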
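Review bot: The two new `user:` tasks sit before `Deploy SMTP TLS private key`, but the Postfix and Dovecot package installs are not in this hunk; if they come later in the file (I cannot see them here) the user module will create `postfix` and `dovecot` itself as ordinary accounts with a default home and shell, and the packages' own system-user creation will then skip and inherit those attributes, so please confirm the install tasks precede this point or move these tasks after them. Note also that ssl-cert membership only grants traversal of /etc/ssl/private while the key below stays `mode=640 owner=root group=root`, so the daemons can read it only while still privileged; if that is intended (it is the tighter choice, and consistent with the prosody role giving its key group=prosody instead) say so in a comment such as `# key stays root:root; ssl-cert only permits traversing /etc/ssl/private`, so nobody later relaxes it to group=ssl-cert and exposes the SMTP key to every other ssl-cert member.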