From 32f61f233098c4a1621b15b996668d5f528e14c7 2016-06-17 18:48:32 From: Branko Majic Date: 2016-06-17 18:48:32 Subject: [PATCH] Noticket: Fixed documentation and examples for CA certificate deployment in common role. Fixed usage instructions, mainly some syntax changes and more explicit listing of parameters and such. Fixed path to truststore file for mail_forwarder role. Fixed testsite configuration for CA certificates. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 2c89f31ccb64b159b0d7503596abe15ee056c46e..dbb071afbd11710c81c84b1f0bdc22835ed7071a 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -251,7 +251,7 @@ The role implements the following: can reach them provided they have appropriate read/write rights on the file itself, and provided they know the exact path of the file. * Deploys CA certificate files, normally used for truststore purposes, to - ``/etc/ssl/certs/``. + ``/usr/local/share/ca-certificates/``. * Installs ``ferm`` (for iptables management), configuring a basic firewall which allows ICMP echo requests (PING), incoming connection on TCP port 22 (SSH), and also introduces rate-limitting for incoming ICMP echo request @@ -328,9 +328,10 @@ Parameters of the package. **ca_certificates** (list, optional, ``{}``) - Dictionary containing the CA certificates to deploy. Keys are filenames to be - used when placing a certificate file in directory ``/etc/ssl/certs/``, while - values are corresponding content to be placed in the file. + Dictionary containing the CA certificates to deploy. Keys are base filenames + (**without extension**) to be used when placing a certificate file in + directory ``/usr/local/share/ca-certificates/``, while values are + corresponding content to be placed in the file. **incoming_connection_limit** (string, optional, ``3/second``) Rate at which the incoming ICMP echo-request packages and new TCP connections 
@@ -392,7 +393,7 @@ packages on all servers: - debconf-utils ca_certificates: - "truststore.pem": "{{ lookup('file', '../certs/truststore.pem') }}" + "truststore": "{{ lookup('file', '../certs/truststore.pem') }}" incoming_connection_limit: 2/second diff --git a/docs/usage.rst b/docs/usage.rst index 8dc0e1893806f5d7c3f4d0be3ad5b6d4c9d0e3a2..7288917f6dfbe111994e2729711b36abc9f2dbe6 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -114,7 +114,7 @@ packages, and to prepare the environment a bit on the Ansible server: 1. Install the necessary system packages (using the ``root`` account):: - apt-get install -y virtualenv virtualenvwrapper git python-pip python-dev + apt-get install -y virtualenv virtualenvwrapper git python-pip python-dev libffi-dev libssl-dev 2. Set-up the virtual environment (using the ``ansible`` account): @@ -128,7 +128,7 @@ packages, and to prepare the environment a bit on the Ansible server: mkdir ~/mysite/ mkvirtualenv -a ~/mysite/ mysite - pip install -U pip + pip install -U pip setuptools pip install 'ansible~=2.1' @@ -607,7 +607,7 @@ one up first. This includes both the LDAP *server* and *client* configuration. tls_private_key_dir: "~/mysite/tls/" tls_certificate_dir: "~/mysite/tls/" ca_certificates: - "truststore.pem": "{{ lookup('file', '~/mysite/tls/truststore.pem') }}" + "truststore": "{{ lookup('file', '~/mysite/tls/truststore.pem') }}" 8. And now as finishing touch, simply run the playbooks again:: 
@@ -710,21 +710,23 @@ role. # Create first a couple of user entries. Don't forget to set the # "mail" attribute for them. - dn: uid=johndoe,ou=people,dc=example,dc=com - objectClass: - - inetOrgPerson - uid: johndoe - cn: John Doe - sn: Doe - userPassword: johndoe - mail: john.doe@example.com + attributes: + objectClass: + - inetOrgPerson + uid: johndoe + cn: John Doe + sn: Doe + userPassword: johndoe + mail: john.doe@example.com - dn: uid=janedoe,ou=people,dc=example,dc=com - objectClass: - - inetOrgPerson - uid: janedoe - cn: Jane Doe - sn: Doe - userPassword: janedoe - mail: jane.doe@example.com + attributes: + objectClass: + - inetOrgPerson + uid: janedoe + cn: Jane Doe + sn: Doe + userPassword: janedoe + mail: jane.doe@example.com # Now, let's add the two users to the mail group. Observe that we use # the "state: append" option. This is a bit of a cheat since the 
@@ -733,22 +735,25 @@ role. # the group, and instead add the attributes to it (in this case we add # the two users from above). - dn: cn=mail,ou=groups,dc=example,dc=com - uniqueMember: - - uid=johndoe,ou=people,dc=example,dc=com - - uid=janedoe,ou=people,dc=example,dc=com state: append + attributes: + uniqueMember: + - uid=johndoe,ou=people,dc=example,dc=com + - uid=janedoe,ou=people,dc=example,dc=com # Let's register our domain in LDAP directory. - dn: dc=example.com,ou=domains,ou=mail,ou=services,dc=example,dc=com - objectClass: dNSDomain - dc: "example.com" + attributes: + objectClass: dNSDomain + dc: "example.com" # Finally, for the lolz, let's also add the standard postmaster alias # for our domain. - dn: cn=postmaster@example.com,ou=aliases,ou=mail,ou=services,dc=example,dc=com - objectClass: nisMailAlias - cn: postmaster@example.com - rfc822MailMember: john.doe@example.com + attributes: + objectClass: nisMailAlias + cn: postmaster@example.com + rfc822MailMember: john.doe@example.com 5. Once again, before we apply the configuration, we must make sure the necessary TLS private keys and certificates are available. In this particular @@ -997,10 +1002,11 @@ role. # the group, and instead add the attributes to it (in this case we add # the two users). - dn: cn=xmpp,ou=groups,dc=example,dc=com - uniqueMember: - - uid=johndoe,ou=people,dc=example,dc=com - - uid=janedoe,ou=people,dc=example,dc=com state: append + attributes: + uniqueMember: + - uid=johndoe,ou=people,dc=example,dc=com + - uid=janedoe,ou=people,dc=example,dc=com 5. Do you know what comes next? Yes! Create some more TLS private keys and certificates, this time for our XMPP server ;) 
@@ -1276,6 +1282,7 @@ Before we start, here is a couple of useful pointers regarding the # uid/gid usage, this is useful. Take note that below value is used # for both the dedicated uid and gid for application user. uid: 2000 + admin_uid: 3000 # And this role sets up a new dedicated database for our web # application. - role: database @@ -1521,12 +1528,14 @@ on the safe side: # Again, not mandatory, but it is good to have some sort of policy # for assigning UIDs. uid: 2001 + admin_uid: 3001 # These are additional packages that should be installed in the # virtual environment. virtualenv_packages: - - pillow - - wiki - - MySQL-python + - pillow + - django==1.8.13 + - wiki + - MySQL-python # This is the name of the WSGI application to # serve. wiki_example_com.wsgi will be the Python "module" that is # accesed, while application is the object instantiated within it (the @@ -2033,6 +2042,11 @@ Genie*. So let's fix that one. file. Take into account that you can use pretty much any globbing pattern supported by Duplicity. + .. warning:: + + Make sure the addition is properly aligned in the yaml file to previous + role dependency definitions. + :file:`~/mysite/roles/tbg/meta/main.yml` :: diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2 index 3ac8ccdd36ba5a0d4a07a748c35a0edf121ad7a3..3b2ee72c8f991afc5be0fa1e453881da406798b9 100644 --- a/roles/mail_forwarder/templates/main.cf.j2 +++ b/roles/mail_forwarder/templates/main.cf.j2 @@ -24,7 +24,7 @@ smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level=verify -smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore +smtp_tls_CAfile=/etc/ssl/certs/smtp_relay_truststore.pem # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. 
diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml index f07efee641c1354efe591ee4bd668a64624b831a..874b64cc4cc013cb950fe776d58bfa35e3f162f5 100644 --- a/testsite/group_vars/all.yml +++ b/testsite/group_vars/all.yml @@ -41,7 +41,7 @@ common_packages: - unzip ca_certificates: - "ca.pem": "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" + "ca": "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}" incoming_connection_limit: 2/second
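Review bot: The new path ``/usr/local/share/ca-certificates/`` in the rolereference -251 hunk needs one more sentence on what happens after the file is dropped there: on Debian-based systems a file in that directory is only trusted once ``update-ca-certificates`` has run, it only picks up files ending in ``.crt``, and it then places a ``<name>.pem`` symlink under ``/etc/ssl/certs/``. The -328 hunk says keys are given without extension, so the parameter text should state which extension the role appends and whether the role runs ``update-ca-certificates`` itself; without that, a reader cannot tell why the ``main.cf.j2`` hunk later points Postfix at ``/etc/ssl/certs/smtp_relay_truststore.pem`` rather than at the deployed file.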
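Review bot: The parameter header ``**ca_certificates** (list, optional, ``{}``)`` in the -328 hunk still says ``list`` while the rewritten description directly below calls it a dictionary and the default is ``{}``; change the type to ``dict`` in the same hunk so the header and description agree.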
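Review bot: The ``apt-get install`` line in the usage -114 hunk grows by ``libffi-dev libssl-dev`` and the -128 hunk adds ``setuptools`` to the pip upgrade, but neither says why; a short remark naming the compiled Python dependency that needs them (presumably something pulled in by ``pip install 'ansible~=2.1'`` in the same hunk) would spare readers a confusing build failure when they skip a step.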
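Review bot: In the usage -710 hunk the sample entries carry clear-text ``userPassword`` values (``johndoe``, ``janedoe``) inline in the playbook; that predates the ``attributes:`` restructuring, but since the lines are being rewritten anyway, a one-line pointer to keeping real credentials in Ansible Vault (or using obviously placeholder values) would stop readers copying the pattern. Also, ``objectClass`` is a list for the user entries but a bare string for the ``dNSDomain`` and ``nisMailAlias`` entries in the -733 hunk; one consistent form is easier to copy.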
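Review bot: ``admin_uid: 3000`` in the -1276 hunk (and ``admin_uid: 3001`` in the -1521 hunk) is added directly under a comment that only explains ``uid`` ("used for both the dedicated uid and gid for application user"); extend that comment to say which user gets the admin UID and whether the value is required, otherwise the reader cannot tell how it relates to ``uid``. The -1521 hunk also pins ``django==1.8.13`` with no comment; say why the pin is needed (presumably ``wiki`` compatibility) and note that a pinned version will not pick up later Django security releases unless the tutorial is updated.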
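Review bot: The added ``.. warning::`` in the -2033 hunk reads awkwardly ("properly aligned in the yaml file to previous role dependency definitions"); suggest "Make sure the new entry uses the same indentation as the existing role dependencies in the YAML file."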
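Review bot: ``smtp_tls_CAfile`` in the ``main.cf.j2`` hunk is hardcoded to ``/etc/ssl/certs/smtp_relay_truststore.pem``, so the template silently depends on a CA file with exactly that base name having been deployed through ``ca_certificates``. With ``smtp_tls_security_level=verify`` two lines above, a missing or misnamed file means every outbound delivery to the relay fails verification, so either render the name from a role variable or document the required key name next to the parameter.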