From 61e6cfb817896458b89bc92ac001e36920e7bd0b 2016-05-03 17:18:53
From: Branko Majic
Date: 2016-05-03 17:18:53
Subject: [PATCH] MAR-51: Fixed documentation for ansible_key parameter in preseed role. Updated ca_certificates parameter in common role to accept key-value pairs of filenames and certificates to put on remote host (so lookups/inventory can be utilised in more flexible manner). Updated backup_client role to fail if it is not possible to extract encryption key IDs from deployed keys. Moved purging of Exim4 configuration files from handlers to tasks (more robust, and still idempotent). All documentation has been updated as well.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 98c4a5f4f205df9e8f9aea15f72db1247aa3019a..7dbaf3b928dba46fc3a05635fc5edb48b3aeb63f 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -150,7 +150,7 @@ defaults to be used for all servers, and then overrides it for one server:
 ---
- ansible_key: /root/ansible/private.key
+ ansible_key: {{ lookup('file', '~/.ssh/id_rsa.pub') }}
 preseed_country: UK
 preseed_directory: /var/www/preseed
 preseed_keymap: UK
@@ -325,11 +325,10 @@ Parameters
 server. Each element of the list should be a simple string denoting the name of the package.
-**ca_certificates** (list, optional, ``[]``)
- List of additional CA certificate files that should be deployed on the
- server. Each element of the list should be a filepath to a CA certificate file
- on originating (Ansible) host that should be copied to destination
- server.
+**ca_certificates** (list, optional, ``{}``)
+ Dictionary containing the CA certificates to deploy. Keys are filenames to be
+ used when placing a certificate file in directory ``/etc/ssl/certs/``, while
+ values are corresponding content to be placed in the file.
 **incoming_connection_limit** (string, optional, ``3/second``) Rate at which the incoming ICMP echo-request packages and new TCP connections
@@ -375,7 +374,7 @@ packages on all servers:
 - debconf-utils
 ca_certificates:
- - ../certs/truststore.pem
+ "truststore.pem": "{{ lookup('file', '../certs/truststore.pem') }}"
 incoming_connection_limit: 2/second
diff --git a/docs/usage.rst b/docs/usage.rst
index ecfc0984d1dcecb5f25da43d0cff6003532cb543..f2688f709d8722b660b01a3cdcedae6c394c558c 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -607,7 +607,7 @@ one up first. This includes both the LDAP *server* and *client* configuration.
 tls_private_key_dir: "~/mysite/tls/"
 tls_certificate_dir: "~/mysite/tls/"
 ca_certificates:
- - "~/mysite/tls/truststore.pem"
+ "truststore.pem": "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"
 8. And now as finishing touch, simply run the playbooks again::
diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml
index c02cf3d7df6c6b4908da4157ccb9cd3f32d31dbe..5acf961f69e373dda6a99d189a8e7111ac038d7a 100644
--- a/roles/backup_client/tasks/main.yml
+++ b/roles/backup_client/tasks/main.yml
@@ -37,12 +37,14 @@
 shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'"
 register: backup_encryption_key_id
 changed_when: False
+ failed_when: backup_encryption_key_id.stdout == ""
 - name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
 shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'"
 register: backup_additional_encryption_keys_ids
 when: backup_additional_encryption_keys
 changed_when: False
+ failed_when: backup_additional_encryption_keys_ids.stdout == ""
 - name: Deploy private SSH key for logging-in into backup server
 copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
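Review bot: The new `failed_when` lines on both Extract tasks replace Ansible's default failure condition, so a non-zero exit from the pipeline no longer fails the task on its own; only empty stdout does. Because the pipeline's status is that of the final sed anyway, the empty-stdout check is what actually catches a missing or unreadable key file, but keeping the return code in the expression costs nothing: `failed_when: backup_encryption_key_id.rc != 0 or backup_encryption_key_id.stdout == ""` (and the same shape for backup_additional_encryption_keys_ids). Separately, the second task's command on the context line pipes through `head -n1` before `sort -u` and `tr '\n' ','`, so it can only ever yield a single key ID; if several additional keys are expected, `head -n1` should be dropped from that pipeline. The task list continues before and after this hunk.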
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index df3c20e26d035424d2a459ffeb2b37c4bb929b8e..65a7ef0de0758a98541dc78b86dfd98d0cb8a088 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -4,6 +4,6 @@ enable_backup: False
 common_packages: []
 os_users: []
 os_groups: []
-ca_certificates: []
+ca_certificates: {}
 incoming_connection_limit: 3/second
 incoming_connection_limit_burst: 9
\ No newline at end of file
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 845dba94c350224d87745bcc2c6dd9a26ee4369e..51e5d54615fe8ad1222e62ba3d5bc0349d28fdd0 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -63,8 +63,8 @@
 - Restart SSH
 - name: Deploy CA certificates
- copy: src="{{ item }}" dest="/etc/ssl/certs/{{ item | basename }}" mode=644 owner=root group=root
- with_items: ca_certificates
+ copy: content="{{ item.value }}" dest="/etc/ssl/certs/{{ item.key }}" mode=644 owner=root group=root
+ with_dict: ca_certificates
 notify:
 - Update CA certificate cache
diff --git a/roles/mail_forwarder/handlers/main.yml b/roles/mail_forwarder/handlers/main.yml
index ef33ee95cca4a6187cf7bb801d0a34a70c80a2b9..32356d6aedaa46976368141fbfe2cf77c26c95a4 100644
--- a/roles/mail_forwarder/handlers/main.yml
+++ b/roles/mail_forwarder/handlers/main.yml
@@ -1,8 +1,5 @@
 ---
-- name: Purge Exim configuration
- apt: name="exim4*" state=absent purge=yes
-
 - name: Rebuild mail aliases
 command: /usr/bin/newaliases
diff --git a/roles/mail_forwarder/tasks/main.yml b/roles/mail_forwarder/tasks/main.yml
index ac2af0284e2a611241210a82c9bc82b15f3540d4..e29c19a42cfd9046db9e85098bd0ee0ae82e9a24 100644
--- a/roles/mail_forwarder/tasks/main.yml
+++ b/roles/mail_forwarder/tasks/main.yml
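Review bot: The new copy line in roles/common/tasks/main.yml builds the destination from `item.key` verbatim, whereas the removed line ran the value through `basename`; a key carrying a directory component would now be written outside `/etc/ssl/certs/` or fail on a missing directory. The keys come from the operator's own inventory, so this is a robustness point rather than an exposure, but restoring the filter keeps the "keys are filenames" contract the documentation states: `copy: content="{{ item.value }}" dest="/etc/ssl/certs/{{ item.key | basename }}" mode=644 owner=root group=root`. A short comment above the task, e.g. `# values are full certificate bodies, typically fed in with lookup('file', ...)`, would also help readers of the role, since nothing in the task says what the dictionary values are. The task may continue past the hunk's last line.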
@@ -2,8 +2,9 @@
 - name: Install Postfix
 apt: name="postfix" state=installed
- notify:
- - Purge Exim configuration
+
+- name: Purge Exim configuration
+ apt: name="exim4*" state=absent purge=yes
 - name: Deploy Postfix main configuration
 template: src="main.cf.j2" dest="/etc/postfix/main.cf"
diff --git a/roles/mail_server/handlers/main.yml b/roles/mail_server/handlers/main.yml
index 139af3eaf1ad8125777298081ea6d84c3025474b..059dbba606abaa235f70bcf526d8b5817fd82667 100644
--- a/roles/mail_server/handlers/main.yml
+++ b/roles/mail_server/handlers/main.yml
@@ -1,8 +1,5 @@
 ---
-- name: Purge Exim configuration
- apt: name="exim4*" state=absent purge=yes
-
 - name: Restart Postfix
 service: name="postfix" state=restarted
diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml
index 6de1d770fd3ee77669ff67d539dd68cc0e7202ce..a4f4fb2b9a80c0e2c0a094079edebc2160c09ed6 100644
--- a/roles/mail_server/tasks/main.yml
+++ b/roles/mail_server/tasks/main.yml
@@ -16,8 +16,9 @@
 with_items:
 - postfix
 - postfix-ldap
- notify:
- - Purge Exim configuration
+
+- name: Purge Exim configuration
+ apt: name="exim4*" state=absent purge=yes
 - name: Allow Postfix user to traverse the directory with TLS private keys
 user: name=postfix append=yes groups=ssl-cert
diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml
index 0aa3174506c97cec9337feae67249c52bef097e5..d3f3f02b715362ffc71de53c998518e8d3ed5656 100644
--- a/testsite/group_vars/all.yml
+++ b/testsite/group_vars/all.yml
@@ -41,7 +41,7 @@ common_packages:
 - unzip
 ca_certificates:
- - "{{ inventory_dir }}/tls/ca.pem"
+ "ca.pem": "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}"
 incoming_connection_limit: 2/second
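Review bot: The purge task added to roles/mail_forwarder/tasks/main.yml and the identical one added to roles/mail_server/tasks/main.yml are now two copies of the same lines; a single shared task file included from both roles, or a small role both depend on, would keep the Exim cleanup in one place. Running it unconditionally with `state=absent purge=yes` is idempotent as the commit message says, so the move out of handlers itself is sound. A one-line comment above the task, such as `# exim4 is Debian's default MTA; purge its configuration so Postfix is the only MTA left configured`, would tell a reader why a Postfix role removes another mail package. Both task lists continue before and after their hunks.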