From 76e05de03837e8bd36836e64a8cd51cf1fc5f33b 2015-09-01 23:10:17 From: Branko Majic Date: 2015-09-01 23:10:17 Subject: [PATCH] MAR-19: Fixed documentation for optional TLS key/certificate parameters. Simplified php website role, making some parameters optional. Fixed the optional parameters for TLS for web server role. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 26ed896ff4cd9fd754f87f7a4ff129f8a4272a3e..5b80c3796e005010cbb23c4cfdc627b9a9bc752a 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -486,11 +486,11 @@ Parameters ` for value description and syntax. -**ldap_server_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_ldap.pem``) +**ldap_server_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_ldap.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for LDAP service. The file will be copied to directory ``/etc/ssl/certs/``. -**ldap_server_tls_key** (string, optional, ``{{ tls_private_key_dir }}/ansible_facts[host]['fqdn']_ldap.key``) +**ldap_server_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_facts[host]['fqdn'] }}_ldap.key``) Path to file on Ansible host that contains the private key used for TLS for LDAP service. The file will be copied to directory ``/etc/ssl/private/``. 
@@ -591,11 +591,11 @@ Parameters Prosody. Each item is a string with value equal to XMPP user ID (i.e. ``john.doe@example.com``). -**xmpp_tls_key** (string, optional, ``{{ tls_private_key_dir }}/ansible_facts[host]['fqdn']_xmpp.key``) +**xmpp_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_facts[host]['fqdn'] }}_xmpp.key``) Path to file on Ansible host that contains the private key used for TLS for XMPP service. The file will be copied to directory ``/etc/ssl/private/``. -**xmpp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_xmpp.pem``) +**xmpp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_xmpp.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. 
@@ -741,21 +741,21 @@ Parameters **mail_user_gid** (integer, optional, ``whatever OS picks``) GID of the user that owns all the mail files. -**imap_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_imap.pem``) +**imap_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_imap.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for IMAP and ManageSieve services. The file will be copied to directory ``/etc/ssl/certs/``. -**imap_tls_key** (string, optional, ``{{ tls_private_key_dir }}/ansible_facts[host]['fqdn']_imap.key``) +**imap_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_facts[host]['fqdn'] }}_imap.key``) Path to file on Ansible host that contains the private key used for TLS for IMAP and ManageSieve services. The file will be copied to directory ``/etc/ssl/private/``. -**smtp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_smtp.pem``) +**smtp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_smtp.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. -**smtp_tls_key** (string, optional, ``{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_smtp.key``) +**smtp_tls_key** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_smtp.key``) Path to file on Ansible host that contains the private key used for TLS for SMTP service. The file will be copied to directory ``/etc/ssl/private/``. 
@@ -897,11 +897,11 @@ The role implements the following: Parameters ~~~~~~~~~~ -**https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/ansible_facts[host]['fqdn']_web.key``) +**https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_facts[host]['fqdn'] }}_https.key``) Path to file on Ansible host that contains the private key used for TLS for HTTPS service. The file will be copied to directory ``/etc/ssl/private/``. -**https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_web.pem``) +**https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_https.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``. @@ -977,9 +977,9 @@ The role is implemented with the following layout/logic in mind: Parameters ~~~~~~~~~~ -**admin** (string, mandatory) +**admin** (string, optional, ``web-{{ fqdn | replace('.', '_') }}``) Name of the operating system user in charge of maintaining the website. This - user is capable of making modifications to website configuration anda data + user is capable of making modifications to website configuration and data stored within the website directory. **deny_files_regex** (list, optional) 
@@ -1000,11 +1000,11 @@ Parameters succession, until the first match, or until it runs out of matches, when a client requests an URI pointing to directory. Default is ``index.php``. -**https_tls_certificate** (string, mandatory) +**https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ fqdn }}_https.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``. -**https_tls_key** (string, mandatory) +**https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ fqdn }}_https.key``) Path to file on Ansible host that contains the private key used for TLS for HTTPS service. The file will be copied to directory ``/etc/ssl/private/``. @@ -1029,7 +1029,7 @@ Parameters A list of additional packages to install for this particular PHP appliction. This is usually going to be different PHP extensions. -**uid** (integer, mandatory) +**uid** (integer, optional, ``whatever OS picks``) UID/GID (they are set-up to be the same) of the dedicated website user/group. diff --git a/roles/php_website/defaults/main.yml b/roles/php_website/defaults/main.yml index b1877a04bbba9bb79f13584ebaa5e1881f601bf8..7cb0d58cd0efdc0b9d0b765ba759d5b172c50019 100644 --- a/roles/php_website/defaults/main.yml +++ b/roles/php_website/defaults/main.yml @@ -6,3 +6,6 @@ packages: [] php_file_regex: \.php$ php_rewrite_urls: [] rewrites: [] +admin: "web-{{ fqdn | replace('.', '_') }}" +https_tls_certificate: "{{ tls_certificate_dir }}/{{ fqdn }}_https.pem" +https_tls_key: "{{ tls_private_key_dir }}/{{ fqdn }}_https.key" diff --git a/roles/php_website/tasks/main.yml b/roles/php_website/tasks/main.yml index 51b5bd0a27d40127fe3d0c52a729765930961240..205626a41d2efe967f44690cab50286da2a8f00d 100644 --- a/roles/php_website/tasks/main.yml +++ b/roles/php_website/tasks/main.yml 
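Review bot: The new `admin` default `web-{{ fqdn | replace('.', '_') }}` in `roles/php_website/defaults/main.yml` grows with the FQDN, and on common Linux distributions `useradd`/`groupadd` reject account names longer than 32 characters, so a long site name would make the role fail at account creation rather than at default resolution; the `admin` entry in rolereference.rst should say that an explicit `admin` must be given for long FQDNs (or the default should be shortened). Both `https_tls_*` defaults also depend on `tls_certificate_dir` and `tls_private_key_dir`, which are not set anywhere visible in this hunk, so the documented defaults only resolve when the play defines those two variables — worth stating next to the defaults in the role reference. For consistency, the sibling `roles/web_server/defaults/main.yml` hunk in this commit keeps the literal text `ansible_facts[host]['fqdn']` inside the string (it is not a Jinja expression there, so the path would contain that text verbatim) and leaves a stray ` }}` at the end of `https_tls_certificate`, which does not match the templated form the docs hunk at line 897 now advertises; those two defaults should be brought in line with whatever fact expression the documentation intends.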
@@ -5,14 +5,14 @@ home: "/var/www/{{ fqdn }}" - name: Create PHP website group - group: name="{{ user }}" gid="{{ uid }}" state=present + group: name="{{ user }}" gid="{{ uid | default(omit) }}" state=present - name: Create home directory for the user (avoid populating with skeleton) file: path="{{ home }}" state=directory owner="{{ admin }}" group="{{ user }}" mode=2750 - name: Create PHP website user - user: name="{{ user }}" uid="{{ uid }}" group="{{ user }}" + user: name="{{ user }}" uid="{{ uid | default(omit) }}" group="{{ user }}" system=yes createhome=no state=present - name: Add nginx user to website group diff --git a/roles/web_server/defaults/main.yml b/roles/web_server/defaults/main.yml index 97742fb1ac917bc7265b365e7824f1458316fb40..49ac94d580feff49d93cec8e6ccc045e785297f9 100644 --- a/roles/web_server/defaults/main.yml +++ b/roles/web_server/defaults/main.yml @@ -1,6 +1,6 @@ --- -https_tls_key: "{{ tls_private_key_dir }}/ansible_facts[host]['fqdn']_web.key" -https_tls_certificate: "{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_web.pem }}" +https_tls_key: "{{ tls_private_key_dir }}/ansible_facts[host]['fqdn']_https.key" +https_tls_certificate: "{{ tls_certificate_dir }}/ansible_facts[host]['fqdn']_https.pem }}" web_default_title: "Welcome" web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
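Review bot: With `uid` now `default(omit)` in both the `group` and `user` tasks, the OS assigns the GID and the UID independently, so the invariant the role reference still states for `uid` ("UID/GID (they are set-up to be the same)") no longer holds when the parameter is omitted; primary-group membership is still guaranteed by `group="{{ user }}"`, but the doc line should read `UID/GID of the dedicated website user/group. When omitted, the OS picks them and they are not guaranteed to be equal.` The `file` task between the two creates the home directory with `owner="{{ admin }}"` before any task visible in this hunk creates that account, so the new `web-…` default for `admin` only works if that user already exists — presumably it is created earlier in the role or by the calling play, but a sentence in the `admin` entry saying the account must pre-exist (or naming the task that creates it) would remove the guesswork. The task list continues past the end of the hunk.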