Changeset - 052eefc4fab0
[Not reviewed]
0 3 15
Branko Majic (branko) - 10 years ago 2015-05-31 16:52:57
branko@majic.rs
MAR-5: Ignore certificate and key files in TLS sub-directory (include GnuTLS templates). Updated test site docs to describe all playbooks. Updated test site set-up instructions to include sample commands for generating the keys/certs. Added two roles to test site for deploying simple PHP/WSGI websites.
18 files changed with 333 insertions and 12 deletions:
0 comments (0 inline, 0 general)
.gitignore
 
@@ -3,4 +3,5 @@
 
tmp/
 
docs/_build/
 
testsite/preseed_files/
 
testsite/tls/
 
testsite/tls/*.pem
 
testsite/tls/*.key
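Review bot: the two new patterns only match files directly inside testsite/tls/, so a key or certificate written to a subdirectory, or saved under another extension such as .crt or .p12, is no longer ignored now that the blanket `testsite/tls/` rule is gone. If the directory is meant to hold nothing but the GnuTLS templates, ignoring `testsite/tls/*` and re-including `!testsite/tls/templates/` is a tighter rule that fails safe.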
docs/testsite.rst
 
@@ -29,6 +29,9 @@ bootstrap.yml (for bootstrapping fresh nodes)
 
ldap.yml
 
  This playbook sets-up the LDAP servers. It is included in ``site.yml``.
 

	
 
mail.yml
 
  This playbook sets-up the mail server. It is included in ``site.yml``.
 

	
 
preseed.yml
 
  This playbook sets-up the Debian preseed files. It is included in
 
  ``site.yml``.
 
@@ -36,16 +39,46 @@ preseed.yml
 
site.yml
 
  This playbook sets-up all servers, including preseed files on local host.
 

	
 
web.yml
 
  This playbook sets-up the web server. It is included in ``site.yml``.
 

	
 
xmpp.yml
 
  This playbook sets-up the XMPP server. It is included in ``site.yml``.
 

	
 
In order to deploy the test site, the following steps would normally be taken:
 

	
 
1. Create TLS private keys (relative to top level directory):
 
1. If you do not wish to have the hassle of creating the private keys and
 
   issuing certificates, run the following commands to get this done for you
 
   automatically, and skip to step 5 (otherwise follow steps 2 through 4):
 

	
 
   .. code-block:: shell
 

	
 
     certtool --sec-param high --generate-privkey --outfile tls/example_ca.key
 
     certtool --template tls/templates/example_ca.cfg --generate-self-signed --load-privkey tls/example_ca.key --outfile tls/example_ca.pem
 
     cp tls/example_ca.pem tls/example_ca_chain.pem
 
     for template in tls/templates/*.cfg; do
 
         entity_basename="$(basename "$template" .cfg)"
 
         [[ $entity_basename == example_ca ]] && continue
 
         certtool --sec-param normal --generate-privkey --outfile "tls/$entity_basename.key"
 
         certtool --generate-certificate \
 
           --load-ca-privkey "tls/example_ca.key" \
 
           --load-ca-certificate "tls/example_ca.pem" \
 
           --template "$template" \
 
           --load-privkey "tls/${entity_basename}.key" \
 
           --outfile "tls/${entity_basename}.pem"
 
     done
 

	
 
2. Create TLS private keys (relative to top level directory):
 

	
 
   - ``testsite/tls/mail.example.com_imap.key``
 
   - ``testsite/tls/mail.example.com_smtp.key``
 
   - ``testsite/tls/xmpp.example.com_xmpp.key``
 
   - ``testsite/tls/ldap.example.com_ldap.key``
 
   - ``testsite/tls/web.example.com_https.key``
 
   - ``testsite/tls/phpfino.example.com_https.key``
 
   - ``testsite/tls/wsgi.example.com_https.key``
 

	
 
2. Issue TLS certificates corresponding to the generated TLS private keys (make
 
3. Issue TLS certificates corresponding to the generated TLS private keys (make
 
   sure to use correct FQDN for DNS subject alternative name):
 

	
 
   - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should
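Review bot: the automatic key/certificate script in step 1 writes to `tls/...`, which is relative to the `testsite/` directory, while the step heading says "relative to top level directory" and the step 2 list uses `testsite/tls/...`; state explicitly that the commands are run from `testsite/` (or prefix the paths) so that `inventory_dir/tls` ends up holding the files. The key list in step 2 also names `testsite/tls/phpfino.example.com_https.key`, which matches neither the template `phpinfo.example.com_https.cfg` nor the `phpinfo.example.com_https.key` path that the phpinfo role's meta/main.yml reads. Two smaller points: `[[ ... ]]` needs bash even though the block is labelled `shell`, and running the loop under `umask 077` keeps the generated `.key` files from being group- or world-readable.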
 
@@ -56,36 +89,44 @@ In order to deploy the test site, the following steps would normally be taken:
 
     be ``xmpp.example.com``)
 
   - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should
 
     be ``ldap.example.com``)
 

	
 
3. Create ``PEM`` truststore file which contains all CA certificates that form
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/phpinffo.example.com_https.pem`` (subject alternative name
 
     should be ``phpinfo.example.com``)
 
   - ``testsite/tls/wsgi.example.com_https.pem`` (subject alternative name
 
     should be ``wsgi.example.com``)
 

	
 
4. Create ``PEM`` truststore file which contains all CA certificates that form
 
   CA chain for the issued end entity certificates from previous step at
 
   location ``testsite/tls/example_ca_chain.pem``. It is very important to
 
   include the CA chain used for LDAP server.
 

	
 
4. Generate the preseed files:
 
5. Generate the preseed files:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/preseed.yml
 

	
 
5. Install all servers using the generated preseed files.
 
6. Install all servers using the generated preseed files.
 

	
 
6. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
7. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
   remove old entries if you are redoing the process). You can easily obtain all
 
   the necessary fingerprints with command:
 

	
 
   .. code-block:: shell
 

	
 
      ssh-keyscan mail.example.com ldap.example.com xmpp.example.com
 
      ssh-keyscan mail.example.com ldap.example.com xmpp.example.com web.example.com
 

	
 
7. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 
8. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 
   environment for Ansible runs on all servers:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/bootstrap.yml
 

	
 
8. Finally, apply configuration on all servers:
 
9. Finally, apply configuration on all servers:
 

	
 
  .. code-block:: shell
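Review bot: `testsite/tls/phpinffo.example.com_https.pem` in the certificate list is misspelled; the template is `phpinfo.example.com_https.cfg` and the phpinfo role reads `phpinfo.example.com_https.pem`, so a reader following the list by hand ends up with a file the playbook never finds. The `web.example.com_https.pem` bullet also appears twice in this hunk; the final list should carry it once. On the ssh-keyscan step, keys collected over the network are trusted as-is, so the text could remind the reader to compare the fingerprints against the console of the freshly installed hosts before committing them to known_hosts.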
 

	
testsite/playbooks/roles/phpinfo/files/index.php
 
new file 100644
 
<?php
 

	
 
phpinfo();
 

	
 
?>
 
\ No newline at end of file
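Review bot: `phpinfo()` prints the full PHP and web server configuration (paths, environment variables, loaded modules, ini settings), so this page must stay confined to the test site; a one-line comment in the file stating that it is a deployment smoke test would make that intent explicit. The trailing `?>` is better dropped in a PHP-only file: any whitespace after it is sent to the client and breaks later header output, and removing it also resolves the missing newline at end of file.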
testsite/playbooks/roles/phpinfo/meta/main.yml
 
new file 100644
 
---
 

	
 
dependencies:
 
  - role: php_website
 
    admin: admin
 
    fqdn: phpinfo.example.com
 
    php_rewrite_urls:
 
      - ^(.*) /index.php
 
    uid: 2000
 
    https_tls_key: "{{ inventory_dir }}/tls/phpinfo.example.com_https.key"
 
    https_tls_certificate: "{{ inventory_dir }}/tls/phpinfo.example.com_https.pem"
testsite/playbooks/roles/phpinfo/tasks/main.yml
 
new file 100644
 
---
 

	
 
- name: Create directory for hosting the application
 
  file: dest="/var/www/phpinfo.example.com/htdocs/" state=directory
 
        owner="admin" group="web-phpinfo_example_com" mode=2750
 

	
 
- name: Deploy the index.php
 
  copy: src="index.php" dest="/var/www/phpinfo.example.com/htdocs/index.php"
 
        owner="admin" group="web-phpinfo_example_com" mode=640
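Review bot: the directory path and the `web-phpinfo_example_com` group are hard-coded in both tasks although meta/main.yml already passes `fqdn: phpinfo.example.com` to php_website; deriving them from a single variable avoids the two drifting apart when the FQDN changes. The `mode=2750`/`mode=640` values are fine in this key=value form (they are passed as strings), but if the tasks are ever converted to YAML dictionary syntax they need quoting, otherwise `mode: 640` is read as decimal.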
testsite/playbooks/roles/wsgihello/defaults/main.yml
 
new file 100644
 
---
 

	
 
#fqdn: wsgi.example.com
 
\ No newline at end of file
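Review bot: the only line in this defaults file is commented out, so the file currently defines nothing; either drop it or set `fqdn: wsgi.example.com` here and reference `{{ fqdn }}` from meta/main.yml and tasks/main.yml instead of repeating the literal. The file also lacks a trailing newline.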
testsite/playbooks/roles/wsgihello/files/hello.wsgi
 
new file 100644
 
#!/usr/bin/env python
 

	
 
def application(environ, start_response):
 
    status = '200 OK'
 
    output = 'Hello, world one!'
 

	
 
    response_headers = [('Content-type', 'text/plain'),
 
                        ('Content-Length', str(len(output)))]
 
    start_response(status, response_headers)
 

	
 
    return [output]
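Review bot: `output` is a str and is returned as the response body; under Python 2 that is bytes, but under Python 3 WSGI requires an iterable of bytes, so `Content-Length` should be computed from `output.encode('utf-8')` and that encoded value returned. The shebang line is not needed for a module that is imported as `wsgi:application`.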
testsite/playbooks/roles/wsgihello/meta/main.yml
 
new file 100644
 
---
 

	
 
dependencies:
 
  - role: wsgi_website
 
    admin: admin
 
    fqdn: wsgi.example.com
 
    uid: 2001
 
    wsgi_application: wsgi:application
 
    static_locations:
 
      - /static/
 
    https_tls_key: "{{ inventory_dir }}/tls/wsgi.example.com_https.key"
 
    https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.example.com_https.pem"
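Review bot: `static_locations: - /static/` tells the wsgi_website role to serve a static location, but tasks/main.yml in this role creates only `/var/www/wsgi.example.com/code/`; either create the matching static directory as well or drop the setting until the hello application has static files to serve.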
testsite/playbooks/roles/wsgihello/tasks/main.yml
 
new file 100644
 
---
 

	
 
- name: Create directroy for storing code
 
  file: dest="/var/www/wsgi.example.com/code/" state=directory
 
        owner="admin" group="web-wsgi_example_com" mode=2750
 

	
 
- name: Deploy WSGI application
 
  copy: src="hello.wsgi" dest="/var/www/wsgi.example.com/code/wsgi.py"
 
        owner="admin" group="web-wsgi_example_com" mode=640
 
  notify:
 
    - Restart website wsgi.example.com
 
\ No newline at end of file
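Review bot: typo in the first task name: "directroy" should be "directory". The `Restart website wsgi.example.com` handler is not defined in this role, so it has to come from the wsgi_website dependency; worth confirming that the handler name matches what that role registers for this FQDN. The file also lacks a trailing newline.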
testsite/playbooks/web.yml
 
@@ -7,4 +7,6 @@
 
    - common
 
    - ldap_client
 
    - mail_forwarder
 
    - web_server
 
\ No newline at end of file
 
    - web_server
 
    - phpinfo
 
    - wsgihello
testsite/tls/templates/example_ca.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = "SE"
 

	
 
# The common name of the certificate owner.
 
cn = "Example Inc. Test Site CA"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 1825
 

	
 
# X.509 v3 extensions
 

	
 
# Whether this is a CA certificate or not
 
ca
 

	
 
# Whether this key will be used to sign other certificates.
 
cert_signing_key
 

	
 
# Whether this key will be used to sign CRLs.
 
crl_signing_key
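Review bot: the CA template has no `path_len` setting; since this CA only ever issues the end-entity certificates listed in the docs, adding `path_len = 0` under the v3 extensions pins that down so the CA key cannot be used to issue intermediate CAs. The five-year `expiration_days = 1825` is fine for a test CA, but the leaf templates use 365 days, so the test site's certificates need reissuing yearly while the CA stays valid.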
testsite/tls/templates/ldap.example.com_ldap.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. LDAP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "ldap.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
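Review bot: `cn = "Exampe Inc. LDAP Server"` misspells "Example"; the same typo is in every other leaf template added in this changeset (imap, smtp, phpinfo, web, wsgi, xmpp). `country = SE` is also unquoted here while example_ca.cfg writes `"SE"`; certtool accepts both, but one style across the templates is easier to maintain.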
testsite/tls/templates/mail.example.com_imap.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. IMAP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "mail.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
testsite/tls/templates/mail.example.com_smtp.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. SMTP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "mail.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
testsite/tls/templates/phpinfo.example.com_https.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. PHP Info Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "phpinfo.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
testsite/tls/templates/web.example.com_https.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. Web Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "web.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
testsite/tls/templates/wsgi.example.com_https.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. WSGI Hello World Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "wsgi.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key
testsite/tls/templates/xmpp.example.com_xmpp.cfg
 
new file 100644
 
# X.509 Certificate options
 
#
 
# DN options
 

	
 
# The organization of the subject.
 
organization = "Example Inc."
 

	
 
# The country of the subject. Two letter code.
 
country = SE
 

	
 
# The common name of the certificate owner.
 
cn = "Exampe Inc. XMPP Server"
 

	
 
# In how many days, counting from today, this certificate will expire.
 
expiration_days = 365
 

	
 
# X.509 v3 extensions
 

	
 
# A dnsname in case of a WWW server.
 
dns_name = "xmpp.example.com"
 

	
 
# Whether this certificate will be used for a TLS server
 
tls_www_server
 

	
 
# Whether this certificate will be used to sign data (needed
 
# in TLS DHE ciphersuites).
 
signing_key