Changeset - 0ad9410c243a
Branko Majic (branko) - 9 years ago 2015-04-19 18:50:06
branko@majic.rs
MAR-10: Deploy CA certificates to /etc/ssl/certs/ only, otherwise some weird issues can happen in case update-ca-certificates does not run. Plus it is more straightforward. Deploy TLS private key/cert a bit later for all roles in order to have the necessary groups available. Fixed a wrong notify.
5 files changed with 46 insertions and 36 deletions:
docs/rolereference.rst
 
@@ -201,8 +201,7 @@ The role implements the following:
 
  can reach them provided they have appropriate read/write rights on the file
 
  itself, and provided they know the exact path of the file.
 
* Deploys CA certificate files, normally used for truststore purposes, to
 
  ``/usr/local/share/ca-certificates/``, updating the TLS cache at
 
  ``/etc/ssl/certs/`` along the way.
 
  ``/etc/ssl/certs/``.
 

	
 

	
 
Parameters
 
@@ -252,8 +251,7 @@ Parameters
 
  List of additional CA certificate files that should be deployed on the
 
  server. Each element of the list should be a filepath to a CA certificate file
 
  on originating (Ansible) host that should be copied to destination
 
  server. Combinations of multiple CA certificates in the same file can be
 
  specified as well. File names should end with ``.crt`` or ``.pem``.
 
  server.
 

	
 

	
 
Examples
roles/common/tasks/main.yml
 
@@ -51,7 +51,7 @@
 
  file: path=/etc/ssl/private/ mode=o+x
 

	
 
- name: Deploy CA certificates
 
  copy: src="{{ item }}" dest="/usr/local/share/ca-certificates/{{ item | basename | regex_replace('(?i)\.pem$', '.crt') }}" mode=644 owner=root group=root
 
  copy: src="{{ item }}" dest="/etc/ssl/certs/{{ item | basename }}" mode=644 owner=root group=root
 
  with_items: ca_certificates
 
  notify:
 
    - Update CA certificate cache
 
\ No newline at end of file
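Review bot: Writing CA certificates straight to `/etc/ssl/certs/{{ item | basename }}` on the new copy line shares one namespace with the per-role TLS certificates that the ldap_server, mail_server and prosody roles copy into the same directory by basename, so a CA file and a service certificate with the same file name silently overwrite each other; a prefix on the CA file name or a dedicated subdirectory would keep them apart. Files dropped directly into /etc/ssl/certs/ are also not included in the ca-certificates.crt bundle that update-ca-certificates assembles from /usr/local/share/ca-certificates/, so consumers that verify against the bundle file rather than the hashed directory will not trust them; if that is intended, a comment on the task would make it explicit, e.g. `# Installed directly, bypassing update-ca-certificates: not part of the ca-certificates.crt bundle`. The retained notify presumably still runs update-ca-certificates; confirm that handler re-hashes /etc/ssl/certs/ so the copied files are reachable by subject hash.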
roles/ldap_server/tasks/main.yml
 
---
 

	
 
- name: Deploy LDAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}" src="{{ ldap_server_config.tls_key }}"
 
        mode=640 owner=root group=openldap
 

	
 
- name: Deploy LDAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" src="{{ ldap_server_config.tls_certificate }}"
 
        mode=644 owner=root group=root
 

	
 
- name: Set domain for slapd
 
  debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_config.domain }}"
 

	
 
@@ -34,6 +26,18 @@
 
- name: Change log level for slapd
 
  ldap_entry: dn=cn=config state=replaceattributes olcLogLevel="{{ ldap_server_config.log_level }}"
 

	
 
- name: Deploy LDAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}" src="{{ ldap_server_config.tls_key }}"
 
        mode=640 owner=root group=openldap
 
  notify:
 
    - Restart slapd
 

	
 
- name: Deploy LDAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" src="{{ ldap_server_config.tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart slapd
 

	
 
- name: Configure TLS for slapd
 
  ldap_entry: dn=cn=config state=replaceattributes olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}"
 
  notify:
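Review bot: The reason the key and certificate tasks now sit after the slapd install — the commit message says it is so the service group exists — is not visible in the file, so a later cleanup could reorder them back; a comment on the moved key task would pin it, e.g. `# Must run after slapd is installed so the openldap group exists for the key's group ownership.` The same comment is worth adding to the moved tasks in roles/mail_server/tasks/main.yml and roles/prosody/tasks/main.yml. As a point of style, the copy tasks rely on plain-scalar folding of the continuation line carrying `mode=640 owner=root group=openldap`; the mapping form (`copy:` with `src`, `dest`, `mode: "0640"`, `owner`, `group` keys) reads more clearly and quotes the mode explicitly. The first hunk of this file has no visible header here, so its boundaries are inferred from context.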
roles/mail_server/tasks/main.yml
 
@@ -6,19 +6,39 @@
 
- name: Add backports repository
 
  apt_repository: repo="deb http://http.debian.net/debian wheezy-backports main" state=present
 

	
 
- name: Install Dovecot packages
 
  apt: name="{{ item }}" state=installed default_release="wheezy-backports"
 
  with_items:
 
    - dovecot-imapd
 
    - dovecot-ldap
 
    - dovecot-sieve
 
    - dovecot-managesieved
 

	
 
- name: Install Postfix packages
 
  apt: name="{{ item }}" state=installed
 
  with_items:
 
    - postfix
 
    - postfix-ldap
 
  notify:
 
    - Purge Exim configuration
 

	
 
- name: Deploy SMTP TLS private key
 
  copy: dest="/etc/ssl/private/{{ smtp_tls_key | basename }}" src="{{ smtp_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart Postfix
 

	
 
- name: Deploy SMTP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ smtp_tls_certificate | basename }}" src="{{ smtp_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart Postfix
 

	
 
- name: Deploy IMAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ imap_tls_key | basename }}" src="{{ imap_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart Postfix
 
    - Restart Dovecot
 

	
 
- name: Deploy IMAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ imap_tls_certificate | basename }}" src="{{ imap_tls_certificate }}"
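Review bot: The IMAP TLS private key task notifies both `Restart Postfix` and `Restart Dovecot`, while the IMAP TLS certificate task that begins on the last line of this hunk (its `notify` continues in the next hunk) lists only `Restart Dovecot`. If Postfix really reads imap_tls_key, a renewed certificate should also restart Postfix; if it does not, the Postfix notify on the key task is spurious and should be dropped to `- Restart Dovecot` alone — which one applies cannot be told from this file. Either way the two tasks should agree, and a short comment stating which services consume the IMAP material would settle it.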
 
@@ -26,22 +46,6 @@
 
  notify:
 
    - Restart Dovecot
 

	
 
- name: Install Dovecot packages
 
  apt: name="{{ item }}" state=installed default_release="wheezy-backports"
 
  with_items:
 
    - dovecot-imapd
 
    - dovecot-ldap
 
    - dovecot-sieve
 
    - dovecot-managesieved
 

	
 
- name: Install Postfix packages
 
  apt: name="{{ item }}" state=installed
 
  with_items:
 
    - postfix
 
    - postfix-ldap
 
  notify:
 
    - Purge Exim configuration
 

	
 
- name: Install SWAKS
 
  apt: name="swaks" state=installed
 

	
roles/prosody/tasks/main.yml
 
@@ -11,19 +11,23 @@
 
- name: Add Prosody repository
 
  apt_repository: repo="deb http://packages.prosody.im/debian wheezy main" state=present
 

	
 
- name: Install Lua LDAP library
 
  apt: name=lua-ldap state=installed
 

	
 
- name: Install Prosody
 
  apt: name=prosody state=installed
 

	
 
- name: Deploy XMPP TLS private key
 
  copy: dest="/etc/ssl/private/{{ prosody_tls_key | basename }}" src="{{ prosody_tls_key }}"
 
        mode=640 owner=root group=prosody
 
  notify:
 
    - Restart Prosody
 

	
 
- name: Deploy XMPP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ prosody_tls_certificate | basename }}" src="{{ prosody_tls_certificate }}"
 
        mode=644 owner=root group=root
 

	
 
- name: Install Lua LDAP library
 
  apt: name=lua-ldap state=installed
 

	
 
- name: Install Prosody
 
  apt: name=prosody state=installed
 
  notify:
 
    - Restart Prosody
 

	
 
- name: Set-up directory for storing additional Prosody modules
 
  file: path=/usr/local/lib/prosody/modules/ state=directory mode=755 owner=root group=root
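Review bot: The XMPP TLS certificate task has no `notify`, whereas the XMPP TLS private key task directly above it notifies `Restart Prosody`; with the `Restart Prosody` notify now removed from the package install, a renewed certificate alone no longer triggers a restart and the running service keeps serving the old one until something else restarts it. Adding `notify:` / `- Restart Prosody` to the certificate task would make the two consistent. The commit moves these tasks but does not touch this, so it is raised here rather than re-stating the reorder.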