Changeset - 18cd76ec050d
docs/rolereference.rst
 
@@ -21,14 +21,14 @@ deployment. This section lists such parameters.
 

	
 
**tls_private_key_dir** (string, optional if paths to private keys for all roles are explicitly specified)
 
  Path to directory on Ansible host that contains the private keys used by
 
  services deployed by various roles. When TLS key path is not explicitly
 
  defined in a role, this is the directory where the TLS key will be looked-up
 
  during Ansible run. Expected filename pattern is ``FQDN_SERVICE.key`` (for
 
  example, ``mail.example.com_smtp.key`` or ``xmpp.example.com_xmpp.key``).
 
  services deployed by various roles. When TLS keys are not explicitly defined
 
  in a role, this is the directory where the TLS key will be looked-up during
 
  Ansible run. Expected filename pattern is ``FQDN_SERVICE.key`` (for example,
 
  ``mail.example.com_smtp.key`` or ``xmpp.example.com_xmpp.key``).
 

	
 
**tls_certificate_dir** (string, optional if paths to certificate files for all roles are explicitly specified)
 
  Path to directory on Ansible host that contains the X.509 certificate files
 
  used by services deployed by various roles. When X.509 certificate path is not
 
  used by services deployed by various roles. When X.509 certificate is not
 
  explicitly defined in a role, this is the directory where the X.509
 
  certificate will be looked-up during Ansible run. Expected filename pattern is
 
  ``FQDN_SERVICE.pem`` (for example, ``mail.example.com_smtp.pem`` or
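Review bot: the `tls_private_key_dir` and `tls_certificate_dir` header lines in this hunk still read "optional if paths to private keys (certificate files) for all roles are explicitly specified", but after this change the per-role `*_tls_key` / `*_tls_certificate` parameters carry the PEM content obtained via `lookup('file', ...)`, not a path. Reword both headers to "optional if private keys (certificates) for all roles are explicitly specified"; the body text about the directory being looked up during the Ansible run is still accurate.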
 
@@ -575,13 +575,13 @@ Parameters
 
  <http://www.openldap.org/doc/admin24/slapdconf2.html#cn=config>` for value
 
  description and syntax.
 

	
 
**ldap_server_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_ldap.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for LDAP service. The file will be copied to directory ``/etc/ssl/certs/``.
 
**ldap_server_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem') }}``)
 
  X.509 certificate used for TLS for LDAP service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_ldap.pem``.
 

	
 
**ldap_server_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_ldap.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  LDAP service. The file will be copied to directory ``/etc/ssl/private/``.
 
**ldap_server_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_ldap.key') }}``)
 
  Private key used for TLS for LDAP service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_ldap.key``.
 

	
 
**ldap_server_ssf** (number, optional, ``128``)
 
  Minimum *Security Strength Factor* to require from all incoming
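Review bot: both new default expressions in this hunk are missing a `+` between `'/'` and `ansible_fqdn` (`tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem'`), which is a Jinja2 syntax error, and the same typo is in roles/ldap_server/defaults/main.yml, so a reader copying the documented default gets a templating failure. It should read ``{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_ldap.pem') }}`` (and likewise for `_ldap.key`), as the php_website and web_server entries already do.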
 
@@ -600,8 +600,8 @@ Here is an example configuration for setting-up LDAP server:
 
  ldap_server_domain: "example.com"
 
  ldap_server_organization: "Example Corporation"
 
  ldap_server_log_level: 256
 
  ldap_server_tls_certificate: ~/tls/ldap.example.com_ldap.pem
 
  ldap_server_tls_key: ~/tls/ldap.example.com_ldap.key
 
  ldap_server_tls_certificate: "{{ lookup('file', '~/tls/ldap.example.com_ldap.pem') }}"
 
  ldap_server_tls_key: "{{ lookup('file', '~/tls/ldap.example.com_ldap.key') }}"
 
  ldap_server_ssf: 128
 
  
 
  ldap_permissions:
 
@@ -726,13 +726,13 @@ Parameters
 
  Fully qualified domain name, hostname, or IP address of the LDAP server used
 
  for user authentication and listing.
 

	
 
**xmpp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_xmpp.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``.
 
**xmpp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_xmpp.pem') }}``)
 
  X.509 certificate used for TLS for XMPP service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``.
 

	
 
**xmpp_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_xmpp.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  XMPP service. The file will be copied to directory ``/etc/ssl/private/``.
 
**xmpp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_xmpp.key') }}``)
 
  Private key used for TLS for XMPP service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``.
 

	
 

	
 
Examples
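Review bot: the new defaults for `xmpp_tls_certificate` and `xmpp_tls_key` are built from `fqdn`, but the XMPP server role has no `fqdn` parameter; the "stored under name" sentence in the same entry uses `{{ ansible_fqdn }}`, and roles/xmpp_server/tasks/main.yml writes `{{ ansible_fqdn }}_xmpp.key`. Use `ansible_fqdn` here (and in roles/xmpp_server/defaults/main.yml, which has the same problem), otherwise the default fails with an undefined variable for every host that does not set these parameters itself.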
 
@@ -753,8 +753,8 @@ Here is an example configuration for setting-up XMPP server using Prosody:
 
  xmpp_ldap_server: ldap.example.com
 
  # These are default key and certificate that generated during Prosody
 
  # installation. Possibly you want to deploy your own.
 
  xmpp_tls_key: /etc/prosody/certs/localhost.key
 
  xmpp_tls_certificate: /etc/prosody/certs/localhost.crt
 
  xmpp_tls_key: "{{ lookup('file', '/etc/prosody/certs/localhost.key') }}"
 
  xmpp_tls_certificate: "{{ lookup('file', '/etc/prosody/certs/localhost.crt') }}"
 

	
 

	
 
Mail Server
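Review bot: the example still carries the comment that these are the key and certificate generated during Prosody installation, but `lookup('file', '/etc/prosody/certs/localhost.key')` reads the file on the Ansible control host, not on the XMPP server, so the example only works if the controller happens to have those files at that path. Either point the example at a controller-side file like the other examples do (for instance `~/tls/xmpp.example.com_xmpp.key`) or drop the comment.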
 
@@ -864,23 +864,21 @@ Parameters
 
**mail_user_gid** (integer, optional, ``whatever OS picks``)
 
  GID of the user that owns all the mail files.
 

	
 
**imap_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_imap.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for IMAP and ManageSieve services. The file will be copied to directory
 
  ``/etc/ssl/certs/``.
 
**imap_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}``)
 
  X.509 certificate used for TLS for IMAP service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_imap.pem``.
 

	
 
**imap_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_imap.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  IMAP and ManageSieve services. The file will be copied to directory
 
  ``/etc/ssl/private/``.
 
**imap_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_imap.key') }}``)
 
  Private key used for TLS for IMAP service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_imap.key``.
 

	
 
**smtp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``.
 
**smtp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_smtp.pem') }}``)
 
  X.509 certificate used for TLS for SMTP service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_smtp.pem``.
 

	
 
**smtp_tls_key** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  SMTP service. The file will be copied to directory ``/etc/ssl/private/``.
 
**smtp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_smtp.key') }}``)
 
  Private key used for TLS for SMTP service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_smtp.key``.
 

	
 
**imap_folder_separator** (string, optional, ``/``)
 
  Character used for separating the IMAP folders when clients are requesting
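Review bot: all four new default expressions in this hunk are missing the `+` between `'/'` and `ansible_fqdn`; that is a Jinja2 syntax error and it is copied verbatim into roles/mail_server/defaults/main.yml. Two smaller points: the rewritten `imap_tls_*` descriptions drop "and ManageSieve services", although the Dovecot `ssl_cert`/`ssl_key` settings in 99-local.conf.j2 are global and still cover ManageSieve, so keep that mention; and the `smtp_tls_key` default moves from `tls_certificate_dir` to `tls_private_key_dir` (the old default looked for the key in the certificate directory), which is a correct fix but changes where the key is looked up, so state it in the commit message.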
 
@@ -919,10 +917,10 @@ Here is an example configuration for setting-up XMPP server using Prosody:
 
  mail_user_uid: 5000
 
  mail_user_gid: 5000
 

	
 
  imap_tls_certificate: ~/tls/mail.example.com_imap.pem
 
  imap_tls_key: ~/tls/mail.example.com_imap.key
 
  smtp_tls_certificate: ~/tls/mail.example.com_smtp.pem
 
  smtp_tls_key: ~/tls/mail.example.com_smtp.key
 
  imap_tls_certificate: "{{ lookup('file', '~/tls/mail.example.com_imap.pem') }}"
 
  imap_tls_key: "{{ lookup('file', '~/tls/mail.example.com_imap.key') }}"
 
  smtp_tls_certificate: "{{ lookup('file', '~/tls/mail.example.com_smtp.pem') }}"
 
  smtp_tls_key: "{{ lookup('file', '~/tls/mail.example.com_smtp.key') }}"
 
  imap_folder_separator: /
 
  smtp_rbl:
 
    - bl.spamcop.net
 
@@ -1041,15 +1039,13 @@ Parameters
 
  Specify if HTTPS should be enforced for the default virtual host or not. If
 
  enforced, clients connecting via plaintext will be redirected to HTTPS.
 

	
 
**default_https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_https.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  HTTPS service. The file will be copied to directory
 
  ``/etc/ssl/private/``. This key is used for the default virrtual host.
 
**default_https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_https.pem') }}``)
 
  X.509 certificate used for TLS for HTTPS service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_https.pem``.
 

	
 
**default_https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_https.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for HTTPS service. The file will be copied to directory
 
  ``/etc/ssl/certs/``. This certificate is used for the default virrtual host.
 
**default_https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_https.key') }}``)
 
  Private key used for TLS for HTTPS service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_https.key``.
 

	
 
**web_default_title** (string, optional, ``Welcome``)
 
  Title for the default web page shown to users (if no other vhosts were matched).
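Review bot: the rewritten `default_https_tls_*` entries drop the sentence stating that the key and certificate are used for the default virtual host, which is the one thing distinguishing them from the per-site `https_tls_*` parameters of the php_website and wsgi_website roles; keep a sentence such as "This certificate is used for the default virtual host." (the old text spelled it "virrtual"). Swapping the order so the certificate comes before the key is fine and matches the other roles.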
 
@@ -1068,8 +1064,8 @@ Here is an example configuration for setting-up web server:
 

	
 
  ---
 

	
 
  default_https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key"
 
  default_https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem"
 
  default_https_tls_key: "{{ lookup('file', inventory_dir + '/tls/web.example.com_https.key') }}"
 
  default_https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/web.example.com_https.pem') }}"
 

	
 
  web_default_title: "Welcome to Example Inc."
 
  web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 
@@ -1159,13 +1155,13 @@ Parameters
 
  succession, until the first match, or until it runs out of matches, when a
 
  client requests an URI pointing to directory.
 

	
 
**https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ fqdn }}_https.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
 
**https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}``)
 
  X.509 certificate used for TLS for HTTPS service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ fqdn }}_https.pem``.
 

	
 
**https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ fqdn }}_https.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
 
**https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}``)
 
  Private key used for TLS for HTTPS service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ fqdn }}_https.key``.
 

	
 
**php_file_regex** (string, optional, ``\.php$``)
 
  Regular expression used for determining which file should be interepted via
 
@@ -1222,8 +1218,8 @@ running *ownCloud* and *The Bug Genie* applications):
 
        - php5-json
 
        - php5-mysql
 
        - php5-curl
 
      https_tls_key: "{{ inventory_dir }}/tls/cloud.example.com_https.key"
 
      https_tls_certificate: "{{ inventory_dir }}/tls/cloud.example.com_https.pem"
 
      https_tls_key: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.key') }}"
 
      https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.pem') }}"
 
    - role: php_website
 
      admin: admin
 
      deny_files_regex:
 
@@ -1232,8 +1228,8 @@ running *ownCloud* and *The Bug Genie* applications):
 
        - ^(.*) /index.php?url=$1
 
      fqdn: tbg.example.com
 
      uid: 2007
 
      https_tls_key: "{{ inventory_dir }}/tls/tbg.example.com_https.key"
 
      https_tls_certificate: "{{ inventory_dir }}/tls/tbg.example.com_https.pem"
 
      https_tls_key: "{{ lookup('file', inventory_dir + '/tls/tbg.example.com_https.key') }}"
 
      https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/tbg.example.com_https.pem') }}"
 

	
 

	
 
WSGI Website
 
@@ -1322,13 +1318,13 @@ Parameters
 
  for calculating the user/group name for dedicated website user, as well as
 
  home directory of the website user (where data/code should be stored at).
 

	
 
**https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ fqdn }}_https.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
 
**https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}``)
 
  X.509 certificate used for TLS for HTTPS service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ fqdn }}_https.pem``.
 

	
 
**https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ fqdn }}_https.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
 
**https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}``)
 
  Private key used for TLS for HTTPS service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ fqdn }}_https.key``.
 

	
 
**packages** (list, optional, ``[]``)
 
  A list of additional packages to install for this particular WSGI
 
@@ -1384,8 +1380,8 @@ running a bare Django project):
 
      virtualenv_packages:
 
        - django
 
      wsgi_application: django_example_com.wsgi:application
 
      https_tls_key: "{{ inventory_dir }}/tls/wsgi.example.com_https.key"
 
      https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.example.com_https.pem"
 
      https_tls_key: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.key') }}"
 
      https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.pem') }}"
 

	
 

	
 
Database Server
roles/ldap_server/defaults/main.yml
 
@@ -7,8 +7,8 @@ ldap_server_domain: "{{ ansible_domain }}"
 
ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}"
 
ldap_server_organization: "Private"
 
ldap_server_log_level: 256
 
ldap_server_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_ldap.pem"
 
ldap_server_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_ldap.key"
 
ldap_server_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_ldap.key') }}"
 
ldap_server_ssf: 128
 
ldap_server_consumers: []
 
ldap_server_groups: []
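Review bot: `tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem'` and the matching `_ldap.key` line are missing the `+` after `'/'`, so Jinja2 raises a template syntax error as soon as the variable is rendered. Because role defaults are templated lazily, this only surfaces for hosts that rely on the default; an inventory that sets `ldap_server_tls_key` itself, like testsite/group_vars/ldap.yml, never evaluates it, which is why the testsite will not catch it. Fix: `tls_certificate_dir + '/' + ansible_fqdn + '_ldap.pem'`.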
roles/ldap_server/tasks/main.yml
 
@@ -49,19 +49,19 @@
 
  when: ldap_misc_schema_present.stdout == ""
 

	
 
- name: Deploy LDAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ ldap_server_tls_key | basename }}" src="{{ ldap_server_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" content="{{ ldap_server_tls_key }}"
 
        mode=640 owner=root group=openldap
 
  notify:
 
    - Restart slapd
 

	
 
- name: Deploy LDAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" src="{{ ldap_server_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" content="{{ ldap_server_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart slapd
 

	
 
- name: Configure TLS for slapd (includes hardening)
 
  ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_tls_key | basename }}"
 
  ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
              olcTLSCipherSuite="NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 
  notify:
 
    - Restart slapd
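Review bot: "Deploy LDAP TLS private key" now passes the key material as a module argument (`content="{{ ldap_server_tls_key }}"`), so it is printed by `-vvv` (module invocation arguments) and by `--diff` (the copy module shows the content diff), and it lands in any logging callback; the old `src=` form never put the key itself into task output. Add `no_log: True` to this task; the certificate task can stay as is. The hardcoded `olcTLSCertificateFile`/`olcTLSCertificateKeyFile` names are consistent with the two copy tasks.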
roles/mail_server/defaults/main.yml
 
@@ -3,10 +3,10 @@
 
enable_backup: False
 
mail_ldap_tls_truststore: "/etc/ssl/certs/truststore.pem"
 
mail_user: vmail
 
imap_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_imap.pem"
 
imap_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_imap.key"
 
smtp_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.pem"
 
smtp_tls_key: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.key"
 
imap_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}"
 
imap_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_imap.key') }}"
 
smtp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_smtp.pem') }}"
 
smtp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_smtp.key') }}"
 
imap_folder_separator: "/"
 
smtp_rbl: []
 
mail_postmaster: "postmaster@{{ ansible_domain }}"
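Review bot: same missing `+` after `'/'` in all four new lines (`tls_certificate_dir + '/' ansible_fqdn + ...`), which makes the role fail with a Jinja2 syntax error for any host that does not override these variables; testsite/group_vars/mail.yml overrides all four, so the testsite will not expose it. Separately, `smtp_tls_key` now defaults to `tls_private_key_dir` instead of `tls_certificate_dir`; that corrects the old default but changes where the key is looked up, so mention it in the commit message.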
roles/mail_server/tasks/main.yml
 
@@ -27,25 +27,25 @@
 
  user: name=dovecot append=yes groups=ssl-cert
 

	
 
- name: Deploy SMTP TLS private key
 
  copy: dest="/etc/ssl/private/{{ smtp_tls_key | basename }}" src="{{ smtp_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_smtp.key" content="{{ smtp_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart Postfix
 

	
 
- name: Deploy SMTP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ smtp_tls_certificate | basename }}" src="{{ smtp_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem" content="{{ smtp_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart Postfix
 

	
 
- name: Deploy IMAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ imap_tls_key | basename }}" src="{{ imap_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_imap.key" content="{{ imap_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart Dovecot
 

	
 
- name: Deploy IMAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ imap_tls_certificate | basename }}" src="{{ imap_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem" content="{{ imap_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart Dovecot
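Review bot: "Deploy SMTP TLS private key" and "Deploy IMAP TLS private key" both take the key via `content=` now, so the private keys appear in `-vvv` and `--diff` output; add `no_log: True` to both key tasks (not needed on the certificate tasks).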
roles/mail_server/templates/99-local.conf.j2
 
@@ -29,8 +29,8 @@ service auth {
 
}
 

	
 
# TLS configuration.
 
ssl_cert = </etc/ssl/certs/{{ imap_tls_certificate | basename }}
 
ssl_key = </etc/ssl/private/{{ imap_tls_key | basename }}
 
ssl_cert = </etc/ssl/certs/{{ ansible_fqdn }}_imap.pem
 
ssl_key = </etc/ssl/private/{{ ansible_fqdn }}_imap.key
 
ssl_protocols = TLSv1.2
 
ssl_cipher_list = DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT
 
ssl = required
roles/mail_server/templates/main.cf.j2
 
@@ -52,8 +52,8 @@ smtpd_sasl_auth_enable = no
 
# TLS configuration.
 
smtpd_tls_security_level = may
 
smtpd_tls_auth_only = yes
 
smtpd_tls_cert_file = /etc/ssl/certs/{{ smtp_tls_certificate | basename }}
 
smtpd_tls_key_file = /etc/ssl/private/{{ smtp_tls_key | basename }}
 
smtpd_tls_cert_file = /etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem
 
smtpd_tls_key_file = /etc/ssl/private/{{ ansible_fqdn }}_smtp.key
 
smtpd_use_tls=yes
 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
roles/php_website/defaults/main.yml
 
@@ -8,5 +8,5 @@ php_file_regex: \.php$
 
php_rewrite_urls: []
 
rewrites: []
 
admin: "web-{{ fqdn | replace('.', '_') }}"
 
https_tls_certificate: "{{ tls_certificate_dir }}/{{ fqdn }}_https.pem"
 
https_tls_key: "{{ tls_private_key_dir }}/{{ fqdn }}_https.key"
 
https_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}"
 
https_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}"
roles/php_website/tasks/main.yml
 
@@ -33,13 +33,13 @@
 
    - Restart php5-fpm
 

	
 
- name: Deploy nginx TLS private key for website
 
  copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ fqdn }}_https.key" content="{{ https_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy nginx TLS certificate for website
 
  copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ fqdn }}_https.pem" content="{{ https_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart nginx
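Review bot: "Deploy nginx TLS private key for website" should get `no_log: True` now that the key is passed as `content=`; otherwise a `--diff` or `-vvv` run prints the site's private key.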
roles/php_website/templates/nginx_site.j2
 
@@ -23,8 +23,8 @@ server {
 
    # HTTPS (TLS) configuration.
 
    listen 443 ssl;
 
    listen [::]:443 ssl;
 
    ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
 
    ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
 
    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
 
    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;
 

	
 
    {% if rewrites -%}
 
    # Generic URL rewrites.
roles/web_server/defaults/main.yml
 
---
 

	
 
default_enforce_https: True
 
default_https_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_https.key"
 
default_https_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_https.pem"
 
default_https_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_https.pem') }}"
 
default_https_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_https.key') }}"
 
web_default_title: "Welcome"
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
roles/web_server/tasks/main.yml
 
@@ -9,13 +9,13 @@
 
    - Restart nginx
 

	
 
- name: Deploy nginx TLS private key
 
  copy: dest="/etc/ssl/private/{{ default_https_tls_key | basename }}" src="{{ default_https_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_https.key" content="{{ default_https_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy nginx TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ default_https_tls_certificate | basename }}" src="{{ default_https_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_https.pem" content="{{ default_https_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart nginx
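Review bot: add `no_log: True` to "Deploy nginx TLS private key"; with `content="{{ default_https_tls_key }}"` the key is part of the module arguments and shows up in verbose and diff output.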
roles/web_server/templates/nginx-default.j2
 
@@ -25,8 +25,8 @@ server {
 
    # HTTPS (TLS) configuration.
 
    listen 443 ssl default_server;
 
    listen [::]:443 ssl default_server;
 
    ssl_certificate_key /etc/ssl/private/{{ default_https_tls_key | basename }};
 
    ssl_certificate /etc/ssl/certs/{{ default_https_tls_certificate | basename }};
 
    ssl_certificate_key /etc/ssl/private/{{ ansible_fqdn }}_https.key;
 
    ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}_https.pem;
 

	
 
    # Set-up the serving of default page.
 
    root /var/www/default/;
roles/wsgi_website/defaults/main.yml
 
@@ -7,5 +7,5 @@ static_locations: []
 
use_paste: False
 
virtualenv_packages: []
 
admin: "web-{{ fqdn | replace('.', '_') }}"
 
https_tls_certificate: "{{ tls_certificate_dir }}/{{ fqdn }}_https.pem"
 
https_tls_key: "{{ tls_private_key_dir }}/{{ fqdn }}_https.key"
 
https_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}"
 
https_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}"
roles/wsgi_website/tasks/main.yml
 
@@ -82,13 +82,13 @@
 
        owner="{{ admin }}" group="{{ user }}" mode="2750"
 

	
 
- name: Deploy nginx TLS private key for website
 
  copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ fqdn }}_https.key" content="{{ https_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart nginx
 

	
 
- name: Deploy nginx TLS certificate for website
 
  copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ fqdn }}_https.pem" content="{{ https_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart nginx
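Review bot: "Deploy nginx TLS private key for website" needs `no_log: True` for the same reason as the other key tasks in this changeset: the key is now the `content=` argument and is echoed by `-vvv` and `--diff`.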
roles/wsgi_website/templates/nginx_site.j2
 
@@ -22,8 +22,8 @@ server {
 
    # HTTPS (TLS) configuration.
 
    listen 443 ssl;
 
    listen [::]:443 ssl;
 
    ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
 
    ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
 
    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
 
    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;
 

	
 
    {% if rewrites -%}
 
    # Site rewrites.
roles/xmpp_server/defaults/main.yml
 
@@ -2,5 +2,5 @@
 

	
 
enable_backup: False
 
xmpp_domains: "{{ ansible_domain }}"
 
xmpp_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_xmpp.pem"
 
xmpp_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_xmpp.key"
 
xmpp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_xmpp.pem') }}"
 
xmpp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_xmpp.key') }}"
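Review bot: `fqdn` is not defined in this role (the tasks and prosody.cfg.lua.j2 use `ansible_fqdn`, and the two removed lines here did too), so both new defaults fail with an undefined-variable error whenever a host does not set `xmpp_tls_certificate`/`xmpp_tls_key` itself; testsite/group_vars/xmpp.yml overrides both, so the testsite will not expose it. Replace `fqdn` with `ansible_fqdn`, and fix the same in the XMPP entry of docs/rolereference.rst.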
roles/xmpp_server/tasks/main.yml
 
@@ -24,13 +24,13 @@
 
  user: name=prosody append=yes groups=ssl-cert
 

	
 
- name: Deploy XMPP TLS private key
 
  copy: dest="/etc/ssl/private/{{ xmpp_tls_key | basename }}" src="{{ xmpp_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key" content="{{ xmpp_tls_key }}"
 
        mode=640 owner=root group=prosody
 
  notify:
 
    - Restart Prosody
 

	
 
- name: Deploy XMPP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ xmpp_tls_certificate | basename }}" src="{{ xmpp_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem" content="{{ xmpp_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart Prosody
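Review bot: "Deploy XMPP TLS private key" should carry `no_log: True`; the key is now in the task's `content=` argument and is printed in verbose and diff mode.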
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
@@ -42,8 +42,8 @@ allow_registration = false;
 
-- These are the SSL/TLS-related settings. If you don't want
 
-- to use SSL/TLS, you may comment or remove this
 
ssl = {
 
  key = "/etc/ssl/private/{{ xmpp_tls_key | basename }}";
 
  certificate = "/etc/ssl/certs/{{ xmpp_tls_certificate | basename }}";
 
  key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
 
  certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
 
  prosody = "tlsv1_2";
 
  ciphers = "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;"
 
}
testsite/group_vars/ldap.yml
 
@@ -42,8 +42,8 @@ ldap_server_groups:
 
    state: absent
 
ldap_server_organization: "Example Inc."
 
ldap_server_log_level: 256
 
ldap_server_tls_certificate: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.pem"
 
ldap_server_tls_key: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.key"
 
ldap_server_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/ldap.' + testsite_domain + '_ldap.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', inventory_dir + '/tls/ldap.' + testsite_domain + '_ldap.key') }}"
 
ldap_server_ssf: 128
 

	
 
ldap_permissions:
testsite/group_vars/mail.yml
 
@@ -10,10 +10,10 @@ mail_user: vmail
 
mail_user_uid: 5000
 
mail_user_gid: 5000
 

	
 
imap_tls_certificate: "{{ inventory_dir }}/tls/mail.{{ testsite_domain }}_imap.pem"
 
imap_tls_key: "{{ inventory_dir }}/tls/mail.{{ testsite_domain }}_imap.key"
 
smtp_tls_certificate: "{{ inventory_dir }}/tls/mail.{{ testsite_domain }}_smtp.pem"
 
smtp_tls_key: "{{ inventory_dir }}/tls/mail.{{ testsite_domain }}_smtp.key"
 
imap_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_imap.pem') }}"
 
imap_tls_key: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_imap.key') }}"
 
smtp_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_smtp.pem') }}"
 
smtp_tls_key: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_smtp.key') }}"
 
imap_folder_separator: /
 
smtp_rbl:
 
  - bl.spamcop.net
testsite/group_vars/web.yml
 
@@ -7,8 +7,8 @@ smtp_relay_host: mail.{{ testsite_domain }}
 

	
 
smtp_relay_truststore: /etc/ssl/certs/ca.pem
 

	
 
default_https_tls_key: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.key"
 
default_https_tls_certificate: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.pem"
 
default_https_tls_key: "{{ lookup('file', inventory_dir + '/tls/web.' + testsite_domain + '_https.key') }}"
 
default_https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/web.' + testsite_domain + '_https.pem') }}"
 

	
 
web_default_title: "Welcome to Example Inc."
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
testsite/group_vars/xmpp.yml
 
@@ -10,9 +10,9 @@ smtp_relay_truststore: /etc/ssl/certs/ca.pem
 
xmpp_administrators:
 
  - john.doe@{{ testsite_domain }}
 

	
 
xmpp_tls_key: "{{ inventory_dir }}/tls/xmpp.{{ testsite_domain }}_xmpp.key"
 
xmpp_tls_key: "{{ lookup('file', inventory_dir + '/tls/xmpp.' + testsite_domain + '_xmpp.key') }}"
 

	
 
xmpp_tls_certificate: "{{ inventory_dir }}/tls/xmpp.{{ testsite_domain }}_xmpp.pem"
 
xmpp_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/xmpp.' + testsite_domain + '_xmpp.pem') }}"
 

	
 
xmpp_domains:
 
  - "{{ testsite_domain }}"
testsite/playbooks/roles/phpinfo/meta/main.yml
 
@@ -8,8 +8,8 @@ dependencies:
 
      - ^(.*) /index.php
 
    uid: 2000
 
    enforce_https: False
 
    https_tls_key: "{{ inventory_dir }}/tls/phpinfo.{{ testsite_domain }}_https.key"
 
    https_tls_certificate: "{{ inventory_dir }}/tls/phpinfo.{{ testsite_domain }}_https.pem"
 
    https_tls_key: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.key') }}"
 
    https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.pem') }}"
 
  - role: database
 
    db_name: phpinfo_{{ testsite_domain_underscores }}
 
    db_password: phpinfo_{{ testsite_domain_underscores }}
 
\ No newline at end of file
testsite/playbooks/roles/wsgihello/meta/main.yml
 
@@ -8,8 +8,8 @@ dependencies:
 
    wsgi_application: wsgi:application
 
    static_locations:
 
      - /static/
 
    https_tls_key: "{{ inventory_dir }}/tls/wsgi.{{ testsite_domain }}_https.key"
 
    https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.{{ testsite_domain }}_https.pem"
 
    https_tls_key: "{{ lookup('file', inventory_dir + '/tls/wsgi.' + testsite_domain + '_https.key') }}"
 
    https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/wsgi.' + testsite_domain + '_https.pem') }}"
 
  - role: database
 
    db_name: wsgi_{{ testsite_domain_underscores }}
 
    db_password: wsgi_{{ testsite_domain_underscores }}
 
\ No newline at end of file