Changeset - 24c957d877de
[Not reviewed]
Branko Majic (branko) - 9 years ago 2017-04-09 17:56:30
branko@majic.rs
MAR-96: Fixed indentation for code listing in testsite documentation for generating the SSH keys. Added an extra "workstation" machine to test site meant to be used for testing Debian 9 Stretch compatibility. Moved testing of "extra_backup_patterns" into the new workstation machine.
7 files changed with 53 insertions and 17 deletions:
0 comments (0 inline, 0 general)
docs/testsite.rst
 
@@ -114,22 +114,23 @@ In order to deploy the test site, the following steps would normally be taken:
 
   include the full CA chain used for LDAP server.
 

	
 
6. Generate SSH keys to be used by the backup server and backup clients:
 

	
 
  .. code-block:: shell
 

	
 
    mkdir ssh
 
    ssh-keygen -f ssh/backup_server_dsa_key -N '' -t dsa
 
    ssh-keygen -f ssh/backup_server_rsa_key -N '' -t rsa
 
    ssh-keygen -f ssh/backup_server_ed25519_key -N '' -t ed25519
 
    ssh-keygen -f ssh/backup_server_ecdsa_key -N '' -t ecdsa
 
    ssh-keygen -f ssh/mail.example.com -N ''
 
    ssh-keygen -f ssh/ldap.example.com -N ''
 
    ssh-keygen -f ssh/xmpp.example.com -N ''
 
    ssh-keygen -f ssh/web.example.com -N ''
 
    ssh-keygen -f ssh/backup.example.com -N ''
 
     mkdir ssh
 
     ssh-keygen -f ssh/backup_server_dsa_key -N '' -t dsa
 
     ssh-keygen -f ssh/backup_server_rsa_key -N '' -t rsa
 
     ssh-keygen -f ssh/backup_server_ed25519_key -N '' -t ed25519
 
     ssh-keygen -f ssh/backup_server_ecdsa_key -N '' -t ecdsa
 
     ssh-keygen -f ssh/mail.example.com -N ''
 
     ssh-keygen -f ssh/ldap.example.com -N ''
 
     ssh-keygen -f ssh/xmpp.example.com -N ''
 
     ssh-keygen -f ssh/web.example.com -N ''
 
     ssh-keygen -f ssh/backup.example.com -N ''
 
     ssh-keygen -f ssh/ws01.example.com -N ''
 

	
 
7. Set-up a local GnuPG keyring that will contain the necessary encryption and
 
   signing keys for the backup clients::
 

	
 
     mkdir ./backup_keyring
 
     chmod 700 ./backup_keyring
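Review bot: the re-indented listing still tells the reader to generate a DSA host key for the backup server (`ssh-keygen -f ssh/backup_server_dsa_key -N '' -t dsa`). Since this changeset adds a Debian 9 Stretch machine, note that OpenSSH 7.x, which Stretch ships, disables ssh-dss host keys by default, so that key will not be offered by the server there; consider dropping the DSA line (and the matching `dsa:` entry in backup_host_ssh_private_keys) or adding a sentence saying it is kept only for Jessie. The indentation fix itself is right: the content under `.. code-block:: shell` has to be indented relative to the directive for Sphinx to render it as a literal block.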
 
@@ -160,30 +161,39 @@ In order to deploy the test site, the following steps would normally be taken:
 

	
 
     Key-Type:RSA
 
     Key-Length:1024
 
     Name-Real:backup.example.com
 
     Expire-Date:0
 
     %commit
 

	
 
     Key-Type:RSA
 
     Key-Length:1024
 
     Name-Real:ws01.example.com
 
     Expire-Date:0
 
     %commit
 
     EOF
 

	
 
8. Generate the preseed files:
 

	
 
  .. code-block:: shell
 

	
 
     ansible-playbook playbooks/preseed.yml
 

	
 
9. Install all servers using the generated preseed files.
 
9. Install all servers using the generated preseed files. All servers except
 
   ``ws01.example.com`` are supposed to be running *Debian 8 Jessie*. The server
 
   ``ws01.example.com`` is meant to run *Debian 9 Stretch* (althogh, Debian
 
   Jessie should function as well).
 

	
 
10. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
    remove old entries if you are redoing the process). You can easily obtain all
 
    the necessary fingerprints with command (don't forget to modify domain if you
 
    need to):
 

	
 
    .. code-block:: shell
 

	
 
      ssh-keyscan -t ed25519 mail.example.com ldap.example.com xmpp.example.com web.example.com backup.example.com $(resolveip -s mail.example.com) $(resolveip -s ldap.example.com) $(resolveip -s xmpp.example.com) $(resolveip -s web.example.com) $(resolveip -s backup.example.com)
 
      ssh-keyscan -t ed25519 mail.example.com ldap.example.com xmpp.example.com web.example.com backup.example.com ws01.example.com $(resolveip -s mail.example.com) $(resolveip -s ldap.example.com) $(resolveip -s xmpp.example.com) $(resolveip -s web.example.com) $(resolveip -s backup.example.com) $(resolveip -s ws01.example.com)
 

	
 
11. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 
    environment for Ansible runs on all servers:
 

	
 
    .. code-block:: shell
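Review bot: typo in the new step 9 text, `althogh` should read `although`, and the parenthetical reads better as `(although Debian Jessie should work as well)`. Two smaller points in the same hunk: the `ssh-keyscan` line now carries six hostnames plus six `$(resolveip -s ...)` substitutions on a single line, so backslash continuations would keep the rendered block readable, and `resolveip` comes with the MySQL/MariaDB server packages and is not guaranteed to exist on a workstation, so either name the package or use `getent hosts`. The new GnuPG batch stanza for ws01.example.com keeps `Key-Length:1024`, consistent with the other test keys but below the 2048-bit RSA default GnuPG uses; acceptable for a throwaway test site, but a short note in the docs saying so would avoid it being copied into real deployments.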
 

	
testsite/group_vars/backup.yml
 
@@ -20,12 +20,15 @@ backup_clients:
 
  - server: xmpp.{{ testsite_domain }}
 
    public_key: "{{ lookup('file', inventory_dir + '/ssh/xmpp.' + testsite_domain + '.pub') }}"
 
    ip: 10.32.64.16
 
  - server: backup.{{ testsite_domain }}
 
    public_key: "{{ lookup('file', inventory_dir + '/ssh/backup.' + testsite_domain + '.pub') }}"
 
    ip: 127.0.0.1
 
  - server: ws01.{{ testsite_domain }}
 
    public_key: "{{ lookup('file', inventory_dir + '/ssh/ws01.' + testsite_domain + '.pub') }}"
 
    ip: 10.32.64.22
 

	
 
backup_host_ssh_private_keys:
 
  dsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key') }}"
 
  rsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key') }}"
 
  ed25519: "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key') }}"
 
  ecdsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key') }}"
testsite/group_vars/mail.yml
 
@@ -25,17 +25,15 @@ smtp_rbl:
 
mail_postmaster: postmaster@{{ testsite_domain }}
 

	
 
smtp_allow_relay_from:
 
  - ldap.{{ testsite_domain }}
 
  - xmpp.{{ testsite_domain }}
 
  - web.{{ testsite_domain }}
 
  - ws01.{{ testsite_domain }}
 

	
 
imap_max_user_connections_per_ip: 50
 

	
 
mail_server_tls_protocols:
 
  - TLSv1.2
 
  - TLSv1.1
 

	
 
mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA:!aNULL:!MD5:!EXPORT"
 

	
 
extra_backup_patterns:
 
  - "/root"
 
\ No newline at end of file
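Review bot: the `\ No newline at end of file` marker at the bottom of this hunk shows mail.yml still ends without a trailing newline once `extra_backup_patterns` is dropped; add one. Otherwise the hunk matches the commit message: mail.example.com no longer backs up `/root` (that test moves to the workstation) and `ws01.{{ testsite_domain }}` is added to `smtp_allow_relay_from`. As an aside on the unchanged context, `mail_server_tls_protocols` still lists TLSv1.1; worth revisiting in a separate change.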
testsite/group_vars/workstation.yml
 
new file 100644
 
---
 

	
 
local_mail_aliases:
 
  root: "root john.doe@{{ testsite_domain }}"
 

	
 
smtp_relay_host: mail.{{ testsite_domain }}
 

	
 
smtp_relay_truststore: "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}"
 

	
 
extra_backup_patterns:
 
  - "/root"
 
  - "/home/admin"
 
\ No newline at end of file
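Review bot: `extra_backup_patterns` adds `/home/admin`, but nothing in this changeset creates an `admin` user on the workstation (ws.yml applies only `common` and `mail_forwarder`); if neither the preseed nor the common role creates that account, the pattern matches nothing and the test moved here from mail.yml covers less than it appears to. The new file also ends with `\ No newline at end of file`; add the trailing newline.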
testsite/hosts
 
@@ -13,12 +13,16 @@ mail.example.com
 
[web]
 
web.example.com
 

	
 
[backup]
 
backup.example.com
 

	
 
[workstation]
 
ws01.example.com
 

	
 
[testsite:children]
 
ldap
 
xmpp
 
mail
 
web
 
backup
 
\ No newline at end of file
 
backup
 
workstation
 
\ No newline at end of file
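Review bot: the new `[workstation]` group and the `workstation` child under `[testsite:children]` look right, but the file still ends with `\ No newline at end of file`; add the trailing newline to hosts. The changeset also contains no host_vars or preseed entry for ws01.example.com, although backup.yml now hard-codes its address as 10.32.64.22 and step 9 of the docs says it is to be installed as Debian 9 Stretch; confirm that the preseed playbook picks the new host up and that whatever assigns its IP agrees with 10.32.64.22.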
testsite/playbooks/site.yml
 
@@ -2,7 +2,8 @@
 

	
 
- include: preseed.yml
 
- include: ldap.yml
 
- include: xmpp.yml
 
- include: mail.yml
 
- include: web.yml
 
- include: backup.yml
 
\ No newline at end of file
 
- include: backup.yml
 
- include: ws.yml
 
\ No newline at end of file
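Review bot: the new playbook is included as `ws.yml` while every other include is named after its inventory group (`ldap.yml`, `mail.yml`, `backup.yml`, and so on); naming it `workstation.yml` to match the `[workstation]` group would be more consistent. The file also still lacks a trailing newline, as the `\ No newline at end of file` marker shows.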
testsite/playbooks/ws.yml
 
new file 100644
 
---
 

	
 
- hosts: workstation
 
  remote_user: ansible
 
  become: yes
 
  roles:
 
    - common
 
    - mail_forwarder
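Review bot: the play applies only the `common` and `mail_forwarder` roles, so the `extra_backup_patterns` defined in group_vars/workstation.yml only take effect if the backup client role reaches the workstation from another playbook (backup.yml is not touched by this changeset); confirm that, otherwise the test the commit message says was moved here is not actually run. A one-line comment stating that this host is the Debian 9 Stretch compatibility target would also help, since nothing in the play itself conveys that.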