Changeset - 284ed92d40bb
[Not reviewed]
Branko Majic (branko) - 11 years ago 2015-04-25 17:02:58
branko@majic.rs
MAR-10: Fixed truststore filename in docs for test site. Install the ssl-cert package explicitly, and allow server processes to access their keys by adding them to group ssl-cert instead.
5 files changed with 17 insertions and 5 deletions:
0 comments (0 inline, 0 general)
docs/testsite.rst
 
@@ -56,13 +56,13 @@ In order to deploy the test site, the following steps would normally be taken:
 
     be ``xmpp.example.com``)
 
   - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should
 
     be ``ldap.example.com``)
 

	
 
3. Create ``PEM`` truststore file which contains all CA certificates that form
 
   CA chain for the issued end entity certificates from previous step at
 
   location ``testsite/tls/example_ca_chain.crt``. It is very important to
 
   location ``testsite/tls/example_ca_chain.pem``. It is very important to
 
   include the CA chain used for LDAP server.
 

	
 
4. Generate the preseed files:
 

	
 
  .. code-block:: shell
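Review bot: the rename from ``example_ca_chain.crt`` to ``example_ca_chain.pem`` touches only this one docs line; since step 3 tells the reader to create a ``PEM`` truststore, ``.pem`` is the right name, but please confirm that the preseed step in item 4 (cut off in this hunk) and any role variable that consumes the truststore path use the same ``.pem`` filename, otherwise the docs and the playbook disagree again.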
 

	
roles/common/tasks/main.yml
 
@@ -10,12 +10,15 @@
 
- name: Set home directory mask
 
  lineinfile: dest=/etc/adduser.conf state=present backrefs=yes regexp='^DIR_MODE=' line='DIR_MODE=0750'
 

	
 
- name: Install sudo
 
  apt: name=sudo state=present
 

	
 
- name: Install ssl-cert package
 
  apt: name=ssl-cert state=present
 

	
 
- name: Install common packages
 
  apt: name="{{ item }}" state="present"
 
  with_items: common_packages
 

	
 
- name: Set-up operating system groups
 
  group: name="{{ item.name }}" gid="{{ item.gid }}" state=present
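Review bot: the new `Install ssl-cert package` task is what creates the `ssl-cert` group that the `user: ... groups=ssl-cert` tasks in the ldap_server, mail_server and prosody roles rely on, so those roles now depend on the common role having run first; that dependency is worth stating in the role's README or meta dependencies. Minor: this task uses `state=present` while the other roles in this changeset use `state=installed` for apt; either works, but pick one across the repository.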
 
@@ -44,14 +47,11 @@
 

	
 
- name: Disable remote login authentication via password
 
  lineinfile: dest="/etc/ssh/sshd_config" state=present regexp="^PasswordAuthentication" line="PasswordAuthentication no"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Allow users to traverse directories to TLS private key files
 
  file: path=/etc/ssl/private/ mode=o+x
 

	
 
- name: Deploy CA certificates
 
  copy: src="{{ item }}" dest="/etc/ssl/certs/{{ item | basename }}" mode=644 owner=root group=root
 
  with_items: ca_certificates
 
  notify:
 
    - Update CA certificate cache
 
\ No newline at end of file
 
    - Update CA certificate cache
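Review bot: dropping the `file: path=/etc/ssl/private/ mode=o+x` task is the right direction (world-execute on the key directory let any local user traverse to the key files, leaving only the file modes as protection), but the hunk only stops setting the bit; it does not reset it, so hosts already provisioned with the old task keep `o+x` on `/etc/ssl/private`. Consider an explicit `file: path=/etc/ssl/private mode=0710 owner=root group=ssl-cert` so re-running the playbook remediates existing hosts as well as new ones. Separately, the `\ No newline at end of file` marker shows the hunk also adds the missing trailing newline after the last handler line; fine, just noting it is unrelated to the group change.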
roles/ldap_server/tasks/main.yml
 
@@ -6,12 +6,15 @@
 
- name: Set organisation for slapd
 
  debconf: name=slapd question=slapd/organization vtype=string value="{{ ldap_server_config.organization }}"
 

	
 
- name: Install slapd
 
  apt: name=slapd state=installed
 

	
 
- name: Allow OpenLDAP user to traverse the directory with TLS private keys
 
  user: name=openldap append=yes groups=ssl-cert
 

	
 
- name: Install Python LDAP bindings
 
  apt: name=python-ldap state=installed
 

	
 
- name: Enable slapd service
 
  service: name=slapd enabled=yes state=started
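Review bot: adding `openldap` to `ssl-cert` with `append=yes` is correct (it keeps any existing secondary groups), but supplementary group membership only applies to processes started after the change. On a fresh host this task runs before `Enable slapd service` starts slapd, so it works; on an already-provisioned host with slapd running, nothing restarts the daemon, so it cannot reach the key until the next restart. Add a `notify` to the role's slapd restart handler (none is visible in this hunk) so the change takes effect on existing hosts too.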
 

	
roles/mail_server/tasks/main.yml
 
@@ -19,12 +19,18 @@
 
  with_items:
 
    - postfix
 
    - postfix-ldap
 
  notify:
 
    - Purge Exim configuration
 

	
 
- name: Allow Postfix user to traverse the directory with TLS private keys
 
  user: name=postfix append=yes groups=ssl-cert
 

	
 
- name: Allow Dovecot user to traverse the directory with TLS private keys
 
  user: name=dovecot append=yes groups=ssl-cert
 

	
 
- name: Deploy SMTP TLS private key
 
  copy: dest="/etc/ssl/private/{{ smtp_tls_key | basename }}" src="{{ smtp_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart Postfix
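Review bot: the commit message says the ssl-cert group lets server processes access their keys, but in this role the `Deploy SMTP TLS private key` task still writes the key with `mode=640 owner=root group=root`, so membership in `ssl-cert` grants postfix and dovecot only traversal of `/etc/ssl/private`, not read access to the key file itself. If that is intentional because the daemons load the key while still running as root, say so in the task name or a comment; otherwise the file's group (or the mode) needs to change as well. Also, neither new `user` task notifies a restart, so running daemons on existing hosts do not pick up the new group until restarted; the `Restart Postfix` handler already used by the key task could be reused here, with the Dovecot equivalent if the role has one.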
 

	
roles/prosody/tasks/main.yml
 
@@ -14,12 +14,15 @@
 
- name: Install Lua LDAP library
 
  apt: name=lua-ldap state=installed
 

	
 
- name: Install Prosody
 
  apt: name=prosody state=installed
 

	
 
- name: Allow Prosody user to traverse the directory with TLS private keys
 
  user: name=prosody append=yes groups=ssl-cert
 

	
 
- name: Deploy XMPP TLS private key
 
  copy: dest="/etc/ssl/private/{{ prosody_tls_key | basename }}" src="{{ prosody_tls_key }}"
 
        mode=640 owner=root group=prosody
 
  notify:
 
    - Restart Prosody
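Review bot: the group change for `prosody` is not paired with a restart: the `Deploy XMPP TLS private key` task notifies `Restart Prosody`, but on a host where the key is unchanged only the new `user` task changes anything, and the running Prosody process keeps its old supplementary groups. Add `notify: - Restart Prosody` to the `user` task as well. Note that the key file here is `group=prosody` rather than `group=ssl-cert`; that is tighter (only Prosody's own user can read it) and fine, but it differs from the mail_server role in this same changeset, so it is worth being deliberate about which convention the repository uses.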
 

	