Changeset - 61e6cfb81789
Branko Majic (branko) - 8 years ago 2016-05-03 17:18:53
branko@majic.rs
MAR-51: Fixed documentation for ansible_key parameter in preseed role. Updated ca_certificates parameter in common role to accept key-value pairs of filenames and certificates to put on remote host (so lookups/inventory can be utilised in more flexible manner). Updated backup_client role to fail if it is not possible to extract encryption key IDs from deployed keys. Moved purging of Exim4 configuration files from handlers to tasks (more robust, and still idempotent). All documentation has been updated as well.
10 files changed with 19 insertions and 22 deletions:
docs/rolereference.rst
 
@@ -150,7 +150,7 @@ defaults to be used for all servers, and then overrides it for one server:
 

	
 
  ---
 

	
 
  ansible_key: /root/ansible/private.key
 
  ansible_key: {{ lookup('file', '~/.ssh/id_rsa.pub') }}
 
  preseed_country: UK
 
  preseed_directory: /var/www/preseed
 
  preseed_keymap: UK
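Review bot: the replacement `ansible_key` example is not quoted, and a YAML scalar that begins with `{{` is parsed as a flow mapping, so anyone who copies the line into their group_vars gets a YAML load error; every other example in this changeset wraps the lookup in double quotes, so this one should read `ansible_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"`. It is also worth stating in the parameter description that `lookup('file', ...)` runs on the control host, so `~` expands to the home directory of the user running ansible-playbook, not to anything on the target.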
 
@@ -325,11 +325,10 @@ Parameters
 
  server. Each element of the list should be a simple string denoting the name
 
  of the package.
 

	
 
**ca_certificates** (list, optional, ``[]``)
 
  List of additional CA certificate files that should be deployed on the
 
  server. Each element of the list should be a filepath to a CA certificate file
 
  on originating (Ansible) host that should be copied to destination
 
  server.
 
**ca_certificates** (list, optional, ``{}``)
 
  Dictionary containing the CA certificates to deploy. Keys are filenames to be
 
  used when placing a certificate file in directory ``/etc/ssl/certs/``, while
 
  values are corresponding content to be placed in the file.
 

	
 
**incoming_connection_limit** (string, optional, ``3/second``)
 
  Rate at which the incoming ICMP echo-request packages and new TCP connections
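Review bot: the new `**ca_certificates**` signature line still says `list` although the default became ``{}`` and the description below it says dictionary; change it to ``(dict, optional, ``{}``)`` so a reader who only skims the signature does not keep passing a list, which the `with_dict` loop in roles/common/tasks/main.yml will reject. The description should also say that the key is used verbatim as the file name under ``/etc/ssl/certs/`` and that anything placed there is trusted as a CA by every consumer of the system store, so the variable should only be populated from inventory the operator controls.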
 
@@ -375,7 +374,7 @@ packages on all servers:
 
    - debconf-utils
 

	
 
  ca_certificates:
 
    - ../certs/truststore.pem
 
    "truststore.pem": "{{ lookup('file', '../certs/truststore.pem') }}"
 

	
 
  incoming_connection_limit: 2/second
 

	
docs/usage.rst
 
@@ -607,7 +607,7 @@ one up first. This includes both the LDAP *server* and *client* configuration.
 
      tls_private_key_dir: "~/mysite/tls/"
 
      tls_certificate_dir: "~/mysite/tls/"
 
      ca_certificates:
 
         - "~/mysite/tls/truststore.pem"
 
         "truststore.pem": "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"
 

	
 
8. And now as finishing touch, simply run the playbooks again::
 

	
roles/backup_client/tasks/main.yml
 
@@ -37,12 +37,14 @@
 
  shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'"
 
  register: backup_encryption_key_id
 
  changed_when: False
 
  failed_when: backup_encryption_key_id.stdout == ""
 

	
 
- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
 
  shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'"
 
  register: backup_additional_encryption_keys_ids
 
  when: backup_additional_encryption_keys
 
  changed_when: False
 
  failed_when: backup_additional_encryption_keys_ids.stdout == ""
 

	
 
- name: Deploy private SSH key for logging-in into backup server
 
  copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
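Review bot: the `failed_when: ... stdout == ""` guards are a real improvement (an empty key ID would otherwise be passed on silently), but the second pipeline cannot produce more than one ID: `head -n1` runs before `sort -u` and `tr '\n' ','`, so the "additional encryption keys" task yields at most the same single key ID as the first task, and both tasks read the same `/etc/duply/main/private_keys.asc`. If the intent is every additional key, drop `head -n1` from the second command (and point it at whatever file actually holds the additional keys). Minor: the task name still misspells Duplicity as "Duplicty".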
roles/common/defaults/main.yml
 
@@ -4,6 +4,6 @@ enable_backup: False
 
common_packages: []
 
os_users: []
 
os_groups: []
 
ca_certificates: []
 
ca_certificates: {}
 
incoming_connection_limit: 3/second
 
incoming_connection_limit_burst: 9
 
\ No newline at end of file
roles/common/tasks/main.yml
 
@@ -63,8 +63,8 @@
 
    - Restart SSH
 

	
 
- name: Deploy CA certificates
 
  copy: src="{{ item }}" dest="/etc/ssl/certs/{{ item | basename }}" mode=644 owner=root group=root
 
  with_items: ca_certificates
 
  copy: content="{{ item.value }}" dest="/etc/ssl/certs/{{ item.key }}" mode=644 owner=root group=root
 
  with_dict: ca_certificates
 
  notify:
 
    - Update CA certificate cache
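Review bot: `dest="/etc/ssl/certs/{{ item.key }}"` interpolates the dictionary key into the destination path unfiltered, whereas the removed line kept `| basename`; a key such as `../../etc/cron.d/x` or an absolute path would write the file outside the certificate directory. Keys come from inventory, but keeping `{{ item.key | basename }}` costs nothing and preserves the old guarantee that files only land in `/etc/ssl/certs/`. Two smaller points: write the mode as `mode=0644` with the leading zero, the form the copy module documents for octal modes, and note that any inventory still defining `ca_certificates` as a list now fails at `with_dict` rather than degrading quietly, which the updated docs should call out.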
 

	
roles/mail_forwarder/handlers/main.yml
 
---
 

	
 
- name: Purge Exim configuration
 
  apt: name="exim4*" state=absent purge=yes
 

	
 
- name: Rebuild mail aliases
 
  command: /usr/bin/newaliases
 

	
roles/mail_forwarder/tasks/main.yml
 
@@ -2,8 +2,9 @@
 

	
 
- name: Install Postfix
 
  apt: name="postfix" state=installed
 
  notify:
 
    - Purge Exim configuration
 

	
 
- name: Purge Exim configuration
 
  apt: name="exim4*" state=absent purge=yes
 

	
 
- name: Deploy Postfix main configuration
 
  template: src="main.cf.j2" dest="/etc/postfix/main.cf"
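Review bot: moving the purge from a handler to a task is right for convergence, since the handler only fired on the run where Postfix was first installed, but the new task now runs on every play and `apt: name="exim4*" state=absent purge=yes` depends on the apt module expanding the fnmatch-style wildcard for removal; confirm the targeted Ansible release supports name wildcards with `state=absent` and verify idempotence with a second run (the task should report ok, not changed, once nothing matching `exim4*` is installed). With the `notify:` removed from `Install Postfix`, the `Purge Exim configuration` handler in roles/mail_forwarder/handlers/main.yml has no remaining callers, so its deletion in this changeset is consistent.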
roles/mail_server/handlers/main.yml
 
---
 

	
 
- name: Purge Exim configuration
 
  apt: name="exim4*" state=absent purge=yes
 

	
 
- name: Restart Postfix
 
  service: name="postfix" state=restarted
 

	
roles/mail_server/tasks/main.yml
 
@@ -16,8 +16,9 @@
 
  with_items:
 
    - postfix
 
    - postfix-ldap
 
  notify:
 
    - Purge Exim configuration
 

	
 
- name: Purge Exim configuration
 
  apt: name="exim4*" state=absent purge=yes
 

	
 
- name: Allow Postfix user to traverse the directory with TLS private keys
 
  user: name=postfix append=yes groups=ssl-cert
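Review bot: this purge task is identical to the one added to roles/mail_forwarder/tasks/main.yml, and both roles install Postfix; consider pulling it into a shared task file or role so the two copies cannot drift (for example one gaining the wildcard fix or an idempotence tweak and the other not). As with the forwarder role, the removed `notify:` leaves the `Purge Exim configuration` handler in roles/mail_server/handlers/main.yml without callers, so deleting it here is the right follow-through.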
testsite/group_vars/all.yml
 
@@ -41,7 +41,7 @@ common_packages:
 
  - unzip
 

	
 
ca_certificates:
 
  - "{{ inventory_dir }}/tls/ca.pem"
 
  "ca.pem": "{{ lookup('file', inventory_dir + '/tls/ca.pem') }}"
 

	
 
incoming_connection_limit: 2/second
 

	