majic-ansible-roles Changeset

Changeset - 70733167cdf8

Parent rev.

Child rev.

[Not reviewed]

8 6 3

Branko Majic (branko) - 9 years ago 2015-08-17 22:31:39
branko@majic.rs

MAR-9: Created small utility playbook in testsite for generating the necessary TLS keys and certificates. Updated testsite configuration to be slightly different (no need for separate chain file I think).

15 files changed with 67 insertions and 198 deletions:

.gitignore

testsite/group_vars/all.yml

testsite/group_vars/ldap.yml

testsite/group_vars/mail.yml

testsite/group_vars/web.yml

testsite/group_vars/xmpp.yml

testsite/playbooks/tls.yml

testsite/tls/ca.cfg

rename

testsite/tls/gnutls_server_certificate.cfg.j2

testsite/tls/templates/mail.example.com_imap.cfg

testsite/tls/templates/mail.example.com_smtp.cfg

testsite/tls/templates/phpinfo.example.com_https.cfg

testsite/tls/templates/web.example.com_https.cfg

testsite/tls/templates/wsgi.example.com_https.cfg

testsite/tls/templates/xmpp.example.com_xmpp.cfg

0 comments (0 inline, 0 general)

.gitignore

➞

Show inline comments

@@ @@ -3,5 +3,9 @@ @@
 tmp/
 docs/_build/
 testsite/preseed_files/
 # Ignore "temporary" files created with the playbook tls.yml (certs, keys, and
 # host config files for GnuTLS - ca.cfg is versioned, though).
 testsite/tls/*.pem
 testsite/tls/*.key
 testsite/tls/*.*_*.cfg
@@ \ No newline at end of file @@

testsite/group_vars/all.yml

➞

Show inline comments

@@ @@ -39,7 +39,7 @@ common_packages: @@
   - unzip
 ca_certificates:
-  - "{{ inventory_dir }}/tls/example_ca_chain.pem"
+  - "{{ inventory_dir }}/tls/ca.pem"
 incoming_connection_limit: 2/second

testsite/group_vars/ldap.yml

➞

Show inline comments

@@ @@ -4,7 +4,7 @@ local_mail_aliases: @@
   root: "root john.doe@{{ testsite_domain }}"
 smtp_relay_host: mail.{{ testsite_domain }}
-smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
+smtp_relay_truststore: /etc/ssl/certs/ca.pem
 ldap_client_config:
   - comment: Set the base DN
@@ @@ -18,7 +18,7 @@ ldap_client_config: @@
     value: cn=admin,{{ testsite_ldap_base }}
   - comment: Set the LDAP TLS truststore
     option: TLS_CACERT
-    value: /etc/ssl/certs/example_ca_chain.pem
+    value: /etc/ssl/certs/ca.pem
 ldap_server_config:
   domain: "{{ testsite_domain }}"

testsite/group_vars/mail.yml

➞

Show inline comments

@@ @@ -9,10 +9,10 @@ ldap_client_config: @@
     value: ldap://ldap.{{ testsite_domain }}/
   - comment: Set the LDAP TLS truststore
     option: TLS_CACERT
-    value: /etc/ssl/certs/example_ca_chain.pem
+    value: /etc/ssl/certs/ca.pem
 mail_ldap_url: ldap://ldap.{{ testsite_domain }}/
-mail_ldap_tls_truststore: /etc/ssl/certs/example_ca_chain.pem
+mail_ldap_tls_truststore: /etc/ssl/certs/ca.pem
 mail_ldap_root_dn: "{{ testsite_ldap_base }}"
 mail_ldap_postfix_password: postfix
 mail_ldap_dovecot_password: dovecot

testsite/group_vars/web.yml

➞

Show inline comments

@@ @@ -9,14 +9,14 @@ ldap_client_config: @@
     value: ldap://ldap.{{ testsite_domain }}/
   - comment: Set the LDAP TLS truststore
     option: TLS_CACERT
-    value: /etc/ssl/certs/example_ca_chain.pem
+    value: /etc/ssl/certs/ca.pem
 local_mail_aliases:
   root: "root john.doe@{{ testsite_domain }}"
 smtp_relay_host: mail.{{ testsite_domain }}
-smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
+smtp_relay_truststore: /etc/ssl/certs/ca.pem
 https_tls_key: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.key"
 https_tls_certificate: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.pem"

testsite/group_vars/xmpp.yml

➞

Show inline comments

@@ @@ -12,14 +12,14 @@ ldap_client_config: @@
     value: cn=admin,{{ testsite_ldap_base }}
   - comment: Set the LDAP TLS truststore
     option: TLS_CACERT
-    value: /etc/ssl/certs/example_ca_chain.pem
+    value: /etc/ssl/certs/ca.pem
 local_mail_aliases:
   root: "root john.doe@{{ testsite_domain }}"
 smtp_relay_host: mail.{{ testsite_domain }}
-smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
+smtp_relay_truststore: /etc/ssl/certs/ca.pem
 prosody_administrators:
   - john.doe@{{ testsite_domain }}

testsite/playbooks/tls.yml

➞

Show inline comments

@@ new file 100644 @@
 ---
 - hosts: preseed
   vars:
     host_tls_info:
       - hostname: ldap
         service: ldap
         name: LDAP
       - hostname: mail
         service: imap
         name: IMAP
       - hostname: mail
         service: smtp
         name: SMTP
       - hostname: phpinfo
         service: https
         name: PHP Info
       - hostname: web
         service: https
         name: Web
       - hostname: wsgi
         service: https
         name: WSGI Hello World
       - hostname: xmpp
         service: xmpp
         name: XMPP
   tasks:
     - name: Create GnuTLS certificate templates for all hosts
       template: src="../tls/gnutls_server_certificate.cfg.j2" dest="../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.cfg"
       with_items: host_tls_info
     - name: Create the CA key
       command: certtool --sec-param high --generate-privkey --outfile ../tls/ca.key
       args:
         creates: ../tls/ca.key
     - name: Create the CA certificate
       command: certtool --template ../tls/ca.cfg --generate-self-signed --load-privkey ../tls/ca.key --outfile ../tls/ca.pem
       args:
         creates: ../tls/ca.pem
     - name: Create private keys for all hosts
       command: certtool --sec-param normal --generate-privkey --outfile "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
       with_items: host_tls_info
       args:
         creates: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
     - name: Issue certificates for all hosts
       shell: sleep 1 && certtool --generate-certificate
              --load-ca-privkey "../tls/ca.key" --load-ca-certificate "../tls/ca.pem"
              --template "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.cfg"
              --load-privkey "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.key"
              --outfile "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.pem"
       with_items: host_tls_info
       args:
         creates: "../tls/{{ item.hostname }}.{{ testsite_domain }}_{{ item.service }}.pem"
@@ \ No newline at end of file @@

testsite/tls/ca.cfg

➞

Show inline comments

file renamed from testsite/tls/templates/example_ca.cfg to testsite/tls/ca.cfg

testsite/tls/gnutls_server_certificate.cfg.j2

➞

Show inline comments

@@ @@ -9,7 +9,7 @@ organization = "Example Inc." @@
 country = SE
 # The common name of the certificate owner.
-cn = "Exampe Inc. LDAP Server"
+cn = "Exampe Inc. {{ item.name }} Server"
 # In how many days, counting from today, this certificate will expire.
 expiration_days = 365
@@ @@ -17,7 +17,7 @@ expiration_days = 365 @@
 # X.509 v3 extensions
 # A dnsname in case of a WWW server.
-dns_name = "ldap.example.com"
+dns_name = "{{ item.hostname }}.{{ testsite_domain }}"
 # Whether this certificate will be used for a TLS server
 tls_www_server

testsite/tls/templates/mail.example.com_imap.cfg

➞

Show inline comments

deleted file

testsite/tls/templates/mail.example.com_smtp.cfg

➞

Show inline comments

deleted file

testsite/tls/templates/phpinfo.example.com_https.cfg

➞

Show inline comments

deleted file

testsite/tls/templates/web.example.com_https.cfg

➞

Show inline comments

deleted file

testsite/tls/templates/wsgi.example.com_https.cfg

➞

Show inline comments

deleted file

testsite/tls/templates/xmpp.example.com_xmpp.cfg

➞

Show inline comments

deleted file

0 comments (0 inline, 0 general)