Changeset - 76ed37089b33
[Not reviewed]
Branko Majic (branko) - 9 years ago 2015-04-13 01:08:03
branko@majic.rs
MAR-10: Added support for deploying CA certificates to role 'common'. Make sure symlink truststore is deployed as file in Postfix chroot (for role mail_server). Small fix in handlers for role common (ls command is not necessary). Updated testsite configuration and documentation to refer to correct CA certificate file (for trust chain).
12 files changed with 40 insertions and 21 deletions:
0 comments (0 inline, 0 general)
.gitignore
 
@@ -2,4 +2,5 @@
 
*~
 
tmp/
 
docs/_build/
 
testsite/preseed_files/
 
\ No newline at end of file
 
testsite/preseed_files/
 
testsite/certs/
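Review bot: ignoring `testsite/certs/` is the right call, since that directory will hold the environment-specific `example_ca_chain` file the test site docs describe; the apparent removal and re-addition of `testsite/preseed_files/` is only the missing trailing newline being fixed, not a pattern change. Worth a one-line note in `docs/testsite.rst` that the directory is git-ignored and must be created by hand, otherwise the first thing a new user sees is the copy task failing on a missing file.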
docs/rolereference.rst
 
@@ -200,6 +200,9 @@ The role implements the following:
 
  you put TLS private keys in central location where any operating system user
 
  can reach them provided they have appropriate read/write rights on the file
 
  itself, and provided they know the exact path of the file.
 
* Deploys CA certificate files, normally used for truststore purposes, to
 
  ``/usr/local/share/ca-certificates/``, updating the TLS cache at
 
  ``/etc/ssl/certs/`` along the way.
 

	
 

	
 
Parameters
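Review bot: "updating the TLS cache at `/etc/ssl/certs/`" is imprecise. What the new handler runs (`update-ca-certificates --fresh`) regenerates the hashed symlinks in `/etc/ssl/certs/` and the `ca-certificates.crt` bundle, and it only picks up files ending in `.crt` from `/usr/local/share/ca-certificates/`. Suggest saying that, and spelling out the trust consequence: every file listed in `ca_certificates` becomes trusted system-wide by any client that uses the OS trust store, so the list is for your own CAs, not a convenient place to drop arbitrary chains.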
 
@@ -245,6 +248,13 @@ Parameters
 
  server. Each element of the list should be a simple string denoting the name
 
  of the package.
 

	
 
**ca_certificates** (list, optional)
 
  List of additional CA certificate files that should be deployed on the
 
  server. Each element of the list should be a filepath to a CA certificate file
 
  on originating (Ansible) host that should be copied to destination
 
  server. Combinations of multiple CA certificates in the same file can be
 
  specified as well. File names should end with ``.crt`` or ``.pem``.
 

	
 

	
 
Examples
 
~~~~~~~~
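Review bot: "File names should end with `.crt` or `.pem`" understates what the task actually does. A `.pem` name is renamed to `.crt` on the destination, so both spellings end up as `/usr/local/share/ca-certificates/<name>.crt` and the resulting symlink is `/etc/ssl/certs/<name>.pem`; a file with any other suffix is copied but never trusted, with no error. Document the rename and the resulting path (the test site config relies on it for `TLS_CACERT`), and mention that two entries with the same basename overwrite each other.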
 
@@ -278,6 +288,8 @@ packages on all servers:
 
    - screen
 
    - debconf-utils
 

	
 
  ca_certificates:
 
    - ../certs/truststore.pem
 

	
 
.. _ldap_client:
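Review bot: the example `../certs/truststore.pem` does not say what the path is relative to. Ansible looks a relative `copy` `src` up under the role's `files/` directory and then relative to the playbook, so the `..` only works from a playbook one level below the directory holding `certs/`. State the base directory, or use an absolute path in the example. The name `truststore.pem` also differs from the `example_ca_chain.pem` the test site uses, which makes it harder to map this example onto the rest of the docs.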
 

	
docs/testsite.rst
 
@@ -68,6 +68,8 @@ The playbooks and configurations for test site make a couple of assumptions:
 
  ``admin``. The SSH key stored in it will be read from location
 
  ``~/.ssh/id_rsa`` (i.e. from home directory of user running the Ansible
 
  commands).
 
* The TLS truststore can be found in location ``certs/example_ca_chain.crt``
 
  relative to the ``testsite`` sub-directory.
 

	
 
Additionally, some manual steps may be required to have a fully functioning
 
system:
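Review bot: the new assumption says the truststore lives at `certs/example_ca_chain.crt`, but `testsite/group_vars/all.yml` in this same changeset deploys `../certs/example_ca_chain.pem`; one of the two extensions is wrong, and a reader who follows the docs gets a missing-file error on the copy task. Pick one; the `.pem` spelling is what the group_vars use and the role renames it to `.crt` on the target anyway.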
 
@@ -84,19 +86,14 @@ system:
 
    ``/etc/ssl/private/xmpp.example.com.pem`` (*root:prosody, 640*).
 
  * Create TLS certificate for XMPP in location
 
    ``/etc/ssl/certs/xmpp.example.com.pem`` (*root:root, 644*).
 
  * Install a truststore that contains the CA certifciate which has issued the
 
    LDAP certificate in location ``/etc/ssl/certs/truststore.pem`` (*root:root,
 
    644*).
 
  * After all files are in place, re-run the ``site.yml`` playbook in order to
 
    restart necessary services etc.
 

	
 
* On ``mail.example.com``, you should manually install the TLS private key and
 
  certificate in locations ``/etc/ssl/private/mail.example.com.pem``
 
  (*root:ldap, 640*) and ``/etc/ssl/certs/mail.example.com.pem`` (*root:root,
 
  644*), respectively. You should also install a truststore that contains the CA
 
  certifciate which has issued the LDAP certificate in location
 
  ``/etc/ssl/certs/truststore.pem`` (*root:root, 644*). After that, restart the
 
  servics ``dovecot`` and ``postfix``.
 
  644*), respectively. After that, restart the servics ``dovecot`` and
 
  ``postfix``.
 

	
 
* On ``mail.example.com``:
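Review bot: the rewritten paragraph keeps the misspelling `servics` from the removed line, and `certifciate` survives in the surrounding context; fix both while this text is being touched. With the manual truststore step gone, also say where the truststore now comes from (the `ca_certificates` list in `group_vars/all.yml`), otherwise the reader is told to restart `dovecot` and `postfix` with no indication the CA has been installed. On the unchanged context just above: the mail private key is specified as `root:ldap, 640`, which gives the `ldap` group read access to the mail server's key; check that this is the intended group.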
 

	
 
@@ -108,9 +105,6 @@ system:
 
    ``/etc/ssl/private/mail.example.com_imap.pem`` (*root:openldap, 640*).
 
  * Create TLS certificate for IMAP in location
 
    ``/etc/ssl/certs/mail.example.com_imap.pem`` (*root:root, 644*).
 
  * Install a truststore that contains the CA certifciate which has issued the
 
    LDAP certificate in location ``/etc/ssl/certs/truststore.pem`` (*root:root,
 
    644*).
 
  * After all files are in place, re-run the ``site.yml`` playbook in order to
 
    restart necessary services etc.
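Review bot: dropping the manual truststore step is consistent with the new `ca_certificates` deployment, but the remaining bullet ("re-run `site.yml`") now relies on the `common` role's handler having populated `/etc/ssl/certs/` before the services start; one sentence saying so would help a reader debugging a failed first run. Visible in the context, though not part of this change: the IMAP private key is documented as `root:openldap, 640`, yet it is Dovecot, not slapd, that needs to read it; this looks copied from the LDAP server section.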
 

	
roles/common/defaults/main.yml
 
@@ -2,4 +2,5 @@
 

	
 
packages: []
 
os_users: []
 
os_groups: []
 
\ No newline at end of file
 
os_groups: []
 
ca_certificates: []
 
\ No newline at end of file
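Review bot: defaulting `ca_certificates` to `[]` is needed (an undefined variable would make the `with_items` loop fail on hosts that set nothing), but the file is still written without a trailing newline, so the next addition will produce the same confusing remove-and-re-add hunk that `os_groups` shows here. Add the newline now.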
roles/common/handlers/main.yml
 
---
 

	
 
- name: Update PAM configuration
 
  command: /bin/ls
 
  command: /usr/sbin/pam-auth-update --package
 

	
 
- name: Restart SSH
 
  service: name=ssh state=restarted
 
\ No newline at end of file
 
  service: name=ssh state=restarted
 

	
 
- name: Update CA certificate cache
 
  command: /usr/sbin/update-ca-certificates --fresh
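Review bot: replacing the `/bin/ls` placeholder with `pam-auth-update --package` is the real fix here, good. On the new handler: `update-ca-certificates --fresh` deletes and regenerates every symlink in `/etc/ssl/certs/`, which is what you want so that a stale `.pem` link disappears, but nothing in this changeset removes the `.crt` file itself from `/usr/local/share/ca-certificates/` when an entry is dropped from `ca_certificates`. A CA removed from the list therefore stays trusted until someone deletes the file by hand. Either document that, or add a task that prunes files not derived from the list and notifies this handler.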
roles/common/tasks/main.yml
 
@@ -48,4 +48,10 @@
 
    - Restart SSH
 

	
 
- name: Allow users to traverse directories to TLS private key files
 
  file: path=/etc/ssl/private/ mode=o+x
 
\ No newline at end of file
 
  file: path=/etc/ssl/private/ mode=o+x
 

	
 
- name: Deploy CA certificates
 
  copy: src="{{ item }}" dest="/usr/local/share/ca-certificates/{{ item | basename | regex_replace('(?i)\.pem$', '.crt') }}" mode=644 owner=root group=root
 
  with_items: ca_certificates
 
  notify:
 
    - Update CA certificate cache
 
\ No newline at end of file
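Review bot: `regex_replace('(?i)\.pem$', '.crt')` only covers the `.pem` case; a source with any other suffix is copied under its own name and `update-ca-certificates` ignores it, so the play reports success while the CA is never trusted. Add a guard before the copy (a `fail` when `item | basename` does not match `\.(crt|pem)$`), which also enforces the rule the docs state. Two smaller points: two entries with the same basename map to the same destination and the later one silently wins; and writing `mode=0644` instead of `mode=644` makes the octal intent explicit for anyone who later converts this to YAML dict syntax, where an unquoted `644` is decimal.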
roles/ldap_client/tasks/main.yml
 
@@ -4,4 +4,4 @@
 
  apt: name=ldap-utils state=installed
 

	
 
- name: Deploy LDAP client configuration file
 
  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=644
 
\ No newline at end of file
 
  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=644
roles/mail_server/tasks/main.yml
 
@@ -46,7 +46,7 @@
 
    - /var/spool/postfix/var/run/clamav
 

	
 
- name: Copy the LDAP TLS truststore into Postfix chroot
 
  command: rsync -pci "{{ mail_ldap_tls_truststore }}" "/var/spool/postfix/{{ mail_ldap_tls_truststore}}"
 
  command: rsync -Lpci "{{ mail_ldap_tls_truststore }}" "/var/spool/postfix/{{ mail_ldap_tls_truststore}}"
 
  register: rsync_result
 
  changed_when: "rsync_result.stdout != ''"
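Review bot: `-L` is the right fix, since `/etc/ssl/certs/example_ca_chain.pem` is the symlink `update-ca-certificates` creates for the deployed `.crt`, and a symlink copied verbatim into `/var/spool/postfix` would dangle inside the chroot. Two caveats. First, on a fresh host where role `common` and this role run in the same play, the "Update CA certificate cache" handler has not fired yet when this task runs (handlers flush at the end of the play), so the symlink does not exist and `rsync -L` fails; add a `meta: flush_handlers` after the common role, or split the plays so `common` completes first. Second, the file inside the chroot is now a detached copy that is only refreshed when this task runs; a CA rotation via `ca_certificates` must therefore re-run this task and reload Postfix, and nothing here wires that up.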
 

	
testsite/group_vars/all.yml
 
@@ -23,3 +23,6 @@ common_packages:
 
  - emacs23-nox
 
  - screen
 
  - debconf-utils
 

	
 
ca_certificates:
 
  - ../certs/example_ca_chain.pem
 
\ No newline at end of file
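Review bot: `../certs/example_ca_chain.pem` presupposes that the playbook sits one directory below `testsite`, since a relative `copy` `src` is resolved against the role's `files/` directory and then the playbook directory; the docs say "relative to the `testsite` sub-directory", which is not the same thing, so one of them should change. Also, a file named `example_ca_chain` suggests root plus intermediates concatenated; `update-ca-certificates` accepts that, but for the system trust store you normally install only the root and let each server present its own intermediates. The file is written without a trailing newline as well.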
testsite/group_vars/ldap.yml
 
@@ -17,7 +17,7 @@ ldap_client_config:
 
    value: cn=admin,dc=example,dc=com
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/truststore.pem
 
    value: /etc/ssl/certs/example_ca_chain.pem
 

	
 
ldap_server_config:
 
  domain: "example.com"
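Review bot: pointing `TLS_CACERT` at the single `/etc/ssl/certs/example_ca_chain.pem` link rather than at the full `/etc/ssl/certs/ca-certificates.crt` bundle is the stricter choice (only that CA can vouch for the LDAP server); keep it. Note that the name is coupled to the basename of the file listed under `ca_certificates` in `all.yml`: rename one without the other and LDAP TLS breaks with a file-not-found at the next client connection. A comment here, or a shared variable, would make that coupling visible.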
testsite/group_vars/mail.yml
 
@@ -9,10 +9,10 @@ ldap_client_config:
 
    value: ldap://ldap.example.com/
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/truststore.pem
 
    value: /etc/ssl/certs/example_ca_chain.pem
 

	
 
mail_ldap_url: ldap://ldap.example.com/
 
mail_ldap_tls_truststore: /etc/ssl/certs/truststore.pem
 
mail_ldap_tls_truststore: /etc/ssl/certs/example_ca_chain.pem
 
mail_ldap_root_dn: dc=example,dc=com
 
mail_ldap_postfix_password: postfix
 
mail_ldap_dovecot_password: dovecot
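Review bot: `TLS_CACERT` and `mail_ldap_tls_truststore` now carry the same path twice in this file; define it once and reference it, so the ldap client config and the Postfix chroot copy cannot drift apart. The value is also a symlink that only exists after the `common` role's handler has run, and that the `-L` rsync in `roles/mail_server` dereferences; a comment saying so would save the next person a debugging session.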
testsite/group_vars/xmpp.yml
 
@@ -12,7 +12,7 @@ ldap_client_config:
 
    value: cn=admin,dc=example,dc=com
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/truststore.pem
 
    value: /etc/ssl/certs/example_ca_chain.pem
 

	
 
local_mail_aliases:
 
  root: "root john.doe@example.com"
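Review bot: this is the third identical `TLS_CACERT` edit across `ldap.yml`, `mail.yml` and `xmpp.yml`. Move the path into `group_vars/all.yml` next to `ca_certificates` and reference it from the three `ldap_client_config` blocks, so a future rename of the CA file is a one-line change instead of four.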