majic-ansible-roles Changeset

Changeset - 881a85f08e22

Parent rev.

Child rev.

[Not reviewed]

0 7 2

Branko Majic (branko) - 10 years ago 2016-01-05 17:19:18
branko@majic.rs

MAR-44: Added another global parameter for controlling deployment of backup configs for roles. Implemented backup support for the LDAP server role. Updated testsite configuration, moving the backup configuration to be global.

9 files changed with 69 insertions and 17 deletions:

docs/rolereference.rst

roles/ldap_server/defaults/main.yml

roles/ldap_server/files/backup_patterns

roles/ldap_server/meta/main.yml

roles/ldap_server/tasks/backup.yml

roles/ldap_server/tasks/main.yml

testsite/group_vars/all.yml

testsite/group_vars/backup.yml

testsite/group_vars/web.yml

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

 .. _rolereference:
 Role Reference
 ==============
 Common parameters
 -----------------
 A number of common parameters are used by all of the roles during
 deployment. This section lists such parameters.
 **enable_backup** (boolean, optional, ``False``)
   If set to ``True``, and the role supports backups, server will be configured
   for back-up of role's data. See role description for more details on what is
   backed-up and if the option is available. Just keep in mind that if you enable
   this globally, all the roles will be running backup-specific tasks. If the
   option has been enabled, the ``backup_client`` role will be included
   automatically (see the role reference for details on parameters that need to
   be provided in the case).
 **tls_private_key_dir** (string, optional if paths to private keys for all roles are explicitly specified)
   Path to directory on Ansible host that contains the private keys used by
   services deployed by various roles. When TLS key path is not explicitly
   defined in a role, this is the directory where the TLS key will be looked-up
   during Ansible run. Expected filename pattern is ``FQDN_SERVICE.key`` (for
   example, ``mail.example.com_smtp.key`` or ``xmpp.example.com_xmpp.key``).
 **tls_certificate_dir** (string, optional if paths to certificate files for all roles are explicitly specified)
   Path to directory on Ansible host that contains the X.509 certificate files
   used by services deployed by various roles. When X.509 certificate path is not
   explicitly defined in a role, this is the directory where the X.509
   certificate will be looked-up during Ansible run. Expected filename pattern is
@@ @@ -430,24 +439,35 @@ The role implements the following: @@
   attribute will update corresponding group as well.
 * Creates a basic directory structure used by most of the other roles.
 * Creates a basic directory structure used by the mail server role.
 * Creates login entries for services that need to consume LDAP directory data in
   some way.
 * Creates user-supplied groups in LDAP.
 * Configures permissions.
 * Creates LDAP entries.
 * Configures firewall to allow incoming connections to the LDAP server.
 * Sets the LDAP server administrator's password.
 Backups
 ~~~~~~~
 If the backup for this role has been enabled, the following paths are backed-up:
 **/srv/backup/slapd.bak**
   Dump of the LDAP database. LDAP database dump is created every day at 01:45 in
   the morning. This does *not* include the dump of the config database
   (``cn=config``).
 Parameters
 ~~~~~~~~~~
 **ldap_admin_password** (string, mandatory)
   Password for the default administrator account of LDAP server (the
   ``cn=admin,DOMAIN`` entry/user).
 **ldap_entries** (list, optional, ``[]``)
   List of entries that should be kept in the LDAP directory. Each item is a
   dictionary describing a single LDAP entry, with all of its attributes
   listed. The keys in this dictionary should be the attribute names. The values
   should be either strings, for setting a single attribute value, or a list of

roles/ldap_server/defaults/main.yml

➞

Show inline comments

 ---
 enable_backup: False
 ldap_entries: []
 ldap_server_domain: "{{ ansible_domain }}"
 # Internal value, base DN.
 ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}"
 ldap_server_organization: "Private"
 ldap_server_log_level: 256
 ldap_server_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_ldap.pem"
 ldap_server_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_ldap.key"
 ldap_server_ssf: 128
 ldap_server_consumers: []
 ldap_server_groups: []
 ldap_permissions:

roles/ldap_server/files/backup_patterns

➞

Show inline comments

		new file 100644
		/srv/backup/slapd.bak
		\ No newline at end of file

roles/ldap_server/meta/main.yml

➞

Show inline comments

 ---
 dependencies:
   - ldap_client
@@ \ No newline at end of file @@
   - ldap_client
   - role: backup_client
     when: enable_backup
@@ \ No newline at end of file @@

roles/ldap_server/tasks/backup.yml

➞

Show inline comments

@@ new file 100644 @@
 ---
 - name: Create directory for storing LDAP database dumps
   file: path="{{ item }}" state=directory
         owner=root group=root mode=700
   with_items:
     - "/srv"
     - "/srv/backup"
 - name: Deploy include patterns to backup
   copy: src="backup_patterns" dest="/etc/duply/main/patterns/ldap_server"
         owner="root" group="root" mode="700"
   notify:
     - Assemble Duply include patterns
 - name: Create crontab entry for creating LDAP database dumps every day at 01:45
   cron: name=ldapdump cron_file=ldapdump hour=1 minute=45
         job="/usr/sbin/slapcat > /srv/backup/slapd.bak"
         state=present user=root

roles/ldap_server/tasks/main.yml

➞

Show inline comments

@@ @@ -153,12 +153,16 @@ @@
   command: ldapwhoami -D "cn=admin,{{ ldap_server_int_basedn }}" -x -y /root/.ldap_admin_password
   register: ldap_admin_password_check
   changed_when: ldap_admin_password_check.rc != 0
   failed_when: False
 - name: Update LDAP admin password
   command: ldappasswd -Y EXTERNAL -H ldapi:/// "cn=admin,{{ ldap_server_int_basedn }}" -T /root/.ldap_admin_password
   when: ldap_admin_password_check.rc != 0
 - name: Remove temporary file with LDAP admin password
   file: path="/root/.ldap_admin_password" state=absent
   changed_when: False
 - name: Enable backup
   include: backup.yml
   when: enable_backup
@@ \ No newline at end of file @@

testsite/group_vars/all.yml

➞

Show inline comments

@@ @@ -52,12 +52,30 @@ ldap_client_config: @@
   - comment: Set the base DN
     option: BASE
     value: "{{ testsite_ldap_base }}"
   - comment: Set the default URI
     option: URI
     value: ldap://ldap.{{ testsite_domain }}/
   - comment: Set the LDAP TLS truststore
     option: TLS_CACERT
     value: /etc/ssl/certs/ca.pem
   - comment: Enforce TLS
     option: TLS_REQCERT
     value: demand
 # Enable and configure backups
 enable_backup: yes
 backup_encryption_keys:
   - "backup.{{ testsite_domain }}"
 backup_signing_key: "{{ ansible_fqdn }}"
 backup_server: "backup.{{ testsite_domain }}"
 backup_server_host_ssh_public_keys:
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key.pub') }}"
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key.pub') }}"
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key.pub') }}"
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key.pub') }}"
 backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/' + ansible_fqdn) }}"

testsite/group_vars/backup.yml

➞

Show inline comments

 ---
 local_mail_aliases:
   root: "root john.doe@{{ testsite_domain }}"
 smtp_relay_host: mail.{{ testsite_domain }}
 smtp_relay_truststore: /etc/ssl/certs/ca.pem
 backup_clients:
   - server: web.{{ testsite_domain }}
     uid: 3000
     public_key: "{{ lookup('file', inventory_dir + '/ssh/web.' + testsite_domain + '.pub') }}"
     ip: 10.32.64.18
   - server: mail.{{ testsite_domain }}
     public_key: "{{ lookup('file', inventory_dir + '/ssh/mail.' + testsite_domain + '.pub') }}"
     ip: 10.32.64.15
   - server: ldap.{{ testsite_domain }}
     public_key: "{{ lookup('file', inventory_dir + '/ssh/ldap.' + testsite_domain + '.pub') }}"
     ip: 10.32.64.12
 backup_host_ssh_private_keys:
   dsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key') }}"
   rsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key') }}"
   ed25519: "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key') }}"
   ecdsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key') }}"

testsite/group_vars/web.yml

➞

Show inline comments

@@ @@ -5,27 +5,12 @@ local_mail_aliases: @@
 smtp_relay_host: mail.{{ testsite_domain }}
 smtp_relay_truststore: /etc/ssl/certs/ca.pem
 https_tls_key: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.key"
 https_tls_certificate: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.pem"
 web_default_title: "Welcome to Example Inc."
 web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 db_root_password: "root"
 backup_encryption_keys:
   - "backup.{{ testsite_domain }}"
 backup_signing_key: "web.{{ testsite_domain }}"
 backup_server: "backup.{{ testsite_domain }}"
 backup_server_host_ssh_public_keys:
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key.pub') }}"
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key.pub') }}"
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key.pub') }}"
   - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key.pub') }}"
 backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/web.' + testsite_domain) }}"

0 comments (0 inline, 0 general)