Changeset - 96e9f230a669
[Not reviewed]
0 13 0
Branko Majic (branko) - 9 years ago 2015-04-19 02:09:07
branko@majic.rs
MAR-10: Updated server roles to deploy private key and certificate. Updated documentation and test site configuration as well.
13 files changed with 109 insertions and 96 deletions:
0 comments (0 inline, 0 general)
.gitignore
 
@@ -3,4 +3,4 @@
 
tmp/
 
docs/_build/
 
testsite/preseed_files/
 
testsite/certs/
 
testsite/tls/
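Review bot: ignoring `testsite/tls/` wholesale is the right call now that the directory holds private keys, but it also hides the truststore that `testsite/group_vars/all.yml` in this changeset loads from `{{ inventory_dir }}/tls/`; a fresh clone therefore has no truststore until the user completes step 3 of docs/testsite.rst, so that step should state plainly that the file is user-generated, not shipped.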
docs/rolereference.rst
 
@@ -358,6 +358,7 @@ destination machine.
 

	
 
The role implements the following:
 

	
 
* Deploys LDAP TLS private key and certificate.
 
* Installs OpenLDAP server (package ``slapd``).
 
* Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels).
 
* Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with
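Review bot: the new first bullet puts key/certificate deployment before "Installs OpenLDAP server (package ``slapd``)", and the matching copy task in roles/ldap_server/tasks/main.yml sets `group=openldap`; that group is created by the slapd package, so the documented order cannot succeed on a fresh host. Either document (and implement) the deployment after the install, or have the role create the group before copying.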
 
@@ -395,15 +396,13 @@ Parameters
 
    description and syntax.
 

	
 
  **tls_certificate** (string, mandatory)
 
    Path to *X.509* certificate (on server itself) that should be used as server
 
    certificate for TLS connections. The certificate file should be provided in
 
    ``PEM`` format. If file does not exist, no TLS will be set-up.
 
    Path to file on Ansible host that contains the X.509 certificate used for
 
    TLS for LDAP service. The file will be copied to directory
 
    ``/etc/ssl/certs/``.
 

	
 
  **tls_key** (string, mandatory)
 
    Path to private key (on server itself) that should be used as server's
 
    private key for TLS connections. The private key should correspond to
 
    certificate listed in option ``tls_certificate``. The key file should be
 
    provided in ``PEM`` format. If file does not exist, no TLS will be set-up.
 
    Path to file on Ansible host that contains the private key used for TLS for
 
    LDAP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
  **ssf** (number, mandatory)
 
    Minimum *Security Strength Factor* to require from all incoming
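Review bot: the rewritten `tls_certificate`/`tls_key` text drops the old "If file does not exist, no TLS will be set-up" behaviour without saying what replaces it, and says nothing about the name, owner or mode the deployed files get. Operators used to place these files themselves, so add that the key is installed as `/etc/ssl/private/<basename of tls_key>` with mode 0640 owned by root:openldap, the certificate as `/etc/ssl/certs/<basename of tls_certificate>` with mode 0644, and that a missing source file now fails the play instead of silently leaving LDAP without TLS.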
 
@@ -449,8 +448,8 @@ Here is an example configuration for setting-up LDAP server:
 
    domain: "example.com"
 
    organization: "Example Corporation"
 
    log_level: 256
 
    tls_certificate: /etc/ssl/certs/ldap.example.com.pem
 
    tls_key: /etc/ssl/private/ldap.example.com.pem
 
    tls_certificate: ~/tls/ldap.example.com_ldap.pem
 
    tls_key: ~/tls/ldap.example.com_ldap.key
 
    ssf: 128
 
  
 
  ldap_permissions:
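Review bot: the example uses `~/tls/ldap.example.com_ldap.pem`, which resolves relative to whichever account runs `ansible-playbook`; the test site in this changeset uses `{{ inventory_dir }}/tls/...` (testsite/group_vars/ldap.yml), which is reproducible regardless of the caller. Suggest the example follow the `{{ inventory_dir }}` form so the two agree.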
 
@@ -502,6 +501,7 @@ destination machine.
 
The role implements the following:
 

	
 
* Sets-up the Prosody apt repository.
 
* Deploys XMPP TLS private key and certificate.
 
* Installs Prosody.
 
* Configures Prosody.
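Review bot: same ordering problem as in the LDAP role: "Deploys XMPP TLS private key and certificate" is listed before "Installs Prosody", yet the copy task in roles/prosody/tasks/main.yml uses `group=prosody`, a group the Prosody package creates. Move the deployment after the install, or create the group explicitly before copying.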
 

	
 
@@ -530,15 +530,12 @@ Parameters
 
  (i.e. ``john.doe@example.com``).
 

	
 
**prosody_tls_key** (string, mandatory)
 
  Path to private key (on server itself) that should be used as server's private
 
  key for TLS connections. The private key should correspond to certificate
 
  listed in option ``prosody_tls_certificate``. The key file should be provided
 
  in ``PEM`` format.
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  XMPP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**prosody_tls_certificate** (string, mandatory)
 
  Path to *X.509* certificate (on server itself) that should be used as server
 
  certificate for TLS connections. The certificate file should be provided in
 
  ``PEM`` format.
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**prosody_domains** (list, mandatory)
 
  List of domains that are served by this Prosody instance. Each item is a
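Review bot: copy-paste error in the new `prosody_tls_certificate` text: it says the certificate is used for TLS "for SMTP service"; this is the XMPP server certificate, so it should read "for XMPP service", matching the `prosody_tls_key` entry directly above it.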
 
@@ -615,6 +612,7 @@ The role implements the following:
 

	
 
* Installs rsync.
 
* Adds the Wheezy backports repository.
 
* Deploys IMAP/SMTP TLS private keys and certificates.
 
* Installs and configures Dovecot (from backports), Postfix, ClamAV, and ClamAV
 
  Milter.
 
* Purges Exim4 configuration (just in case).
 
@@ -681,19 +679,22 @@ Parameters
 
  GID of the user that owns all the mail files.
 

	
 
**imap_tls_certificate** (string, mandatory)
 
  Path to file that contains the X.509 certificate used for TLS for IMAP and
 
  ManageSieve services.
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for IMAP and ManageSieve services. The file will be copied to directory
 
  ``/etc/ssl/certs/``.
 

	
 
**imap_tls_key** (string, mandatory)
 
  Path to file that contains the private key used for TLS for IMAP and
 
  ManageSieve services.
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  IMAP and ManageSieve services. The file will be copied to directory
 
  ``/etc/ssl/private/``.
 

	
 
**smtp_tls_certificate** (string, mandatory)
 
  Path to file that contains the X.509 certificate used for TLS for SMTP
 
  service.
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**smtp_tls_key** (string, mandatory)
 
  Path to file that contains the private key used for TLS for SMTP service.
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  SMTP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**imap_folder_separator** (string, mandatory)
 
  Character used for separating the IMAP folders when clients are requesting
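Review bot: for the four mail parameters, state the resulting ownership as well: the role installs the keys as root:root 0640 and the certificates as root:root 0644. That is sufficient because both Postfix and Dovecot read their key files with root privileges before handing work to their unprivileged service users; saying so in the reference stops someone later "fixing" the permissions by making the key readable to the `postfix` or `dovecot` account.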
 
@@ -732,10 +733,10 @@ Here is an example configuration for setting-up XMPP server using Prosody:
 
  mail_user_uid: 5000
 
  mail_user_gid: 5000
 

	
 
  imap_tls_certificate: /etc/ssl/certs/mail.example.com_imap.pem
 
  imap_tls_key: /etc/ssl/private/mail.example.com_imap.pem
 
  smtp_tls_certificate: /etc/ssl/certs/mail.example.com_smtp.pem
 
  smtp_tls_key: /etc/ssl/private/mail.example.com_smtp.pem
 
  imap_tls_certificate: ~/tls/mail.example.com_imap.pem
 
  imap_tls_key: ~/tls/mail.example.com_imap.key
 
  smtp_tls_certificate: ~/tls/mail.example.com_smtp.pem
 
  smtp_tls_key: ~/tls/mail.example.com_smtp.key
 
  imap_folder_separator: /
 
  smtp_rbl:
 
    - bl.spamcop.net
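Review bot: the hunk's context line reads "Here is an example configuration for setting-up XMPP server using Prosody:" but the block under it is the mail server example (`mail_user_uid`, `imap_tls_*`, `smtp_rbl`). The mislabel is pre-existing, but since this block is being edited anyway, correct it to refer to the mail server.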
docs/testsite.rst
 
@@ -38,22 +38,46 @@ site.yml
 

	
 
In order to deploy the test site, the following steps would normally be taken:
 

	
 
1. Generate the preseed files:
 
1. Create TLS private keys (relative to top level directory):
 

	
 
   - ``testsite/tls/mail.example.com_imap.key``
 
   - ``testsite/tls/mail.example.com_smtp.key``
 
   - ``testsite/tls/xmpp.example.com_xmpp.key``
 
   - ``testsite/tls/ldap.example.com_ldap.key``
 

	
 
2. Issue TLS certificates corresponding to the generated TLS private keys (make
 
   sure to use correct FQDN for DNS subject alternative name):
 

	
 
   - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/mail.example.com_smtp.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/xmpp.example.com_xmpp.pem`` (subject alternative name should
 
     be ``xmpp.example.com``)
 
   - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should
 
     be ``ldap.example.com``)
 

	
 
3. Create ``PEM`` truststore file which contains all CA certificates that form
 
   CA chain for the issued end entity certificates from previous step at
 
   location ``testsite/tls/example_ca_chain.crt``. It is very important to
 
   include the CA chain used for LDAP server.
 

	
 
4. Generate the preseed files:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/preseed.yml
 

	
 
2. Install all servers using the generated preseed files.
 
5. Install all servers using the generated preseed files.
 

	
 
3. Invoke the ``bootstrap.yml`` playbook for every server, one by one. For
 
6. Invoke the ``bootstrap.yml`` playbook for every server, one by one. For
 
   example:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook -k -e server=ldap.example.com playbooks/bootstrap.yml
 

	
 
4. Finally, apply configuration on all servers:
 
7. Finally, apply configuration on all servers:
 

	
 
  .. code-block:: shell
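Review bot: filename mismatch between step 3 and the test site: the docs tell the user to create `testsite/tls/example_ca_chain.crt`, while `testsite/group_vars/all.yml` in this changeset loads `{{ inventory_dir }}/tls/example_ca_chain.pem`, so a user who follows these steps ends up with a truststore the playbooks never find. Pick one name; `.pem` is the natural choice since the step describes the file as a PEM truststore.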
 

	
 
@@ -68,45 +92,6 @@ The playbooks and configurations for test site make a couple of assumptions:
 
  ``admin``. The SSH key stored in it will be read from location
 
  ``~/.ssh/id_rsa`` (i.e. from home directory of user running the Ansible
 
  commands).
 
* The TLS truststore can be found in location ``certs/example_ca_chain.crt``
 
  relative to the ``testsite`` sub-directory.
 

	
 
Additionally, some manual steps may be required to have a fully functioning
 
system:
 

	
 
* On ``ldap.example.com``, you should manually install the TLS private key and
 
  certificate ing locations ``/etc/ssl/private/ldap.example.com.pem``
 
  (*root:ldap, 640*) and ``/etc/ssl/certs/ldap.example.com.pem`` (*root:root,
 
  644*), respectively. After that, re-run the ``site.yml`` playbook in order to
 
  re-configure OpenLDAP server to use it.
 

	
 
* On ``xmpp.example.com``:
 

	
 
  * Create TLS private key for XMPP in location
 
    ``/etc/ssl/private/xmpp.example.com.pem`` (*root:prosody, 640*).
 
  * Create TLS certificate for XMPP in location
 
    ``/etc/ssl/certs/xmpp.example.com.pem`` (*root:root, 644*).
 
  * After all files are in place, re-run the ``site.yml`` playbook in order to
 
    restart necessary services etc.
 

	
 
* On ``mail.example.com``, you should manually install the TLS private key and
 
  certificate in locations ``/etc/ssl/private/mail.example.com.pem``
 
  (*root:ldap, 640*) and ``/etc/ssl/certs/mail.example.com.pem`` (*root:root,
 
  644*), respectively. After that, restart the servics ``dovecot`` and
 
  ``postfix``.
 

	
 
* On ``mail.example.com``:
 

	
 
  * Create TLS private key for SMTP in location
 
    ``/etc/ssl/private/mail.example.com_smtp.pem`` (*root:openldap, 640*).
 
  * Create TLS certificate for SMTP in location
 
    ``/etc/ssl/certs/mail.example.com_smtp.pem`` (*root:root, 644*).
 
  * Create TLS private key for IMAP in location
 
    ``/etc/ssl/private/mail.example.com_imap.pem`` (*root:openldap, 640*).
 
  * Create TLS certificate for IMAP in location
 
    ``/etc/ssl/certs/mail.example.com_imap.pem`` (*root:root, 644*).
 
  * After all files are in place, re-run the ``site.yml`` playbook in order to
 
    restart necessary services etc.
 

	
 
For more details on how the playbooks and configuration have been implemented,
 
feel free to browse the test site files (in directory ``testsite``).
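Review bot: the deleted manual-steps block was the only place that recorded the on-disk ownership and modes of the keys (for example `/etc/ssl/private/ldap.example.com.pem`, root:ldap 0640). Now that the roles apply them, record the values the roles actually use (root:openldap, root:prosody and root:root for the keys at 0640, root:root 0644 for the certificates) in the role reference so the information does not vanish with the manual steps. Removing the `certs/example_ca_chain.crt` assumption is consistent with the new step 3.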
roles/ldap_server/tasks/main.yml
 
---
 

	
 
- name: Deploy LDAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}" src="{{ ldap_server_config.tls_key }}"
 
        mode=640 owner=root group=openldap
 

	
 
- name: Deploy LDAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" src="{{ ldap_server_config.tls_certificate }}"
 
        mode=644 owner=root group=root
 

	
 
- name: Set domain for slapd
 
  debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_config.domain }}"
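Review bot: two problems with the new copy tasks. First, `group=openldap` is referenced before slapd is installed (the debconf preseeding that precedes the install follows these tasks), and that group only exists once the slapd package is installed, so a first run on a clean host fails at "Deploy LDAP TLS private key". Second, neither task notifies `Restart slapd`; when a key or certificate is rotated under the same filename the file changes, but the later "Configure TLS for slapd" task sees unchanged `olcTLS*` values and reports no change, so slapd keeps serving the old certificate until something else restarts it. Add `notify: - Restart slapd` to both copy tasks.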
 

	
 
@@ -26,17 +34,8 @@
 
- name: Change log level for slapd
 
  ldap_entry: dn=cn=config state=replaceattributes olcLogLevel="{{ ldap_server_config.log_level }}"
 

	
 
- name: Check if TLS private key is available
 
  stat: path="{{ ldap_server_config.tls_key }}"
 
  register: tls_key
 

	
 
- name: Check if TLS certificate is available
 
  stat: path="{{ ldap_server_config.tls_key }}"
 
  register: tls_certificate
 

	
 
- name: Configure TLS for slapd
 
  ldap_entry: dn=cn=config state=replaceattributes olcTLSCertificateFile="{{ ldap_server_config.tls_certificate }}" olcTLSCertificateKeyFile="{{ ldap_server_config.tls_key }}"
 
  when: tls_key.stat.exists and tls_certificate.stat.exists
 
  ldap_entry: dn=cn=config state=replaceattributes olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}"
 
  notify:
 
    - Restart slapd
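Review bot: dropping the `stat` checks also removes a latent bug (the certificate check stat'ed `tls_key`, so an absent certificate was never detected), and making TLS unconditional is the safer default. One thing to verify before merging: slapd runs as `openldap` and now opens its key under `/etc/ssl/private/`, which Debian ships as 0700 root (0710 root:ssl-cert once the ssl-cert package is installed); unless the role adds `openldap` to `ssl-cert` or relaxes the directory mode, the file's own 0640 root:openldap mode is not enough and slapd will fail to start after the notified restart. `sudo -u openldap cat /etc/ssl/private/<key file>` on the target is a quick check.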
 

	
roles/mail_server/tasks/main.yml
 
@@ -6,6 +6,26 @@
 
- name: Add backports repository
 
  apt_repository: repo="deb http://http.debian.net/debian wheezy-backports main" state=present
 

	
 
- name: Deploy SMTP TLS private key
 
  copy: dest="/etc/ssl/private/{{ smtp_tls_key | basename }}" src="{{ smtp_tls_key }}"
 
        mode=640 owner=root group=root
 

	
 
- name: Deploy SMTP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ smtp_tls_certificate | basename }}" src="{{ smtp_tls_certificate }}"
 
        mode=644 owner=root group=root
 

	
 
- name: Deploy IMAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ imap_tls_key | basename }}" src="{{ imap_tls_key }}"
 
        mode=640 owner=root group=root
 
  notify:
 
    - Restart Postfix
 

	
 
- name: Deploy IMAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ imap_tls_certificate | basename }}" src="{{ imap_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart Dovecot
 

	
 
- name: Install Dovecot packages
 
  apt: name="{{ item }}" state=installed default_release="wheezy-backports"
 
  with_items:
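Review bot: handler wiring is wrong. "Deploy IMAP TLS private key" notifies `Restart Postfix`, which does not use that key, while "Deploy SMTP TLS private key" and "Deploy SMTP TLS certificate" notify nothing, so a rotated SMTP key or certificate is copied but Postfix keeps the old pair in memory until an unrelated restart. Make both SMTP tasks notify `Restart Postfix` and both IMAP tasks notify `Restart Dovecot`. The root:root 0640 key mode itself is fine here, since both daemons read their keys as root.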
roles/mail_server/templates/99-local.conf.j2
 
@@ -29,8 +29,8 @@ service auth {
 
}
 

	
 
# TLS configuration.
 
ssl_cert = <{{ imap_tls_certificate }}
 
ssl_key = <{{ imap_tls_key }}
 
ssl_cert = </etc/ssl/certs/{{ imap_tls_certificate | basename }}
 
ssl_key = </etc/ssl/private/{{ imap_tls_key | basename }}
 
ssl = required
 

	
 
# Mail delivery.
roles/mail_server/templates/main.cf.j2
 
@@ -50,8 +50,8 @@ smtpd_sasl_auth_enable = yes
 
# TLS configuration.
 
smtpd_tls_security_level = may
 
smtpd_tls_auth_only = yes
 
smtpd_tls_cert_file = {{ smtp_tls_certificate }}
 
smtpd_tls_key_file = {{ smtp_tls_key }}
 
smtpd_tls_cert_file = /etc/ssl/certs/{{ smtp_tls_certificate | basename }}
 
smtpd_tls_key_file = /etc/ssl/private/{{ smtp_tls_key | basename }}
 
smtpd_use_tls=yes
 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
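Review bot: the new paths match the copy tasks, and root:root 0640 works for `smtpd_tls_key_file` because Postfix reads the key before dropping privileges. Minor: the context line `smtpd_use_tls=yes` is superseded by `smtpd_tls_security_level = may` (the security level overrides the obsolete `smtpd_use_tls` when set) and can be deleted so that only one setting claims to control TLS.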
roles/prosody/tasks/main.yml
 
@@ -11,6 +11,14 @@
 
- name: Add Prosody repository
 
  apt_repository: repo="deb http://packages.prosody.im/debian wheezy main" state=present
 

	
 
- name: Deploy XMPP TLS private key
 
  copy: dest="/etc/ssl/private/{{ prosody_tls_key | basename }}" src="{{ prosody_tls_key }}"
 
        mode=640 owner=root group=prosody
 

	
 
- name: Deploy XMPP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ prosody_tls_certificate | basename }}" src="{{ prosody_tls_certificate }}"
 
        mode=644 owner=root group=root
 

	
 
- name: Install Lua LDAP library
 
  apt: name=lua-ldap state=installed
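Review bot: `group=prosody` is used before Prosody is installed (only the repository task precedes these, and the role documentation lists the install after the deployment), so on a clean host "Deploy XMPP TLS private key" fails because the group does not exist yet; move both tasks after the package install. Neither task notifies a Prosody restart, so a key rotated under the same filename is not picked up until the config template happens to change. The same `/etc/ssl/private/` traversal caveat as for slapd applies: the `prosody` user must be in `ssl-cert` (or the directory mode changed) before the 0640 root:prosody key is actually readable to it.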
 

	
roles/prosody/templates/prosody.cfg.lua.j2
 
@@ -42,8 +42,8 @@ allow_registration = false;
 
-- These are the SSL/TLS-related settings. If you don't want
 
-- to use SSL/TLS, you may comment or remove this
 
ssl = {
 
  key = "{{ prosody_tls_key }}";
 
  certificate = "{{ prosody_tls_certificate }}";
 
  key = "/etc/ssl/private/{{ prosody_tls_key | basename }}";
 
  certificate = "/etc/ssl/certs/{{ prosody_tls_certificate | basename }}";
 
}
 

	
 
-- Ports on which to have direct TLS/SSL.
testsite/group_vars/all.yml
 
@@ -25,4 +25,4 @@ common_packages:
 
  - debconf-utils
 

	
 
ca_certificates:
 
  - ../certs/example_ca_chain.pem
 
\ No newline at end of file
 
  - "{{ inventory_dir }}/tls/example_ca_chain.pem"
 
\ No newline at end of file
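Review bot: `example_ca_chain.pem` here versus `example_ca_chain.crt` in docs/testsite.rst step 3; the test site cannot find the truststore unless the two names agree. Also add the missing trailing newline flagged by the diff.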
testsite/group_vars/ldap.yml
 
@@ -23,8 +23,8 @@ ldap_server_config:
 
  domain: "example.com"
 
  organization: "Example Inc."
 
  log_level: 256
 
  tls_certificate: /etc/ssl/certs/ldap.example.com.pem
 
  tls_key: /etc/ssl/private/ldap.example.com.pem
 
  tls_certificate: "{{ inventory_dir }}/tls/ldap.example.com_ldap.pem"
 
  tls_key: "{{ inventory_dir }}/tls/ldap.example.com_ldap.key"
 
  ssf: 128
 

	
 
ldap_permissions:
testsite/group_vars/mail.yml
 
@@ -21,10 +21,10 @@ mail_user: vmail
 
mail_user_uid: 5000
 
mail_user_gid: 5000
 

	
 
imap_tls_certificate: /etc/ssl/certs/mail.example.com_imap.pem
 
imap_tls_key: /etc/ssl/private/mail.example.com_imap.pem
 
smtp_tls_certificate: /etc/ssl/certs/mail.example.com_smtp.pem
 
smtp_tls_key: /etc/ssl/private/mail.example.com_smtp.pem
 
imap_tls_certificate: "{{ inventory_dir }}/tls/mail.example.com_imap.pem"
 
imap_tls_key: "{{ inventory_dir }}/tls/mail.example.com_imap.key"
 
smtp_tls_certificate: "{{ inventory_dir }}/tls/mail.example.com_smtp.pem"
 
smtp_tls_key: "{{ inventory_dir }}/tls/mail.example.com_smtp.key"
 
imap_folder_separator: /
 
smtp_rbl:
 
  - bl.spamcop.net
testsite/group_vars/xmpp.yml
 
@@ -22,9 +22,9 @@ smtp_relay_host: mail.example.com
 
prosody_administrators:
 
  - john.doe@example.com
 

	
 
prosody_tls_key: /etc/ssl/private/xmpp.example.com.pem
 
prosody_tls_key: "{{ inventory_dir }}/tls/xmpp.example.com_xmpp.key"
 

	
 
prosody_tls_certificate: /etc/ssl/certs/xmpp.example.com.pem
 
prosody_tls_certificate: "{{ inventory_dir }}/tls/xmpp.example.com_xmpp.pem"
 

	
 
prosody_domains:
 
  - example.com