Changeset - b3d83bcce226
[Not reviewed]
4 6 4
Branko Majic (branko) - 4 years ago 2020-07-26 18:11:39
branko@majic.rs
MAR-162: Make the mail_ldap_tls_truststore, imap_tls_key, imap_tls_certificate, smtp_tls_key, and smtp_tls_certificate parameters mandatory:

- Dropped the defaults from mail_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
10 files changed with 28 insertions and 18 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1102,7 +1102,7 @@ Parameters
 
  LDAP URL that should be used for connecting to the LDAP server for doing
 
  domain/user look-ups.
 

	
 
**mail_ldap_tls_truststore** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}``)
 
**mail_ldap_tls_truststore** (string, mandatory)
 
  X.509 certificate chain used for issuing certificate for the LDAP service. The
 
  file will be stored in locations ``/etc/ssl/certs/mail_ldap_tls_truststore.pem``
 
  and ``/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem``.
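Review bot: with the default gone, the description starting "X.509 certificate chain used for issuing certificate for the LDAP service" should say what the caller must supply: the PEM-encoded content of the chain (the usage example in this changeset feeds it through `lookup('file', ...)`), not a path, and it must be the chain that validates the certificate presented by the server at `mail_ldap_url`. Minor: "used for issuing the certificate".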
 
@@ -1147,11 +1147,11 @@ Parameters
 
  value can be considered rather low, since two devices (computer and phone)
 
  will easily reach it.
 

	
 
**imap_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}``)
 
**imap_tls_certificate** (string, mandatory)
 
  X.509 certificate used for TLS for IMAP service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_imap.pem``.
 

	
 
**imap_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_imap.key') }}``)
 
**imap_tls_key** (string, mandatory)
 
  Private key used for TLS for IMAP service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_imap.key``.
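Review bot: the removed defaults, e.g. ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}``, were missing the `+` between `'/'` and `ansible_fqdn` (defaults/main.yml had it), so the documented default never matched the real one; dropping them fixes that. For `imap_tls_key`, now that the caller supplies the key inline, the description should state that the value is PEM-encoded private key content that ends up in inventory or group variables, and therefore belongs in an encrypted source such as Ansible Vault rather than a plain file lookup; the 0640 root:root mode of the deployed file checked in test_mandatory.py only protects the copy on the host.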
 

	
 
@@ -1162,11 +1162,11 @@ Parameters
 
  recipients/aliases, while the value provided should be a space-separated list
 
  of mail addresses (or local users) where the mails should be forwarded.
 

	
 
**smtp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_smtp.pem') }}``)
 
**smtp_tls_certificate** (string, mandatory)
 
  X.509 certificate used for TLS for SMTP service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_smtp.pem``.
 

	
 
**smtp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_smtp.key') }}``)
 
**smtp_tls_key** (string, mandatory)
 
  Private key used for TLS for SMTP service. The file will be stored in
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_smtp.key``.
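Review bot: the same two points as for the IMAP hunk apply here: the removed defaults carried the `'/' ansible_fqdn` typo, and `smtp_tls_key` should document that its value is the PEM-encoded key content now provided by the caller and needs the same handling as any other secret in the inventory.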
 

	
docs/usage.rst
 
@@ -776,6 +776,18 @@ role.
 
      mail_user_uid: 5000
 
      mail_user_gid: 5000
 

	
 
      # Set private keys and certificates to use for the IMAP service.
 
      imap_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_imap.pem') }}"
 
      imap_tls_key: "{{ lookup('file', 'tls/comms.example.com_imap.key') }}"
 

	
 
      # Set private keys and certificates to use for the SMTP service.
 
      smtp_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_smtp.pem') }}"
 
      smtp_tls_key: "{{ lookup('file', 'tls/comms.example.com_smtp.key') }}"
 

	
 
      # Set the X.509 certificate truststore to use for validating the
 
      # LDAP server certificate.
 
      mail_ldap_tls_truststore: "{{ lookup('file', 'tls/truststore.pem') }}"
 

	
 
3. There are two distinct mail services that need to access the LDAP directory -
 
   *Postfix* (serving as an SMTP server), and *Dovecot* (serving as an IMAP
 
   server). These two need their own dedicated LDAP entries on the LDAP server in
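Review bot: the file names in the new example, `tls/comms.example.com_imap.pem` for the certificate and `tls/comms.example.com_imap.key` for the key, still follow the old extension scheme, while the same changeset renames the test data to `_imap.cert.pem` / `_imap.key.pem` to be "more descriptive"; align the example so users copy the intended convention. Since `lookup('file', 'tls/comms.example.com_imap.key')` reads the private key into playbook variables, the usage text should also say that the `tls/` directory must stay out of version control or be supplied through an encrypted source.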
roles/mail_server/defaults/main.yml
 
---
 

	
 
enable_backup: false
 
mail_ldap_tls_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
 
mail_user: vmail
 
imap_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_imap.pem') }}"
 
imap_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_imap.key') }}"
 
smtp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_smtp.pem') }}"
 
smtp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_smtp.key') }}"
 
imap_folder_separator: "/"
 
smtp_rbl: []
 
mail_postmaster: "postmaster@{{ ansible_domain }}"
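Review bot: removing the defaults makes the five parameters mandatory only implicitly: an inventory that omits, say, `imap_tls_key` fails with an undefined-variable error at whichever task first templates it, after earlier tasks have already changed the host. An `assert` task at the start of the role (`that: - imap_tls_key is defined` and so on, with a `fail_msg` naming the missing parameter) turns that into an early, readable failure before anything is modified.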
roles/mail_server/molecule/default/group_vars/parameters-mandatory.yml
 
@@ -2,12 +2,15 @@
 

	
 
mail_ldap_base_dn: dc=local
 
mail_ldap_url: ldap://ldap-server/
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/truststore.pem') }}"
 
mail_ldap_postfix_password: postfixpassword
 
mail_ldap_dovecot_password: dovecotpassword
 

	
 
# Common parameters (general, not role).
 
tls_certificate_dir: tests/data/x509/
 
tls_private_key_dir: tests/data/x509/
 
imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.cert.pem') }}"
 
imap_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.key.pem') }}"
 

	
 
smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.cert.pem') }}"
 
smtp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_smtp.key.pem') }}"
 

	
 
# common
 
ca_certificates:
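Review bot: `imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_imap.cert.pem') }}"` nests moustaches inside a Jinja expression and only works because Ansible re-templates lookup terms; use plain concatenation as defaults/main.yml did (`'tests/data/x509/' + inventory_hostname + '_imap.cert.pem'`) so the expression is valid Jinja on its own. The four new `imap_tls_*`/`smtp_tls_*` lines are also role parameters, yet they now sit under the `# Common parameters (general, not role).` comment; move them above it, next to `mail_ldap_tls_truststore`.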
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -2,7 +2,7 @@
 

	
 
mail_ldap_base_dn: dc=local
 
mail_ldap_url: ldap://ldap-server/
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
 
mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/truststore.pem') }}"
 
mail_ldap_postfix_password: postfixpassword
 
mail_ldap_dovecot_password: dovecotpassword
 
mail_server_tls_protocols:
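Review bot: switching this scenario from `tests/data/x509/ca.cert.pem` to `tests/data/x509/truststore.pem` is not mentioned in the commit message; if the intent is that both scenarios validate the LDAP server against the same truststore as parameters-mandatory.yml, say so, and if `ca.cert.pem` is now unused here, consider removing the stale fixture in a follow-up.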
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.cert.pem
 
file renamed from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.pem to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.cert.pem
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key.pem
 
file renamed from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_imap.key.pem
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.cert.pem
 
file renamed from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.pem to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.cert.pem
roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key.pem
 
file renamed from roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key to roles/mail_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_smtp.key.pem
roles/mail_server/molecule/default/tests/test_mandatory.py
 
@@ -21,28 +21,28 @@ def test_smtp_tls_files(host):
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o640
 
        assert tls_file.content_string == open("tests/data/x509/%s_smtp.key" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/%s_smtp.key.pem" % hostname, "r").read().rstrip()
 

	
 
        tls_file = host.file('/etc/ssl/certs/%s_smtp.pem' % hostname)
 
        assert tls_file.is_file
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o644
 
        assert tls_file.content_string == open("tests/data/x509/%s_smtp.pem" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/%s_smtp.cert.pem" % hostname, "r").read().rstrip()
 

	
 
        tls_file = host.file('/etc/ssl/private/%s_imap.key' % hostname)
 
        assert tls_file.is_file
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o640
 
        assert tls_file.content_string == open("tests/data/x509/%s_imap.key" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/%s_imap.key.pem" % hostname, "r").read().rstrip()
 

	
 
        tls_file = host.file('/etc/ssl/certs/%s_imap.pem' % hostname)
 
        assert tls_file.is_file
 
        assert tls_file.user == 'root'
 
        assert tls_file.group == 'root'
 
        assert tls_file.mode == 0o644
 
        assert tls_file.content_string == open("tests/data/x509/%s_imap.pem" % hostname, "r").read().rstrip()
 
        assert tls_file.content_string == open("tests/data/x509/%s_imap.cert.pem" % hostname, "r").read().rstrip()
 

	
 

	
 
def test_certificate_validity_check_configuration(host):
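Review bot: the content assertions such as `open("tests/data/x509/%s_smtp.key.pem" % hostname, "r").read().rstrip()` open files without closing them; use `with open(...) as f:` or `pathlib.Path(...).read_text()`. The four blocks differ only in service name, destination path and mode, so a small helper or `pytest.mark.parametrize` over `(service, kind, mode)` would shrink the test and keep the mode expectations (0o640 for keys, 0o644 for certificates) from drifting apart between services.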