Changeset - b4ac65219ef1
[Not reviewed]
Branko Majic (branko) - 9 years ago 2015-08-25 23:31:59
branko@majic.rs
MAR-34: Small usability improvements, not related to original issue. Improved the ssh-keyscan command a bit to include IP addresses in output as well. Store Ansible retry files locally in the retry directory (relative to testsite).
3 files changed with 5 insertions and 3 deletions:
0 comments (0 inline, 0 general)
.gitignore
 
*.pyc
 
*~
 
tmp/
 
docs/_build/
 
testsite/preseed_files/
 

	
 
# Ignore "temporary" files created with the playbook tls.yml (certs, keys, and
 
# host config files for GnuTLS - ca.cfg is versioned, though).
 
testsite/tls/*.pem
 
testsite/tls/*.key
 
testsite/tls/*.*_*.cfg
 
\ No newline at end of file
 
testsite/tls/*.*_*.cfg
 
testsite/retry/*
 
\ No newline at end of file
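Review bot: the new `testsite/retry/*` pattern ignores everything inside the directory, so a fresh clone will not contain `testsite/retry/` at all; either confirm that the Ansible version in use creates `retry_files_save_path` on demand when it writes a retry file, or keep an empty placeholder in the repository by adding `!testsite/retry/.gitkeep` below the pattern. Both the old and the new last line still carry `\ No newline at end of file`; ending the file with a newline avoids a spurious one-line change the next time it is edited.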
docs/testsite.rst
 
@@ -80,75 +80,75 @@ In order to deploy the test site, the following steps would normally be taken:
 
   - ``testsite/tls/mail.example.com_smtp.key``
 
   - ``testsite/tls/xmpp.example.com_xmpp.key``
 
   - ``testsite/tls/ldap.example.com_ldap.key``
 
   - ``testsite/tls/web.example.com_https.key``
 
   - ``testsite/tls/phpfino.example.com_https.key``
 
   - ``testsite/tls/wsgi.example.com_https.key``
 

	
 
4. Issue TLS certificates corresponding to the generated TLS private keys
 
   (correct FQDN for DNS subject alternative name **must** be used), making sure
 
   to change domain in filenames if necessary:
 

	
 
   - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/mail.example.com_smtp.pem`` (subject alternative name should
 
     be ``mail.example.com``)
 
   - ``testsite/tls/xmpp.example.com_xmpp.pem`` (subject alternative name should
 
     be ``xmpp.example.com``)
 
   - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should
 
     be ``ldap.example.com``)
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
 
     be ``web.example.com``)
 
   - ``testsite/tls/phpinfo.example.com_https.pem`` (subject alternative name
 
     should be ``phpinfo.example.com``)
 
   - ``testsite/tls/wsgi.example.com_https.pem`` (subject alternative name
 
     should be ``wsgi.example.com``)
 

	
 
5. Create ``PEM`` truststore file which contains all CA certificates that form
 
   CA chain for the issued end entity certificates from previous step at
 
   location ``testsite/tls/ca.pem``. It is very important to
 
   include the full CA chain used for LDAP server.
 

	
 
6. Generate the preseed files:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/preseed.yml
 

	
 
7. Install all servers using the generated preseed files.
 

	
 
8. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
   remove old entries if you are redoing the process). You can easily obtain all
 
   the necessary fingerprints with command (don't forget to modify domain if you
 
   need to):
 

	
 
   .. code-block:: shell
 

	
 
      ssh-keyscan mail.example.com ldap.example.com xmpp.example.com web.example.com
 
      ssh-keyscan mail.example.com ldap.example.com xmpp.example.com web.example.com $(resolveip -s mail.example.com) $(resolveip -s ldap.example.com) $(resolveip -s xmpp.example.com) $(resolveip -s web.example.com)
 

	
 
9. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 
   environment for Ansible runs on all servers:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/bootstrap.yml
 

	
 
10. Finally, apply configuration on all servers:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/site.yml
 

	
 
The playbooks and configurations for test site make a couple of assumptions:
 

	
 
* Each server will be set-up with an operating system user ``admin``, capable of
 
  running the sudo commands.
 
* The password for operating system user ``admin`` is hard-coded to ``admin``.
 
* An SSH ``authorized_keys`` file is set-up for the operating system user
 
  ``admin``. The SSH key stored in it will be read from location
 
  ``~/.ssh/id_rsa.pub`` (i.e. from home directory of user running the Ansible
 
  commands).
 

	
 
For more details on how the playbooks and configuration have been implemented,
 
feel free to browse the test site files (in directory ``testsite``).
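Review bot: the extended `ssh-keyscan` line depends on `resolveip`, which ships with the MySQL/MariaDB server packages rather than with the base system, so step 8 should either name that dependency or use a tool that is normally present, for example `getent hosts mail.example.com | awk '{print $1}'`. The line is also well over 200 characters inside a single `code-block`, so wrapping it with shell `\` continuations would keep the rendered page readable. Since the scan now yields both hostname-keyed and IP-keyed `known_hosts` entries, one sentence telling the reader to compare the scanned keys against the fingerprints shown on each server's console before appending them would be worthwhile; `ssh-keyscan` on its own only records whatever answered on the network. Unrelated but visible in the surrounding context: `testsite/tls/web.example.com_https.pem` is listed twice in step 4, and `phpfino.example.com_https.key` in step 3 looks like a typo for `phpinfo`.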
testsite/ansible.cfg
 
[defaults]
 

	
 
roles_path=../roles
 
force_handlers = True
 
\ No newline at end of file
 
force_handlers = True
 
retry_files_save_path = ./retry
 
\ No newline at end of file
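Review bot: `retry_files_save_path = ./retry` is resolved against the working directory of the `ansible-playbook` invocation, not against the location of `ansible.cfg`, so the retry files end up in `testsite/retry/` only when the playbooks are run from `testsite` as the documentation assumes. When this file is picked up through the current-directory lookup the two coincide, but if it is selected via `ANSIBLE_CONFIG` from elsewhere the directory is created wherever the command happens to run; a comment above the setting stating the expectation would make that explicit. The file also still ends without a trailing newline, and `roles_path=../roles` mixes spacing style with the two `key = value` lines below it; pick one.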