majic-ansible-roles Changeset

Changeset - c56a03a698ee

Parent rev.

Child rev.

[Not reviewed]

0 1 0

Branko Majic (branko) - 10 years ago 2015-08-17 23:56:22
branko@majic.rs

MAR-9: Updated documentation to describe how to change the domain in test site. Updated instructions for generating the TLS keys and certificates (via playbook) in test site.

1 file changed with 38 insertions and 31 deletions:

docs/testsite.rst

0 comments (0 inline, 0 general)

docs/testsite.rst

➞

Show inline comments

 files, through bootstrap process for new nodes, and onto deployment of all
 remaining roles.
 By default, the test site uses domain ``example.com``, but it has been designed
 so it is easy to set your own domain (see below in step-by-step
 instructions). Some changes may be necessary to listed commands in that case
 (i.e. replace every occurance of ``example.com`` with your own domain).
 All example commands listed within this section should be ran from within the
 ``testsite`` directory in order to have proper environment available for
 playbook runs.
@@ @@ -47,29 +52,29 @@ xmpp.yml @@
 In order to deploy the test site, the following steps would normally be taken:
 . If you do not wish to have the hassle of creating the private keys and
    issuing certificates, run the following commands to get this done for you
    automatically, and skip to step 5 (otherwise follow steps 2 through 4):
 . As mentioned in introduction, default domain used by test site is
    ``example.com``. To change it, perform the following steps (otherwise, just
    skip to step 2):
    a. Update the file ``hosts``. Simply replace all occurances of
       ``example.com`` with your chosen domain.
    b. Update the file ``group_vars/all.yml``, changing the value of variable
       ``testsite_domain``. This value will then be used to calculate some of
       derived values, like LDAP base DN (which will be set to something along
       the lines of ``dc=example,dc=com`` or
       ``dc=your,dc=domain,dc=components``).
 . If you do not wish to have the hassle of creating the private keys and
    issuing certificates, there is a small playbook that can help you with
    this. Just run the ``tls.yml`` playbook, and skip to step 6 (otherwise follow
    steps 3 through 5):
    .. code-block:: shell
      certtool --sec-param high --generate-privkey --outfile tls/example_ca.key
      certtool --template tls/templates/example_ca.cfg --generate-self-signed --load-privkey tls/example_ca.key --outfile tls/example_ca.pem
      cp tls/example_ca.pem tls/example_ca_chain.pem
      for template in tls/templates/*.cfg; do
          entity_basename="$(basename "$template" .cfg)"
          [[ $entity_basename == example_ca ]] && continue
          certtool --sec-param normal --generate-privkey --outfile "tls/$entity_basename.key"
          sleep 1
          certtool --generate-certificate \
            --load-ca-privkey "tls/example_ca.key" \
            --load-ca-certificate "tls/example_ca.pem" \
            --template "$template" \
            --load-privkey "tls/${entity_basename}.key" \
            --outfile "tls/${entity_basename}.pem"
      done
 . Create TLS private keys (relative to top level directory):
      ansible-playbook playbooks/tls.yml
 . Create TLS private keys (relative to top level directory), making sure to
    change domain in filenames if necessary:
    - ``testsite/tls/mail.example.com_imap.key``
    - ``testsite/tls/mail.example.com_smtp.key``
    - ``testsite/tls/phpfino.example.com_https.key``
    - ``testsite/tls/wsgi.example.com_https.key``
 . Issue TLS certificates corresponding to the generated TLS private keys (make
    sure to use correct FQDN for DNS subject alternative name):
 . Issue TLS certificates corresponding to the generated TLS private keys
    (correct FQDN for DNS subject alternative name **must** be used), making sure
    to change domain in filenames if necessary:
    - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should
      be ``mail.example.com``)
    - ``testsite/tls/wsgi.example.com_https.pem`` (subject alternative name
      should be ``wsgi.example.com``)
-. Create ``PEM`` truststore file which contains all CA certificates that form
+. Create ``PEM`` truststore file which contains all CA certificates that form
    CA chain for the issued end entity certificates from previous step at
    location ``testsite/tls/example_ca_chain.pem``. It is very important to
    include the CA chain used for LDAP server.
    location ``testsite/tls/ca.pem``. It is very important to
    include the full CA chain used for LDAP server.
-. Generate the preseed files:
+. Generate the preseed files:
   .. code-block:: shell
     ansible-playbook playbooks/preseed.yml
-. Install all servers using the generated preseed files.
+. Install all servers using the generated preseed files.
-. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
+. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
    remove old entries if you are redoing the process). You can easily obtain all
    the necessary fingerprints with command:
    the necessary fingerprints with command (don't forget to modify domain if you
    need to):
    .. code-block:: shell
       ssh-keyscan mail.example.com ldap.example.com xmpp.example.com web.example.com
-. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
+. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
    environment for Ansible runs on all servers:
   .. code-block:: shell
     ansible-playbook playbooks/bootstrap.yml
-. Finally, apply configuration on all servers:
+. Finally, apply configuration on all servers:
   .. code-block:: shell

0 comments (0 inline, 0 general)