majic-ansible-roles Changeset

@@ -229,12 +229,13 @@ First of all, let's set-up some basic directory structure and configuration:

   variables, SSH keys, X.509 artefacts (for TLS), and GnuPG keyring

   (we'll get to this later)::

     mkdir ~/mysite/playbooks/

     mkdir ~/mysite/group_vars/

     mkdir ~/mysite/ssh/

     mkdir ~/mysite/tls/

     mkdir ~/mysite/gnupg/

5. Create SSH private/public key pair that will be used by Ansible for

   connecting to destination servers, as well as for some roles::

     ssh-keygen -f ~/.ssh/id_rsa -N ''

@@ -259,28 +260,24 @@ safe environment (possibly encrypted until needed), while the X.509

certificates should be issued by a relevant certification

authority. You can choose to roll-out your own CA, use one of the

public CAs, or perhaps go for a mix of both.

For the purpose of this guide, we'll set-up a small simple local CA to

issue all the necessary certificates, and we'll generate the private

keys and issue server certificates on the go as needed.

keys and issue server certificates on the go as needed, storing them

all under the ``~/mysite/tls/`` directory.

So, let us make a slight detour to create a CA of our own:

1. First off, install a couple more tools on the Ansible server. We

   will be using ``certtool`` for our improvised CA needs (run this as

   ``root``)::

     apt-get install -y gnutls-bin

2. Create directory where the private keys and certificates will be

   stored at (you can switch back to the ``ansible`` user now)::

     mkdir ~/mysite/tls/

3. Create a template for the ``certtool`` so it would know what

2. Create a template for the ``certtool`` so it would know what

   extensions and content to have in the CA certificate:

   :file:`~/mysite/tls/ca.cfg`

::

      organization = "Example Inc."

@@ -288,19 +285,19 @@ So, let us make a slight detour to create a CA of our own:

      cn = "Example Inc. Test Site CA"

      expiration_days = 1825

ca

      cert_signing_key

      crl_signing_key

4. Almost there... Now let us generate the CA private key and

3. Almost there... Now let us generate the CA private key and

   self-signed certificate::

     certtool --sec-param high --generate-privkey --outfile ~/mysite/tls/ca.key

     certtool --template ~/mysite/tls/ca.cfg --generate-self-signed --load-privkey ~/mysite/tls/ca.key --outfile ~/mysite/tls/ca.pem

5. And just one more small tweak - we need to provide a truststore PEM

4. And just one more small tweak - we need to provide a truststore PEM

   file containing all CA certificates in the chain for services to be

   able to connect to each-other (where necessary). In this particular

   case we have a super-simple hierarchy (root CA is also issuing the

   end entity certificates), so simply make a copy of the ``ca.pem``::

     cp ~/mysite/tls/ca.pem ~/mysite/tls/truststore.pem

@@ -629,14 +626,14 @@ one up first. This includes both the LDAP *server* and *client* configuration.

::

---

      ldap_admin_password: admin

      ldap_server_organization: "Example Inc."

      ldap_server_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_ldap.pem') }}"

      ldap_server_tls_key: "{{ lookup('file', 'tls/comms.example.com_ldap.key') }}"

      ldap_server_tls_certificate: "{{ lookup('file', '~/mysite/tls/comms.example.com_ldap.pem') }}"

      ldap_server_tls_key: "{{ lookup('file', '~/mysite/tls/comms.example.com_ldap.key') }}"

4. Phew. That was... Well, actually, easy :) Technically, only the

   LDAP admin password and TLS certificate/key *must* be set, but it

   is nice to have organisation explicitly specified as well (instead

   of using whatever Debian picks as default). Let us add the LDAP

   client configuration next. We will start off with global LDAP

@@ -774,22 +771,22 @@ role.

      # Setting uid/gid is optional, but you might have a policy on how to

      # assign UIDs and GIDs, so it is convenient to be able to change this.

      mail_user_uid: 5000

      mail_user_gid: 5000

      # Set private keys and certificates to use for the IMAP service.

      imap_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_imap.pem') }}"

      imap_tls_key: "{{ lookup('file', 'tls/comms.example.com_imap.key') }}"

      imap_tls_certificate: "{{ lookup('file', '~/mysite/tls/comms.example.com_imap.pem') }}"

      imap_tls_key: "{{ lookup('file', '~/mysite/tls/comms.example.com_imap.key') }}"

      # Set private keys and certificates to use for the SMTP service.

      smtp_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_smtp.pem') }}"

      smtp_tls_key: "{{ lookup('file', 'tls/comms.example.com_smtp.key') }}"

      smtp_tls_certificate: "{{ lookup('file', '~/mysite/tls/comms.example.com_smtp.pem') }}"

      smtp_tls_key: "{{ lookup('file', '~/mysite/tls/comms.example.com_smtp.key') }}"

      # Set the X.509 certificate truststore to use for validating the

      # LDAP server certificate.

      mail_ldap_tls_truststore: "{{ lookup('file', 'tls/truststore.pem') }}"

      mail_ldap_tls_truststore: "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"

3. There are two distinct mail services that need to access the LDAP directory -

   *Postfix* (serving as an SMTP server), and *Dovecot* (serving as an IMAP

   server). These two need their own dedicated LDAP entries on the LDAP server in

   order to log-in. Luckily, it is easy to create such entries through the options

   provided by the LDAP server role. In addition to this, the Postfix and Dovecot

@@ -1059,14 +1056,14 @@ role.

2. Configure the role.

   :file:`~/mysite/group_vars/communications.yml`

::

      # Set the TLS private key and certificate.

      xmpp_server_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_xmpp.pem') }}"

      xmpp_server_tls_key: "{{ lookup('file', 'tls/comms.example.com_xmpp.key') }}"

      xmpp_tls_certificate: "{{ lookup('file', '~/mysite/tls/comms.example.com_xmpp.pem') }}"

      xmpp_tls_key: "{{ lookup('file', '~/mysite/tls/comms.example.com_xmpp.key') }}"

      # Set one of the users to also be an XMPP administrator.

      xmpp_administrators:

        - john.doe@example.com

      # Unfortunately, XMPP can't look-up domains via LDAP, so we need to be

@@ -1237,14 +1234,14 @@ Nginx.

   :file:`~/mysite/group_vars/web.yml`

::

---

      default_https_tls_certificate: "{{ lookup('file', 'tls/www.example.com_https.pem') }}"

      default_https_tls_key: "{{ lookup('file', 'tls/www.example.com_https.key') }}"

      default_https_tls_certificate: "{{ lookup('file', '~/mysite/tls/www.example.com_https.pem') }}"

      default_https_tls_key: "{{ lookup('file', '~/mysite/tls/www.example.com_https.key') }}"

      web_default_title: "Welcome to default page!"

      web_default_message: "Nothing to see here, move along..."

3. The only thing left now is to create the TLS private key/certificate pair

   that should be used for default virtual host.

@@ -1415,14 +1412,14 @@ Before we start, here is a couple of useful pointers regarding the

        # Ok, so this role helps us set-up Nginx virtual host for serving our

        # app.

        - role: php_website

          # Our virtual host will for PHP website will respond to this name.

          fqdn: tbg.example.com

          # TLS key and certificate to use for the virtual host.

          https_tls_certificate: "{{ lookup('file', 'tls/tbg.example.com_https.pem') }}"

          https_tls_key: "{{ lookup('file', 'tls/tbg.example.com_https.key') }}"

          https_tls_certificate: "{{ lookup('file', '~/mysite/tls/tbg.example.com_https.pem') }}"

          https_tls_key: "{{ lookup('file', '~/mysite/tls/tbg.example.com_https.key') }}"

          # Some additional packages are required in order to deploy and use TBG.

          packages:

            - php-gd

            - php-curl

            - php-mbstring

            - php-xml

@@ -1733,14 +1730,14 @@ on the safe side:

---

      dependencies:

        - role: wsgi_website

          fqdn: wiki.example.com

          # TLS key and certificate to use for the virtual host.

          https_tls_certificate: "{{ lookup('file', 'tls/wiki.example.com_https.pem') }}"

          https_tls_key: "{{ lookup('file', 'tls/wiki.example.com_https.key') }}"

          https_tls_certificate: "{{ lookup('file', '~/mysite/tls/wiki.example.com_https.pem') }}"

          https_tls_key: "{{ lookup('file', '~/mysite/tls/wiki.example.com_https.key') }}"

          # In many cases you need to have some development packages available

          # in order to build Python packages installed via pip

          packages:

            - build-essential

            - python3-dev

            - libjpeg62-turbo