Files @ 57667a2c528b
Branch filter:

Location: majic-ansible-roles/docs/testsite.rst

57667a2c528b 4.6 KiB text/prs.fallenstein.rst Show Annotation Show as Raw Download as Raw
branko
MAR-4: Updated instructions for setting-up the TLS stuff on mail server (keys, certs).
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
.. _testsite:

Test Site
=========

*Majic Ansible Roles* comes with a small sample test site configuration which
demonstrates use of every role. This test site also serves as starting point for
developing new roles etc, and can be used for testing regressions/breakages.

The test site covers everything, starting from generating the Debian preseed
files, through bootstrap process for new nodes, and onto deployment of all
remaining roles.

All example commands listed within this section should be ran from within the
``testsite`` directory in order to have proper environment available for
playbook runs.

A number of playbooks is provided out of the box:

bootstrap.yml (for bootstrapping a new node)
  This playbook can be used for bootstrapping a new node. This playbook expects
  that a server name is passed via extra variables in CLI. The server name has
  to be included in the hosts file, of course. For example:

  .. code-block:: shell

    ansible-playbook -k -e server=ldap.example.com playbooks/bootstrap.yml

ldap.yml
  This playbook sets-up the LDAP servers. It is included in ``site.yml``.

preseed.yml
  This playbook sets-up the Debian preseed files. It is included in
  ``site.yml``.

site.yml
  This playbook sets-up all servers, including preseed files on local host.

In order to deploy the test site, the following steps would normally be taken:

1. Generate the preseed files:

  .. code-block:: shell

    ansible-playbook playbooks/preseed.yml

2. Install all servers using the generated preseed files.

3. Invoke the ``bootstrap.yml`` playbook for every server, one by one. For
   example:

  .. code-block:: shell

    ansible-playbook -k -e server=ldap.example.com playbooks/bootstrap.yml

4. Finally, apply configuration on all servers:

  .. code-block:: shell

    ansible-playbook playbooks/site.yml

The playbooks and configurations for test site make a couple of assumptions:

* Each server will be set-up with an operating system user ``admin``, capable of
  running the sudo commands.
* The password for operating system user ``admin`` is hard-coded to ``admin``.
* An SSH ``authorized_keys`` file is set-up for the operating system user
  ``admin``. The SSH key stored in it will be read from location
  ``~/.ssh/id_rsa`` (i.e. from home directory of user running the Ansible
  commands).

Additionally, some manual steps may be required to have a fully functioning
system:

* On ``ldap.example.com``, you should manually install the TLS private key and
  certificate ing locations ``/etc/ssl/private/ldap.example.com.pem``
  (*root:ldap, 640*) and ``/etc/ssl/certs/ldap.example.com.pem`` (*root:root,
  644*), respectively. After that, re-run the ``site.yml`` playbook in order to
  re-configure OpenLDAP server to use it.

* On ``xmpp.example.com``:

  * Create TLS private key for XMPP in location
    ``/etc/ssl/private/xmpp.example.com.pem`` (*root:prosody, 640*).
  * Create TLS certificate for XMPP in location
    ``/etc/ssl/certs/xmpp.example.com.pem`` (*root:root, 644*).
  * Install a truststore that contains the CA certifciate which has issued the
    LDAP certificate in location ``/etc/ssl/certs/truststore.pem`` (*root:root,
    644*).
  * After all files are in place, re-run the ``site.yml`` playbook in order to
    restart necessary services etc.

* On ``mail.example.com``, you should manually install the TLS private key and
  certificate in locations ``/etc/ssl/private/mail.example.com.pem``
  (*root:ldap, 640*) and ``/etc/ssl/certs/mail.example.com.pem`` (*root:root,
  644*), respectively. You should also install a truststore that contains the CA
  certifciate which has issued the LDAP certificate in location
  ``/etc/ssl/certs/truststore.pem`` (*root:root, 644*). After that, restart the
  servics ``dovecot`` and ``postfix``.

* On ``mail.example.com``:

  * Create TLS private key for SMTP in location
    ``/etc/ssl/private/mail.example.com_smtp.pem`` (*root:openldap, 640*).
  * Create TLS certificate for SMTP in location
    ``/etc/ssl/certs/mail.example.com_smtp.pem`` (*root:root, 644*).
  * Create TLS private key for IMAP in location
    ``/etc/ssl/private/mail.example.com_imap.pem`` (*root:openldap, 640*).
  * Create TLS certificate for IMAP in location
    ``/etc/ssl/certs/mail.example.com_imap.pem`` (*root:root, 644*).
  * Install a truststore that contains the CA certifciate which has issued the
    LDAP certificate in location ``/etc/ssl/certs/truststore.pem`` (*root:root,
    644*).
  * After all files are in place, re-run the ``site.yml`` playbook in order to
    restart necessary services etc.

For more details on how the playbooks and configuration have been implemented,
feel free to browse the test site files (in directory ``testsite``).
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.