At this point Gate was ready for provisioning with Ansible.
+* The All Role
+
+The ~all~ role contains tasks that are executed on all of the
+institute's servers. At the moment there is just the one.
+
+** Include Particulars
+
+The ~all~ role's task contains a reference to a common institute
+particular, the institute's ~domain_name~, a variable found in the
+=public/vars.yml= file. Thus the first task of the ~all~ role is to
+include the variables defined in this file (described in [[*The Particulars][The
+Particulars]]). The code block below is the first to tangle into
+[[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]].
+
+#+CAPTION: [[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes
+---
+- name: Include public variables.
+ include_vars: ../public/vars.yml
+ tags: accounts
+#+END_SRC
+
+** Trust Institute Certificate Authority
+
+All servers should recognize the institute's Certificate Authority as
+trustworthy, so its certificate is added to the set of trusted CAs on
+each host. More information about how the small institute manages its
+X.509 certificates is available in [[*Keys][Keys]].
+
+#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes
+
+- name: Trust the institute CA.
+ become: yes
+ copy:
+ src: ../Secret/CA/pki/ca.crt
+ dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
+ mode: u=r,g=r,o=r
+ owner: root
+ group: root
+ notify: Update CAs.
+#+END_SRC
+
+#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/all/handlers/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/all/handlers/main.yml :mkdirp yes
+
+- name: Update CAs.
+ become: yes
+ command: update-ca-certificates
+#+END_SRC
+
+
* The Front Role
The ~front~ role installs and configures the services expected on the
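Review bot: The link targets in the added All Role section still point at the front role. In Include Particulars, the paragraph and the caption both use [[file:roles/front/tasks/main.yml]] while displaying =roles/all/tasks/main.yml=. The two captions under Trust Institute Certificate Authority link to roles_t/front/tasks/main.yml and roles_t/front/handlers/main.yml while displaying the roles_t/all/ paths. Point each link at the file its block tangles into (roles_t/all/tasks/main.yml and roles_t/all/handlers/main.yml). The first caption also displays roles/all/... although its block tangles to roles_t/all/..., so the prefix should be made consistent as well. Smaller point: the prose says the role runs on "all of the institute's servers", but the campus text removed later in this patch spoke of "Campus hosts", so "hosts" may be the more accurate word here.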
** Include Particulars
-The ~front~ role's tasks contain references to several common
-institute particulars, variables in the public and private =vars.yml=
-files and the institute membership roll in =private/members.yml=. The
-first ~front~ role tasks are to include these files (described in [[*The Particulars][The
-Particulars]] and [[*Account Management][Account Management]]).
-
-The code block below is the first to tangle into
-[[file:roles/front/tasks/main.yml][=roles/front/tasks/main.yml=]].
+The first task, as in [[*The All Role][The All Role]], is to include the institute
+particulars. The ~front~ role refers to private variables and the
+membership roll, so these are included was well.
#+CAPTION: [[file:roles/front/tasks/main.yml][=roles/front/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :mkdirp yes
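Review bot: Typo in the added paragraph: "so these are included was well" should read "as well". The rewrite also drops the link to [[*Account Management]] and the mention of =private/members.yml=. The All Role section it now refers to only links to The Particulars, so a reader of the front role no longer has a pointer to where the membership roll is described. Suggest keeping that one link.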
tags: accounts
#+END_SRC
-** Trust Institute Certificate Authority
-
-Front should recognize the institute's Certificate Authority as
-trustworthy, so its certificate is added to Front's set of trusted
-CAs. More information about how the small institute manages its
-X.509 certificates is available in [[*Keys][Keys]].
-
-#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
-
-- name: Trust the institute CA.
- become: yes
- copy:
- src: ../Secret/CA/pki/ca.crt
- dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
- mode: u=r,g=r,o=r
- owner: root
- group: root
- notify: Update CAs.
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml
-
-- name: Update CAs.
- become: yes
- command: update-ca-certificates
-#+END_SRC
-
** Install Server Certificate
The servers on Front use the same certificate (and key) to
tags: accounts
#+END_SRC
-** Trust Institute Certificate Authority
-
-Core should recognize the institute's Certificate Authority as
-trustworthy, so its certificate is added to Core's set of trusted
-CAs. More information about how the small institute manages its
-X.509 certificates is available in [[*Keys][Keys]].
-
-#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml
-
-- name: Trust the institute CA.
- become: yes
- copy:
- src: ../Secret/CA/pki/ca.crt
- dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
- mode: u=r,g=r,o=r
- owner: root
- group: root
- notify: Update CAs.
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml
-
-- name: Update CAs.
- become: yes
- command: update-ca-certificates
-#+END_SRC
-
** Install Server Certificate
The servers on Core use the same certificate (and key) to authenticate
groups: root,adm
#+END_SRC
-** Trust Institute Certificate Authority
-
-Campus hosts should recognize the institute's Certificate Authority as
-trustworthy, so its certificate is added to the host's set of trusted
-CAs. (For more information about how the small institute manages its
-keys, certificates and passwords, see [[*Keys][Keys]].)
-
-#+CAPTION: [[file:roles_t/campus/tasks/main.yml][=roles_t/campus/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/campus/tasks/main.yml
-
-- name: Trust the institute CA.
- become: yes
- copy:
- src: ../Secret/CA/pki/ca.crt
- dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt
- mode: u=r,g=r,o=r
- owner: root
- group: root
- notify: Update CAs.
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/campus/handlers/main.yml][=roles_t/campus/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/campus/handlers/main.yml
-
-- name: Update CAs.
- become: yes
- command: update-ca-certificates
-#+END_SRC
-
** Install Unattended Upgrades
The institute prefers to install security updates as soon as possible.
#+CAPTION: [[file:playbooks/site.yml][=playbooks/site.yml=]]
#+BEGIN_SRC conf :tangle playbooks/site.yml :mkdirp yes
---
+- name: Configure All
+ hosts: all
+ roles: [ all ]
+
- name: Configure Front
hosts: front
roles: [ front ]
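Review bot: The position of the new "Configure All" play is load-bearing and is not documented. With "Trust the institute CA." removed from the front, core and campus roles, those roles depend on this play running first so that the certificate is copied and the "Update CAs." handler has fired (handlers run at the end of the play) before "Configure Front" and the later plays start. Suggest saying so in the text around this block. Any other playbook that applies front, core or campus without the all role would no longer install the CA, so it is worth checking for such playbooks or adding all to their role lists.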