From 4d7a6793ec95776d1fb41f67a80f0377e181bd09 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Fri, 23 Feb 2024 17:39:26 -0700
Subject: [PATCH] Added the "all" role, for all hosts. This eliminates duplicate code from all (other) roles, installing the institute certificate authority. Originally intended to ensure the institute CA was installed before OpenVPN needed it. OpenVPN actually just needed the /usr/local/share/ca-certificates/ file (not update-ca-certificates execution).
---
 README.org | 154 ++++++++++++-------------------
 playbooks/site.yml | 4 +
 roles_t/all/handlers/main.yml | 3 +
 roles_t/all/tasks/main.yml | 14 +++
 roles_t/campus/handlers/main.yml | 4 -
 roles_t/campus/tasks/main.yml | 10 --
 roles_t/core/handlers/main.yml | 4 -
 roles_t/core/tasks/main.yml | 10 --
 roles_t/front/handlers/main.yml | 4 -
 roles_t/front/tasks/main.yml | 10 --
 10 files changed, 80 insertions(+), 137 deletions(-)
 create mode 100644 roles_t/all/handlers/main.yml
 create mode 100644 roles_t/all/tasks/main.yml
diff --git a/README.org b/README.org
index 3e01f0d..0864bfc 100644
--- a/README.org
+++ b/README.org
@@ -1237,6 +1237,58 @@ information, see the Gate role's [[netplan-gate][Configure Netplan]] task.) At this point Gate was ready for provisioning with Ansible. +* The All Role + +The ~all~ role contains tasks that are executed on all of the +institute's servers. At the moment there is just the one. + +** Include Particulars + +The ~all~ role's task contains a reference to a common institute +particular, the institute's ~domain_name~, a variable found in the +=public/vars.yml= file. Thus the first task of the ~all~ role is to +include the variables defined in this file (described in [[*The Particulars][The +Particulars]]). The code block below is the first to tangle into +[[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]]. + +#+CAPTION: [[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes +--- +- name: Include public variables. + include_vars: ../public/vars.yml + tags: accounts +#+END_SRC + +** Trust Institute Certificate Authority + +All servers should recognize the institute's Certificate Authority as +trustworthy, so its certificate is added to the set of trusted CAs on +each host. More information about how the small institute manages its +X.509 certificates is available in [[*Keys][Keys]]. + +#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/all/tasks/main.yml :mkdirp yes + +- name: Trust the institute CA. + become: yes + copy: + src: ../Secret/CA/pki/ca.crt + dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt + mode: u=r,g=r,o=r + owner: root + group: root + notify: Update CAs. +#+END_SRC + +#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/all/handlers/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/all/handlers/main.yml :mkdirp yes + +- name: Update CAs. 
+ become: yes + command: update-ca-certificates +#+END_SRC + + * The Front Role The ~front~ role installs and configures the services expected on the @@ -1261,14 +1313,9 @@ certificates signed by the institute CA. ** Include Particulars -The ~front~ role's tasks contain references to several common -institute particulars, variables in the public and private =vars.yml= -files and the institute membership roll in =private/members.yml=. The -first ~front~ role tasks are to include these files (described in [[*The Particulars][The -Particulars]] and [[*Account Management][Account Management]]). - -The code block below is the first to tangle into -[[file:roles/front/tasks/main.yml][=roles/front/tasks/main.yml=]]. +The first task, as in [[*The All Role][The All Role]], is to include the institute +particulars. The ~front~ role refers to private variables and the +membership roll, so these are included was well. #+CAPTION: [[file:roles/front/tasks/main.yml][=roles/front/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :mkdirp yes 
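Review bot: The captions of the three new source blocks in "The All Role" link to the front role's files while labelling them as the all role's — `#+CAPTION: [[file:roles/front/tasks/main.yml][=roles/all/tasks/main.yml=]]`, `[[file:roles_t/front/tasks/main.yml][=roles_t/all/tasks/main.yml=]]` and `[[file:roles_t/front/handlers/main.yml][=roles_t/all/handlers/main.yml=]]`; the link targets should name the `all` paths so the rendered document points at the files these blocks actually tangle into. The introductory sentence also says the role has "just the one" task, but the two blocks tangle two tasks into `roles_t/all/tasks/main.yml` (the variable include and the CA copy), so "just the one" should probably read as two, or refer only to the CA task.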
@@ -1524,35 +1571,6 @@ recipient" replies. The [[*Account Management][Account Management]] chapter des tags: accounts #+END_SRC -** Trust Institute Certificate Authority - -Front should recognize the institute's Certificate Authority as -trustworthy, so its certificate is added to Front's set of trusted -CAs. More information about how the small institute manages its -X.509 certificates is available in [[*Keys][Keys]]. - -#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml - -- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. -#+END_SRC - -#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml - -- name: Update CAs. - become: yes - command: update-ca-certificates -#+END_SRC - ** Install Server Certificate The servers on Front use the same certificate (and key) to 
@@ -2947,35 +2965,6 @@ describes the ~members~ and ~usernames~ variables. tags: accounts #+END_SRC -** Trust Institute Certificate Authority - -Core should recognize the institute's Certificate Authority as -trustworthy, so its certificate is added to Core's set of trusted -CAs. More information about how the small institute manages its -X.509 certificates is available in [[*Keys][Keys]]. - -#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml - -- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. -#+END_SRC - -#+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml - -- name: Update CAs. - become: yes - command: update-ca-certificates -#+END_SRC - ** Install Server Certificate The servers on Core use the same certificate (and key) to authenticate 
@@ -5289,35 +5278,6 @@ these groups speeds up debugging. groups: root,adm #+END_SRC -** Trust Institute Certificate Authority - -Campus hosts should recognize the institute's Certificate Authority as -trustworthy, so its certificate is added to the host's set of trusted -CAs. (For more information about how the small institute manages its -keys, certificates and passwords, see [[*Keys][Keys]].) - -#+CAPTION: [[file:roles_t/campus/tasks/main.yml][=roles_t/campus/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/campus/tasks/main.yml - -- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. -#+END_SRC - -#+CAPTION: [[file:roles_t/campus/handlers/main.yml][=roles_t/campus/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/campus/handlers/main.yml - -- name: Update CAs. - become: yes - command: update-ca-certificates -#+END_SRC - ** Install Unattended Upgrades The institute prefers to install security updates as soon as possible. @@ -5591,6 +5551,10 @@ the example inventory: [[file:hosts][=hosts=]]. #+CAPTION: [[file:playbooks/site.yml][=playbooks/site.yml=]] #+BEGIN_SRC conf :tangle playbooks/site.yml :mkdirp yes --- +- name: Configure All + hosts: all + roles: [ all ] + - name: Configure Front hosts: front roles: [ front ] diff --git a/playbooks/site.yml b/playbooks/site.yml index 0aa8866..e127476 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -1,4 +1,8 @@ --- +- name: Configure All + hosts: all + roles: [ all ] + - name: Configure Front hosts: front roles: [ front ] diff --git a/roles_t/all/handlers/main.yml b/roles_t/all/handlers/main.yml new file mode 100644 index 0000000..3ba4265 --- /dev/null +++ b/roles_t/all/handlers/main.yml @@ -0,0 +1,3 @@ +- name: Update CAs. + become: yes + command: update-ca-certificates 
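Review bot: The new `Configure All` play in `playbooks/site.yml` is placed ahead of every role-specific play, but nothing in the file records why that order matters; the commit message says the CA file had to be present before OpenVPN needed it, and that dependency is lost once the message scrolls out of view. A comment above the play would keep it visible, e.g. `# The all role runs first: later roles (OpenVPN, per the commit history) expect the institute CA already in /usr/local/share/ca-certificates/.` Since this block is tangled from README.org, the comment belongs in the corresponding `#+BEGIN_SRC ... :tangle playbooks/site.yml` block as well.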
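Review bot: The new `roles_t/all/handlers/main.yml` has no `---` document-start line, while the sibling `roles_t/all/tasks/main.yml` created in the same commit begins with one, so the two files of the new role follow different conventions. Add `---` as the first line, and since the file is tangled from README.org, make the change in the `#+BEGIN_SRC conf :tangle roles_t/all/handlers/main.yml` block rather than in the generated file. Whether the other roles' handler files start with `---` is not visible in this diff, so I cannot say which convention the rest of the project follows.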
diff --git a/roles_t/all/tasks/main.yml b/roles_t/all/tasks/main.yml new file mode 100644 index 0000000..16b0e95 --- /dev/null +++ b/roles_t/all/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: Include public variables. + include_vars: ../public/vars.yml + tags: accounts + +- name: Trust the institute CA. + become: yes + copy: + src: ../Secret/CA/pki/ca.crt + dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt + mode: u=r,g=r,o=r + owner: root + group: root + notify: Update CAs. diff --git a/roles_t/campus/handlers/main.yml b/roles_t/campus/handlers/main.yml index c929d42..75255bd 100644 --- a/roles_t/campus/handlers/main.yml +++ b/roles_t/campus/handlers/main.yml @@ -15,10 +15,6 @@ service: systemd-timesyncd state: restarted -- name: Update CAs. - become: yes - command: update-ca-certificates - - name: Restart Postfix. become: yes systemd: diff --git a/roles_t/campus/tasks/main.yml b/roles_t/campus/tasks/main.yml index e185415..fa8e838 100644 --- a/roles_t/campus/tasks/main.yml +++ b/roles_t/campus/tasks/main.yml @@ -80,16 +80,6 @@ append: yes groups: root,adm -- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. - - name: Install basic software. become: yes apt: pkg=unattended-upgrades diff --git a/roles_t/core/handlers/main.yml b/roles_t/core/handlers/main.yml index 418014a..e5bd621 100644 --- a/roles_t/core/handlers/main.yml +++ b/roles_t/core/handlers/main.yml @@ -29,10 +29,6 @@ service: bind9 state: reloaded -- name: Update CAs. - become: yes - command: update-ca-certificates - - name: Restart Postfix. become: yes systemd: diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index bbf3053..d305321 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml 
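Review bot: `Include public variables.` carries `tags: accounts`, but the only consumer of `domain_name` in this role, `Trust the institute CA.`, is untagged, so a run with `--skip-tags accounts` skips the include and the copy task then fails on an undefined `domain_name` in its `dest`. The tag looks carried over from the front/core roles, where account-management tasks justify it; in this role nothing is account-related, and `tags: always` is the conventional way to make a variable include unconditional. A run with `--tags accounts` is already harmless (the include runs and the untagged copy is skipped), so `always` only closes the skip-tags gap.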
@@ -302,16 +302,6 @@ when: members[item].status != 'current' tags: accounts -- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. - - name: Install server certificate/key. become: yes copy: diff --git a/roles_t/front/handlers/main.yml b/roles_t/front/handlers/main.yml index 1b4abd2..8870c6f 100644 --- a/roles_t/front/handlers/main.yml +++ b/roles_t/front/handlers/main.yml @@ -9,10 +9,6 @@ service: ssh state: reloaded -- name: Update CAs. - become: yes - command: update-ca-certificates - - name: Restart Postfix. become: yes systemd: diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml index d30366e..b8b3a56 100644 --- a/roles_t/front/tasks/main.yml +++ b/roles_t/front/tasks/main.yml @@ -134,16 +134,6 @@ when: members[item].status != 'current' tags: accounts -- name: Trust the institute CA. - become: yes - copy: - src: ../Secret/CA/pki/ca.crt - dest: /usr/local/share/ca-certificates/{{ domain_name }}.crt - mode: u=r,g=r,o=r - owner: root - group: root - notify: Update CAs. - - name: Install server certificate/key. become: yes copy: -- 2.25.1