Majic Ansible Roles / MAR-10: Deploy TLS private keys and certificates to servers (Feature request, Closed)
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue: Feature request
  • Category: Not determined
  • Targeted for: 1.0.0
  • Status: Closed
  • Resolution: RESOLVED
  • Priority: Not determined
  • Estimated time: Not estimated
  • Time spent: 1 day
Description
Currently the private keys and certificates are assumed to be deployed to servers manually by the system administrator.

This means that the procedure for setting up a site (let's say the sample testsite) is roughly:

1. Bootstrap servers via bootstrap.yml.
2. Set up servers via site.yml.
3. Deploy the necessary private keys/certificates.
4. Re-run site.yml.

This feels a bit awkward, and it might not even serve any good purpose. Instead of a set-up like this, it would be better to deploy both private keys and certificates via Ansible.

This makes Ansible a bit of a bigger target, but on the other hand the private keys normally need to be backed up somewhere anyway, and the backup system is no smaller target. With some smart encryption, the risk to the files on the Ansible host might be minimal.

In general, a single truststore for all roles should be enough. This means the truststore should be deployed as part of the common role. The remaining roles should simply point their own configurations etc. to this truststore. Eventually the application should take care of copying the truststore to the desired destination, if it needs it in a chroot etc.

For private key/certificates, each application should take care of its own.

This way the optimal separation between roles should be achievable, with minimal duplication.
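As an added illustration of the split described above (this is example code, not tasks from the Majic Ansible Roles project), the truststore is deployed once by the common role, while an application role deploys its own certificate and private key and copies the truststore into its chroot only when it needs it there. The file paths, variable names, the `openldap` group, the `restart slapd` handler and the `ldap_chroot_enabled` flag are all assumptions chosen for illustration.

```yaml
# Added example, not from the Majic Ansible Roles project. Paths, variable
# names, the service group and the handler name are assumptions.

# roles/common/tasks/truststore.yml: one CA bundle, deployed once for all roles.
- name: Deploy the shared truststore (CA certificates)
  copy:
    src: "{{ tls_truststore_src }}"            # e.g. files/ca-bundle.pem on the Ansible host
    dest: /etc/ssl/certs/local-truststore.pem
    owner: root
    group: root
    mode: "0644"                                # public material, world-readable is fine

# roles/ldap_server/tasks/tls.yml: each application handles its own key pair.
- name: Deploy the LDAP server certificate
  copy:
    src: "{{ ldap_tls_cert_src }}"
    dest: /etc/ssl/certs/ldap.pem
    owner: root
    group: root
    mode: "0644"

- name: Deploy the LDAP server private key
  copy:
    content: "{{ ldap_tls_key }}"               # value kept in an ansible-vault encrypted vars file
    dest: /etc/ssl/private/ldap.key
    owner: root
    group: openldap                             # assumed service group; only it may read the key
    mode: "0640"
  no_log: true                                  # keep key material out of Ansible output and logs
  notify: restart slapd                         # assumed handler name

# Copy the truststore into the chroot only when the application is confined there.
- name: Copy the shared truststore into the service chroot
  copy:
    src: /etc/ssl/certs/local-truststore.pem
    dest: /var/lib/ldap/chroot/etc/ssl/certs/local-truststore.pem
    remote_src: yes                             # source is the copy already on the managed host
    owner: root
    group: root
    mode: "0644"
  when: ldap_chroot_enabled | default(false)
```

The "smart encryption" on the Ansible host maps onto Ansible Vault here: the vars file holding `ldap_tls_key` is encrypted with `ansible-vault encrypt` and decrypted at run time with `--ask-vault-pass` (or a vault password file), so the plaintext key never sits unencrypted in the repository; `no_log: true` and the `0640` mode keep it out of logs and away from other local users on the server.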

Current roles that would need to be updated (the list should be verified before starting work):

* LDAP Client
* LDAP Server
* Prosody
* Mail Server
* Mail Forwarder