ssl certs - one task or two for IMAP and http?

Dan Langille

Sep 28, 2014, 3:01:02 PM
to ansible...@googlegroups.com
At present, I have two tasks:

This one installs ssl certs for the host in question:


ssl-certificates/tasks/main.yml
---
  - name: certs
    copy: src={{item.file}} dest=/usr/local/etc/ssl/ owner=root group=www mode={{item.chmod}} backup=yes
    with_items:
      - { file: 'hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.crt',            chmod: '644' }
      - { file: 'hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.nopassword.key', chmod: '600' }


This one is specific to dovecot, the IMAP server:

dovecot/tasks/main.yml 
---
  - name: certs
    copy: src={{item.file}} dest=/usr/local/etc/ssl/ owner=root group=www mode={{item.chmod}} backup=yes
    with_items:
      - { file: 'CA/StartSSL/ca.pem',                                                           chmod: '644' }
      - { file: 'hosts/{{ inventory_hostname_short }}/server.pem',                              chmod: '644' }
      - { file: 'hosts/{{ inventory_hostname_short }}/{{ inventory_hostname }}.nopassword.key', chmod: '600' }

The key difference is dovecot takes a server.pem file (i.e. the usual host cert with the intermediate cert concatenated to it), hence the different recipes.

I had wanted to keep all the ssl certs in one place (i.e. ssl-certificates/files/....) but the different requirements of dovecot and others are keeping that goal elusive.

Mind you, I have multiple web servers which use the ssl-certificates role, and just one imap server.

I think I'll just keep them separate unless there's an interesting but simple solution.

Thanks.

Michael DeHaan

Sep 28, 2014, 3:34:56 PM
to ansible...@googlegroups.com
Unrelated, but here might be a possible tip to make a cleaner playbook:

vars:
  cert_path: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.crt"
  key_path: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.nopassword.key"
  certs:
     - path: "{{ cert_path }}"
       mode: '644'
     - path: "{{ key_path }}"
       mode: '600'

tasks:

  - name: certs
    copy: src={{item.path}} dest=/usr/local/etc/ssl/ owner=root group=www mode={{item.mode}} backup=yes
    with_items: "{{ certs }}"

I would tend to suggest your cert setup for dovecot to be in the dovecot role though, and other apps in their own.
That way if something decides to get split out later, it's a little bit more organized.

My two cents -- but there may be some reasons for organizing it differently.
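One way to get the "all certs in one role" layout Dan wanted while still giving dovecot its concatenated file. This is an added example, not code from either poster: a single shared task file installs the host cert and key for every host, and only hosts that set a chain variable additionally get a `server.pem` built from the host cert followed by the intermediate. The variable names `ssl_cert_dir` and `ssl_chain_file`, and the final key/cert consistency check, are my assumptions; the paths follow the thread. It uses current Ansible syntax (`loop`, quoted `{{ }}`) rather than the 2014 form shown above, and it uses `inventory_hostname` throughout, whereas the dovecot recipe in the thread mixes `inventory_hostname_short` and `inventory_hostname`, which is worth checking if the two paths are expected to point at the same files.

```yaml
# ssl-certificates/tasks/main.yml  (added example; ssl_cert_dir and ssl_chain_file are assumed names)
#
# Assumed per-host settings, e.g. in host_vars/imap.example.org.yml (constructed, not from the thread):
#   ssl_cert_dir: /usr/local/etc/ssl
#   ssl_chain_file: CA/StartSSL/ca.pem      # only defined on hosts that need server.pem
---
- name: Install host certificate and private key
  copy:
    src: "{{ item.src }}"
    dest: "{{ ssl_cert_dir }}/"
    owner: root
    group: www
    mode: "{{ item.mode }}"
    backup: yes
  loop:
    - { src: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.crt",            mode: "0644" }
    - { src: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.nopassword.key", mode: "0600" }

# Build the chained file on the control node: leaf certificate first, then the intermediate.
# lookup('file', ...) reads from the role's files/ directory and strips the trailing newline,
# so a newline is inserted between the two PEM blocks explicitly.
- name: Build server.pem (host cert followed by intermediate) for services that want a chained file
  copy:
    content: >-
      {{ lookup('file', 'hosts/' ~ inventory_hostname ~ '/' ~ inventory_hostname ~ '.crt') }}

      {{ lookup('file', ssl_chain_file) }}
    dest: "{{ ssl_cert_dir }}/server.pem"
    owner: root
    group: www
    mode: "0644"
  when: ssl_chain_file is defined

# Catch a mismatched cert/key pair before the service reloads with it.
# Compares the public key embedded in the certificate with the public key derived from the
# private key; written without bash process substitution so it runs on FreeBSD /bin/sh.
- name: Check that the installed private key matches the installed certificate
  shell: >
    test "$(openssl x509 -in {{ ssl_cert_dir }}/{{ inventory_hostname }}.crt -noout -pubkey | openssl md5)" =
         "$(openssl pkey -in {{ ssl_cert_dir }}/{{ inventory_hostname }}.nopassword.key -pubout | openssl md5)"
  changed_when: false
```

With this, the web servers and the IMAP server share one role; the only per-host difference is whether `ssl_chain_file` is set, and the dovecot role can then point `ssl_cert` at `server.pem` without carrying its own copy of the cert tasks. The check task fails the play on the host where the key and cert disagree, which is the case the `backup=yes` copies would otherwise let you discover only after a restart.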


To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c6cf4b4d-53e4-43be-98d0-d59ff33bd8f1%40googlegroups.com.