Unrelated, but here might be a possible tip to make a cleaner playbook:

vars:
  cert_path: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.crt"
  key_path: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.nopassword.key"
  certs:
    - path: "{{ cert_path }}"
      mode: '644'
    - path: "{{ key_path }}"
      mode: '600'

tasks:

  - name: certs
    copy: src={{ item.path }} dest=/usr/local/etc/ssl/ owner=root group=www mode={{ item.mode }} backup=yes
    with_items: "{{ certs }}"

I would tend to suggest your cert setup for dovecot to be in the dovecot
role though, and other apps in their own.
That way if something decides to get split out later, it's a little bit
more organized.

My two cents -- but there may be some reasons for organizing it differently.


On Sun, Sep 28, 2014 at 3:01 PM, Dan Langille <[email protected]> wrote:

> At present, I have two tasks:
>
> This one installs ssl certs for the host in question:
>
>
> ssl-certificates/tasks/main.yml
> ---
>   - name: certs
>     copy: src={{item.file}} dest=/usr/local/etc/ssl/ owner=root group=www mode={{item.chmod}} backup=yes
>     with_items:
>       - { file: 'hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.crt',            chmod: '644' }
>       - { file: 'hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.nopassword.key', chmod: '600' }
>
>
> This one is specific to dovecot, the IMAP server:
>
> dovecot/tasks/main.yml
> ---
>   - name: certs
>     copy: src={{item.file}} dest=/usr/local/etc/ssl/ owner=root group=www mode={{item.chmod}} backup=yes
>     with_items:
>       - { file: 'CA/StartSSL/ca.pem',                                                      chmod: '644' }
>       - { file: 'hosts/{{ inventory_hostname_short }}/server.pem',                         chmod: '644' }
>       - { file: 'hosts/{{ inventory_hostname_short }}/{{ inventory_hostname }}.nopassword.key', chmod: '600' }
>
> The key difference is dovecot takes a server.pem file (i.e. the usual host
> cert with the intermediate cert concatenated to it), hence the different
> recipes.
>
> I had wanted to keep all the ssl certs in one place (i.e.
> ssl-certificates/files/....) but the different requirements
> of dovecot and others are keeping that goal elusive.
>
> Mind you, I have multiple web servers which use the ssl-certificates role,
> and just one imap server.
>
> I think I'll just keep them separate unless there's an interesting but
> simple solution.
>
> Thanks.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/c6cf4b4d-53e4-43be-98d0-d59ff33bd8f1%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/c6cf4b4d-53e4-43be-98d0-d59ff33bd8f1%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
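An added example, not code from either message in this thread, showing one way to keep the "interesting but simple" goal of a single ssl-certificates role: every destination is a list of source parts concatenated in order, so the web servers' plain host cert is a one-part bundle and dovecot's server.pem (host cert plus intermediate) is a two-part bundle from the same task. The intermediate CA file name and the `imap` group name are assumptions; the host cert, key, StartSSL ca.pem and destination paths are the ones from the thread.

```yaml
---
# Added example (not from the thread). One task installs every bundle a host
# needs; which bundles it gets depends on its inventory group. Paths under
# files/ and the intermediate CA file name are assumed.
- hosts: all
  vars:
    ssl_dir: /usr/local/etc/ssl
    ssl_owner: root
    ssl_group: www
    host_cert: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.crt"
    host_key: "hosts/{{ inventory_hostname }}/{{ inventory_hostname }}.nopassword.key"
    intermediate_ca: "CA/StartSSL/sub.class1.server.ca.pem"   # assumed file name
    # bundles every host gets (the web servers' case)
    ssl_bundles:
      - { name: "{{ inventory_hostname }}.crt",            parts: ["{{ host_cert }}"], mode: "0644" }
      - { name: "{{ inventory_hostname }}.nopassword.key", parts: ["{{ host_key }}"],  mode: "0600" }
    # extra bundles only the IMAP server gets; server.pem is built here
    # instead of being kept as a second copy of the host cert in files/
    dovecot_bundles:
      - { name: ca.pem,     parts: ["CA/StartSSL/ca.pem"],                     mode: "0644" }
      - { name: server.pem, parts: ["{{ host_cert }}", "{{ intermediate_ca }}"], mode: "0644" }
  tasks:
    - name: install certificate bundles
      copy:
        # Concatenate the parts in order. The file lookup strips each part's
        # trailing newline, so one is put back between the PEM blocks.
        content: |
          {% for part in item.parts %}{{ lookup('file', part) }}
          {% endfor %}
        dest: "{{ ssl_dir }}/{{ item.name }}"
        owner: "{{ ssl_owner }}"
        group: "{{ ssl_group }}"
        mode: "{{ item.mode }}"
        backup: yes
      # 'imap' is an assumed inventory group name for the dovecot host
      with_items: "{{ ssl_bundles + (dovecot_bundles if 'imap' in group_names else []) }}"
      # the private key is rendered through 'content', so keep it out of
      # task output and --diff; drop this line while debugging
      no_log: yes
```

The key keeps mode 0600 and is owned by root, so the www group still cannot read it; only the concatenated public material is group-readable.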
