New vagrant-based development environment

.gitignore

@@ -1 +1,2 @@
-vars/user.yml
+.vagrant
+vagrant_ansible_inventory_default

Vagrantfile

@@ -2,43 +2,28 @@
 # https://github.com/mitchellh/vagrant/blob/master/CHANGELOG.md#130-september-5-2013
 
 Vagrant.configure('2') do |config|
-  config.vm.provider :lxc do |lxc, override|
-    override.vm.box     = 'precise64'
-    override.vm.box_url = 'http://bit.ly/vagrant-lxc-precise64-2013-05-08'
-  end
 
   config.vm.provider :virtualbox do |vbox, override|
-    override.vm.box     = 'precise64'
-    override.vm.box_url = 'http://files.vagrantup.com/precise64.box'
+    override.vm.box = 'wheezy64'
+    override.vm.box_url = 'https://sovereign.lukecyca.com/vagrant/wheezy64.box'
+    vbox.customize ["modifyvm", :id, "--memory", 512]
   end
 
-  boxes = [
-    {
-      :name => 'ansible.local',
-      :forwards => { 22  => 22222,
-                     80  => 80,
-                     25  => 25,
-                     143 => 143,
-                     465 => 465,
-                     993 => 993 }
-    }
-  ]
-
-  boxes.each do |opts|
-    config.vm.hostname = opts[:name]
-
-    opts[:forwards].each do |guest_port, host_port|
-      config.vm.network :forwarded_port, :guest => guest_port, :host => host_port
-    end
-
-    config.vm.provision :shell,
-                        :inline => 'if [ ! -e /root/apt.updated ]; then apt-get update && touch /root/apt.updated ; fi; apt-get install -y python-apt'
-
-    config.vm.provision :ansible do |ansible|
-      ansible.playbook = 'site.yml'
-    end
-
-    config.vm.provision :shell,
-                        :inline => "echo [test] > /vagrant/hosts.autogen && ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d: -f2 >> /vagrant/hosts.autogen"
+  config.vm.hostname = 'sovereign.local'
+
+  config.vm.network "private_network", ip: "172.16.100.2"
+
+  config.vm.provision :ansible do |ansible|
+    ansible.playbook = 'site.yml'
+    ansible.host_key_checking = false
+
+    # ansible.tags = ['blog']
+    ansible.skip_tags = ['openvpn']
+    # ansible.verbose = 'vvvv'
+
+    # Workaround: https://github.com/mitchellh/vagrant/issues/2174
+    extra_vars = { ansible_ssh_user: 'vagrant', testing: true}
+    ansible.raw_arguments = "--extra-vars=" + extra_vars.map { |k,v| "#{k}=#{v}" }.join(" ")
   end
+
 end

roles/common/files/wildcard_ca.pem

@@ -1,6 +1,20 @@
 -----BEGIN CERTIFICATE-----
-TODO
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-TODO
+MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
+VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
+OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
+b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
+BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
+6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
+yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
+C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
+yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
+xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
+AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
+9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
+AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
+aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
+Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
++0vEpa88MmGGUdXZ4NWI2IYe
 -----END CERTIFICATE-----

roles/common/files/wildcard_private.key

@@ -1,3 +1,27 @@
------BEGIN PRIVATE KEY-----
-TODO
------END PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPob
+ueyI6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4s
+CKrIyw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iap
+ngrrC6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx
+3oY6yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1
+BnmSxdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABAoIBADm/oYAavJ2nif+H
+CNgqDqDhW6CPegqenwbBaihAUzK00CdOM8mmMgt2SdFe3xvGqDssRpwtu3bEROnY
+r3WHreEIQ0gdc8MQhnvat32cLkWk+0MtQUeEpnJ0bzeRJOJEPxs+btu+1wIQvmFy
+uVOWqOq1a6xmwdemcfl0hRwFsdvO00MefOWgJpmBGBTBKuvhg1rUPP8xkHlD98ga
++vpxG0vS5d2vHKa5FxcbbMaV9kxqjsc1Sm79zWlomwdmE5u0dUIIfNV1+VOmPqW2
+tjeD+JDieyX3uOKFpRTk7/5rOJd5hzHukIeUpl0n9mC/mY8lvoFAttszeTEwjkv0
+EhRBjaECgYEA3Rz8AoWJLDC63wfz3mUhtXzFxrxok85cNT35ohT9btnKyLKykvAE
+BCfHeYg8cwFFv0oUXpK9HWOqoJhsYN79+WYA1QE9n0XXAGl1K1/FlKsoAH3h5GAf
+CHGLsq6rEY3ixBmqEiKCWjNXgKeoMg9V/gjTNudWYqLvcsgMoD9vJbkCgYEAyiGi
+QZUa7pGFSa3+kPJo9wx6FylsAVnBluQETZpPdXSB43cTnfUlGj50OHAwFKwD4MP1
+Z+3mTW3+iedpEo3BWs47onanI9DSe6XcUUMXreP+aStJYOkQ3Sl5wr5A61NFF/yr
++bdKEzXNXB5My5hbFLuSUtsXNVmVr6B7pz2wyfsCgYEAiXKyCVM/IPQtxeSoqM+O
+88VbIB4QmAjIcuRSoHmRzO2fy8ChlwuSQ48Cxb51bTwWQkHnhZ6L5pAFCg2WGWWk
+1Pqee8popvCAJSZpCoxfQvpeRGf8Gr3RrKsAnxNLDf94PlSBzwIaq72MoFIYEP5N
+gzuzKEcIAQqt9Fj82ER2cCkCgYEAnaEFC+ffjNRnAUJzF04zlRVh0NY4qAT691Ty
+FiKUfKBS+rRN1Azs1j6GG81BcZ2DmLC4nEfmJdP1gE26nwF1G/9geh3V0hRzUIHU
+Ansz6CO4rwNWwgB/ajmB/uCnd90EMOSWqLLLTZfTglcOxGcYAF8WiQ7aVnx6Qu//
+/jgZuikCgYB10Gf8Wl/TcWVBTwbDbA50VqZpUWXkcF+oo/w4FfI2f74TEQVkIs9m
+4SVhrtSAz3z2tuBEDB8SM2Uwe00/JSrbuOTvGcVTq64LDgH5fL38Hw8+7IvAZEOx
+26mAS685K1pq0HvvCuwzSIAjpo55tso3phG/YxC+DD11DglhL1SpBA==
+-----END RSA PRIVATE KEY-----

roles/common/files/wildcard_public_cert.crt

@@ -1,3 +1,20 @@
 -----BEGIN CERTIFICATE-----
-TODO
+MIIDPjCCAiYCCQDcHVzv6JwhEzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJB
+VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMRowGAYDVQQDFBEqLnNvdmVyZWlnbi5sb2NhbDAeFw0xMzExMDIx
+OTI4NDlaFw0xNDExMDIxOTI4NDlaMGExCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpT
+b21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAY
+BgNVBAMUESouc292ZXJlaWduLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEArpXru3ZQKl+OVlBar2yziN5ZiVSbt6QYuJtTUmMAfAtGsPobueyI
+6XLG6QcFNCWNqUd3fa15GPYluFA5Ot7bPAoo3UQXJvM9n/tQ2YWPjPgxaV4sCKrI
+yw7UF+f2NwtUVdj1wHB0x7bh9asNv+ZDC5O2ze8dn09CS7Puh13bsVFm1iapngrr
+C6ctethJF67A/mRa7UzqHzesAznkgaWfhDLyygNX0PzI5ywVAKbgvxUWndPx3oY6
+yx5jrfk+opMUUnDu9AqhthTPaKK1s3JXJBOW2R/rlgYokfO7VBDkRv/ty3B1BnmS
+xdOV/01f5JJdgfLlR6PNd2FMmMoCesg9YwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
+AQAX5KZYIYcMuHRdsd/EKwee+pzp0irs1dqbNwYJIj3HS8Zx/qd+LET4irQbY72N
+9Z2s0UTSngy4axlyItKrn+k26FUnSW80W8GMb/dEIyKg5Vnu+zLKnKj85dGUBSAP
+AzhNyqkwiY5BFFy/tvuFBvjxle9vkBNZrmtsh/PktzaW3BNrYaE9xDMYesT9xi73
+aKFMIryVZWzZKmMaJhcMcMarWzAvLftV+0VfJV3EWtzpEbjEu3mIsoBZvD0uGqbU
+Llt1yeYyBrcdIbDQZgeRHhrJjC8yx0iqvj5WmnEp8hk6YtqdwGGTJxkpUtxFT/dO
++0vEpa88MmGGUdXZ4NWI2IYe
 -----END CERTIFICATE-----

site.yml

@@ -7,7 +7,7 @@
   gather_facts: True
   vars_files:
     - vars/defaults.yml
-    - vars/user.yml
+    - vars/{{ 'testing' if testing else 'user' }}.yml
 
   roles:
     - common

tests.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# use timeout or gtimeout
+export TIMEOUT="timeout"
+if [ -z `which timeout` ]; then
+    export TIMEOUT="gtimeout"
+fi
+
+SUITE_RET=0
+
+runtest() {
+  NAME=$1
+  OUTPUT=`$TIMEOUT -k 1 5 bash -c "$2" 2>&1`
+  RET="$?"
+  if [ $RET -eq 0 ]; then
+    printf "$NAME: \e[00;32mPASSED\e[00m\n"
+  elif [ $RET -eq 124 ]; then
+    printf "$NAME: \e[00;31mTIMEOUT\e[00m\n"
+    SUITE_RET=1
+  else
+    printf "$NAME: \e[00;31mFAILED\e[00m\n"
+    echo "$OUTPUT"
+    SUITE_RET=1
+  fi
+}
+
+
+
+# SSH
+runtest test_ssh "nc -w1 172.16.100.2 22 | grep '^SSH'"
+
+# SMTP
+runtest test_smtp "echo 'quit' | nc -w1 172.16.100.2 25 | grep 'ESMTP Postfix'"
+runtest test_smtps "echo '' | openssl s_client -connect 172.16.100.2:465 | grep 'TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'"
+runtest test_smtp_tls "echo '' | openssl s_client -connect 172.16.100.2:25 -starttls smtp | grep 'TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'"
+
+# IMAP
+runtest test_imaps "echo '' | openssl s_client -connect 172.16.100.2:993 | grep 'TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'"
+
+# HTTP/S
+runtest test_http "echo 'GET /' | nc -w1 172.16.100.2 80 | grep 'It works!'"
+runtest test_https "echo '' | openssl s_client -connect 172.16.100.2:443 | grep 'TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'"
+runtest test_blog_redirect "curl 172.16.100.2:80 -H 'Host: sovereign.local' -v | grep '301 Moved Permanently'"
+
+# The blog will give 403 because it is an empty directory
+runtest test_blog "curl https://172.16.100.2:443/ -H 'Host: sovereign.local' -v --insecure | grep '403 Forbidden'"
+
+# Other web sites
+runtest test_roundcube "curl https://172.16.100.2:443/ -H 'Host: mail.sovereign.local' -v --insecure | grep 'Welcome to Roundcube Webmail'"
+runtest test_owncloud "curl https://172.16.100.2:443/ -H 'Host: cloud.sovereign.local' -v --insecure | grep 'ownCloud'"
+
+# ZNC
+runtest test_znc "echo '' | openssl s_client -connect 172.16.100.2:6697 | grep 'TLSv1/SSLv3, Cipher is AES256-SHA'"
+
+exit $SUITE_RET

vars/testing.yml

@@ -0,0 +1,52 @@
+---
+###############################################################################
+# Variables used when testing with Vagrant
+# For a complete reference look at the `vars/defaults.yml` file.
+###############################################################################
+
+# common
+domain: sovereign.local
+main_user_name: sovereign
+encfs_password: testPassword
+
+# ircbouncer
+irc_nick: sovereign
+irc_ident: sovereign
+irc_realname: Mr. Sovereign
+irc_quitmsg: Bye
+irc_password_hash: "sha256#4bfc209c5e19874337fd89c80675ad194836efea5efd4189b7f73cd9e0a6094f#,i*Msa0B;w9yR23nm1ZB#" #foo
+
+# mailserver
+mail_mysql_password: testPassword
+mail_virtual_domains:
+  - name: "{{ domain }}"
+    pk_id: 1
+    primary_user: "{{ main_user_name }}"
+mail_virtual_users:
+  - address: "{{ main_user_name }}@{{ domain }}"
+    password_hash: "$6$.f8oDqN1cDE/$Iyk8.scbwZCxw5pf9Flcvu.VYk9Jk77y/UaM0DyIcw9wouNqifXr3xV1fQPPNgBIM3BEEabAxePtC5Y/iX5vH1" #foo
+    domain_pk_id: 1
+mail_virtual_aliases:
+  - source: "root@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+  - source: "postmaster@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+  - source: "webmaster@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+
+# owncloud
+owncloud_mysql_password: testPassword
+
+# vpn
+openvpn_key_country:  "US"
+openvpn_key_province: "California"
+openvpn_key_city: "Beverly Hills"
+openvpn_key_org: "ACME CORPORATION"
+openvpn_key_ou: "Anvil Department"
+openvpn_clients:
+  - laptop
+  - phone
+  - tablet