current state

7 vuotta sitten · 7a8a5982c0
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,15 +1,16 @@
 certificate_name: "{{ certificate_common_name | regex_replace(' ', '_') }}"
 certificate_file: "{{ certificate_directory }}/{{ certificate_name }}.cert.pem"
 certificate_file: "{{ certificate_directory }}/certs/{{ certificate_name }}.cert.pem"

 certificate_private_key_file: "{{ certificate_private_directory }}/{{ certificate_name }}.key.pem"
 certificate_private_key_file: "{{ certificate_directory }}/private/{{ certificate_name }}.key.pem"
 certificate_private_key_size: 4096

 certificate_signing_request_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.pem"
 certificate_signing_request_config_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.cnf"
 certificate_signing_request_file: "{{ certificate_directory }}/csr/{{ certificate_name }}.csr.pem"
 certificate_signing_request_config_file: "{{ certificate_directory }}/cnf/{{ certificate_name }}.csr.cnf"

 certificate_authority: false
 certificate_key_usage:
  - digitalSignature
  - keyEncipherment
 #certificate_extended_key_usage:

 # certificate_key_usage:
 #   - digitalSignature
 #   - keyEncipherment
 # certificate_extended_key_usage:
 #  - serverAuth
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
 ---

 - name: stat certificate
  stat:
    path: "{{ certificate_file }}"
  register: _certificate_stat
  listen: certificate changed
--- a/tasks/csr.yml
+++ b/tasks/csr.yml
@@ -23,6 +23,6 @@
  changed_when: false
  register: _certificate_signing_request_info

 - name: certificate signing request debug
  debug:
    msg: "{{ _certificate_signing_request_info.stdout_lines }}"
 # - name: certificate signing request debug
 #   debug:
 #     msg: "{{ _certificate_signing_request_info.stdout_lines }}"
--- a/tasks/directory.yml
+++ b/tasks/directory.yml
@@ -0,0 +1,22 @@
 ---

 - name: directory
  file:
    path: "{{ certificate_directory }}"
    state: directory

 - name: subdirectories
  file:
    path: "{{ certificate_directory }}/{{item}}"
    state: directory
  with_items:
    - certs
    - csr
    - cnf
    - private

 - name: private directory
  file:
    path: "{{ certificate_authority_directory }}/private"
    mode: 0700
    state: directory
--- a/tasks/key.yml
+++ b/tasks/key.yml
@@ -9,3 +9,4 @@
    creates: "{{ certificate_private_key_file }}"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
  notify: certificate changed
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,8 @@
 ---

 - include: directory.yml
  when: certificate_directory is defined

 - name: setup
  include: setup_{{ansible_os_family}}.yml

--- a/tasks/provider-ca.yml
+++ b/tasks/provider-ca.yml
@@ -0,0 +1,49 @@
 ---

 - include: key.yml
 - include: csr.yml

 - name: certificate host_files directory
  local_action: file
  args:
    path: host_files/{{inventory_hostname}}/certificate
    state: directory

 - name: fetch certificate signing request
  fetch:
    src: "{{ certificate_signing_request_file }}"
    dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
    flat: yes
    fail_on_missing: yes

 - name: copy certificate signing request
  copy:
    src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
    dest: "{{ certificate_authority_directory }}/csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem"
  delegate_to: "{{ certificate_authority_host }}"

 - name: sign certificate with ca
  command: openssl ca -selfsign -batch -notext
    -config cnf/ca.cnf
    -in csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem
    -out certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem
    {{ certificate_authority_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
  args:
    chdir: "{{ certificate_authority_directory }}"
    creates: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_authority_private_key_password | default('') }}"
  delegate_to: "{{ certificate_authority_host }}"

 - name: fetch certificate
  fetch:
    src: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
    dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
    flat: yes
    fail_on_missing: yes
  delegate_to: "{{ certificate_authority_host }}"

 - name: copy certificate
  copy:
    src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
    dest: "{{ certificate_file }}"
--- a/tasks/provider-letsencrypt.yml
+++ b/tasks/provider-letsencrypt.yml
@@ -0,0 +1 @@
 ---
--- a/tasks/provider-selfsigned.yml
+++ b/tasks/provider-selfsigned.yml
@@ -15,3 +15,4 @@
    creates: "{{ certificate_file }}"
  environment:
    PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
  notify: certificate changed
--- a/templates/certificate_extensions.cnf.j2
+++ b/templates/certificate_extensions.cnf.j2
@@ -3,7 +3,9 @@
 [certificate_extensions]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = critical, {{ certificate_basic_constraints | join(', ') }}
 {% if certificate_key_usage is defined %}
 keyUsage = critical, {{ certificate_key_usage | join(', ') }}
 {% endif %}
 {% if certificate_extended_key_usage is defined  and  certificate_extended_key_usage %}
 extendedKeyUsage=critical, {{ certificate_extended_key_usage | join(', ') }}
 {% endif %}
--- a/templates/csr.cnf.j2
+++ b/templates/csr.cnf.j2
@@ -18,7 +18,7 @@ L = {{certificate_locality}}
 {% if certificate_organization is defined%}
 O = {{certificate_organization}}
 {% endif %}
 {% if certificate_organizational_unit is defined%}/OU=
 {% if certificate_organizational_unit is defined%}
 OU = {{certificate_organizational_unit}}
 {% endif %}
 CN = {{certificate_common_name}}