Ver código fonte

current state

master
pai
commit
7a8a5982c0
11 arquivos alterados com 99 adições e 12 exclusões
  1. +9
    -8
      defaults/main.yml
  2. +7
    -0
      handlers/main.yml
  3. +3
    -3
      tasks/csr.yml
  4. +22
    -0
      tasks/directory.yml
  5. +1
    -0
      tasks/key.yml
  6. +3
    -0
      tasks/main.yml
  7. +49
    -0
      tasks/provider-ca.yml
  8. +1
    -0
      tasks/provider-letsencrypt.yml
  9. +1
    -0
      tasks/provider-selfsigned.yml
  10. +2
    -0
      templates/certificate_extensions.cnf.j2
  11. +1
    -1
      templates/csr.cnf.j2

+ 9
- 8
defaults/main.yml Ver arquivo

@@ -1,15 +1,16 @@
certificate_name: "{{ certificate_common_name | regex_replace(' ', '_') }}"
certificate_file: "{{ certificate_directory }}/{{ certificate_name }}.cert.pem"
certificate_file: "{{ certificate_directory }}/certs/{{ certificate_name }}.cert.pem"

certificate_private_key_file: "{{ certificate_private_directory }}/{{ certificate_name }}.key.pem"
certificate_private_key_file: "{{ certificate_directory }}/private/{{ certificate_name }}.key.pem"
certificate_private_key_size: 4096

certificate_signing_request_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.pem"
certificate_signing_request_config_file: "{{ certificate_directory }}/{{ certificate_name }}.csr.cnf"
certificate_signing_request_file: "{{ certificate_directory }}/csr/{{ certificate_name }}.csr.pem"
certificate_signing_request_config_file: "{{ certificate_directory }}/cnf/{{ certificate_name }}.csr.cnf"

certificate_authority: false
certificate_key_usage:
- digitalSignature
- keyEncipherment
#certificate_extended_key_usage:

# certificate_key_usage:
# - digitalSignature
# - keyEncipherment
# certificate_extended_key_usage:
# - serverAuth

+ 7
- 0
handlers/main.yml Ver arquivo

@@ -0,0 +1,7 @@
---

- name: stat certificate
stat:
path: "{{ certificate_file }}"
register: _certificate_stat
listen: certificate changed

+ 3
- 3
tasks/csr.yml Ver arquivo

@@ -23,6 +23,6 @@
changed_when: false
register: _certificate_signing_request_info

- name: certificate signing request debug
debug:
msg: "{{ _certificate_signing_request_info.stdout_lines }}"
# - name: certificate signing request debug
# debug:
# msg: "{{ _certificate_signing_request_info.stdout_lines }}"

+ 22
- 0
tasks/directory.yml Ver arquivo

@@ -0,0 +1,22 @@
---

- name: directory
file:
path: "{{ certificate_directory }}"
state: directory

- name: subdirectories
file:
path: "{{ certificate_directory }}/{{item}}"
state: directory
with_items:
- certs
- csr
- cnf
- private

- name: private directory
file:
path: "{{ certificate_authority_directory }}/private"
mode: 0700
state: directory

+ 1
- 0
tasks/key.yml Ver arquivo

@@ -9,3 +9,4 @@
creates: "{{ certificate_private_key_file }}"
environment:
PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
notify: certificate changed

+ 3
- 0
tasks/main.yml Ver arquivo

@@ -1,5 +1,8 @@
---

- include: directory.yml
when: certificate_directory is defined

- name: setup
include: setup_{{ansible_os_family}}.yml



+ 49
- 0
tasks/provider-ca.yml Ver arquivo

@@ -0,0 +1,49 @@
---

- include: key.yml
- include: csr.yml

- name: certificate host_files directory
local_action: file
args:
path: host_files/{{inventory_hostname}}/certificate
state: directory

- name: fetch certificate signing request
fetch:
src: "{{ certificate_signing_request_file }}"
dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
flat: yes
fail_on_missing: yes

- name: copy certificate signing request
copy:
src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.csr.pem
dest: "{{ certificate_authority_directory }}/csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem"
delegate_to: "{{ certificate_authority_host }}"

- name: sign certificate with ca
command: openssl ca -selfsign -batch -notext
-config cnf/ca.cnf
-in csr/{{inventory_hostname}}-{{certificate_name}}.csr.pem
-out certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem
{{ certificate_authority_private_key_password is defined | ternary('-passin env:PRIVATE_KEY_PASSWORD','') }}
args:
chdir: "{{ certificate_authority_directory }}"
creates: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
environment:
PRIVATE_KEY_PASSWORD: "{{ certificate_authority_private_key_password | default('') }}"
delegate_to: "{{ certificate_authority_host }}"

- name: fetch certificate
fetch:
src: "{{ certificate_authority_directory }}/certs/{{inventory_hostname}}-{{certificate_name}}.cert.pem"
dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
flat: yes
fail_on_missing: yes
delegate_to: "{{ certificate_authority_host }}"

- name: copy certificate
copy:
src: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
dest: "{{ certificate_file }}"

+ 1
- 0
tasks/provider-letsencrypt.yml Ver arquivo

@@ -0,0 +1 @@
---

+ 1
- 0
tasks/provider-selfsigned.yml Ver arquivo

@@ -15,3 +15,4 @@
creates: "{{ certificate_file }}"
environment:
PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
notify: certificate changed

+ 2
- 0
templates/certificate_extensions.cnf.j2 Ver arquivo

@@ -3,7 +3,9 @@
[certificate_extensions]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = critical, {{ certificate_basic_constraints | join(', ') }}
{% if certificate_key_usage is defined %}
keyUsage = critical, {{ certificate_key_usage | join(', ') }}
{% endif %}
{% if certificate_extended_key_usage is defined and certificate_extended_key_usage %}
extendedKeyUsage=critical, {{ certificate_extended_key_usage | join(', ') }}
{% endif %}


+ 1
- 1
templates/csr.cnf.j2 Ver arquivo

@@ -18,7 +18,7 @@ L = {{certificate_locality}}
{% if certificate_organization is defined%}
O = {{certificate_organization}}
{% endif %}
{% if certificate_organizational_unit is defined%}/OU=
{% if certificate_organizational_unit is defined%}
OU = {{certificate_organizational_unit}}
{% endif %}
CN = {{certificate_common_name}}


Carregando…
Cancelar
Salvar