authorChristian Pointner <equinox@spreadspace.org>2023-12-20 00:12:57 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-12-20 00:12:57 +0100
commite004236b4cfa9735cc898ea372dcb99c199dd4b4 (patch)
tree497e1e3dcbb7a223f2e5aaa9b5800319c03dd5d1
parentadd mosquitto role (WIP) (diff)
rename: x509/ownca to x509/static-ca
-rw-r--r--dan/sk-testvm.yml10
-rw-r--r--inventory/host_vars/ch-mon.yml2
-rw-r--r--inventory/host_vars/sk-testvm.yml10
-rw-r--r--roles/x509/ownca/cert/meta/main.yml4
-rw-r--r--roles/x509/ownca/cert/prepare/tasks/main.yml105
-rw-r--r--roles/x509/static-ca/base/tasks/main.yml (renamed from roles/x509/ownca/base/tasks/main.yml)0
-rw-r--r--roles/x509/static-ca/cert/finalize/tasks/main.yml (renamed from roles/x509/ownca/cert/finalize/tasks/main.yml)0
-rw-r--r--roles/x509/static-ca/cert/meta/main.yml4
-rw-r--r--roles/x509/static-ca/cert/prepare/defaults/main.yml (renamed from roles/x509/ownca/cert/prepare/defaults/main.yml)14
-rw-r--r--roles/x509/static-ca/cert/prepare/handlers/main.yml (renamed from roles/x509/ownca/cert/prepare/handlers/main.yml)0
-rw-r--r--roles/x509/static-ca/cert/prepare/tasks/main.yml105
-rw-r--r--roles/x509/static-ca/cert/prepare/templates/updated.sh.j2 (renamed from roles/x509/ownca/cert/prepare/templates/updated.sh.j2)0
-rwxr-xr-xroles/x509/static-ca/contrib/gen-ca.py (renamed from roles/x509/ownca/contrib/gen-ca.py)0
13 files changed, 127 insertions, 127 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
index 88af0dc5..bf7c41dd 100644
--- a/dan/sk-testvm.yml
+++ b/dan/sk-testvm.yml
@@ -13,10 +13,10 @@
vars:
acme_client: uacme
# acme_client: acmetool
- cert_provider: "{{ acme_client }}"
+ # cert_provider: "{{ acme_client }}"
# cert_provider: static
# cert_provider: selfsigned
- # cert_provider: ownca
+ cert_provider: static-ca
roles:
- role: apt-repo/spreadspace
- role: kubernetes/base
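Review bot: The provider-to-variable mapping `cert_provider | replace('-','_')` is repeated in the three `certificate_config` lookups of this file (the hunks at @@ -32, @@ -46 and @@ -62), so any further provider name containing a character that is not valid in a variable name needs three coordinated edits. Since the `vars:` block in this hunk already defines `cert_provider`, a single derived variable, `cert_provider_var: "{{ cert_provider | replace('-', '_') }}"`, would let each lookup read `lookup('vars', cert_provider_var + '_cert_config__default', default={})`. Note also that `default={}` hides a mismatch between the provider name and the config variable: had the replace been forgotten for `static-ca`, the lookup would quietly return an empty config and the failure would only surface inside the role at `static_ca_cert_config.ca.cert_content`. The enclosing play definition starts before this hunk.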
@@ -32,7 +32,7 @@
template: generic
tls:
certificate_provider: "{{ cert_provider }}"
- certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__default', default={}) }}"
+ certificate_config: "{{ lookup('vars', (cert_provider | replace('-','_'))+'_cert_config__default', default={}) }}"
hsts: no
hostnames:
- testvm.elev8.at
@@ -46,7 +46,7 @@
template: generic
tls:
certificate_provider: "{{ cert_provider }}"
- certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}"
+ certificate_config: "{{ lookup('vars', (cert_provider | replace('-','_'))+'_cert_config__test', default={}) }}"
hsts: no
hostnames:
- login.spreadspace.org
@@ -62,7 +62,7 @@
template: generic
tls:
certificate_provider: "{{ cert_provider }}"
- certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}"
+ certificate_config: "{{ lookup('vars', (cert_provider | replace('-','_'))+'_cert_config__test', default={}) }}"
hsts: no
hostnames:
- test.spreadspace.org
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index de6cc9be..4ede061a 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -263,7 +263,7 @@ monitoring_landingpage_hostnames:
- "mon.chaos-at-home.org"
monitoring_landingpage_title: "chaos@home Monitoring Host"
monitoring_landingpage_tls:
- certificate_provider: ownca
+ certificate_provider: static-ca
certificate_config:
mode: "0750"
owner: root
diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml
index 9a484968..12362457 100644
--- a/inventory/host_vars/sk-testvm.yml
+++ b/inventory/host_vars/sk-testvm.yml
@@ -412,7 +412,7 @@ selfsigned_cert_config__test:
-_ownca_cert_config__common: &ownca_cert_config__common
+_static_ca_cert_config__common: &static_ca_cert_config__common
ca:
key_content: |
-----BEGIN RSA PRIVATE KEY-----
@@ -497,8 +497,8 @@ _ownca_cert_config__common: &ownca_cert_config__common
VcNvbiSZ7MpW/SdanWVaAVxlZS9BAaPozU5V/Rg=
-----END CERTIFICATE-----
-ownca_cert_config__default:
- <<: *ownca_cert_config__common
+static_ca_cert_config__default:
+ <<: *static_ca_cert_config__common
cert:
organization_name: "elev8"
organizational_unit_name: "ansible"
@@ -512,8 +512,8 @@ ownca_cert_config__default:
create_subject_key_identifier: yes
not_after: +1000w
-ownca_cert_config__test:
- <<: *ownca_cert_config__common
+static_ca_cert_config__test:
+ <<: *static_ca_cert_config__common
cert:
organization_name: "spreadspace"
organizational_unit_name: "ansible"
diff --git a/roles/x509/ownca/cert/meta/main.yml b/roles/x509/ownca/cert/meta/main.yml
deleted file mode 100644
index 602ee3f8..00000000
--- a/roles/x509/ownca/cert/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
- - role: x509/ownca/cert/prepare
- - role: x509/ownca/cert/finalize
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
deleted file mode 100644
index 00d19c59..00000000
--- a/roles/x509/ownca/cert/prepare/tasks/main.yml
+++ /dev/null
@@ -1,105 +0,0 @@
----
-- name: compute path to ownca certificate directory
- set_fact:
- ownca_cert_path: "{{ ownca_cert_config.path | default([ownca_cert_base_dir, ownca_cert_name] | path_join) }}"
-
-- name: create directory for ownca certificate
- file:
- path: "{{ ownca_cert_path }}"
- state: directory
- mode: "{{ ownca_cert_config.mode | default('0700') }}"
- owner: "{{ ownca_cert_config.owner | default(omit) }}"
- group: "{{ ownca_cert_config.group | default(omit) }}"
- notify:
- - reload services for x509 certificates
- - restart services for x509 certificates
-
-- name: generate key for ownca certificate
- openssl_privatekey:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
- mode: "{{ ownca_cert_config.key.mode | default('0600') }}"
- owner: "{{ ownca_cert_config.key.owner | default(omit) }}"
- group: "{{ ownca_cert_config.key.group | default(omit) }}"
- type: "{{ ownca_cert_config.key.type | default(omit) }}"
- size: "{{ ownca_cert_config.key.size | default(omit) }}"
- notify:
- - reload services for x509 certificates
- - restart services for x509 certificates
- register: _ownca_key_
-
-- name: generate csr for ownca certificate
- community.crypto.openssl_csr:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem"
- mode: "{{ ownca_cert_config.cert.mode | default('0644') }}"
- owner: "{{ ownca_cert_config.cert.owner | default(omit) }}"
- group: "{{ ownca_cert_config.cert.group | default(omit) }}"
- privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
- create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
- digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
- common_name: "{{ ownca_cert_config.cert.common_name | default(ownca_cert_name) }}"
- subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | union(ownca_cert_config.cert.san_extra | default([])) | list }}"
- subject_alt_name_critical: yes
- use_common_name_for_san: no
- country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}"
- locality_name: "{{ ownca_cert_config.cert.locality_name | default(omit) }}"
- organization_name: "{{ ownca_cert_config.cert.organization_name | default(omit) }}"
- organizational_unit_name: "{{ ownca_cert_config.cert.organizational_unit_name | default(omit) }}"
- state_or_province_name: "{{ ownca_cert_config.cert.state_or_province_name | default(omit) }}"
- basic_constraints: "{{ ownca_cert_config.cert.basic_constraints | default(omit) }}"
- basic_constraints_critical: "{{ ownca_cert_config.cert.basic_constraints_critical | default(omit) }}"
- key_usage: "{{ ownca_cert_config.cert.key_usage | default(omit) }}"
- key_usage_critical: "{{ ownca_cert_config.cert.key_usage_critical | default(omit) }}"
- extended_key_usage: "{{ ownca_cert_config.cert.extended_key_usage | default(omit) }}"
- extended_key_usage_critical: "{{ ownca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
-
-- name: check if ownca certificate already exists
- stat:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- register: _ownca_cert_file_
-
-- name: check validity of existing ownca certificate
- when: _ownca_cert_file_.stat.exists
- openssl_certificate_info:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- valid_at:
- renew_margin: "{{ ownca_cert_config.cert.renew_margin | default(ownca_cert_default_renew_margin) }}"
- register: _ownca_cert_info_
-
-- name: generate ownca certificate
- community.crypto.x509_certificate:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- mode: "{{ ownca_cert_config.cert.mode | default('0644') }}"
- owner: "{{ ownca_cert_config.cert.owner | default(omit) }}"
- group: "{{ ownca_cert_config.cert.group | default(omit) }}"
- csr_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem"
- provider: ownca
- ownca_content: "{{ ownca_cert_config.ca.cert_content }}"
- ownca_privatekey_content: "{{ ownca_cert_config.ca.key_content }}"
- ownca_digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
- ownca_not_before: "{{ ownca_cert_config.cert.not_before | default(omit) }}"
- ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}"
- force: "{{ _ownca_cert_file_.stat.exists and (not _ownca_cert_info_.valid_at.renew_margin) }}"
- notify:
- - reload services for x509 certificates
- - restart services for x509 certificates
- register: _ownca_cert_
-
-- name: export paths to certificate files
- set_fact:
- x509_certificate_path_key: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
- x509_certificate_path_cert: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- x509_certificate_path_chain: ""
- x509_certificate_path_fullchain: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
-
-- name: generate custom post-renewal script
- when: x509_certificate_renewal is defined
- template:
- src: updated.sh.j2
- dest: "{{ ownca_cert_path }}/updated.sh"
- mode: 0755
-
-- name: call custom post-renewal script
- when:
- - x509_certificate_renewal is defined
- - (_ownca_key_ is changed) or (_ownca_cert_ is changed)
- command: "{{ ownca_cert_path }}/updated.sh"
diff --git a/roles/x509/ownca/base/tasks/main.yml b/roles/x509/static-ca/base/tasks/main.yml
index e91eda4a..e91eda4a 100644
--- a/roles/x509/ownca/base/tasks/main.yml
+++ b/roles/x509/static-ca/base/tasks/main.yml
diff --git a/roles/x509/ownca/cert/finalize/tasks/main.yml b/roles/x509/static-ca/cert/finalize/tasks/main.yml
index c5b6cafe..c5b6cafe 100644
--- a/roles/x509/ownca/cert/finalize/tasks/main.yml
+++ b/roles/x509/static-ca/cert/finalize/tasks/main.yml
diff --git a/roles/x509/static-ca/cert/meta/main.yml b/roles/x509/static-ca/cert/meta/main.yml
new file mode 100644
index 00000000..bfaf1153
--- /dev/null
+++ b/roles/x509/static-ca/cert/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: x509/static-ca/cert/prepare
+ - role: x509/static-ca/cert/finalize
diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/static-ca/cert/prepare/defaults/main.yml
index 30241273..5287cc93 100644
--- a/roles/x509/ownca/cert/prepare/defaults/main.yml
+++ b/roles/x509/static-ca/cert/prepare/defaults/main.yml
@@ -1,13 +1,13 @@
---
-ownca_cert_hostnames: "{{ x509_certificate_hostnames }}"
-ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }}"
+static_ca_cert_hostnames: "{{ x509_certificate_hostnames }}"
+static_ca_cert_name: "{{ x509_certificate_name | default(static_ca_cert_hostnames[0]) }}"
-ownca_cert_base_dir: "/etc/ssl"
+static_ca_cert_base_dir: "/etc/ssl"
-ownca_cert_default_renew_margin: "+30d"
-ownca_cert_config: "{{ x509_certificate_config }}"
-# ownca_cert_config:
-# path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}"
+static_ca_cert_default_renew_margin: "+30d"
+static_ca_cert_config: "{{ x509_certificate_config }}"
+# static_ca_cert_config:
+# path: "{{ static_ca_cert_base_dir }}/{{ static_ca_cert_name }}"
# mode: "0750"
# owner: root
# group: www-data
diff --git a/roles/x509/ownca/cert/prepare/handlers/main.yml b/roles/x509/static-ca/cert/prepare/handlers/main.yml
index 589d6dde..589d6dde 100644
--- a/roles/x509/ownca/cert/prepare/handlers/main.yml
+++ b/roles/x509/static-ca/cert/prepare/handlers/main.yml
diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..538bb58d
--- /dev/null
+++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml
@@ -0,0 +1,105 @@
+---
+- name: compute path to static-ca certificate directory
+ set_fact:
+ static_ca_cert_path: "{{ static_ca_cert_config.path | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}"
+
+- name: create directory for static-ca certificate
+ file:
+ path: "{{ static_ca_cert_path }}"
+ state: directory
+ mode: "{{ static_ca_cert_config.mode | default('0700') }}"
+ owner: "{{ static_ca_cert_config.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.group | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+
+- name: generate key for static-ca certificate
+ openssl_privatekey:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ mode: "{{ static_ca_cert_config.key.mode | default('0600') }}"
+ owner: "{{ static_ca_cert_config.key.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.key.group | default(omit) }}"
+ type: "{{ static_ca_cert_config.key.type | default(omit) }}"
+ size: "{{ static_ca_cert_config.key.size | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_key_
+
+- name: generate csr for static-ca certificate
+ community.crypto.openssl_csr:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
+ digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}"
+ subject_alt_name: "{{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join') | union(static_ca_cert_config.cert.san_extra | default([])) | list }}"
+ subject_alt_name_critical: yes
+ use_common_name_for_san: no
+ country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}"
+ locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}"
+ organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}"
+ organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
+ state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}"
+ basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}"
+ basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
+ key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}"
+ key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}"
+ extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
+ extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+
+- name: check if static-ca certificate already exists
+ stat:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ register: _static_ca_cert_file_
+
+- name: check validity of existing static-ca certificate
+ when: _static_ca_cert_file_.stat.exists
+ openssl_certificate_info:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ valid_at:
+ renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
+ register: _static_ca_cert_info_
+
+- name: generate static-ca certificate
+ community.crypto.x509_certificate:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ provider: ownca
+ ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
+ ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
+ ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
+ ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
+ force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_cert_
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ x509_certificate_path_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ x509_certificate_path_chain: ""
+ x509_certificate_path_fullchain: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+
+- name: generate custom post-renewal script
+ when: x509_certificate_renewal is defined
+ template:
+ src: updated.sh.j2
+ dest: "{{ static_ca_cert_path }}/updated.sh"
+ mode: 0755
+
+- name: call custom post-renewal script
+ when:
+ - x509_certificate_renewal is defined
+ - (_static_ca_key_ is changed) or (_static_ca_cert_ is changed)
+ command: "{{ static_ca_cert_path }}/updated.sh"
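Review bot: The `community.crypto.x509_certificate` task (`provider: ownca`) is not delegated, so the CA private key supplied via `ownca_privatekey_content` is transferred to, and used on, every managed host that runs this role; whether a "static" CA key is meant to leave the controller is worth stating in a comment above the task, e.g. `# NOTE: the CA signing key is sent to the target host; delegate the signing step if it must stay on the controller`. The `mode: 0755` in the post-renewal-script task is the only unquoted file mode in this file (the others use `"0700"`, `"0600"`, `"0644"`); `mode: "0755"` keeps it consistent and does not depend on YAML 1.1 leading-zero octal parsing. `subject_alt_name_critical: yes` and `use_common_name_for_san: no` would trip yamllint's truthy rule; `true`/`false` are the unambiguous spellings.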
diff --git a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2 b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
index f0757832..f0757832 100644
--- a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2
+++ b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
diff --git a/roles/x509/ownca/contrib/gen-ca.py b/roles/x509/static-ca/contrib/gen-ca.py
index 8f99da6c..8f99da6c 100755
--- a/roles/x509/ownca/contrib/gen-ca.py
+++ b/roles/x509/static-ca/contrib/gen-ca.py