x509: add new role managed-ca

9 files changed, 288 insertions, 0 deletions

diff --git a/roles/x509/managed-ca/base/tasks/main.yml b/roles/x509/managed-ca/base/tasks/main.yml
new file mode 100644
index 00000000..e91eda4a
--- /dev/null
+++ b/roles/x509/managed-ca/base/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: install needed packages
+  apt:
+    name: "{{ python_basename }}-cryptography"
+    state: present
diff --git a/roles/x509/managed-ca/ca/defaults/main.yml b/roles/x509/managed-ca/ca/defaults/main.yml
new file mode 100644
index 00000000..09d021d1
--- /dev/null
+++ b/roles/x509/managed-ca/ca/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+# managed_ca_authorities:
+#   foo:
+#     key:
+#       type: RSA
+#       size: 4096
+#     cert:
+#       common_name: foo CA
+#       country_name: "AT"
+#       locality_name: "Graz"
+#       organization_name: "spreadspace"
+#       organizational_unit_name: "ansible"
+#       state_or_province_name: "Styria"
+#       digest: sha256
+#       not_before: +0h
+#       not_after: +520w
diff --git a/roles/x509/managed-ca/ca/tasks/main.yml b/roles/x509/managed-ca/ca/tasks/main.yml
new file mode 100644
index 00000000..e675ad8c
--- /dev/null
+++ b/roles/x509/managed-ca/ca/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+- name: create mangaged-ca CA directories
+  loop: "{{ managed_ca_authorities | list }}"
+  file:
+    path: "/etc/ssl/managed-ca/{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: create managed-ca CA private keys
+  loop: "{{ managed_ca_authorities | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  openssl_privatekey:
+    path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+    type: "{{ item.value.key.type | default(omit) }}"
+    size: "{{ item.value.key.size | default(omit) }}"
+    owner: root
+    group: root
+    mode: 0600
+
+- name: create signing request for managed-ca CA certificates
+  loop: "{{ managed_ca_authorities | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  openssl_csr:
+    path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
+    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+    common_name: "{{ item.value.cert.common_name | default(item.key) }}"
+    use_common_name_for_san: no
+    country_name: "{{ item.value.cert.country_name | default(omit) }}"
+    locality_name: "{{ item.value.cert.locality_name | default(omit) }}"
+    organization_name: "{{ item.value.cert.organization_name | default(omit) }}"
+    organizational_unit_name: "{{ item.value.cert.organizational_unit_name | default(omit) }}"
+    state_or_province_name: "{{ item.value.cert.state_or_province_name | default(omit) }}"
+    key_usage:
+    - cRLSign
+    - keyCertSign
+    key_usage_critical: yes
+    basic_constraints:
+    - 'CA:TRUE'
+    - 'pathlen:0'
+    basic_constraints_critical: yes
+
+- name: create managed-ca CA certificates
+  loop: "{{ managed_ca_authorities | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  openssl_certificate:
+    path: "/etc/ssl/managed-ca/{{ item.key }}/crt.pem"
+    csr_path: "/etc/ssl/managed-ca/{{ item.key }}/csr.pem"
+    privatekey_path: "/etc/ssl/managed-ca/{{ item.key }}/key.pem"
+    provider: selfsigned
+    selfsigned_digest: "{{ item.value.cert.digest | default(omit) }}"
+    selfsigned_not_before: "{{ item.value.cert.not_before | default(omit) }}"
+    selfsigned_not_after: "{{ item.value.cert.not_after | default(omit) }}"
+    selfsigned_create_subject_key_identifier: always_create
diff --git a/roles/x509/managed-ca/cert/finalize/tasks/main.yml b/roles/x509/managed-ca/cert/finalize/tasks/main.yml
new file mode 100644
index 00000000..c5b6cafe
--- /dev/null
+++ b/roles/x509/managed-ca/cert/finalize/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# nothing to do here
diff --git a/roles/x509/managed-ca/cert/meta/main.yml b/roles/x509/managed-ca/cert/meta/main.yml
new file mode 100644
index 00000000..ce1e5477
--- /dev/null
+++ b/roles/x509/managed-ca/cert/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: x509/managed-ca/cert/prepare
+  - role: x509/managed-ca/cert/finalize
diff --git a/roles/x509/managed-ca/cert/prepare/defaults/main.yml b/roles/x509/managed-ca/cert/prepare/defaults/main.yml
new file mode 100644
index 00000000..8664e7c9
--- /dev/null
+++ b/roles/x509/managed-ca/cert/prepare/defaults/main.yml
@@ -0,0 +1,49 @@
+---
+managed_ca_cert_hostnames: "{{ x509_certificate_hostnames }}"
+managed_ca_cert_name: "{{ x509_certificate_name | default(managed_ca_cert_hostnames[0]) }}"
+
+managed_ca_cert_base_dir: "/etc/ssl"
+
+managed_ca_cert_default_renew_margin: "+30d"
+managed_ca_cert_config: "{{ x509_certificate_config }}"
+# managed_ca_cert_config:
+#   path: "{{ managed_ca_cert_base_dir }}/{{ managed_ca_cert_name }}"
+#   mode: "0750"
+#   owner: root
+#   group: www-data
+#   ca:
+#     host: inventory_name_of_ca_host
+#     name: my-ca
+#   key:
+#     mode: "0640"
+#     owner: root
+#     group: www-data
+#     type: RSA
+#     size: 4096
+#   cert:
+#     mode: "0644"
+#     owner: root
+#     group: www-data
+#     common_name: foo
+#     san_extra:
+#     - "IP:192.0.2.1"
+#     country_name: "AT"
+#     locality_name: "Graz"
+#     organization_name: "spreadspace"
+#     organizational_unit_name: "ansible"
+#     state_or_province_name: "Styria"
+#     basic_constraints:
+#     - "CA:FALSE"
+#     basic_constraints_critical: no
+#     key_usage:
+#     - digitalSignature
+#     - keyAgreement
+#     key_usage_critical: yes
+#     extended_key_usage:
+#     - serverAuth
+#     extended_key_usage_critical: yes
+#     create_subject_key_identifier: yes
+#     digest: sha256
+#     not_before: +0h
+#     not_after: +520w
+#     renew_margin: +42d
diff --git a/roles/x509/managed-ca/cert/prepare/handlers/main.yml b/roles/x509/managed-ca/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..589d6dde
--- /dev/null
+++ b/roles/x509/managed-ca/cert/prepare/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: reload services for x509 certificates
+  loop: "{{ x509_certificate_reload_services | default([]) }}"
+  loop_control:
+    loop_var: x509_certificate_reload_service
+  service:
+    name: "{{ x509_certificate_reload_service }}"
+    state: reloaded
+
+- name: restart services for x509 certificates
+  loop: "{{ x509_certificate_restart_services | default([]) }}"
+  loop_control:
+    loop_var: x509_certificate_restart_service
+  service:
+    name: "{{ x509_certificate_restart_service }}"
+    state: restarted
diff --git a/roles/x509/managed-ca/cert/prepare/tasks/main.yml b/roles/x509/managed-ca/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..97292b04
--- /dev/null
+++ b/roles/x509/managed-ca/cert/prepare/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+- name: compute path to managed-ca certificate directory
+  set_fact:
+    managed_ca_cert_path: "{{ managed_ca_cert_config.path | default([managed_ca_cert_base_dir, managed_ca_cert_name] | path_join) }}"
+
+- name: create directory for managed-ca certificate
+  file:
+    path: "{{ managed_ca_cert_path }}"
+    state: directory
+    mode: "{{ managed_ca_cert_config.mode | default('0700') }}"
+    owner: "{{ managed_ca_cert_config.owner | default(omit) }}"
+    group: "{{ managed_ca_cert_config.group | default(omit) }}"
+  notify:
+  - reload services for x509 certificates
+  - restart services for x509 certificates
+
+- name: generate key for managed-ca certificate
+  openssl_privatekey:
+    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem"
+    mode: "{{ managed_ca_cert_config.key.mode | default('0600') }}"
+    owner: "{{ managed_ca_cert_config.key.owner | default(omit) }}"
+    group: "{{ managed_ca_cert_config.key.group | default(omit) }}"
+    type: "{{ managed_ca_cert_config.key.type | default(omit) }}"
+    size: "{{ managed_ca_cert_config.key.size | default(omit) }}"
+  notify:
+  - reload services for x509 certificates
+  - restart services for x509 certificates
+  register: _managed_ca_key_
+
+- name: generate csr for managed-ca certificate
+  community.crypto.openssl_csr:
+    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-csr.pem"
+    mode: "{{ managed_ca_cert_config.cert.mode | default('0644') }}"
+    owner: "{{ managed_ca_cert_config.cert.owner | default(omit) }}"
+    group: "{{ managed_ca_cert_config.cert.group | default(omit) }}"
+    privatekey_path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem"
+    create_subject_key_identifier: "{{ managed_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
+    digest: "{{ managed_ca_cert_config.cert.digest | default(omit) }}"
+    common_name: "{{ managed_ca_cert_config.cert.common_name | default(managed_ca_cert_name) }}"
+    subject_alt_name: "{{ ['DNS:'] | product(managed_ca_cert_hostnames) | map('join') | union(managed_ca_cert_config.cert.san_extra | default([])) | list }}"
+    subject_alt_name_critical: yes
+    use_common_name_for_san: no
+    country_name: "{{ managed_ca_cert_config.cert.country_name | default(omit) }}"
+    locality_name: "{{ managed_ca_cert_config.cert.locality_name | default(omit) }}"
+    organization_name: "{{ managed_ca_cert_config.cert.organization_name | default(omit) }}"
+    organizational_unit_name: "{{ managed_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
+    state_or_province_name: "{{ managed_ca_cert_config.cert.state_or_province_name | default(omit) }}"
+    basic_constraints: "{{ managed_ca_cert_config.cert.basic_constraints | default(omit) }}"
+    basic_constraints_critical: "{{ managed_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
+    key_usage: "{{ managed_ca_cert_config.cert.key_usage | default(omit) }}"
+    key_usage_critical: "{{ managed_ca_cert_config.cert.key_usage_critical | default(omit) }}"
+    extended_key_usage: "{{ managed_ca_cert_config.cert.extended_key_usage | default(omit) }}"
+    extended_key_usage_critical: "{{ managed_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+
+- name: slurp csr for managed-ca certificate
+  slurp:
+    src: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-csr.pem"
+  register: _managed_ca_csr_
+
+- name: check if managed-ca certificate already exists
+  stat:
+    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
+  register: _managed_ca_cert_file_
+
+- name: check validity of existing managed-ca certificate
+  when: _managed_ca_cert_file_.stat.exists
+  openssl_certificate_info:
+    path: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
+    valid_at:
+      renew_margin: "{{ managed_ca_cert_config.cert.renew_margin | default(managed_ca_cert_default_renew_margin) }}"
+  register: _managed_ca_cert_info_
+
+- name: slurp existing existing managed-ca certificate
+  when: _managed_ca_cert_file_.stat.exists
+  slurp:
+    src: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
+  register: _managed_ca_cert_current_
+
+- name: generate managed-ca certificate
+  delegate_to: "{{ managed_ca_cert_config.ca.host }}"
+  community.crypto.x509_certificate_pipe:
+    content: "{{ _managed_ca_cert_current_.content | default('') | b64decode }}"
+    csr_content: "{{ _managed_ca_csr_.content | b64decode }}"
+    provider: ownca
+    ownca_path: "/etc/ssl/managed-ca/{{ managed_ca_cert_config.ca.name }}/crt.pem"
+    ownca_privatekey_path: "/etc/ssl/managed-ca/{{ managed_ca_cert_config.ca.name }}/key.pem"
+    ownca_digest: "{{ managed_ca_cert_config.cert.digest | default(omit) }}"
+    ownca_not_before: "{{ managed_ca_cert_config.cert.not_before | default(omit) }}"
+    ownca_not_after: "{{ managed_ca_cert_config.cert.not_after | default(omit) }}"
+    force: "{{ _managed_ca_cert_file_.stat.exists and (not _managed_ca_cert_info_.valid_at.renew_margin) }}"
+  register: _managed_ca_cert_new_
+
+- name: store managed-ca certificate
+  copy:
+    content: "{{ _managed_ca_cert_new_.certificate }}"
+    dest: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
+    mode: "{{ managed_ca_cert_config.cert.mode | default('0644') }}"
+    owner: "{{ managed_ca_cert_config.cert.owner | default(omit) }}"
+    group: "{{ managed_ca_cert_config.cert.group | default(omit) }}"
+  register: _managed_ca_cert_
+  notify:
+  - reload services for x509 certificates
+  - restart services for x509 certificates
+
+- name: export paths to certificate files
+  set_fact:
+    x509_certificate_path_key: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-key.pem"
+    x509_certificate_path_cert: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
+    x509_certificate_path_chain: ""
+    x509_certificate_path_fullchain: "{{ managed_ca_cert_path }}/{{ managed_ca_cert_name }}-crt.pem"
+
+- name: generate custom post-renewal script
+  when: x509_certificate_renewal is defined
+  template:
+    src: updated.sh.j2
+    dest: "{{ managed_ca_cert_path }}/updated.sh"
+    mode: 0755
+
+- name: call custom post-renewal script
+  when:
+  - x509_certificate_renewal is defined
+  - (_managed_ca_key_ is changed) or (_managed_ca_cert_ is changed)
+  command: "{{ managed_ca_cert_path }}/updated.sh"
diff --git a/roles/x509/managed-ca/cert/prepare/templates/updated.sh.j2 b/roles/x509/managed-ca/cert/prepare/templates/updated.sh.j2
new file mode 100644
index 00000000..f0757832
--- /dev/null
+++ b/roles/x509/managed-ca/cert/prepare/templates/updated.sh.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+{% if 'install' in x509_certificate_renewal %}
+{%   for file in x509_certificate_renewal.install %}
+
+install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'group' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
+{%     for src in file.src %}
+cat "{{ lookup('vars', 'x509_certificate_path_' + src) }}" >> "{{ file.dest }}.new"
+{%     endfor %}
+mv "{{ file.dest }}.new" "{{ file.dest }}"
+{%   endfor %}
+{% endif %}
+{% if 'reload' in x509_certificate_renewal %}
+
+{{ x509_certificate_renewal.reload | trim }}
+{% endif %}