authorChristian Pointner <equinox@spreadspace.org>2023-09-12 00:41:07 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-09-12 00:41:07 +0200
commit33890cacb183b69bf0032fd3dbd41b9c20cab4b1 (patch)
treef5d042cb37c9a72f4ba003d2a8efbaa31aa7b4a3 /roles
parentmonitoring/grafana: add automatic handling for admin password and additonal u... (diff)
x509/certificates: generic config handling
Diffstat (limited to 'roles')
-rw-r--r--roles/nginx/vhost/defaults/main.yml4
-rw-r--r--roles/nginx/vhost/tasks/main.yml2
-rw-r--r--roles/x509/acmetool/cert/finalize/defaults/main.yml2
-rw-r--r--roles/x509/ownca/cert/prepare/defaults/main.yml4
-rw-r--r--roles/x509/ownca/cert/prepare/tasks/main.yml4
-rw-r--r--roles/x509/selfsigned/cert/prepare/defaults/main.yml4
-rw-r--r--roles/x509/selfsigned/cert/prepare/tasks/main.yml4
-rw-r--r--roles/x509/static/cert/prepare/defaults/main.yml1
-rw-r--r--roles/x509/uacme/cert/prepare/defaults/main.yml1
9 files changed, 22 insertions, 4 deletions
diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml
index 0eb67b42..834e1e10 100644
--- a/roles/nginx/vhost/defaults/main.yml
+++ b/roles/nginx/vhost/defaults/main.yml
@@ -34,6 +34,10 @@
# variant: legacy
# hsts: false
# certificate_provider: acmetool
+# certificate_config:
+# request:
+# challenge:
+# http-self-test: false
# hostnames:
# - static.example.com
# extra_directives: |-
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index 2c1f0f29..5468bcc6 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -4,6 +4,7 @@
vars:
x509_certificate_name: "{{ nginx_vhost.name }}"
x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_certificate_config: "{{ nginx_vhost.tls.certificate_config | default({}) }}"
x509_certificate_reload_services:
- nginx
include_role:
@@ -43,6 +44,7 @@
vars:
x509_certificate_name: "{{ nginx_vhost.name }}"
x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_certificate_config: "{{ nginx_vhost.tls.certificate_config | default({}) }}"
x509_certificate_reload_services:
- nginx
include_role:
diff --git a/roles/x509/acmetool/cert/finalize/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml
index b9a80136..06c8e04a 100644
--- a/roles/x509/acmetool/cert/finalize/defaults/main.yml
+++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml
@@ -3,3 +3,5 @@ acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}"
acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}"
acmetool_reconcile_disabled: false
+
+acmetool_cert_config: "{{ x509_certificate_config }}"
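Review bot: The new `acmetool_cert_config: "{{ x509_certificate_config }}"` has no fallback, so a play that includes this role without setting `x509_certificate_config` now fails on an undefined variable, although the variable is optional for the role (the nginx vhost role is the only caller shown here that guards it with `| default({})`). The same unguarded pass-through is added in roles/x509/ownca/cert/prepare/defaults/main.yml, roles/x509/selfsigned/cert/prepare/defaults/main.yml, roles/x509/static/cert/prepare/defaults/main.yml and roles/x509/uacme/cert/prepare/defaults/main.yml. Defaulting inside each role instead, `acmetool_cert_config: "{{ x509_certificate_config | default({}) }}"`, keeps the generic config optional for every caller and matches the `{}` the nginx role already passes.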
diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/ownca/cert/prepare/defaults/main.yml
index 4953db74..89dced63 100644
--- a/roles/x509/ownca/cert/prepare/defaults/main.yml
+++ b/roles/x509/ownca/cert/prepare/defaults/main.yml
@@ -4,6 +4,7 @@ ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }}
ownca_cert_base_dir: "/etc/ssl"
+ownca_cert_config: "{{ x509_certificate_config }}"
# ownca_cert_config:
# path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}"
# mode: "0750"
@@ -28,6 +29,9 @@ ownca_cert_base_dir: "/etc/ssl"
# mode: "0644"
# owner: root
# group: www-data
+# common_name: foo
+# san_extra:
+# - "IP:192.0.2.1"
# country_name: "AT"
# locality_name: "Graz"
# organization_name: "spreadspace"
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
index a2d14ed6..6eb3525f 100644
--- a/roles/x509/ownca/cert/prepare/tasks/main.yml
+++ b/roles/x509/ownca/cert/prepare/tasks/main.yml
@@ -31,8 +31,8 @@
privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
- common_name: "{{ ownca_cert_name }}"
- subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | list }}"
+ common_name: "{{ ownca_cert_config.cert.common_name | default(ownca_cert_name) }}"
+ subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | union(ownca_cert_config.cert.san_extra | default([])) | list }}"
subject_alt_name_critical: yes
use_common_name_for_san: no
country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}"
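Review bot: On the new `subject_alt_name` line the `san_extra` entries are merged verbatim while the hostnames get a `DNS:` prefix, so a bare hostname placed in `san_extra` yields an invalid SAN entry, and the only hint of the expected form is the `"IP:192.0.2.1"` example in the defaults file. Worth stating next to that example in roles/x509/ownca/cert/prepare/defaults/main.yml: `# san_extra: extra SAN entries, each with its type prefix (DNS:, IP:, email:); merged with the DNS: entries built from the hostnames`. Also note that `union` deduplicates and, on Ansible versions where it is not order-preserving, may reorder the SAN list between runs, which presumably shows up as a changed CSR; the trailing `| list` is redundant since `union` already returns a list. The selfsigned hunk in roles/x509/selfsigned/cert/prepare/tasks/main.yml has the identical construction. The task these lines belong to starts before the hunk.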
diff --git a/roles/x509/selfsigned/cert/prepare/defaults/main.yml b/roles/x509/selfsigned/cert/prepare/defaults/main.yml
index 53dc3b06..e45343e5 100644
--- a/roles/x509/selfsigned/cert/prepare/defaults/main.yml
+++ b/roles/x509/selfsigned/cert/prepare/defaults/main.yml
@@ -4,6 +4,7 @@ selfsigned_cert_name: "{{ x509_certificate_name | default(selfsigned_cert_hostna
selfsigned_cert_base_dir: "/etc/ssl"
+selfsigned_cert_config: "{{ x509_certificate_config }}"
# selfsigned_cert_config:
# path: "{{ selfsigned_cert_base_dir }}/{{ selfsigned_cert_name }}"
# mode: "0750"
@@ -19,6 +20,9 @@ selfsigned_cert_base_dir: "/etc/ssl"
# mode: "0644"
# owner: root
# group: www-data
+# common_name: foo
+# san_extra:
+# - "IP:192.0.2.1"
# country_name: "AT"
# locality_name: "Graz"
# organization_name: "spreadspace"
diff --git a/roles/x509/selfsigned/cert/prepare/tasks/main.yml b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
index e7a47742..72999807 100644
--- a/roles/x509/selfsigned/cert/prepare/tasks/main.yml
+++ b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
@@ -31,8 +31,8 @@
privatekey_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
create_subject_key_identifier: "{{ selfsigned_cert_config.cert.create_subject_key_identifier | default(omit) }}"
digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}"
- common_name: "{{ selfsigned_cert_name }}"
- subject_alt_name: "{{ ['DNS:'] | product(selfsigned_cert_hostnames) | map('join') | list }}"
+ common_name: "{{ selfsigned_cert_config.cert.common_name | default(selfsigned_cert_name) }}"
+ subject_alt_name: "{{ ['DNS:'] | product(selfsigned_cert_hostnames) | map('join') | union(selfsigned_cert_config.cert.san_extra | default([])) | list }}"
subject_alt_name_critical: yes
use_common_name_for_san: no
country_name: "{{ selfsigned_cert_config.cert.country_name | default(omit) }}"
diff --git a/roles/x509/static/cert/prepare/defaults/main.yml b/roles/x509/static/cert/prepare/defaults/main.yml
index d632a5de..b9a2f88f 100644
--- a/roles/x509/static/cert/prepare/defaults/main.yml
+++ b/roles/x509/static/cert/prepare/defaults/main.yml
@@ -4,6 +4,7 @@ static_cert_name: "{{ x509_certificate_name | default(static_cert_hostnames[0])
static_cert_base_dir: "/etc/ssl"
+static_cert_config: "{{ x509_certificate_config }}"
# static_cert_config:
# path: "{{ static_cert_base_dir }}/{{ static_cert_name }}"
# mode: "0750"
diff --git a/roles/x509/uacme/cert/prepare/defaults/main.yml b/roles/x509/uacme/cert/prepare/defaults/main.yml
index b15c1e44..60b59649 100644
--- a/roles/x509/uacme/cert/prepare/defaults/main.yml
+++ b/roles/x509/uacme/cert/prepare/defaults/main.yml
@@ -2,6 +2,7 @@
uacme_cert_hostnames: "{{ x509_certificate_hostnames }}"
uacme_cert_name: "{{ x509_certificate_name | default(uacme_cert_hostnames[0]) }}"
+uacme_cert_config: "{{ x509_certificate_config }}"
# uacme_cert_config:
# key:
# mode: "0640"