13 files changed, 127 insertions, 127 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
index 88af0dc5..bf7c41dd 100644
--- a/dan/sk-testvm.yml
+++ b/dan/sk-testvm.yml
@@ -13,10 +13,10 @@ vars: acme_client: uacme # acme_client: acmetool - cert_provider: "{{ acme_client }}" + # cert_provider: "{{ acme_client }}" # cert_provider: static # cert_provider: selfsigned - # cert_provider: ownca + cert_provider: static-ca roles: - role: apt-repo/spreadspace - role: kubernetes/base
@@ -32,7 +32,7 @@ template: generic tls: certificate_provider: "{{ cert_provider }}" - certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__default', default={}) }}" + certificate_config: "{{ lookup('vars', (cert_provider | replace('-','_'))+'_cert_config__default', default={}) }}" hsts: no hostnames: - testvm.elev8.at
@@ -46,7 +46,7 @@ template: generic tls: certificate_provider: "{{ cert_provider }}" - certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}" + certificate_config: "{{ lookup('vars', (cert_provider | replace('-','_'))+'_cert_config__test', default={}) }}" hsts: no hostnames: - login.spreadspace.org
@@ -62,7 +62,7 @@ template: generic tls: certificate_provider: "{{ cert_provider }}" - certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}" + certificate_config: "{{ lookup('vars', (cert_provider | replace('-','_'))+'_cert_config__test', default={}) }}" hsts: no hostnames: - test.spreadspace.org
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index de6cc9be..4ede061a 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -263,7 +263,7 @@ monitoring_landingpage_hostnames: - "mon.chaos-at-home.org" monitoring_landingpage_title: "chaos@home Monitoring Host" monitoring_landingpage_tls: - certificate_provider: ownca + certificate_provider: static-ca certificate_config: mode: "0750" owner: root 
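Review bot: The conversion `(cert_provider | replace('-','_'))` that maps the provider name onto the variable prefix is written out inline in the `@@ -32,7` hunk and again in the two following hunks for the `__test` configs, and because every lookup ends in `default={}` a mismatch between provider name and variable prefix does not fail at this line but only later inside the role, with an empty certificate config. Compute it once in `vars`, e.g. `cert_config_prefix: "{{ cert_provider | replace('-','_') }}"`, and use `certificate_config: "{{ lookup('vars', cert_config_prefix+'_cert_config__default', default={}) }}"` (and the `__test` variant) in the three places.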
diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml
index 9a484968..12362457 100644
--- a/inventory/host_vars/sk-testvm.yml
+++ b/inventory/host_vars/sk-testvm.yml
@@ -412,7 +412,7 @@ selfsigned_cert_config__test: -_ownca_cert_config__common: &ownca_cert_config__common +_static_ca_cert_config__common: &static_ca_cert_config__common ca: key_content: | -----BEGIN RSA PRIVATE KEY-----
@@ -497,8 +497,8 @@ _ownca_cert_config__common: &ownca_cert_config__common VcNvbiSZ7MpW/SdanWVaAVxlZS9BAaPozU5V/Rg= -----END CERTIFICATE----- -ownca_cert_config__default: - <<: *ownca_cert_config__common +static_ca_cert_config__default: + <<: *static_ca_cert_config__common cert: organization_name: "elev8" organizational_unit_name: "ansible"
@@ -512,8 +512,8 @@ ownca_cert_config__default: create_subject_key_identifier: yes not_after: +1000w -ownca_cert_config__test: - <<: *ownca_cert_config__common +static_ca_cert_config__test: + <<: *static_ca_cert_config__common cert: organization_name: "spreadspace" organizational_unit_name: "ansible"
diff --git a/roles/x509/ownca/cert/meta/main.yml b/roles/x509/ownca/cert/meta/main.yml
deleted file mode 100644
index 602ee3f8..00000000
--- a/roles/x509/ownca/cert/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@ ---- -dependencies: - - role: x509/ownca/cert/prepare - - role: x509/ownca/cert/finalize
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
deleted file mode 100644
index 00d19c59..00000000
--- a/roles/x509/ownca/cert/prepare/tasks/main.yml
+++ /dev/null 
@@ -1,105 +0,0 @@ ---- -- name: compute path to ownca certificate directory - set_fact: - ownca_cert_path: "{{ ownca_cert_config.path | default([ownca_cert_base_dir, ownca_cert_name] | path_join) }}" - -- name: create directory for ownca certificate - file: - path: "{{ ownca_cert_path }}" - state: directory - mode: "{{ ownca_cert_config.mode | default('0700') }}" - owner: "{{ ownca_cert_config.owner | default(omit) }}" - group: "{{ ownca_cert_config.group | default(omit) }}" - notify: - - reload services for x509 certificates - - restart services for x509 certificates - -- name: generate key for ownca certificate - openssl_privatekey: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" - mode: "{{ ownca_cert_config.key.mode | default('0600') }}" - owner: "{{ ownca_cert_config.key.owner | default(omit) }}" - group: "{{ ownca_cert_config.key.group | default(omit) }}" - type: "{{ ownca_cert_config.key.type | default(omit) }}" - size: "{{ ownca_cert_config.key.size | default(omit) }}" - notify: - - reload services for x509 certificates - - restart services for x509 certificates - register: _ownca_key_ - -- name: generate csr for ownca certificate - community.crypto.openssl_csr: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem" - mode: "{{ ownca_cert_config.cert.mode | default('0644') }}" - owner: "{{ ownca_cert_config.cert.owner | default(omit) }}" - group: "{{ ownca_cert_config.cert.group | default(omit) }}" - privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" - create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}" - digest: "{{ ownca_cert_config.cert.digest | default(omit) }}" - common_name: "{{ ownca_cert_config.cert.common_name | default(ownca_cert_name) }}" - subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | union(ownca_cert_config.cert.san_extra | default([])) | list }}" - subject_alt_name_critical: yes - use_common_name_for_san: no - 
country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}" - locality_name: "{{ ownca_cert_config.cert.locality_name | default(omit) }}" - organization_name: "{{ ownca_cert_config.cert.organization_name | default(omit) }}" - organizational_unit_name: "{{ ownca_cert_config.cert.organizational_unit_name | default(omit) }}" - state_or_province_name: "{{ ownca_cert_config.cert.state_or_province_name | default(omit) }}" - basic_constraints: "{{ ownca_cert_config.cert.basic_constraints | default(omit) }}" - basic_constraints_critical: "{{ ownca_cert_config.cert.basic_constraints_critical | default(omit) }}" - key_usage: "{{ ownca_cert_config.cert.key_usage | default(omit) }}" - key_usage_critical: "{{ ownca_cert_config.cert.key_usage_critical | default(omit) }}" - extended_key_usage: "{{ ownca_cert_config.cert.extended_key_usage | default(omit) }}" - extended_key_usage_critical: "{{ ownca_cert_config.cert.extended_key_usage_critical | default(omit) }}" - -- name: check if ownca certificate already exists - stat: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - register: _ownca_cert_file_ - -- name: check validity of existing ownca certificate - when: _ownca_cert_file_.stat.exists - openssl_certificate_info: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - valid_at: - renew_margin: "{{ ownca_cert_config.cert.renew_margin | default(ownca_cert_default_renew_margin) }}" - register: _ownca_cert_info_ - -- name: generate ownca certificate - community.crypto.x509_certificate: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - mode: "{{ ownca_cert_config.cert.mode | default('0644') }}" - owner: "{{ ownca_cert_config.cert.owner | default(omit) }}" - group: "{{ ownca_cert_config.cert.group | default(omit) }}" - csr_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem" - provider: ownca - ownca_content: "{{ ownca_cert_config.ca.cert_content }}" - ownca_privatekey_content: "{{ ownca_cert_config.ca.key_content }}" - 
ownca_digest: "{{ ownca_cert_config.cert.digest | default(omit) }}" - ownca_not_before: "{{ ownca_cert_config.cert.not_before | default(omit) }}" - ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}" - force: "{{ _ownca_cert_file_.stat.exists and (not _ownca_cert_info_.valid_at.renew_margin) }}" - notify: - - reload services for x509 certificates - - restart services for x509 certificates - register: _ownca_cert_ - -- name: export paths to certificate files - set_fact: - x509_certificate_path_key: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" - x509_certificate_path_cert: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - x509_certificate_path_chain: "" - x509_certificate_path_fullchain: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - -- name: generate custom post-renewal script - when: x509_certificate_renewal is defined - template: - src: updated.sh.j2 - dest: "{{ ownca_cert_path }}/updated.sh" - mode: 0755 - -- name: call custom post-renewal script - when: - - x509_certificate_renewal is defined - - (_ownca_key_ is changed) or (_ownca_cert_ is changed) - command: "{{ ownca_cert_path }}/updated.sh"
diff --git a/roles/x509/ownca/base/tasks/main.yml b/roles/x509/static-ca/base/tasks/main.yml
index e91eda4a..e91eda4a 100644
--- a/roles/x509/ownca/base/tasks/main.yml
+++ b/roles/x509/static-ca/base/tasks/main.yml
diff --git a/roles/x509/ownca/cert/finalize/tasks/main.yml b/roles/x509/static-ca/cert/finalize/tasks/main.yml
index c5b6cafe..c5b6cafe 100644
--- a/roles/x509/ownca/cert/finalize/tasks/main.yml
+++ b/roles/x509/static-ca/cert/finalize/tasks/main.yml
diff --git a/roles/x509/static-ca/cert/meta/main.yml b/roles/x509/static-ca/cert/meta/main.yml
new file mode 100644
index 00000000..bfaf1153
--- /dev/null
+++ b/roles/x509/static-ca/cert/meta/main.yml
@@ -0,0 +1,4 @@ +--- +dependencies: + - role: x509/static-ca/cert/prepare + - role: x509/static-ca/cert/finalize 
diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/static-ca/cert/prepare/defaults/main.yml
index 30241273..5287cc93 100644
--- a/roles/x509/ownca/cert/prepare/defaults/main.yml
+++ b/roles/x509/static-ca/cert/prepare/defaults/main.yml
@@ -1,13 +1,13 @@ --- -ownca_cert_hostnames: "{{ x509_certificate_hostnames }}" -ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }}" +static_ca_cert_hostnames: "{{ x509_certificate_hostnames }}" +static_ca_cert_name: "{{ x509_certificate_name | default(static_ca_cert_hostnames[0]) }}" -ownca_cert_base_dir: "/etc/ssl" +static_ca_cert_base_dir: "/etc/ssl" -ownca_cert_default_renew_margin: "+30d" -ownca_cert_config: "{{ x509_certificate_config }}" -# ownca_cert_config: -# path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}" +static_ca_cert_default_renew_margin: "+30d" +static_ca_cert_config: "{{ x509_certificate_config }}" +# static_ca_cert_config: +# path: "{{ static_ca_cert_base_dir }}/{{ static_ca_cert_name }}" # mode: "0750" # owner: root # group: www-data
diff --git a/roles/x509/ownca/cert/prepare/handlers/main.yml b/roles/x509/static-ca/cert/prepare/handlers/main.yml
index 589d6dde..589d6dde 100644
--- a/roles/x509/ownca/cert/prepare/handlers/main.yml
+++ b/roles/x509/static-ca/cert/prepare/handlers/main.yml
diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..538bb58d
--- /dev/null
+++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml 
@@ -0,0 +1,105 @@ +--- +- name: compute path to static-ca certificate directory + set_fact: + static_ca_cert_path: "{{ static_ca_cert_config.path | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}" + +- name: create directory for static-ca certificate + file: + path: "{{ static_ca_cert_path }}" + state: directory + mode: "{{ static_ca_cert_config.mode | default('0700') }}" + owner: "{{ static_ca_cert_config.owner | default(omit) }}" + group: "{{ static_ca_cert_config.group | default(omit) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + +- name: generate key for static-ca certificate + openssl_privatekey: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem" + mode: "{{ static_ca_cert_config.key.mode | default('0600') }}" + owner: "{{ static_ca_cert_config.key.owner | default(omit) }}" + group: "{{ static_ca_cert_config.key.group | default(omit) }}" + type: "{{ static_ca_cert_config.key.type | default(omit) }}" + size: "{{ static_ca_cert_config.key.size | default(omit) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + register: _static_ca_key_ + +- name: generate csr for static-ca certificate + community.crypto.openssl_csr: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem" + mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}" + owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}" + group: "{{ static_ca_cert_config.cert.group | default(omit) }}" + privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem" + create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}" + digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}" + common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}" + subject_alt_name: "{{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join') | 
union(static_ca_cert_config.cert.san_extra | default([])) | list }}" + subject_alt_name_critical: yes + use_common_name_for_san: no + country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}" + locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}" + organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}" + organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}" + state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}" + basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}" + basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}" + key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}" + key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}" + extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}" + extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}" + +- name: check if static-ca certificate already exists + stat: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + register: _static_ca_cert_file_ + +- name: check validity of existing static-ca certificate + when: _static_ca_cert_file_.stat.exists + openssl_certificate_info: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + valid_at: + renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}" + register: _static_ca_cert_info_ + +- name: generate static-ca certificate + community.crypto.x509_certificate: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}" + owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}" + group: "{{ 
static_ca_cert_config.cert.group | default(omit) }}" + csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem" + provider: ownca + ownca_content: "{{ static_ca_cert_config.ca.cert_content }}" + ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}" + ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}" + ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}" + ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}" + force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + register: _static_ca_cert_ + +- name: export paths to certificate files + set_fact: + x509_certificate_path_key: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem" + x509_certificate_path_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + x509_certificate_path_chain: "" + x509_certificate_path_fullchain: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + +- name: generate custom post-renewal script + when: x509_certificate_renewal is defined + template: + src: updated.sh.j2 + dest: "{{ static_ca_cert_path }}/updated.sh" + mode: 0755 + +- name: call custom post-renewal script + when: + - x509_certificate_renewal is defined + - (_static_ca_key_ is changed) or (_static_ca_cert_ is changed) + command: "{{ static_ca_cert_path }}/updated.sh"
diff --git a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2 b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
index f0757832..f0757832 100644
--- a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2
+++ b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
diff --git a/roles/x509/ownca/contrib/gen-ca.py b/roles/x509/static-ca/contrib/gen-ca.py
index 8f99da6c..8f99da6c 100755
--- a/roles/x509/ownca/contrib/gen-ca.py
+++ b/roles/x509/static-ca/contrib/gen-ca.py |
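Review bot: `provider: ownca` and the `ownca_*` options in the `generate static-ca certificate` task are the community.crypto module's own parameter names, not leftovers of the old role name, and nothing in the new file says so; after a rename commit like this one a comment such as `# 'ownca' is the community.crypto x509_certificate provider name, not the old role name` protects the task from a later search-and-replace. The same task receives the CA private key through `ownca_privatekey_content` (sourced from `key_content`, which appears as a plain PEM block in inventory/host_vars/sk-testvm.yml in this diff); whether the module masks that option in verbose output I cannot confirm from here, so `no_log: true` on that task is a cheap safeguard. Minor: `mode: 0755` in the post-renewal template task is an unquoted octal literal where the other tasks use quoted strings (`mode: "0755"`), and `subject_alt_name_critical: yes` / `use_common_name_for_san: no` should be written `true` / `false`.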