-rw-r--r-- | dan/sk-testvm.yml | 65 | ||||
-rw-r--r-- | inventory/host_vars/sk-testvm.yml | 117 | ||||
-rw-r--r-- | roles/x509/ownca/base/tasks/main.yml | 5 | ||||
-rw-r--r-- | roles/x509/ownca/cert/finalize/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/x509/ownca/cert/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/x509/ownca/cert/prepare/defaults/main.yml | 50 | ||||
-rw-r--r-- | roles/x509/ownca/cert/prepare/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/x509/ownca/cert/prepare/tasks/main.yml | 70 |
8 files changed, 288 insertions, 31 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml index 13a0b499..a004f9b5 100644 --- a/dan/sk-testvm.yml +++ b/dan/sk-testvm.yml @@ -11,11 +11,12 @@ - name: Payload Setup hosts: sk-testvm vars: - acme_client: uacme + # acme_client: uacme # acme_client: acmetool - cert_provider: "{{ acme_client }}" + # cert_provider: "{{ acme_client }}" # cert_provider: static # cert_provider: selfsigned + cert_provider: ownca roles: - role: apt-repo/spreadspace - role: kubernetes/base @@ -38,24 +39,26 @@ index: index.html static_cert_config: "{{ static_cert_config__default }}" selfsigned_cert_config: "{{ selfsigned_cert_config__default }}" - # - role: nginx/vhost - # nginx_vhost: - # name: test - # template: generic - # tls: - # certificate_provider: "{{ cert_provider }}" - # hsts: no - # hostnames: - # - test.spreadspace.org - # - test.spreadspace.com - # - test.spreadspace.net - # - test.spreadspace.systems - # locations: - # '/': - # root: /var/www/test - # index: index.html - # static_cert_config: "{{ static_cert_config__test }}" - # selfsigned_cert_config: "{{ selfsigned_cert_config__test }}" + ownca_cert_config: "{{ ownca_cert_config__default }}" + - role: nginx/vhost + nginx_vhost: + name: test + template: generic + tls: + certificate_provider: "{{ cert_provider }}" + hsts: no + hostnames: + - test.spreadspace.org + - test.spreadspace.com + - test.spreadspace.net + - test.spreadspace.systems + locations: + '/': + root: /var/www/test + index: index.html + static_cert_config: "{{ static_cert_config__test }}" + selfsigned_cert_config: "{{ selfsigned_cert_config__test }}" + ownca_cert_config: "{{ ownca_cert_config__test }}" # - role: apps/mumble # mumble_version: v1.4.274-4 # mumble_instance: spreadspace 
@@ -72,17 +75,17 @@ # rememberchannel: true # mumble_tls: # certificate_provider: "{{ cert_provider }}" - - role: apps/coturn - coturn_version: 4.6.2-r4 - coturn_realm: spreadspace - coturn_hostnames: - - test.spreadspace.org - - test.spreadspace.com - - test.spreadspace.net - - test.spreadspace.systems - coturn_auth_secret: "somewhat-secret" - coturn_tls: - certificate_provider: "{{ cert_provider }}" + # - role: apps/coturn + # coturn_version: 4.6.2-r4 + # coturn_realm: spreadspace + # coturn_hostnames: + # - test.spreadspace.org + # - test.spreadspace.com + # - test.spreadspace.net + # - test.spreadspace.systems + # coturn_auth_secret: "somewhat-secret" + # coturn_tls: + # certificate_provider: "{{ cert_provider }}" post_tasks: - name: make sure document root directories exist loop: diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml index a09d8de5..264e87f6 100644 --- a/inventory/host_vars/sk-testvm.yml +++ b/inventory/host_vars/sk-testvm.yml 
@@ -408,3 +408,120 @@ selfsigned_cert_config__test: extended_key_usage_critical: yes create_subject_key_identifier: yes not_after: +100w + + + +_ownca_cert_config__common: &ownca_cert_config__common + ca: + key_content: | + -----BEGIN RSA PRIVATE KEY----- + MIIJKQIBAAKCAgEA4DWgGPbEjSsvk5wCvZWicF8QwkY2oNKFHY4MIXq7YEnaG6dN + mz6nAV4T/Ui2Q7RUrXhCjj0OOKvA2vW+3Ilg5fENfawheIo4Uyu9n6930JjJS3sM + anaSDMwJEBbZV7jUAtLmUIccQ69FK5Ofjay9p+R+apYbIxZnU0j8x2fwTppa200m + S4BZAJ4qVmnJTLI5Byeily3GwgjNpONiI7bjN0outWQfXcZK1oFNmP9tLFwOBQLm + Za5cxnFI9T2PB6dx54dgWmy9QT9HpC+eW5fjcUb8z8PMovGNH1fPJ9GElDDH9Dw2 + HGpVHGKHSNLW6AWHL8zm4pnq9GzIWtgD8h1cJ6F9OXt6R4MsfX1dhSCU9vH6wd64 + adFL08NLpr4YuwiwgmhV4PZaQx3v97wAtpF5q6e1G8f9QMu9cVbnSZbbkM4jPwrz + 0//nKlKLmGM5NSFVUM/+Fyl9jbBGfvBjRzpm6dUySr94erfT8Kolk+bHo1AyH27u + q4cGMuf9HlG7b0+xvNSetR1ASKVU4zG6Sbu7aCHjvQQhsrPhohq307U7v/OI12uz + AW/Jd/NKovLIPvZ38HJqgpPsBdWImPHp4osBzGKJEMYsHmrnCE82Q4wVuh32pKKf + sOh8ZdoTxxwVSV4zppyNUvEnsannLi7fa58hwBiHgM/YcuQkOl6JQSXQYcMCAwEA + AQKCAgAR29j26WpU2kdDCS64s3tfBbDRNgQyQYKD4lAktzYcoH/51ZTbaZ1Q1mcI + 35VRBZinFp3/3sIhZnYz8ADLZ+VAJjgOYLsWcwqzKUKZ6RabQXLrNbpn8oOF9xc+ + YQDf5A4odBcPUVZsLRZOjHGC40BaErEKbrlroo8JYGtuELaLSZqKFEuZa6LrPINK + eHOlzckNa61KQHBap+vawe02bgy21zcAO3Y6Ix92lZG86ZTkbygDYyyUldO4T3Fh + w2JUrZQ86RjA1coqBnnU4fbJp0ALwlKZ0/1FT1s6eg/l7+I7vDpObHYHmQ/9dPr/ + TyKkvuf6jpDSJN4aU7M5H91fQtJtBCtm1IF2IwZk28pZ/cpFJestUpW6OPQjkDMU + kY69a5N61CWm41KyoO5Gwe0GGav+0NTc8yz6sC54sJucf2LaePfFp9hKagROZOVz + f9/wCdXXyjxRntYQ3zAK/0/xgutp+AOYOB8qgJJh5eyPCqN6ORnjSqlo4aKMdh+y + I72b796wgDLF6j+CACoWVJzKz93S1nCpVAbnMCh5nqA/bLjEKpO6mDNtws7e42/L + iDvSGm5N1OM+jt1krAdJJKl04lKyXW3n8u9DWyMr8bNORJfFCok5HnXvIT0JsyhU + 8e7gEC/e5ekgAdHabBvarfASpFtGBV2Sb4plDh9fBWT6nIJg/QKCAQEA+OXO/YK0 + JBu9VDGGS2mJDyuHmf4BicBMhijFZDbsvCGdIleSq09A4sL0SyM5r0LMCRLBozMC + Lj1TYVYx0TyOarfQSAK4P0r1YOenZ1qIKzcYEK3Ff4zdgmWqjIFNHGhLn2eqJo7H + VfJrYaMoR6XxMsCyvfgOOLl+i75Q9LtkPj96QbxO7L/wOh2atJmvN6Bg1cddMPME + 8fznoDw88Vwbk/zMJ18D7X1h2Fi+XZIAR0Xmr0jem4Xzlu77wnNLjDpF2jecdCGM + 
lrk+YRoVg1Cu2G0/4rWetA1+SUKZQSuXkWTXJJqSCsYCMf/bOmQZFUR5ZYoyAx9G + xULo0crCanmSzQKCAQEA5pt4U3ehRmeZWj41V6++Zr7R45vnxq5tkNmCtl2aCft5 + 4nmCqVodEP9W2VcsLYLvobkgN3pbIfOEDLcq7jvp1gHf+3a3Bjh8tompI8ik8ju6 + 0tfIyLIiiZ75tX9Q5rR7d+lU5pczQI4rYo9vJqmaJ6NYT/337CgRBbBsqqKzvodi + 9EgpNvIfqYi3HVIQkLXlldfon2A/izrQUBoT0fJyS0xls4B/GGM7ZuInA9zic4Jr + S2c9a81ANzrNThFeKOrqWTF4M9aWtpb14opkU8A7Qlo5qqtDFOZrYqbq3nokzBE7 + UcsmK+MZjZ1yVbeB9MCgShyUt8Zkaxna9OXsYxlmzwKCAQBGkECCts+DfSnL+M5u + CtmEp36mNdER0KbhUiXEJ54uKAl4dwNp9eobX9IKi04LVhCqcdrb/dYcbd55tgoh + m910e/BcugiqSQIQGxzmvE/mkJQOBnX7l2AlW9ViSDYoW5k09BrVG51/zF6NK8h7 + p5weG2uRWAYQJuatj6M7/vSIgU6T3GMz06azkzkNApUeXCWX9hGBkyRPxreUQf+1 + Hbvj1MO8Vb+zUNywjVhLBt11V2fzQeF6jhtlKxPNKQq+ErdDCokck3ZcNOBufwqi + U/l9+lsmVv9LZJftBSiVxVoPKlukUP4ed8yfiD4K694AnY0dMHTFVdSmkDWZZLaB + oT3xAoIBAQC1MZdbzfWUQjaGZ7a2DUqHpIt6UbfNrqQ8WguQiv9LtKJSRrNZqYqJ + Hnf5EbuOjwEGi1U7AhK1HIe3DfzXb5AOLS72gJLSenPTYVra2P5xrmje3dnPh9gH + VjhSWZURkOIql9Wz0T3eDVcdfCITuNN9LaVoRN8WWWz2kWbwtCKTJAGme0SW/avP + I7LtgNuvOJ0KHbmT8KY9GZswNS05m0weygpm/iHe4al871lEebwckm8HsjjaiU1Z + mARUwOTBNcOpDWurH4MQOJE+zQqDm9l0CzygUyzEMUBTJWAKKuLazPdVD1AQz8H2 + Oa3ql+OukePgF5DqzSF93bTjE/2m6ACVAoIBAQDvxhGd42R0bOf3QPZBE5yqdv90 + skC5qukjYH6lxwHkcB8LTalCphlkLVsFEPmWRb2tyffRBo9kt/5FDrlS6Vy8hFVH + APzkdvWU0WEGfjsXUgzF1+pGEQz61bcLGHNI8ER+cw1THCz5oYtPwPbuGergnjWT + onbvuHfvTw61mI8GyhtQJ/THAoAaVOpZOt+svFArPPjb6PWEEO3SkRjiLy34h5fQ + 0fKVI9AOhZ91olHeJna72Y0JW9BZFoayrJLwyioGjYW5UbZw6U+GOr+5HrIBLges + BhiOTyD58bMx2Nq6MpeEd/DpImo09m4f0LOtJlY6d3V0KFEk3WkySvjebsii + -----END RSA PRIVATE KEY----- + cert_content: | + -----BEGIN CERTIFICATE----- + MIIE+TCCAuGgAwIBAgIUG/PNjwu4G93mNa7Tkc56e2xkX/swDQYJKoZIhvcNAQEL + BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAgFw0yMzA4MjIxODQ1MTdaGA8yMDczMDgw + OTE4NDUxN1owEjEQMA4GA1UEAwwHVGVzdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD + ggIPADCCAgoCggIBAOA1oBj2xI0rL5OcAr2VonBfEMJGNqDShR2ODCF6u2BJ2hun + TZs+pwFeE/1ItkO0VK14Qo49DjirwNr1vtyJYOXxDX2sIXiKOFMrvZ+vd9CYyUt7 + 
DGp2kgzMCRAW2Ve41ALS5lCHHEOvRSuTn42svafkfmqWGyMWZ1NI/Mdn8E6aWttN + JkuAWQCeKlZpyUyyOQcnopctxsIIzaTjYiO24zdKLrVkH13GStaBTZj/bSxcDgUC + 5mWuXMZxSPU9jwenceeHYFpsvUE/R6QvnluX43FG/M/DzKLxjR9XzyfRhJQwx/Q8 + NhxqVRxih0jS1ugFhy/M5uKZ6vRsyFrYA/IdXCehfTl7ekeDLH19XYUglPbx+sHe + uGnRS9PDS6a+GLsIsIJoVeD2WkMd7/e8ALaReauntRvH/UDLvXFW50mW25DOIz8K + 89P/5ypSi5hjOTUhVVDP/hcpfY2wRn7wY0c6ZunVMkq/eHq30/CqJZPmx6NQMh9u + 7quHBjLn/R5Ru29PsbzUnrUdQEilVOMxukm7u2gh470EIbKz4aIat9O1O7/ziNdr + swFvyXfzSqLyyD72d/ByaoKT7AXViJjx6eKLAcxiiRDGLB5q5whPNkOMFbod9qSi + n7DofGXaE8ccFUleM6acjVLxJ7Gp5y4u32ufIcAYh4DP2HLkJDpeiUEl0GHDAgMB + AAGjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud + DgQWBBT/zWdBzW0LOzkBLcTPiPOtxwMY8zANBgkqhkiG9w0BAQsFAAOCAgEAwzS4 + ohxCrOFX3SiQ/oFgcowhoeTCcFFiFjP79vxundnOwzACq1QLaEGquqHAeqNS8BLG + p1aTrbPFxvWXeyU5fDxAjKGlE1x1Co221WNCtowfPWgxE0f+n2IyHeNMaj8GeHvj + Flut9zjQ1WcXQ92dqF9FJJGRFxUxWx4U7xc6LPTRQPi+Z06T3uUpnFpzY2R2RiXE + JXtezXnihnDQf0CxOfqNeKLNXOHnb/y0zdF4ETZI/+kMq237pb2ZPW/3/3nsQcmY + ee+mrECVmY7XPUqRVKuuJiSm58ldrZxEIMTjk09ZGMAb0GBcBGsLBkeFQ5+g3HtC + cuNKLWolqKeHA+YXcbCRPl94LNKnG7Sm8rKuC0YxLXAOLAvFW+o0MEkFaBqVkgS4 + 0SCYKDgeN0bWNqelh33YNnHvarP58gO33Um93Lvjp2f0UrQwjYjyia1GocgL7sxm + AaL7REHQTXpBwgHyiEpBwGJ5wKfX6eJZf48zBOHEKmh/VfD3WjMWRnXNc9p1dkBY + VnxhIf4we5jvQDDUidht6MH4W0UBDuOVj2sISQLmp33vC16sUcyaliZh67GaV9k6 + tCFHpw0V6XfsNgomJB8p9+sO4qRYA40fIfWRIkTsYIEV1lEhDvUkzH4qZrnijepA + VcNvbiSZ7MpW/SdanWVaAVxlZS9BAaPozU5V/Rg= + -----END CERTIFICATE----- + +ownca_cert_config__default: + <<: *ownca_cert_config__common + cert: + organization_name: "elev8" + organizational_unit_name: "ansible" + key_usage: + - digitalSignature + - keyAgreement + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + create_subject_key_identifier: yes + not_after: +1000w + +ownca_cert_config__test: + <<: *ownca_cert_config__common + cert: + organization_name: "spreadspace" + organizational_unit_name: "ansible" + key_usage: + - digitalSignature + 
- keyAgreement + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + create_subject_key_identifier: yes + not_after: +100w diff --git a/roles/x509/ownca/base/tasks/main.yml b/roles/x509/ownca/base/tasks/main.yml new file mode 100644 index 00000000..51397d67 --- /dev/null +++ b/roles/x509/ownca/base/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: install needed packages + apt: + name: "{{ python_basename }}-openssl" + state: present diff --git a/roles/x509/ownca/cert/finalize/tasks/main.yml b/roles/x509/ownca/cert/finalize/tasks/main.yml new file mode 100644 index 00000000..c5b6cafe --- /dev/null +++ b/roles/x509/ownca/cert/finalize/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# nothing to do here diff --git a/roles/x509/ownca/cert/meta/main.yml b/roles/x509/ownca/cert/meta/main.yml new file mode 100644 index 00000000..602ee3f8 --- /dev/null +++ b/roles/x509/ownca/cert/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: x509/ownca/cert/prepare + - role: x509/ownca/cert/finalize diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/ownca/cert/prepare/defaults/main.yml new file mode 100644 index 00000000..4953db74 --- /dev/null +++ b/roles/x509/ownca/cert/prepare/defaults/main.yml 
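Review bot: The CA private key under `_ownca_cert_config__common.ca.key_content` is committed to the inventory in plaintext, so anyone with read access to the repository can issue certificates that every host trusting this CA will accept; keep it out of the clear, e.g. `key_content: !vault |` produced with `ansible-vault encrypt_string`, or load it from a vaulted file. The default profile's `not_after: +1000w` is a roughly nineteen-year leaf validity, far longer than the `+100w` used for the test profile and than the `+520w` example in the role defaults; a shorter default limits the damage if the host key is ever exposed. The `&ownca_cert_config__common` anchor with `<<:` merges is fine here since both aliases live in the same document, but the merge is shallow: a profile that sets its own `ca:` key replaces the whole inherited mapping rather than overriding one field.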
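Review bot: `install needed packages` installs `{{ python_basename }}-openssl` (pyOpenSSL), but the `prepare` tasks in this commit use `community.crypto.openssl_csr` and `community.crypto.x509_certificate`, whose current releases are backed by the `cryptography` library rather than pyOpenSSL as far as I recall. On Debian the pyOpenSSL package pulls `python3-cryptography` in as a dependency, so this likely works by coincidence; naming the direct dependency, `name: "{{ python_basename }}-cryptography"`, would make the role's requirement explicit. The `python_basename` variable is defined outside this commit.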
@@ -0,0 +1,50 @@ +--- +ownca_cert_hostnames: "{{ x509_certificate_hostnames }}" +ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }}" + +ownca_cert_base_dir: "/etc/ssl" + +# ownca_cert_config: +# path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}" +# mode: "0750" +# owner: root +# group: www-data +# ca: +# key_content: | +# -----BEGIN RSA PRIVATE KEY----- +# ... +# -----END RSA PRIVATE KEY----- +# cert_content: | +# -----BEGIN CERTIFICATE----- +# ... +# -----END CERTIFICATE----- +# key: +# mode: "0640" +# owner: root +# group: www-data +# type: RSA +# size: 4096 +# cert: +# mode: "0644" +# owner: root +# group: www-data +# country_name: "AT" +# locality_name: "Graz" +# organization_name: "spreadspace" +# organizational_unit_name: "ansible" +# state_or_province_name: "Styria" +# basic_constraints: +# - "CA:TRUE" +# - "pathLenConstraint:0" +# basic_constraints_critical: no +# key_usage: +# - digitalSignature +# - keyAgreement +# key_usage_critical: yes +# extended_key_usage: +# - serverAuth +# extended_key_usage_critical: yes +# create_subject_key_identifier: yes +# digest: SHA256 +# not_before: +0h +# not_after: +520w diff --git a/roles/x509/ownca/cert/prepare/handlers/main.yml b/roles/x509/ownca/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..b169d6ca --- /dev/null +++ b/roles/x509/ownca/cert/prepare/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + service: + name: "{{ item }}" + state: reloaded diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml new file mode 100644 index 00000000..a2d14ed6 --- /dev/null +++ b/roles/x509/ownca/cert/prepare/tasks/main.yml 
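Review bot: The commented example `ownca_cert_config` shows `basic_constraints: ["CA:TRUE", "pathLenConstraint:0"]` for what the `prepare` tasks issue as an end-entity server certificate; a user who copies the example verbatim asks the CA to sign a certificate that is itself marked as a CA, which a TLS server certificate should not carry. Unless this is intentional, drop those lines from the example or change the value to `# - "CA:FALSE"` and say so in a comment. It would also help to document which keys the tasks actually require, `ca.key_content` and `ca.cert_content`, since every other key is read with `default(omit)`.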
@@ -0,0 +1,70 @@ +--- +- name: compute path to ownca certificate directory + set_fact: + ownca_cert_path: "{{ ownca_cert_config.path | default([ownca_cert_base_dir, ownca_cert_name] | path_join) }}" + +- name: create directory for ownca certificate + file: + path: "{{ ownca_cert_path }}" + state: directory + mode: "{{ ownca_cert_config.mode | default('0700') }}" + owner: "{{ ownca_cert_config.owner | default(omit) }}" + group: "{{ ownca_cert_config.group | default(omit) }}" + notify: reload services for x509 certificates + +- name: generate key for ownca certificate + openssl_privatekey: + path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" + mode: "{{ ownca_cert_config.key.mode | default('0600') }}" + owner: "{{ ownca_cert_config.key.owner | default(omit) }}" + group: "{{ ownca_cert_config.key.group | default(omit) }}" + type: "{{ ownca_cert_config.key.type | default(omit) }}" + size: "{{ ownca_cert_config.key.size | default(omit) }}" + notify: reload services for x509 certificates + +- name: generate csr for ownca certificate + community.crypto.openssl_csr: + path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem" + mode: "{{ ownca_cert_config.cert.mode | default('0644') }}" + owner: "{{ ownca_cert_config.cert.owner | default(omit) }}" + group: "{{ ownca_cert_config.cert.group | default(omit) }}" + privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" + create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}" + digest: "{{ ownca_cert_config.cert.digest | default(omit) }}" + common_name: "{{ ownca_cert_name }}" + subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | list }}" + subject_alt_name_critical: yes + use_common_name_for_san: no + country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}" + locality_name: "{{ ownca_cert_config.cert.locality_name | default(omit) }}" + organization_name: "{{ ownca_cert_config.cert.organization_name | 
default(omit) }}" + organizational_unit_name: "{{ ownca_cert_config.cert.organizational_unit_name | default(omit) }}" + state_or_province_name: "{{ ownca_cert_config.cert.state_or_province_name | default(omit) }}" + basic_constraints: "{{ ownca_cert_config.cert.basic_constraints | default(omit) }}" + basic_constraints_critical: "{{ ownca_cert_config.cert.basic_constraints_critical | default(omit) }}" + key_usage: "{{ ownca_cert_config.cert.key_usage | default(omit) }}" + key_usage_critical: "{{ ownca_cert_config.cert.key_usage_critical | default(omit) }}" + extended_key_usage: "{{ ownca_cert_config.cert.extended_key_usage | default(omit) }}" + extended_key_usage_critical: "{{ ownca_cert_config.cert.extended_key_usage_critical | default(omit) }}" + +- name: generate ownca certificate + community.crypto.x509_certificate: + path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" + mode: "{{ ownca_cert_config.cert.mode | default('0644') }}" + owner: "{{ ownca_cert_config.cert.owner | default(omit) }}" + group: "{{ ownca_cert_config.cert.group | default(omit) }}" + csr_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem" + provider: ownca + ownca_content: "{{ ownca_cert_config.ca.cert_content }}" + ownca_privatekey_content: "{{ ownca_cert_config.ca.key_content }}" + ownca_digest: "{{ ownca_cert_config.cert.digest | default(omit) }}" + ownca_not_before: "{{ ownca_cert_config.cert.not_before | default(omit) }}" + ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}" + notify: reload services for x509 certificates + +- name: export paths to certificate files + set_fact: + x509_certificate_path_key: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" + x509_certificate_path_cert: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" + x509_certificate_path_chain: "" + x509_certificate_path_fullchain: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" |
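Review bot: `export paths to certificate files` sets `x509_certificate_path_chain: ""` and points `x509_certificate_path_fullchain` at the leaf-only `-crt.pem`, so a consumer that serves the fullchain never sends the issuing CA certificate even though it is at hand in `ownca_cert_config.ca.cert_content`; if the other providers treat `fullchain` as leaf plus issuers, this provider should write the CA certificate to a `-chain.pem` next to the other files and export it as the chain, otherwise a comment stating that ownca deliberately exports no chain would save the next reader from wondering. The key task uses the short name `openssl_privatekey` while the CSR and certificate tasks use fully-qualified `community.crypto.` names; write `community.crypto.openssl_privatekey:` for consistency. The `file` task notifies `reload services for x509 certificates` on a directory permission change alone, before any key or certificate exists, which is harmless but probably unintended.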