Diffstat (limited to 'elevate/ele-router.yml')
-rw-r--r--elevate/ele-router.yml105
1 files changed, 105 insertions, 0 deletions
diff --git a/elevate/ele-router.yml b/elevate/ele-router.yml
new file mode 100644
index 00000000..e160b57a
--- /dev/null
+++ b/elevate/ele-router.yml
@@ -0,0 +1,105 @@
+---
+- name: generate TLS CA for openvpn
+ hosts: ele-router
+ connection: local
+ gather_facts: no
+ tasks:
+ - name: generate CA key and certificate
+ run_once: yes
+ block:
+ - name: generate CA keys
+ community.crypto.openssl_privatekey_pipe:
+ type: "Ed25519"
+ content: "{{ vault_ovpn_ca_key | default(omit) }}"
+ return_current_key: yes
+ register: ovpn_ca_key_result
+ no_log: true
+
+ - name: create signing request for CA certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
+ CN: "CA for ele-router vpn"
+ useCommonNameForSAN: no
+ key_usage:
+ - cRLSign
+ - keyCertSign
+ key_usage_critical: yes
+ basic_constraints:
+ - 'CA:TRUE'
+ - 'pathlen:0'
+ basic_constraints_critical: yes
+ register: ovpn_ca_csr_result
+ changed_when: false
+
+ - name: create self-signed CA certificate
+ community.crypto.x509_certificate_pipe:
+ content: "{{ vault_ovpn_ca_cert | default(omit) }}"
+ csr_content: "{{ ovpn_ca_csr_result.csr }}"
+ privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
+ provider: selfsigned
+ selfsigned_digest: sha256
+ selfsigned_not_after: "+18250d" ## 50 years
+ selfsigned_create_subject_key_identifier: always_create
+ register: ovpn_ca_cert_result
+
+
+ - name: generate key
+ community.crypto.openssl_privatekey_pipe:
+ type: "Ed25519"
+ content: "{{ vault_ovpn_keys[inventory_hostname] | default(omit) }}"
+ return_current_key: yes
+ register: ovpn_key_result
+ no_log: true
+
+ - name: create signing request for certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_content: "{{ ovpn_key_result.privatekey }}"
+ CN: "{{ inventory_hostname }}"
+ key_usage:
+ - digitalSignature
+ - keyEncipherment
+ key_usage_critical: yes
+ extended_key_usage:
+ - "{{ (inventory_hostname == 'ele-router-hmtsaal') | ternary('serverAuth', 'clientAuth') }}"
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+ register: ovpn_csr_result
+ changed_when: false
+
+ - name: create certificate
+ community.crypto.x509_certificate_pipe:
+ content: "{{ vault_ovpn_certs[inventory_hostname] | default(omit) }}"
+ csr_content: "{{ ovpn_csr_result.csr }}"
+ privatekey_content: "{{ ovpn_key_result.privatekey }}"
+ provider: ownca
+ ownca_content: "{{ ovpn_ca_cert_result.certificate }}"
+ ownca_privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
+ register: ovpn_cert_result
+
+
+ - run_once: yes
+ set_fact:
+ vault_content: |
+ ---
+ vault_ovpn_ca_key: |
+ {{ ovpn_ca_key_result.privatekey | indent(2) }}
+ vault_ovpn_ca_cert: |
+ {{ ovpn_ca_cert_result.certificate | indent(2) }}
+ vault_ovpn_keys:
+ {% for host in play_hosts %}
+ {{ host }}: |
+ {{ hostvars[host].ovpn_key_result.privatekey | indent(4) }}
+ {% endfor %}
+ vault_ovpn_certs:
+ {% for host in play_hosts %}
+ {{ host }}: |
+ {{ hostvars[host].ovpn_cert_result.certificate | indent(4) }}
+ {% endfor %}
+
+ - pause:
+ prompt: "Please put this into a vault file: \n\n{{ vault_content }}"
+ seconds: 1
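Review bot: The `set_fact` task that assembles `vault_content` (the `run_once` task near the end of the hunk) carries no `no_log: true`, although it gathers the CA private key and every host's private key that the two key-generation tasks deliberately hide with `no_log: true`; the registered fact would therefore appear in verbose output and in any configured log path or callback plugin. Add `no_log: true` next to `run_once: yes` on that task. The following `pause` prints the same material on purpose so it can be copied into a vault file, which presumably means a configured log destination captures it as well; a comment such as `# prints private key material to the console on purpose; do not run with a log path configured` would make that explicit. As a point of style, the file mixes `yes`/`no` with `true`/`false` for booleans (`gather_facts: no`, `run_once: yes` versus `no_log: true`, `changed_when: false`); Ansible convention is `true`/`false` throughout.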