Diffstat (limited to 'elevate/ele-router.yml')
-rw-r--r-- | elevate/ele-router.yml | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/elevate/ele-router.yml b/elevate/ele-router.yml
new file mode 100644
index 00000000..e160b57a
--- /dev/null
+++ b/elevate/ele-router.yml
@@ -0,0 +1,105 @@
+---
+- name: generate TLS CA for openvpn
+ hosts: ele-router
+ connection: local
+ gather_facts: no
+ tasks:
+ - name: generate CA key and certificate
+ run_once: yes
+ block:
+ - name: generate CA keys
+ community.crypto.openssl_privatekey_pipe:
+ type: "Ed25519"
+ content: "{{ vault_ovpn_ca_key | default(omit) }}"
+ return_current_key: yes
+ register: ovpn_ca_key_result
+ no_log: true
+
+ - name: create signing request for CA certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
+ CN: "CA for ele-router vpn"
+ useCommonNameForSAN: no
+ key_usage:
+ - cRLSign
+ - keyCertSign
+ key_usage_critical: yes
+ basic_constraints:
+ - 'CA:TRUE'
+ - 'pathlen:0'
+ basic_constraints_critical: yes
+ register: ovpn_ca_csr_result
+ changed_when: false
+
+ - name: create self-signed CA certificate
+ community.crypto.x509_certificate_pipe:
+ content: "{{ vault_ovpn_ca_cert | default(omit) }}"
+ csr_content: "{{ ovpn_ca_csr_result.csr }}"
+ privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
+ provider: selfsigned
+ selfsigned_digest: sha256
+ selfsigned_not_after: "+18250d" ## 50 years
+ selfsigned_create_subject_key_identifier: always_create
+ register: ovpn_ca_cert_result
+
+
+ - name: generate key
+ community.crypto.openssl_privatekey_pipe:
+ type: "Ed25519"
+ content: "{{ vault_ovpn_keys[inventory_hostname] | default(omit) }}"
+ return_current_key: yes
+ register: ovpn_key_result
+ no_log: true
+
+ - name: create signing request for certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_content: "{{ ovpn_key_result.privatekey }}"
+ CN: "{{ inventory_hostname }}"
+ key_usage:
+ - digitalSignature
+ - keyEncipherment
+ key_usage_critical: yes
+ extended_key_usage:
+ - "{{ (inventory_hostname == 'ele-router-hmtsaal') | ternary('serverAuth', 'clientAuth') }}"
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+ register: ovpn_csr_result
+ changed_when: false
+
+ - name: create certificate
+ community.crypto.x509_certificate_pipe:
+ content: "{{ vault_ovpn_certs[inventory_hostname] | default(omit) }}"
+ csr_content: "{{ ovpn_csr_result.csr }}"
+ privatekey_content: "{{ ovpn_key_result.privatekey }}"
+ provider: ownca
+ ownca_content: "{{ ovpn_ca_cert_result.certificate }}"
+ ownca_privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
+ register: ovpn_cert_result
+
+
+ - run_once: yes
+ set_fact:
+ vault_content: |
+ ---
+ vault_ovpn_ca_key: |
+ {{ ovpn_ca_key_result.privatekey | indent(2) }}
+ vault_ovpn_ca_cert: |
+ {{ ovpn_ca_cert_result.certificate | indent(2) }}
+ vault_ovpn_keys:
+ {% for host in play_hosts %}
+ {{ host }}: |
+ {{ hostvars[host].ovpn_key_result.privatekey | indent(4) }}
+ {% endfor %}
+ vault_ovpn_certs:
+ {% for host in play_hosts %}
+ {{ host }}: |
+ {{ hostvars[host].ovpn_cert_result.certificate | indent(4) }}
+ {% endfor %}
+
+ - pause:
+ prompt: "Please put this into a vault file: \n\n{{ vault_content }}"
+ seconds: 1 |
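Review bot: The `pause` task at the end of the hunk prints the CA private key and every per-host private key unredacted to the console, and the `set_fact` that assembles `vault_content` carries no `no_log`, so the material the `openssl_privatekey_pipe` tasks deliberately protect with `no_log: true` still lands in job output, verbose logs and whatever ships them. Instead of prompting, write the rendered document to a controller-local file with mode `0600` under `no_log: true`, point the operator at it, and have them run `ansible-vault encrypt` on it and remove the plaintext; the tasks below replace the `pause`. Separately, `selfsigned_not_after`/`ownca_not_after: "+18250d"` gives the leaf certificates the same 50-year lifetime as the CA with no revocation mechanism visible here, so a lost client key stays trusted until the CA is rotated — consider a much shorter leaf validity and/or publishing a CRL (the CA key usage already includes `cRLSign`).
```yaml
    # … unchanged: set_fact building vault_content — add `no_log: true` to that task …

    - name: write vault material to a private controller-local file
      run_once: yes
      no_log: true
      ansible.builtin.copy:
        content: "{{ vault_content }}"
        dest: "{{ playbook_dir }}/ele-router-ovpn-vault.yml"
        mode: "0600"

    - name: tell the operator where the plaintext landed
      run_once: yes
      ansible.builtin.debug:
        msg: "Secrets written to {{ playbook_dir }}/ele-router-ovpn-vault.yml - run 'ansible-vault encrypt' on it, then delete the plaintext."
```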