summaryrefslogtreecommitdiff
path: root/roles/x509/ownca
diff options
context:
space:
mode:
Diffstat (limited to 'roles/x509/ownca')
-rw-r--r--roles/x509/ownca/base/tasks/main.yml5
-rw-r--r--roles/x509/ownca/cert/finalize/tasks/main.yml2
-rw-r--r--roles/x509/ownca/cert/meta/main.yml4
-rw-r--r--roles/x509/ownca/cert/prepare/defaults/main.yml56
-rw-r--r--roles/x509/ownca/cert/prepare/handlers/main.yml16
-rw-r--r--roles/x509/ownca/cert/prepare/tasks/main.yml105
-rw-r--r--roles/x509/ownca/cert/prepare/templates/updated.sh.j215
-rwxr-xr-xroles/x509/ownca/contrib/gen-ca.py72
8 files changed, 0 insertions, 275 deletions
diff --git a/roles/x509/ownca/base/tasks/main.yml b/roles/x509/ownca/base/tasks/main.yml
deleted file mode 100644
index e91eda4a..00000000
--- a/roles/x509/ownca/base/tasks/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: install needed packages
- apt:
- name: "{{ python_basename }}-cryptography"
- state: present
diff --git a/roles/x509/ownca/cert/finalize/tasks/main.yml b/roles/x509/ownca/cert/finalize/tasks/main.yml
deleted file mode 100644
index c5b6cafe..00000000
--- a/roles/x509/ownca/cert/finalize/tasks/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# nothing to do here
diff --git a/roles/x509/ownca/cert/meta/main.yml b/roles/x509/ownca/cert/meta/main.yml
deleted file mode 100644
index 602ee3f8..00000000
--- a/roles/x509/ownca/cert/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
- - role: x509/ownca/cert/prepare
- - role: x509/ownca/cert/finalize
diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/ownca/cert/prepare/defaults/main.yml
deleted file mode 100644
index 30241273..00000000
--- a/roles/x509/ownca/cert/prepare/defaults/main.yml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-ownca_cert_hostnames: "{{ x509_certificate_hostnames }}"
-ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }}"
-
-ownca_cert_base_dir: "/etc/ssl"
-
-ownca_cert_default_renew_margin: "+30d"
-ownca_cert_config: "{{ x509_certificate_config }}"
-# ownca_cert_config:
-# path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}"
-# mode: "0750"
-# owner: root
-# group: www-data
-# ca:
-# key_content: |
-# -----BEGIN RSA PRIVATE KEY-----
-# ...
-# -----END RSA PRIVATE KEY-----
-# cert_content: |
-# -----BEGIN CERTIFICATE-----
-# ...
-# -----END CERTIFICATE-----
-# key:
-# mode: "0640"
-# owner: root
-# group: www-data
-# type: RSA
-# size: 4096
-# cert:
-# mode: "0644"
-# owner: root
-# group: www-data
-# common_name: foo
-# san_extra:
-# - "IP:192.0.2.1"
-# country_name: "AT"
-# locality_name: "Graz"
-# organization_name: "spreadspace"
-# organizational_unit_name: "ansible"
-# state_or_province_name: "Styria"
-# basic_constraints:
-# - "CA:TRUE"
-# - "pathLenConstraint:0"
-# basic_constraints_critical: no
-# key_usage:
-# - digitalSignature
-# - keyAgreement
-# key_usage_critical: yes
-# extended_key_usage:
-# - serverAuth
-# extended_key_usage_critical: yes
-# create_subject_key_identifier: yes
-# digest: SHA256
-# not_before: +0h
-# not_after: +520w
-# renew_margin: +42d
diff --git a/roles/x509/ownca/cert/prepare/handlers/main.yml b/roles/x509/ownca/cert/prepare/handlers/main.yml
deleted file mode 100644
index 589d6dde..00000000
--- a/roles/x509/ownca/cert/prepare/handlers/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- name: reload services for x509 certificates
- loop: "{{ x509_certificate_reload_services | default([]) }}"
- loop_control:
- loop_var: x509_certificate_reload_service
- service:
- name: "{{ x509_certificate_reload_service }}"
- state: reloaded
-
-- name: restart services for x509 certificates
- loop: "{{ x509_certificate_restart_services | default([]) }}"
- loop_control:
- loop_var: x509_certificate_restart_service
- service:
- name: "{{ x509_certificate_restart_service }}"
- state: restarted
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
deleted file mode 100644
index 00d19c59..00000000
--- a/roles/x509/ownca/cert/prepare/tasks/main.yml
+++ /dev/null
@@ -1,105 +0,0 @@
----
-- name: compute path to ownca certificate directory
- set_fact:
- ownca_cert_path: "{{ ownca_cert_config.path | default([ownca_cert_base_dir, ownca_cert_name] | path_join) }}"
-
-- name: create directory for ownca certificate
- file:
- path: "{{ ownca_cert_path }}"
- state: directory
- mode: "{{ ownca_cert_config.mode | default('0700') }}"
- owner: "{{ ownca_cert_config.owner | default(omit) }}"
- group: "{{ ownca_cert_config.group | default(omit) }}"
- notify:
- - reload services for x509 certificates
- - restart services for x509 certificates
-
-- name: generate key for ownca certificate
- openssl_privatekey:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
- mode: "{{ ownca_cert_config.key.mode | default('0600') }}"
- owner: "{{ ownca_cert_config.key.owner | default(omit) }}"
- group: "{{ ownca_cert_config.key.group | default(omit) }}"
- type: "{{ ownca_cert_config.key.type | default(omit) }}"
- size: "{{ ownca_cert_config.key.size | default(omit) }}"
- notify:
- - reload services for x509 certificates
- - restart services for x509 certificates
- register: _ownca_key_
-
-- name: generate csr for ownca certificate
- community.crypto.openssl_csr:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem"
- mode: "{{ ownca_cert_config.cert.mode | default('0644') }}"
- owner: "{{ ownca_cert_config.cert.owner | default(omit) }}"
- group: "{{ ownca_cert_config.cert.group | default(omit) }}"
- privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
- create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
- digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
- common_name: "{{ ownca_cert_config.cert.common_name | default(ownca_cert_name) }}"
- subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | union(ownca_cert_config.cert.san_extra | default([])) | list }}"
- subject_alt_name_critical: yes
- use_common_name_for_san: no
- country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}"
- locality_name: "{{ ownca_cert_config.cert.locality_name | default(omit) }}"
- organization_name: "{{ ownca_cert_config.cert.organization_name | default(omit) }}"
- organizational_unit_name: "{{ ownca_cert_config.cert.organizational_unit_name | default(omit) }}"
- state_or_province_name: "{{ ownca_cert_config.cert.state_or_province_name | default(omit) }}"
- basic_constraints: "{{ ownca_cert_config.cert.basic_constraints | default(omit) }}"
- basic_constraints_critical: "{{ ownca_cert_config.cert.basic_constraints_critical | default(omit) }}"
- key_usage: "{{ ownca_cert_config.cert.key_usage | default(omit) }}"
- key_usage_critical: "{{ ownca_cert_config.cert.key_usage_critical | default(omit) }}"
- extended_key_usage: "{{ ownca_cert_config.cert.extended_key_usage | default(omit) }}"
- extended_key_usage_critical: "{{ ownca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
-
-- name: check if ownca certificate already exists
- stat:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- register: _ownca_cert_file_
-
-- name: check validity of existing ownca certificate
- when: _ownca_cert_file_.stat.exists
- openssl_certificate_info:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- valid_at:
- renew_margin: "{{ ownca_cert_config.cert.renew_margin | default(ownca_cert_default_renew_margin) }}"
- register: _ownca_cert_info_
-
-- name: generate ownca certificate
- community.crypto.x509_certificate:
- path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- mode: "{{ ownca_cert_config.cert.mode | default('0644') }}"
- owner: "{{ ownca_cert_config.cert.owner | default(omit) }}"
- group: "{{ ownca_cert_config.cert.group | default(omit) }}"
- csr_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem"
- provider: ownca
- ownca_content: "{{ ownca_cert_config.ca.cert_content }}"
- ownca_privatekey_content: "{{ ownca_cert_config.ca.key_content }}"
- ownca_digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
- ownca_not_before: "{{ ownca_cert_config.cert.not_before | default(omit) }}"
- ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}"
- force: "{{ _ownca_cert_file_.stat.exists and (not _ownca_cert_info_.valid_at.renew_margin) }}"
- notify:
- - reload services for x509 certificates
- - restart services for x509 certificates
- register: _ownca_cert_
-
-- name: export paths to certificate files
- set_fact:
- x509_certificate_path_key: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
- x509_certificate_path_cert: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
- x509_certificate_path_chain: ""
- x509_certificate_path_fullchain: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
-
-- name: generate custom post-renewal script
- when: x509_certificate_renewal is defined
- template:
- src: updated.sh.j2
- dest: "{{ ownca_cert_path }}/updated.sh"
- mode: 0755
-
-- name: call custom post-renewal script
- when:
- - x509_certificate_renewal is defined
- - (_ownca_key_ is changed) or (_ownca_cert_ is changed)
- command: "{{ ownca_cert_path }}/updated.sh"
diff --git a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2 b/roles/x509/ownca/cert/prepare/templates/updated.sh.j2
deleted file mode 100644
index f0757832..00000000
--- a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-{% if 'install' in x509_certificate_renewal %}
-{% for file in x509_certificate_renewal.install %}
-
-install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'group' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
-{% for src in file.src %}
-cat "{{ lookup('vars', 'x509_certificate_path_' + src) }}" >> "{{ file.dest }}.new"
-{% endfor %}
-mv "{{ file.dest }}.new" "{{ file.dest }}"
-{% endfor %}
-{% endif %}
-{% if 'reload' in x509_certificate_renewal %}
-
-{{ x509_certificate_renewal.reload | trim }}
-{% endif %}
diff --git a/roles/x509/ownca/contrib/gen-ca.py b/roles/x509/ownca/contrib/gen-ca.py
deleted file mode 100755
index 8f99da6c..00000000
--- a/roles/x509/ownca/contrib/gen-ca.py
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/env python3
-
-from cryptography import x509
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.x509.oid import NameOID
-import datetime
-import argparse
-
-parser = argparse.ArgumentParser("spreadspace ansible CA-generator")
-parser.add_argument("-n", "--variable-name", dest='varname', help="ansible variable name to be used", type=str, required=True)
-parser.add_argument("-CN", "--common-name", dest='CN', help="Common Name field of the CA's subject", type=str, required=True)
-parser.add_argument("-O", "--organization-name", dest='O', help="Organization Name field of the CA's subject", type=str)
-parser.add_argument("-OU", "--organizational-unit", dest='OU', help="Organizational Unit field of the CA's subject", type=str)
-parser.add_argument("-C", "--country-name", dest='C', help="Country Name field of the CA's subject", type=str)
-parser.add_argument("-ST", "--state-or-provice", dest='ST', help="State-or-Province field of the CA's subject", type=str)
-parser.add_argument("-L", "--locality", dest='L', help="Locality Name field of the CA's subject", type=str)
-args = parser.parse_args()
-
-subject_fields = []
-if args.CN:
- subject_fields.append(x509.NameAttribute(NameOID.COMMON_NAME, args.CN))
-if args.O:
- subject_fields.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, args.O))
-if args.OU:
- subject_fields.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, args.OU))
-if args.C:
- subject_fields.append(x509.NameAttribute(NameOID.COUNTRY_NAME, args.C))
-if args.ST:
- subject_fields.append(x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, args.ST))
-if args.L:
- subject_fields.append(x509.NameAttribute(NameOID.LOCALITY_NAME, args.L))
-
-subject = issuer = x509.Name(subject_fields)
-private_key = rsa.generate_private_key(
- public_exponent=65537,
- key_size=4096,
-)
-public_key = private_key.public_key()
-
-builder = x509.CertificateBuilder()
-builder = builder.subject_name(subject)
-builder = builder.issuer_name(issuer)
-builder = builder.not_valid_before(datetime.datetime.today() - datetime.timedelta(days=1))
-builder = builder.not_valid_after(datetime.datetime.today() + datetime.timedelta(weeks=2080)) # about 20years
-builder = builder.serial_number(x509.random_serial_number())
-builder = builder.public_key(public_key)
-builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=1), critical=True)
-certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256())
-
-
-private_key_pem = private_key.private_bytes(encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption())
-certificate_pem = certificate.public_bytes(serialization.Encoding.PEM)
-
-
-print("## Add this to vault file")
-print("")
-print("vault_%s_key: |" % (args.varname))
-for line in private_key_pem.splitlines():
- print(" {}".format(line.decode('utf-8')))
-
-print("")
-print("")
-print("")
-print("")
-print("## Add this to vars file")
-print("")
-print("%s_key: \"{{ vault_%s_key }}\"" % (args.varname, args.varname))
-print("%s_cert: |" % (args.varname))
-for line in certificate_pem.splitlines():
- print(" {}".format(line.decode('utf-8')))
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-01 05:18:37 +0000