summaryrefslogtreecommitdiff
path: root/roles/x509/static-ca/cert/prepare/tasks/main.yml
diff options
context:
space:
mode:
Diffstat (limited to 'roles/x509/static-ca/cert/prepare/tasks/main.yml')
-rw-r--r--roles/x509/static-ca/cert/prepare/tasks/main.yml105
1 files changed, 105 insertions, 0 deletions
diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..538bb58d
--- /dev/null
+++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml
@@ -0,0 +1,105 @@
+---
+- name: compute path to static-ca certificate directory
+ set_fact:
+ static_ca_cert_path: "{{ static_ca_cert_config.path | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}"
+
+- name: create directory for static-ca certificate
+ file:
+ path: "{{ static_ca_cert_path }}"
+ state: directory
+ mode: "{{ static_ca_cert_config.mode | default('0700') }}"
+ owner: "{{ static_ca_cert_config.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.group | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+
+- name: generate key for static-ca certificate
+ openssl_privatekey:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ mode: "{{ static_ca_cert_config.key.mode | default('0600') }}"
+ owner: "{{ static_ca_cert_config.key.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.key.group | default(omit) }}"
+ type: "{{ static_ca_cert_config.key.type | default(omit) }}"
+ size: "{{ static_ca_cert_config.key.size | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_key_
+
+- name: generate csr for static-ca certificate
+ community.crypto.openssl_csr:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
+ digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}"
+ subject_alt_name: "{{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join') | union(static_ca_cert_config.cert.san_extra | default([])) | list }}"
+ subject_alt_name_critical: yes
+ use_common_name_for_san: no
+ country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}"
+ locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}"
+ organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}"
+ organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
+ state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}"
+ basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}"
+ basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
+ key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}"
+ key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}"
+ extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
+ extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+
+- name: check if static-ca certificate already exists
+ stat:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ register: _static_ca_cert_file_
+
+- name: check validity of existing static-ca certificate
+ when: _static_ca_cert_file_.stat.exists
+ openssl_certificate_info:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ valid_at:
+ renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
+ register: _static_ca_cert_info_
+
+- name: generate static-ca certificate
+ community.crypto.x509_certificate:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ provider: ownca
+ ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
+ ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
+ ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
+ ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
+ force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_cert_
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ x509_certificate_path_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ x509_certificate_path_chain: ""
+ x509_certificate_path_fullchain: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+
+- name: generate custom post-renewal script
+ when: x509_certificate_renewal is defined
+ template:
+ src: updated.sh.j2
+ dest: "{{ static_ca_cert_path }}/updated.sh"
+ mode: 0755
+
+- name: call custom post-renewal script
+ when:
+ - x509_certificate_renewal is defined
+ - (_static_ca_key_ is changed) or (_static_ca_cert_ is changed)
+ command: "{{ static_ca_cert_path }}/updated.sh"
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 02:36:58 +0000