summaryrefslogtreecommitdiff
path: root/roles/x509/static-ca/cert
diff options
context:
space:
mode:
Diffstat (limited to 'roles/x509/static-ca/cert')
-rw-r--r--roles/x509/static-ca/cert/finalize/tasks/main.yml2
-rw-r--r--roles/x509/static-ca/cert/meta/main.yml4
-rw-r--r--roles/x509/static-ca/cert/prepare/defaults/main.yml56
-rw-r--r--roles/x509/static-ca/cert/prepare/handlers/main.yml16
-rw-r--r--roles/x509/static-ca/cert/prepare/tasks/main.yml105
-rw-r--r--roles/x509/static-ca/cert/prepare/templates/updated.sh.j215
6 files changed, 198 insertions, 0 deletions
diff --git a/roles/x509/static-ca/cert/finalize/tasks/main.yml b/roles/x509/static-ca/cert/finalize/tasks/main.yml
new file mode 100644
index 00000000..c5b6cafe
--- /dev/null
+++ b/roles/x509/static-ca/cert/finalize/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# nothing to do here
diff --git a/roles/x509/static-ca/cert/meta/main.yml b/roles/x509/static-ca/cert/meta/main.yml
new file mode 100644
index 00000000..bfaf1153
--- /dev/null
+++ b/roles/x509/static-ca/cert/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: x509/static-ca/cert/prepare
+ - role: x509/static-ca/cert/finalize
diff --git a/roles/x509/static-ca/cert/prepare/defaults/main.yml b/roles/x509/static-ca/cert/prepare/defaults/main.yml
new file mode 100644
index 00000000..5287cc93
--- /dev/null
+++ b/roles/x509/static-ca/cert/prepare/defaults/main.yml
@@ -0,0 +1,56 @@
+---
+static_ca_cert_hostnames: "{{ x509_certificate_hostnames }}"
+static_ca_cert_name: "{{ x509_certificate_name | default(static_ca_cert_hostnames[0]) }}"
+
+static_ca_cert_base_dir: "/etc/ssl"
+
+static_ca_cert_default_renew_margin: "+30d"
+static_ca_cert_config: "{{ x509_certificate_config }}"
+# static_ca_cert_config:
+# path: "{{ static_ca_cert_base_dir }}/{{ static_ca_cert_name }}"
+# mode: "0750"
+# owner: root
+# group: www-data
+# ca:
+# key_content: |
+# -----BEGIN RSA PRIVATE KEY-----
+# ...
+# -----END RSA PRIVATE KEY-----
+# cert_content: |
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# key:
+# mode: "0640"
+# owner: root
+# group: www-data
+# type: RSA
+# size: 4096
+# cert:
+# mode: "0644"
+# owner: root
+# group: www-data
+# common_name: foo
+# san_extra:
+# - "IP:192.0.2.1"
+# country_name: "AT"
+# locality_name: "Graz"
+# organization_name: "spreadspace"
+# organizational_unit_name: "ansible"
+# state_or_province_name: "Styria"
+# basic_constraints:
+# - "CA:TRUE"
+# - "pathLenConstraint:0"
+# basic_constraints_critical: no
+# key_usage:
+# - digitalSignature
+# - keyAgreement
+# key_usage_critical: yes
+# extended_key_usage:
+# - serverAuth
+# extended_key_usage_critical: yes
+# create_subject_key_identifier: yes
+# digest: SHA256
+# not_before: +0h
+# not_after: +520w
+# renew_margin: +42d
diff --git a/roles/x509/static-ca/cert/prepare/handlers/main.yml b/roles/x509/static-ca/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..589d6dde
--- /dev/null
+++ b/roles/x509/static-ca/cert/prepare/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+- name: reload services for x509 certificates
+ loop: "{{ x509_certificate_reload_services | default([]) }}"
+ loop_control:
+ loop_var: x509_certificate_reload_service
+ service:
+ name: "{{ x509_certificate_reload_service }}"
+ state: reloaded
+
+- name: restart services for x509 certificates
+ loop: "{{ x509_certificate_restart_services | default([]) }}"
+ loop_control:
+ loop_var: x509_certificate_restart_service
+ service:
+ name: "{{ x509_certificate_restart_service }}"
+ state: restarted
diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..538bb58d
--- /dev/null
+++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml
@@ -0,0 +1,105 @@
+---
+- name: compute path to static-ca certificate directory
+ set_fact:
+ static_ca_cert_path: "{{ static_ca_cert_config.path | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}"
+
+- name: create directory for static-ca certificate
+ file:
+ path: "{{ static_ca_cert_path }}"
+ state: directory
+ mode: "{{ static_ca_cert_config.mode | default('0700') }}"
+ owner: "{{ static_ca_cert_config.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.group | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+
+- name: generate key for static-ca certificate
+ openssl_privatekey:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ mode: "{{ static_ca_cert_config.key.mode | default('0600') }}"
+ owner: "{{ static_ca_cert_config.key.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.key.group | default(omit) }}"
+ type: "{{ static_ca_cert_config.key.type | default(omit) }}"
+ size: "{{ static_ca_cert_config.key.size | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_key_
+
+- name: generate csr for static-ca certificate
+ community.crypto.openssl_csr:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
+ digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}"
+ subject_alt_name: "{{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join') | union(static_ca_cert_config.cert.san_extra | default([])) | list }}"
+ subject_alt_name_critical: yes
+ use_common_name_for_san: no
+ country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}"
+ locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}"
+ organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}"
+ organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
+ state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}"
+ basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}"
+ basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
+ key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}"
+ key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}"
+ extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
+ extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+
+- name: check if static-ca certificate already exists
+ stat:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ register: _static_ca_cert_file_
+
+- name: check validity of existing static-ca certificate
+ when: _static_ca_cert_file_.stat.exists
+ openssl_certificate_info:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ valid_at:
+ renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
+ register: _static_ca_cert_info_
+
+- name: generate static-ca certificate
+ community.crypto.x509_certificate:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ provider: ownca
+ ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
+ ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
+ ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
+ ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
+ force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_cert_
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ x509_certificate_path_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ x509_certificate_path_chain: ""
+ x509_certificate_path_fullchain: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+
+- name: generate custom post-renewal script
+ when: x509_certificate_renewal is defined
+ template:
+ src: updated.sh.j2
+ dest: "{{ static_ca_cert_path }}/updated.sh"
+ mode: 0755
+
+- name: call custom post-renewal script
+ when:
+ - x509_certificate_renewal is defined
+ - (_static_ca_key_ is changed) or (_static_ca_cert_ is changed)
+ command: "{{ static_ca_cert_path }}/updated.sh"
diff --git a/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2 b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
new file mode 100644
index 00000000..f0757832
--- /dev/null
+++ b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+{% if 'install' in x509_certificate_renewal %}
+{% for file in x509_certificate_renewal.install %}
+
+install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'group' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
+{% for src in file.src %}
+cat "{{ lookup('vars', 'x509_certificate_path_' + src) }}" >> "{{ file.dest }}.new"
+{% endfor %}
+mv "{{ file.dest }}.new" "{{ file.dest }}"
+{% endfor %}
+{% endif %}
+{% if 'reload' in x509_certificate_renewal %}
+
+{{ x509_certificate_renewal.reload | trim }}
+{% endif %}
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-01 05:12:34 +0000