Diffstat (limited to 'roles')
-rw-r--r-- | roles/x509/ownca/cert/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/x509/ownca/cert/prepare/tasks/main.yml | 105 | ||||
-rw-r--r-- | roles/x509/static-ca/base/tasks/main.yml (renamed from roles/x509/ownca/base/tasks/main.yml) | 0 | ||||
-rw-r--r-- | roles/x509/static-ca/cert/finalize/tasks/main.yml (renamed from roles/x509/ownca/cert/finalize/tasks/main.yml) | 0 | ||||
-rw-r--r-- | roles/x509/static-ca/cert/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/x509/static-ca/cert/prepare/defaults/main.yml (renamed from roles/x509/ownca/cert/prepare/defaults/main.yml) | 14 | ||||
-rw-r--r-- | roles/x509/static-ca/cert/prepare/handlers/main.yml (renamed from roles/x509/ownca/cert/prepare/handlers/main.yml) | 0 | ||||
-rw-r--r-- | roles/x509/static-ca/cert/prepare/tasks/main.yml | 105 | ||||
-rw-r--r-- | roles/x509/static-ca/cert/prepare/templates/updated.sh.j2 (renamed from roles/x509/ownca/cert/prepare/templates/updated.sh.j2) | 0 | ||||
-rwxr-xr-x | roles/x509/static-ca/contrib/gen-ca.py (renamed from roles/x509/ownca/contrib/gen-ca.py) | 0 |
10 files changed, 116 insertions, 116 deletions
diff --git a/roles/x509/ownca/cert/meta/main.yml b/roles/x509/ownca/cert/meta/main.yml
deleted file mode 100644
index 602ee3f8..00000000
--- a/roles/x509/ownca/cert/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
- - role: x509/ownca/cert/prepare
- - role: x509/ownca/cert/finalize
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
deleted file mode 100644
index 00d19c59..00000000
--- a/roles/x509/ownca/cert/prepare/tasks/main.yml
+++ /dev/null
@@ -1,105 +0,0 @@ ---- -- name: compute path to ownca certificate directory - set_fact: - ownca_cert_path: "{{ ownca_cert_config.path | default([ownca_cert_base_dir, ownca_cert_name] | path_join) }}" - -- name: create directory for ownca certificate - file: - path: "{{ ownca_cert_path }}" - state: directory - mode: "{{ ownca_cert_config.mode | default('0700') }}" - owner: "{{ ownca_cert_config.owner | default(omit) }}" - group: "{{ ownca_cert_config.group | default(omit) }}" - notify: - - reload services for x509 certificates - - restart services for x509 certificates - -- name: generate key for ownca certificate - openssl_privatekey: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" - mode: "{{ ownca_cert_config.key.mode | default('0600') }}" - owner: "{{ ownca_cert_config.key.owner | default(omit) }}" - group: "{{ ownca_cert_config.key.group | default(omit) }}" - type: "{{ ownca_cert_config.key.type | default(omit) }}" - size: "{{ ownca_cert_config.key.size | default(omit) }}" - notify: - - reload services for x509 certificates - - restart services for x509 certificates - register: _ownca_key_ - -- name: generate csr for ownca certificate - community.crypto.openssl_csr: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem" - mode: "{{ ownca_cert_config.cert.mode | default('0644') }}" - owner: "{{ ownca_cert_config.cert.owner | default(omit) }}" - group: "{{ ownca_cert_config.cert.group | default(omit) }}" - privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" - create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}" - digest: "{{ ownca_cert_config.cert.digest | default(omit) }}" - common_name: "{{ ownca_cert_config.cert.common_name | default(ownca_cert_name) }}" - subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | union(ownca_cert_config.cert.san_extra | default([])) | list }}" - subject_alt_name_critical: yes - use_common_name_for_san: no - 
country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}" - locality_name: "{{ ownca_cert_config.cert.locality_name | default(omit) }}" - organization_name: "{{ ownca_cert_config.cert.organization_name | default(omit) }}" - organizational_unit_name: "{{ ownca_cert_config.cert.organizational_unit_name | default(omit) }}" - state_or_province_name: "{{ ownca_cert_config.cert.state_or_province_name | default(omit) }}" - basic_constraints: "{{ ownca_cert_config.cert.basic_constraints | default(omit) }}" - basic_constraints_critical: "{{ ownca_cert_config.cert.basic_constraints_critical | default(omit) }}" - key_usage: "{{ ownca_cert_config.cert.key_usage | default(omit) }}" - key_usage_critical: "{{ ownca_cert_config.cert.key_usage_critical | default(omit) }}" - extended_key_usage: "{{ ownca_cert_config.cert.extended_key_usage | default(omit) }}" - extended_key_usage_critical: "{{ ownca_cert_config.cert.extended_key_usage_critical | default(omit) }}" - -- name: check if ownca certificate already exists - stat: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - register: _ownca_cert_file_ - -- name: check validity of existing ownca certificate - when: _ownca_cert_file_.stat.exists - openssl_certificate_info: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - valid_at: - renew_margin: "{{ ownca_cert_config.cert.renew_margin | default(ownca_cert_default_renew_margin) }}" - register: _ownca_cert_info_ - -- name: generate ownca certificate - community.crypto.x509_certificate: - path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - mode: "{{ ownca_cert_config.cert.mode | default('0644') }}" - owner: "{{ ownca_cert_config.cert.owner | default(omit) }}" - group: "{{ ownca_cert_config.cert.group | default(omit) }}" - csr_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem" - provider: ownca - ownca_content: "{{ ownca_cert_config.ca.cert_content }}" - ownca_privatekey_content: "{{ ownca_cert_config.ca.key_content }}" - 
ownca_digest: "{{ ownca_cert_config.cert.digest | default(omit) }}" - ownca_not_before: "{{ ownca_cert_config.cert.not_before | default(omit) }}" - ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}" - force: "{{ _ownca_cert_file_.stat.exists and (not _ownca_cert_info_.valid_at.renew_margin) }}" - notify: - - reload services for x509 certificates - - restart services for x509 certificates - register: _ownca_cert_ - -- name: export paths to certificate files - set_fact: - x509_certificate_path_key: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" - x509_certificate_path_cert: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - x509_certificate_path_chain: "" - x509_certificate_path_fullchain: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem" - -- name: generate custom post-renewal script - when: x509_certificate_renewal is defined - template: - src: updated.sh.j2 - dest: "{{ ownca_cert_path }}/updated.sh" - mode: 0755 - -- name: call custom post-renewal script - when: - - x509_certificate_renewal is defined - - (_ownca_key_ is changed) or (_ownca_cert_ is changed) - command: "{{ ownca_cert_path }}/updated.sh" diff --git a/roles/x509/ownca/base/tasks/main.yml b/roles/x509/static-ca/base/tasks/main.yml index e91eda4a..e91eda4a 100644 --- a/roles/x509/ownca/base/tasks/main.yml +++ b/roles/x509/static-ca/base/tasks/main.yml diff --git a/roles/x509/ownca/cert/finalize/tasks/main.yml b/roles/x509/static-ca/cert/finalize/tasks/main.yml index c5b6cafe..c5b6cafe 100644 --- a/roles/x509/ownca/cert/finalize/tasks/main.yml +++ b/roles/x509/static-ca/cert/finalize/tasks/main.yml diff --git a/roles/x509/static-ca/cert/meta/main.yml b/roles/x509/static-ca/cert/meta/main.yml new file mode 100644 index 00000000..bfaf1153 --- /dev/null +++ b/roles/x509/static-ca/cert/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: x509/static-ca/cert/prepare + - role: x509/static-ca/cert/finalize 
diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/static-ca/cert/prepare/defaults/main.yml index 30241273..5287cc93 100644 --- a/roles/x509/ownca/cert/prepare/defaults/main.yml +++ b/roles/x509/static-ca/cert/prepare/defaults/main.yml @@ -1,13 +1,13 @@ --- -ownca_cert_hostnames: "{{ x509_certificate_hostnames }}" -ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }}" +static_ca_cert_hostnames: "{{ x509_certificate_hostnames }}" +static_ca_cert_name: "{{ x509_certificate_name | default(static_ca_cert_hostnames[0]) }}" -ownca_cert_base_dir: "/etc/ssl" +static_ca_cert_base_dir: "/etc/ssl" -ownca_cert_default_renew_margin: "+30d" -ownca_cert_config: "{{ x509_certificate_config }}" -# ownca_cert_config: -# path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}" +static_ca_cert_default_renew_margin: "+30d" +static_ca_cert_config: "{{ x509_certificate_config }}" +# static_ca_cert_config: +# path: "{{ static_ca_cert_base_dir }}/{{ static_ca_cert_name }}" # mode: "0750" # owner: root # group: www-data diff --git a/roles/x509/ownca/cert/prepare/handlers/main.yml b/roles/x509/static-ca/cert/prepare/handlers/main.yml index 589d6dde..589d6dde 100644 --- a/roles/x509/ownca/cert/prepare/handlers/main.yml +++ b/roles/x509/static-ca/cert/prepare/handlers/main.yml diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml new file mode 100644 index 00000000..538bb58d --- /dev/null +++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml 
@@ -0,0 +1,105 @@
+---
+- name: compute path to static-ca certificate directory
+ set_fact:
+ static_ca_cert_path: "{{ static_ca_cert_config.path | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}"
+
+- name: create directory for static-ca certificate
+ file:
+ path: "{{ static_ca_cert_path }}"
+ state: directory
+ mode: "{{ static_ca_cert_config.mode | default('0700') }}"
+ owner: "{{ static_ca_cert_config.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.group | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+
+- name: generate key for static-ca certificate
+ openssl_privatekey:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ mode: "{{ static_ca_cert_config.key.mode | default('0600') }}"
+ owner: "{{ static_ca_cert_config.key.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.key.group | default(omit) }}"
+ type: "{{ static_ca_cert_config.key.type | default(omit) }}"
+ size: "{{ static_ca_cert_config.key.size | default(omit) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_key_
+
+- name: generate csr for static-ca certificate
+ community.crypto.openssl_csr:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
+ digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}"
+ subject_alt_name: "{{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join') | union(static_ca_cert_config.cert.san_extra | default([])) | list }}"
+ subject_alt_name_critical: yes
+ use_common_name_for_san: no
+ country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}"
+ locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}"
+ organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}"
+ organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}"
+ state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}"
+ basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}"
+ basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}"
+ key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}"
+ key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}"
+ extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
+ extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+
+- name: check if static-ca certificate already exists
+ stat:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ register: _static_ca_cert_file_
+
+- name: check validity of existing static-ca certificate
+ when: _static_ca_cert_file_.stat.exists
+ openssl_certificate_info:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ valid_at:
+ renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
+ register: _static_ca_cert_info_
+
+- name: generate static-ca certificate
+ community.crypto.x509_certificate:
+ path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ provider: ownca
+ ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
+ ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
+ ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}"
+ ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
+ ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
+ force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
+ notify:
+ - reload services for x509 certificates
+ - restart services for x509 certificates
+ register: _static_ca_cert_
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem"
+ x509_certificate_path_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ x509_certificate_path_chain: ""
+ x509_certificate_path_fullchain: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+
+- name: generate custom post-renewal script
+ when: x509_certificate_renewal is defined
+ template:
+ src: updated.sh.j2
+ dest: "{{ static_ca_cert_path }}/updated.sh"
+ mode: 0755
+
+- name: call custom post-renewal script
+ when:
+ - x509_certificate_renewal is defined
+ - (_static_ca_key_ is changed) or (_static_ca_cert_ is changed)
+ command: "{{ static_ca_cert_path }}/updated.sh"
diff --git a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2 b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
index f0757832..f0757832 100644
--- a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2
+++ b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2
diff --git a/roles/x509/ownca/contrib/gen-ca.py b/roles/x509/static-ca/contrib/gen-ca.py
index 8f99da6c..8f99da6c 100755
--- a/roles/x509/ownca/contrib/gen-ca.py
+++ b/roles/x509/static-ca/contrib/gen-ca.py |
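Review bot: Module names in the new tasks file mix short and fully qualified forms — `openssl_privatekey` and `openssl_certificate_info` sit next to `community.crypto.openssl_csr` and `community.crypto.x509_certificate` — and `openssl_certificate_info` is the deprecated alias of `community.crypto.x509_certificate_info`, so use the FQCN for all four rather than relying on collection search order. `subject_alt_name_critical: yes` / `use_common_name_for_san: no` depend on YAML 1.1 truthy parsing, and the template task's `mode: 0755` is an unquoted octal while every other mode in the file is a quoted string; write `true`/`false` and `mode: "0755"`. The `generate static-ca certificate` task hands the CA private key to the module as an argument (`ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"`), which means the key is transferred to and handled on every host that runs this role; a header comment such as `# NOTE: the CA private key in static_ca_cert_config.ca.key_content is sent to each managed host for signing` would make that trust decision visible to whoever supplies the config. Adding `no_log: true` to that task is a cheap extra guard in case the key ever reaches a registered result or a callback plugin that records task arguments.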