From 7d3f6ae25ce4a5d6e14b3ec6d95cd54165e0a646 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 16 Aug 2023 03:33:05 +0200
Subject: add role: x509/selfsigned

---
 dan/sk-testvm.yml | 35 ++++++++++-
 roles/x509/acmetool/cert/prepare/tasks/main.yml | 2 +-
 roles/x509/selfsigned/base/tasks/main.yml | 5 ++
 roles/x509/selfsigned/cert/finalize/tasks/main.yml | 2 +
 roles/x509/selfsigned/cert/meta/main.yml | 4 ++
 .../x509/selfsigned/cert/prepare/defaults/main.yml | 41 +++++++++++++
 roles/x509/selfsigned/cert/prepare/tasks/main.yml | 69 ++++++++++++++++++++++
 7 files changed, 154 insertions(+), 4 deletions(-)
 create mode 100644 roles/x509/selfsigned/base/tasks/main.yml
 create mode 100644 roles/x509/selfsigned/cert/finalize/tasks/main.yml
 create mode 100644 roles/x509/selfsigned/cert/meta/main.yml
 create mode 100644 roles/x509/selfsigned/cert/prepare/defaults/main.yml
 create mode 100644 roles/x509/selfsigned/cert/prepare/tasks/main.yml

diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
index c66601cb..de8e66ba 100644
--- a/dan/sk-testvm.yml
+++ b/dan/sk-testvm.yml
@@ -11,7 +11,9 @@
 - name: Payload Setup
 hosts: sk-testvm
 vars:
- cert_provider: static
+ # cert_provider: acmetool
+ # cert_provider: static
+ cert_provider: selfsigned
 roles:
 - role: "x509/{{ cert_provider }}/base"
 - role: nginx/base
@@ -54,7 +56,21 @@
 '/':
 root: /var/www/default
 index: index.html
- static_cert_config: "{{ static_cert_config__default }}"
+ # static_cert_config: "{{ static_cert_config__default }}"
+ selfsigned_cert_config:
+ cert:
+ organization_name: "elev8"
+ organizational_unit_name: "ansible"
+ key_usage:
+ - digitalSignature
+ - keyAgreement
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +1000w
+
 include_role:
 name: nginx/vhost
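Review bot: `key_usage_critical: yes`, `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` in the new `selfsigned_cert_config` block use YAML 1.1 truthy spellings; Ansible accepts them, but YAML 1.2 parsers and yamllint's `truthy` rule do not, so write `true` here, in the matching block of the next hunk, and for the `yes`/`no` values in the new role's defaults and tasks. `not_after: +1000w` gives this self-signed server certificate roughly 19 years of validity; self-signed certificates are not subject to the lifetime caps browsers enforce for publicly trusted ones, but a compromised key then remains usable for that whole period, so unless this is deliberate for the test VM the `+100w` used for the second vhost is the safer value. `keyAgreement` in `key_usage` is only meaningful for (EC)DH keys; with the key type left to the module default (RSA unless `key.type` is set) it is inert, `keyEncipherment` is the bit that matters for RSA key exchange in TLS 1.2, and TLS 1.3 needs only `digitalSignature`.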
@@ -91,6 +107,19 @@
 '/':
 root: /var/www/test
 index: index.html
- static_cert_config: "{{ static_cert_config__test }}"
+ # static_cert_config: "{{ static_cert_config__test }}"
+ selfsigned_cert_config:
+ cert:
+ organization_name: "spreadspace"
+ organizational_unit_name: "ansible"
+ key_usage:
+ - digitalSignature
+ - keyAgreement
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
 include_role:
 name: nginx/vhost
diff --git a/roles/x509/acmetool/cert/prepare/tasks/main.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml
index 1f7dc724..146c5ac4 100644
--- a/roles/x509/acmetool/cert/prepare/tasks/main.yml
+++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml
@@ -36,6 +36,6 @@
 - name: export paths to certificate files
 set_fact:
 x509_certificate_path_key: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/privkey"
- x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"
 x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
 x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain"
+ x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"
diff --git a/roles/x509/selfsigned/base/tasks/main.yml b/roles/x509/selfsigned/base/tasks/main.yml
new file mode 100644
index 00000000..51397d67
--- /dev/null
+++ b/roles/x509/selfsigned/base/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: install needed packages
+ apt:
+ name: "{{ python_basename }}-openssl"
+ state: present
diff --git a/roles/x509/selfsigned/cert/finalize/tasks/main.yml b/roles/x509/selfsigned/cert/finalize/tasks/main.yml
new file mode 100644
index 00000000..c5b6cafe
--- /dev/null
+++ b/roles/x509/selfsigned/cert/finalize/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# nothing to do here
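Review bot: The only package the new base role installs is `{{ python_basename }}-openssl` (pyOpenSSL), but the prepare tasks added in this commit call `community.crypto.openssl_csr` and `community.crypto.x509_certificate`, whose pyOpenSSL backend was deprecated and, as far as I recall, removed in community.crypto 2.0; those modules need the `cryptography` library on the target. Turn `name` into a list and add `- "{{ python_basename }}-cryptography"` (or replace the existing entry) so the role does not depend on a backend the installed collection may no longer ship. A one-line comment on the task naming the backend the x509 modules are expected to use would make the dependency explicit for the next reader.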
diff --git a/roles/x509/selfsigned/cert/meta/main.yml b/roles/x509/selfsigned/cert/meta/main.yml
new file mode 100644
index 00000000..c7a30d00
--- /dev/null
+++ b/roles/x509/selfsigned/cert/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: x509/selfsigned/cert/prepare
+ - role: x509/selfsigned/cert/finalize
diff --git a/roles/x509/selfsigned/cert/prepare/defaults/main.yml b/roles/x509/selfsigned/cert/prepare/defaults/main.yml
new file mode 100644
index 00000000..53dc3b06
--- /dev/null
+++ b/roles/x509/selfsigned/cert/prepare/defaults/main.yml
@@ -0,0 +1,41 @@
+---
+selfsigned_cert_hostnames: "{{ x509_certificate_hostnames }}"
+selfsigned_cert_name: "{{ x509_certificate_name | default(selfsigned_cert_hostnames[0]) }}"
+
+selfsigned_cert_base_dir: "/etc/ssl"
+
+# selfsigned_cert_config:
+# path: "{{ selfsigned_cert_base_dir }}/{{ selfsigned_cert_name }}"
+# mode: "0750"
+# owner: root
+# group: www-data
+# key:
+# mode: "0640"
+# owner: root
+# group: www-data
+# type: RSA
+# size: 4096
+# cert:
+# mode: "0644"
+# owner: root
+# group: www-data
+# country_name: "AT"
+# locality_name: "Graz"
+# organization_name: "spreadspace"
+# organizational_unit_name: "ansible"
+# state_or_province_name: "Styria"
+# basic_constraints:
+# - "CA:TRUE"
+# - "pathLenConstraint:0"
+# basic_constraints_critical: no
+# key_usage:
+# - digitalSignature
+# - keyAgreement
+# key_usage_critical: yes
+# extended_key_usage:
+# - serverAuth
+# extended_key_usage_critical: yes
+# create_subject_key_identifier: yes
+# digest: SHA256
+# not_before: +0h
+# not_after: +520w
diff --git a/roles/x509/selfsigned/cert/prepare/tasks/main.yml b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..c089d420
--- /dev/null
+++ b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
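Review bot: The commented `selfsigned_cert_config` block reads like the role's defaults, but several values differ from what the tasks actually fall back to: the directory `mode: "0750"` versus the task's `'0700'`, the key `mode: "0640"` versus `'0600'`, and `type`, `size` and `digest`, which the tasks pass as `default(omit)` and therefore leave to the module. Since the file never defines the variable itself, a header line such as `# Example only: every key is optional; unset keys fall back to the defaults in tasks/main.yml (dir 0700, key 0600, cert 0644) or to the module defaults` above the block would stop readers from taking these as the effective settings. The example also pairs `basic_constraints: CA:TRUE` with a serverAuth end-entity certificate, which is only needed when clients are expected to import the certificate as a trust anchor; a comment saying so (or dropping it from the example) would avoid people copying a CA flag onto a server certificate by default.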
@@ -0,0 +1,69 @@
+---
+- name: compute path to selfsigned certificate directory
+ set_fact:
+ selfsigned_cert_path: "{{ selfsigned_cert_config.path | default([selfsigned_cert_base_dir, selfsigned_cert_name] | path_join) }}"
+
+- name: create directory for selfsigned certificate
+ file:
+ path: "{{ selfsigned_cert_path }}"
+ state: directory
+ mode: "{{ selfsigned_cert_config.mode | default('0700') }}"
+ owner: "{{ selfsigned_cert_config.owner | default(omit) }}"
+ group: "{{ selfsigned_cert_config.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: generate key for selfsigned certificate
+ openssl_privatekey:
+ path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
+ mode: "{{ selfsigned_cert_config.key.mode | default('0600') }}"
+ owner: "{{ selfsigned_cert_config.key.owner | default(omit) }}"
+ group: "{{ selfsigned_cert_config.key.group | default(omit) }}"
+ type: "{{ selfsigned_cert_config.key.type | default(omit) }}"
+ size: "{{ selfsigned_cert_config.key.size | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: generate csr for selfsigned certificate
+ community.crypto.openssl_csr:
+ path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-csr.pem"
+ mode: "{{ selfsigned_cert_config.cert.mode | default('0600') }}"
+ owner: "{{ selfsigned_cert_config.cert.owner | default(omit) }}"
+ group: "{{ selfsigned_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
+ create_subject_key_identifier: "{{ selfsigned_cert_config.cert.create_subject_key_identifier | default(omit) }}"
+ digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}"
+ common_name: "{{ selfsigned_cert_name }}"
+ subject_alt_name: "{{ ['DNS:'] | product(selfsigned_cert_hostnames) | map('join') | list }}"
+ subject_alt_name_critical: yes
+ use_common_name_for_san: no
+ country_name: "{{ selfsigned_cert_config.cert.country_name | default(omit) }}"
+ locality_name: "{{ selfsigned_cert_config.cert.locality_name | default(omit) }}"
+ organization_name: "{{ selfsigned_cert_config.cert.organization_name | default(omit) }}"
+ organizational_unit_name: "{{ selfsigned_cert_config.cert.organizational_unit_name | default(omit) }}"
+ state_or_province_name: "{{ selfsigned_cert_config.cert.state_or_province_name | default(omit) }}"
+ basic_constraints: "{{ selfsigned_cert_config.cert.basic_constraints | default(omit) }}"
+ basic_constraints_critical: "{{ selfsigned_cert_config.cert.basic_constraints_critical | default(omit) }}"
+ key_usage: "{{ selfsigned_cert_config.cert.key_usage | default(omit) }}"
+ key_usage_critical: "{{ selfsigned_cert_config.cert.key_usage_critical | default(omit) }}"
+ extended_key_usage: "{{ selfsigned_cert_config.cert.extended_key_usage | default(omit) }}"
+ extended_key_usage_critical: "{{ selfsigned_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+
+- name: generate selfsigned certificate
+ community.crypto.x509_certificate:
+ path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
+ mode: "{{ selfsigned_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ selfsigned_cert_config.cert.owner | default(omit) }}"
+ group: "{{ selfsigned_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
+ csr_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-csr.pem"
+ provider: selfsigned
+ selfsigned_digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}"
+ selfsigned_not_before: "{{ selfsigned_cert_config.cert.not_before | default(omit) }}"
+ selfsigned_not_after: "{{ selfsigned_cert_config.cert.not_after | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem"
+ x509_certificate_path_cert: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
+ x509_certificate_path_chain: ""
+ x509_certificate_path_fullchain: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
-- 
cgit v1.2.3
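Review bot: `x509_certificate_path_chain` is exported as `""` in the final `set_fact`, while the acmetool provider touched in the same commit exports a real chain file, so any consumer that templates the chain path unconditionally (an nginx `ssl_trusted_certificate` directive, for instance) would render an empty argument; either document on the task that callers must test for an empty chain, or point it at the certificate itself as `x509_certificate_path_fullchain` already does. The key task uses the bare `openssl_privatekey` name while the CSR and certificate tasks use the `community.crypto.` prefix; `community.crypto.openssl_privatekey` keeps resolution from depending on ansible-core's redirect table. `subject_alt_name_critical: yes` and `use_common_name_for_san: no` should be `true`/`false`. With `selfsigned_not_after` passed as `default(omit)` the certificate lifetime falls back to the module default (ten years, if I recall correctly), which deserves a comment on the certificate task so callers know to set `cert.not_after` deliberately.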