From de8b4a8e586979d4f2978a25b5e35cb934b148af Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 22 Aug 2023 22:06:12 +0200
Subject: add ownca x509/certifcate provider
---
 roles/x509/ownca/cert/prepare/tasks/main.yml | 70 ++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 roles/x509/ownca/cert/prepare/tasks/main.yml
(limited to 'roles/x509/ownca/cert/prepare/tasks/main.yml')
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..a2d14ed6
--- /dev/null
+++ b/roles/x509/ownca/cert/prepare/tasks/main.yml
@@ -0,0 +1,70 @@
+---
+- name: compute path to ownca certificate directory
+ set_fact:
+ ownca_cert_path: "{{ ownca_cert_config.path | default([ownca_cert_base_dir, ownca_cert_name] | path_join) }}"
+
+- name: create directory for ownca certificate
+ file:
+ path: "{{ ownca_cert_path }}"
+ state: directory
+ mode: "{{ ownca_cert_config.mode | default('0700') }}"
+ owner: "{{ ownca_cert_config.owner | default(omit) }}"
+ group: "{{ ownca_cert_config.group | default(omit) }}"
+ notify: reload services for x509 certificates
+
+- name: generate key for ownca certificate
+ openssl_privatekey:
+ path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
+ mode: "{{ ownca_cert_config.key.mode | default('0600') }}"
+ owner: "{{ ownca_cert_config.key.owner | default(omit) }}"
+ group: "{{ ownca_cert_config.key.group | default(omit) }}"
+ type: "{{ ownca_cert_config.key.type | default(omit) }}"
+ size: "{{ ownca_cert_config.key.size | default(omit) }}"
+ notify: reload services for x509 certificates
+
+- name: generate csr for ownca certificate
+ community.crypto.openssl_csr:
+ path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem"
+ mode: "{{ ownca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ ownca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ ownca_cert_config.cert.group | default(omit) }}"
+ privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
+ create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}"
+ digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
+ common_name: "{{ ownca_cert_name }}"
+ subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | list }}"
+ subject_alt_name_critical: yes
+ use_common_name_for_san: no
+ country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}"
+ locality_name: "{{ ownca_cert_config.cert.locality_name | default(omit) }}"
+ organization_name: "{{ ownca_cert_config.cert.organization_name | default(omit) }}"
+ organizational_unit_name: "{{ ownca_cert_config.cert.organizational_unit_name | default(omit) }}"
+ state_or_province_name: "{{ ownca_cert_config.cert.state_or_province_name | default(omit) }}"
+ basic_constraints: "{{ ownca_cert_config.cert.basic_constraints | default(omit) }}"
+ basic_constraints_critical: "{{ ownca_cert_config.cert.basic_constraints_critical | default(omit) }}"
+ key_usage: "{{ ownca_cert_config.cert.key_usage | default(omit) }}"
+ key_usage_critical: "{{ ownca_cert_config.cert.key_usage_critical | default(omit) }}"
+ extended_key_usage: "{{ ownca_cert_config.cert.extended_key_usage | default(omit) }}"
+ extended_key_usage_critical: "{{ ownca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+
+- name: generate ownca certificate
+ community.crypto.x509_certificate:
+ path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
+ mode: "{{ ownca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ ownca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ ownca_cert_config.cert.group | default(omit) }}"
+ csr_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-csr.pem"
+ provider: ownca
+ ownca_content: "{{ ownca_cert_config.ca.cert_content }}"
+ ownca_privatekey_content: "{{ ownca_cert_config.ca.key_content }}"
+ ownca_digest: "{{ ownca_cert_config.cert.digest | default(omit) }}"
+ ownca_not_before: "{{ ownca_cert_config.cert.not_before | default(omit) }}"
+ ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}"
+ notify: reload services for x509 certificates
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem"
+ x509_certificate_path_cert: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
+ x509_certificate_path_chain: ""
+ x509_certificate_path_fullchain: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
-- cgit v1.2.3
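Review bot: The leaf certificate's lifetime is left entirely to the module when `ownca_cert_config.cert.not_after` is unset (`ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}"` in the "generate ownca certificate" task); the ownca provider then applies its own default, which as far as I recall is `+3650d`, so a caller who configures nothing silently gets a ten-year end-entity certificate. A role-level default such as `ownca_not_after: "{{ ownca_cert_config.cert.not_after | default('+365d') }}"` keeps the lifetime explicit and short, with the value still overridable. The same task hands the CA private key to the module through `ownca_privatekey_content`; the module is expected to mask that argument in its own output, but adding `no_log: true` to the task makes the masking independent of the installed collection version and also covers the task-level invocation output. Minor style: `subject_alt_name_critical: yes` and `use_common_name_for_san: no` in the CSR task should be written `true`/`false`, and `openssl_privatekey:` is the only module call in the file not written with the `community.crypto.` prefix the other tasks use.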