From 5a438c406b6977c5da8fffc189aafeb72933d62f Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 25 Dec 2023 18:02:58 +0100
Subject: x509/static-ca: move certificate signing to localhost
---
 roles/x509/static-ca/cert/prepare/tasks/main.yml | 32 ++++++++++++++++++------
 1 file changed, 25 insertions(+), 7 deletions(-)
(limited to 'roles/x509/static-ca/cert/prepare/tasks')
diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml
index 9a8d1bde..4f618b51 100644
--- a/roles/x509/static-ca/cert/prepare/tasks/main.yml
+++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml
@@ -52,6 +52,11 @@
 extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}"
 extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}"
+- name: slurp csr for static-ca certificate
+ slurp:
+ src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ register: _static_ca_csr_
+
 - name: check if static-ca certificate already exists
 stat:
 path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
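Review bot: Signing now trusts the CSR byte-for-byte as read from the managed node: the `slurp` result `_static_ca_csr_` feeds `csr_content` of the controller-side `x509_certificate_pipe` task in the next hunk, so the CA certifies whatever subject and SANs that file holds, while the config meant to define them (`static_ca_cert_config.cert.*`, see the `extended_key_usage` context lines) is only applied when the CSR is created, presumably in a task above this hunk. That is a tighter trust boundary than shipping the CA key to the node, but if the CSR should be cross-checked against the config it can be done on the controller with `community.crypto.openssl_csr_info` on the slurped content before the signing task runs. At minimum the intent deserves a comment on the slurp task, e.g. `# CSR is read back from the managed node and signed as-is; its subject/SANs are not re-validated here`.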
@@ -65,13 +70,17 @@
 renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}"
 register: _static_ca_cert_info_
+- name: slurp existing static-ca certificate
+ when: _static_ca_cert_file_.stat.exists
+ slurp:
+ src: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ register: _static_ca_cert_current_
+
 - name: generate static-ca certificate
- community.crypto.x509_certificate:
- path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
- mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
- owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
- group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
- csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem"
+ delegate_to: localhost
+ community.crypto.x509_certificate_pipe:
+ content: "{{ _static_ca_cert_current_.content | default('') | b64decode }}"
+ csr_content: "{{ _static_ca_csr_.content | b64decode }}"
 provider: ownca
 ownca_content: "{{ static_ca_cert_config.ca.cert_content }}"
 ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}"
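Review bot: The signing task delegated with `delegate_to: localhost` inherits the play's privilege escalation, so if the calling play sets `become: true` the `ownca_privatekey_content` value is handled by a root process on the controller; adding `become: false` next to `delegate_to: localhost` keeps CA key handling in the unprivileged controller account. Whether the play escalates is not visible here, so treat this as a check to make rather than a confirmed defect. The `x509_certificate_pipe` parameter list continues into the next hunk.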
@@ -79,10 +88,19 @@
 ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}"
 ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}"
 force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}"
+ register: _static_ca_cert_new_
+
+- name: install static-ca certificate
+ copy:
+ content: "{{ _static_ca_cert_new_.certificate }}"
+ dest: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem"
+ mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_ca_cert_config.cert.group | default(omit) }}"
+ register: _static_ca_cert_
 notify:
 - reload services for x509 certificates
 - restart services for x509 certificates
- register: _static_ca_cert_
 - name: install CA certificate
 copy:
--
cgit v1.2.3
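Review bot: `register: _static_ca_cert_` now captures the `copy` result rather than the `x509_certificate` result it held before, so any consumer of that variable outside this hunk that read module-specific return values (anything other than `changed`) would silently get different data; if such consumers exist they need updating, and a one-line comment on the register line, e.g. `# _static_ca_cert_ is the install (copy) result; only .changed is meaningful to callers`, would document the new contract. The `install CA certificate` task starts at the end of the hunk and continues outside it.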