From e004236b4cfa9735cc898ea372dcb99c199dd4b4 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 20 Dec 2023 00:12:57 +0100 Subject: rename: x509/ownca to x509/static-ca --- .../x509/static-ca/cert/prepare/defaults/main.yml | 56 +++++++++++ .../x509/static-ca/cert/prepare/handlers/main.yml | 16 ++++ roles/x509/static-ca/cert/prepare/tasks/main.yml | 105 +++++++++++++++++++++ .../static-ca/cert/prepare/templates/updated.sh.j2 | 15 +++ 4 files changed, 192 insertions(+) create mode 100644 roles/x509/static-ca/cert/prepare/defaults/main.yml create mode 100644 roles/x509/static-ca/cert/prepare/handlers/main.yml create mode 100644 roles/x509/static-ca/cert/prepare/tasks/main.yml create mode 100644 roles/x509/static-ca/cert/prepare/templates/updated.sh.j2 (limited to 'roles/x509/static-ca/cert/prepare') diff --git a/roles/x509/static-ca/cert/prepare/defaults/main.yml b/roles/x509/static-ca/cert/prepare/defaults/main.yml new file mode 100644 index 00000000..5287cc93 --- /dev/null +++ b/roles/x509/static-ca/cert/prepare/defaults/main.yml @@ -0,0 +1,56 @@ +--- +static_ca_cert_hostnames: "{{ x509_certificate_hostnames }}" +static_ca_cert_name: "{{ x509_certificate_name | default(static_ca_cert_hostnames[0]) }}" + +static_ca_cert_base_dir: "/etc/ssl" + +static_ca_cert_default_renew_margin: "+30d" +static_ca_cert_config: "{{ x509_certificate_config }}" +# static_ca_cert_config: +# path: "{{ static_ca_cert_base_dir }}/{{ static_ca_cert_name }}" +# mode: "0750" +# owner: root +# group: www-data +# ca: +# key_content: | +# -----BEGIN RSA PRIVATE KEY----- +# ... +# -----END RSA PRIVATE KEY----- +# cert_content: | +# -----BEGIN CERTIFICATE----- +# ... +# -----END CERTIFICATE----- +# key: +# mode: "0640" +# owner: root +# group: www-data +# type: RSA +# size: 4096 +# cert: +# mode: "0644" +# owner: root +# group: www-data +# common_name: foo +# san_extra: +# - "IP:192.0.2.1" +# country_name: "AT" +# locality_name: "Graz" +# organization_name: "spreadspace" +# organizational_unit_name: "ansible" +# state_or_province_name: "Styria" +# basic_constraints: +# - "CA:TRUE" +# - "pathLenConstraint:0" +# basic_constraints_critical: no +# key_usage: +# - digitalSignature +# - keyAgreement +# key_usage_critical: yes +# extended_key_usage: +# - serverAuth +# extended_key_usage_critical: yes +# create_subject_key_identifier: yes +# digest: SHA256 +# not_before: +0h +# not_after: +520w +# renew_margin: +42d diff --git a/roles/x509/static-ca/cert/prepare/handlers/main.yml b/roles/x509/static-ca/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..589d6dde --- /dev/null +++ b/roles/x509/static-ca/cert/prepare/handlers/main.yml @@ -0,0 +1,16 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + loop_control: + loop_var: x509_certificate_reload_service + service: + name: "{{ x509_certificate_reload_service }}" + state: reloaded + +- name: restart services for x509 certificates + loop: "{{ x509_certificate_restart_services | default([]) }}" + loop_control: + loop_var: x509_certificate_restart_service + service: + name: "{{ x509_certificate_restart_service }}" + state: restarted diff --git a/roles/x509/static-ca/cert/prepare/tasks/main.yml b/roles/x509/static-ca/cert/prepare/tasks/main.yml new file mode 100644 index 00000000..538bb58d --- /dev/null +++ b/roles/x509/static-ca/cert/prepare/tasks/main.yml @@ -0,0 +1,105 @@ +--- +- name: compute path to static-ca certificate directory + set_fact: + static_ca_cert_path: "{{ static_ca_cert_config.path | default([static_ca_cert_base_dir, static_ca_cert_name] | path_join) }}" + +- name: create directory for static-ca certificate + file: + path: "{{ static_ca_cert_path }}" + state: directory + mode: "{{ static_ca_cert_config.mode | default('0700') }}" + owner: "{{ static_ca_cert_config.owner | default(omit) }}" + group: "{{ static_ca_cert_config.group | default(omit) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + +- name: generate key for static-ca certificate + openssl_privatekey: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem" + mode: "{{ static_ca_cert_config.key.mode | default('0600') }}" + owner: "{{ static_ca_cert_config.key.owner | default(omit) }}" + group: "{{ static_ca_cert_config.key.group | default(omit) }}" + type: "{{ static_ca_cert_config.key.type | default(omit) }}" + size: "{{ static_ca_cert_config.key.size | default(omit) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + register: _static_ca_key_ + +- name: generate csr for static-ca certificate + community.crypto.openssl_csr: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem" + mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}" + owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}" + group: "{{ static_ca_cert_config.cert.group | default(omit) }}" + privatekey_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem" + create_subject_key_identifier: "{{ static_ca_cert_config.cert.create_subject_key_identifier | default(omit) }}" + digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}" + common_name: "{{ static_ca_cert_config.cert.common_name | default(static_ca_cert_name) }}" + subject_alt_name: "{{ ['DNS:'] | product(static_ca_cert_hostnames) | map('join') | union(static_ca_cert_config.cert.san_extra | default([])) | list }}" + subject_alt_name_critical: yes + use_common_name_for_san: no + country_name: "{{ static_ca_cert_config.cert.country_name | default(omit) }}" + locality_name: "{{ static_ca_cert_config.cert.locality_name | default(omit) }}" + organization_name: "{{ static_ca_cert_config.cert.organization_name | default(omit) }}" + organizational_unit_name: "{{ static_ca_cert_config.cert.organizational_unit_name | default(omit) }}" + state_or_province_name: "{{ static_ca_cert_config.cert.state_or_province_name | default(omit) }}" + basic_constraints: "{{ static_ca_cert_config.cert.basic_constraints | default(omit) }}" + basic_constraints_critical: "{{ static_ca_cert_config.cert.basic_constraints_critical | default(omit) }}" + key_usage: "{{ static_ca_cert_config.cert.key_usage | default(omit) }}" + key_usage_critical: "{{ static_ca_cert_config.cert.key_usage_critical | default(omit) }}" + extended_key_usage: "{{ static_ca_cert_config.cert.extended_key_usage | default(omit) }}" + extended_key_usage_critical: "{{ static_ca_cert_config.cert.extended_key_usage_critical | default(omit) }}" + +- name: check if static-ca certificate already exists + stat: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + register: _static_ca_cert_file_ + +- name: check validity of existing static-ca certificate + when: _static_ca_cert_file_.stat.exists + openssl_certificate_info: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + valid_at: + renew_margin: "{{ static_ca_cert_config.cert.renew_margin | default(static_ca_cert_default_renew_margin) }}" + register: _static_ca_cert_info_ + +- name: generate static-ca certificate + community.crypto.x509_certificate: + path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + mode: "{{ static_ca_cert_config.cert.mode | default('0644') }}" + owner: "{{ static_ca_cert_config.cert.owner | default(omit) }}" + group: "{{ static_ca_cert_config.cert.group | default(omit) }}" + csr_path: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-csr.pem" + provider: ownca + ownca_content: "{{ static_ca_cert_config.ca.cert_content }}" + ownca_privatekey_content: "{{ static_ca_cert_config.ca.key_content }}" + ownca_digest: "{{ static_ca_cert_config.cert.digest | default(omit) }}" + ownca_not_before: "{{ static_ca_cert_config.cert.not_before | default(omit) }}" + ownca_not_after: "{{ static_ca_cert_config.cert.not_after | default(omit) }}" + force: "{{ _static_ca_cert_file_.stat.exists and (not _static_ca_cert_info_.valid_at.renew_margin) }}" + notify: + - reload services for x509 certificates + - restart services for x509 certificates + register: _static_ca_cert_ + +- name: export paths to certificate files + set_fact: + x509_certificate_path_key: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-key.pem" + x509_certificate_path_cert: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + x509_certificate_path_chain: "" + x509_certificate_path_fullchain: "{{ static_ca_cert_path }}/{{ static_ca_cert_name }}-crt.pem" + +- name: generate custom post-renewal script + when: x509_certificate_renewal is defined + template: + src: updated.sh.j2 + dest: "{{ static_ca_cert_path }}/updated.sh" + mode: 0755 + +- name: call custom post-renewal script + when: + - x509_certificate_renewal is defined + - (_static_ca_key_ is changed) or (_static_ca_cert_ is changed) + command: "{{ static_ca_cert_path }}/updated.sh" diff --git a/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2 b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2 new file mode 100644 index 00000000..f0757832 --- /dev/null +++ b/roles/x509/static-ca/cert/prepare/templates/updated.sh.j2 @@ -0,0 +1,15 @@ +#!/bin/sh +{% if 'install' in x509_certificate_renewal %} +{% for file in x509_certificate_renewal.install %} + +install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'group' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new" +{% for src in file.src %} +cat "{{ lookup('vars', 'x509_certificate_path_' + src) }}" >> "{{ file.dest }}.new" +{% endfor %} +mv "{{ file.dest }}.new" "{{ file.dest }}" +{% endfor %} +{% endif %} +{% if 'reload' in x509_certificate_renewal %} + +{{ x509_certificate_renewal.reload | trim }} +{% endif %} -- cgit v1.2.3