blob: e160b57ac9c10092a5a0c93dd4d6d1b693f8bb8c (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
---
- name: generate TLS CA for openvpn
hosts: ele-router
connection: local
gather_facts: no
tasks:
- name: generate CA key and certificate
run_once: yes
block:
- name: generate CA keys
community.crypto.openssl_privatekey_pipe:
type: "Ed25519"
content: "{{ vault_ovpn_ca_key | default(omit) }}"
return_current_key: yes
register: ovpn_ca_key_result
no_log: true
- name: create signing request for CA certificate
community.crypto.openssl_csr_pipe:
privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
CN: "CA for ele-router vpn"
useCommonNameForSAN: no
key_usage:
- cRLSign
- keyCertSign
key_usage_critical: yes
basic_constraints:
- 'CA:TRUE'
- 'pathlen:0'
basic_constraints_critical: yes
register: ovpn_ca_csr_result
changed_when: false
- name: create self-signed CA certificate
community.crypto.x509_certificate_pipe:
content: "{{ vault_ovpn_ca_cert | default(omit) }}"
csr_content: "{{ ovpn_ca_csr_result.csr }}"
privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
provider: selfsigned
selfsigned_digest: sha256
selfsigned_not_after: "+18250d" ## 50 years
selfsigned_create_subject_key_identifier: always_create
register: ovpn_ca_cert_result
- name: generate key
community.crypto.openssl_privatekey_pipe:
type: "Ed25519"
content: "{{ vault_ovpn_keys[inventory_hostname] | default(omit) }}"
return_current_key: yes
register: ovpn_key_result
no_log: true
- name: create signing request for certificate
community.crypto.openssl_csr_pipe:
privatekey_content: "{{ ovpn_key_result.privatekey }}"
CN: "{{ inventory_hostname }}"
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: yes
extended_key_usage:
- "{{ (inventory_hostname == 'ele-router-hmtsaal') | ternary('serverAuth', 'clientAuth') }}"
extended_key_usage_critical: yes
basic_constraints:
- 'CA:FALSE'
basic_constraints_critical: yes
register: ovpn_csr_result
changed_when: false
- name: create certificate
community.crypto.x509_certificate_pipe:
content: "{{ vault_ovpn_certs[inventory_hostname] | default(omit) }}"
csr_content: "{{ ovpn_csr_result.csr }}"
privatekey_content: "{{ ovpn_key_result.privatekey }}"
provider: ownca
ownca_content: "{{ ovpn_ca_cert_result.certificate }}"
ownca_privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
ownca_digest: sha256
ownca_not_after: "+18250d" ## 50 years
register: ovpn_cert_result
- run_once: yes
set_fact:
vault_content: |
---
vault_ovpn_ca_key: |
{{ ovpn_ca_key_result.privatekey | indent(2) }}
vault_ovpn_ca_cert: |
{{ ovpn_ca_cert_result.certificate | indent(2) }}
vault_ovpn_keys:
{% for host in play_hosts %}
{{ host }}: |
{{ hostvars[host].ovpn_key_result.privatekey | indent(4) }}
{% endfor %}
vault_ovpn_certs:
{% for host in play_hosts %}
{{ host }}: |
{{ hostvars[host].ovpn_cert_result.certificate | indent(4) }}
{% endfor %}
- pause:
prompt: "Please put this into a vault file: \n\n{{ vault_content }}"
seconds: 1
|
