summaryrefslogtreecommitdiff
path: root/elevate/ele-router.yml
blob: e160b57ac9c10092a5a0c93dd4d6d1b693f8bb8c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
---
- name: generate TLS CA for openvpn
  hosts: ele-router
  connection: local
  gather_facts: no
  tasks:
  - name: generate CA key and certificate
    run_once: yes
    block:
    - name: generate CA keys
      community.crypto.openssl_privatekey_pipe:
        type: "Ed25519"
        content: "{{ vault_ovpn_ca_key | default(omit) }}"
        return_current_key: yes
      register: ovpn_ca_key_result
      no_log: true

    - name: create signing request for CA certificate
      community.crypto.openssl_csr_pipe:
        privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
        CN: "CA for ele-router vpn"
        useCommonNameForSAN: no
        key_usage:
        - cRLSign
        - keyCertSign
        key_usage_critical: yes
        basic_constraints:
        - 'CA:TRUE'
        - 'pathlen:0'
        basic_constraints_critical: yes
      register: ovpn_ca_csr_result
      changed_when: false

    - name: create self-signed CA certificate
      community.crypto.x509_certificate_pipe:
        content: "{{ vault_ovpn_ca_cert | default(omit) }}"
        csr_content: "{{ ovpn_ca_csr_result.csr }}"
        privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
        provider: selfsigned
        selfsigned_digest: sha256
        selfsigned_not_after: "+18250d" ## 50 years
        selfsigned_create_subject_key_identifier: always_create
      register: ovpn_ca_cert_result


  - name: generate key
    community.crypto.openssl_privatekey_pipe:
      type: "Ed25519"
      content: "{{ vault_ovpn_keys[inventory_hostname] | default(omit) }}"
      return_current_key: yes
    register: ovpn_key_result
    no_log: true

  - name: create signing request for certificate
    community.crypto.openssl_csr_pipe:
      privatekey_content: "{{ ovpn_key_result.privatekey }}"
      CN: "{{ inventory_hostname }}"
      key_usage:
      - digitalSignature
      - keyEncipherment
      key_usage_critical: yes
      extended_key_usage:
      - "{{ (inventory_hostname == 'ele-router-hmtsaal') | ternary('serverAuth', 'clientAuth') }}"
      extended_key_usage_critical: yes
      basic_constraints:
      - 'CA:FALSE'
      basic_constraints_critical: yes
    register: ovpn_csr_result
    changed_when: false

  - name: create certificate
    community.crypto.x509_certificate_pipe:
      content: "{{ vault_ovpn_certs[inventory_hostname] | default(omit) }}"
      csr_content: "{{ ovpn_csr_result.csr }}"
      privatekey_content: "{{ ovpn_key_result.privatekey }}"
      provider: ownca
      ownca_content: "{{ ovpn_ca_cert_result.certificate }}"
      ownca_privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
      ownca_digest: sha256
      ownca_not_after: "+18250d" ## 50 years
    register: ovpn_cert_result


  - run_once: yes
    set_fact:
      vault_content: |
        ---
        vault_ovpn_ca_key: |
          {{ ovpn_ca_key_result.privatekey | indent(2) }}
        vault_ovpn_ca_cert: |
          {{ ovpn_ca_cert_result.certificate | indent(2) }}
        vault_ovpn_keys:
        {% for host in play_hosts %}
          {{ host }}: |
            {{ hostvars[host].ovpn_key_result.privatekey | indent(4) }}
        {% endfor %}
        vault_ovpn_certs:
        {% for host in play_hosts %}
          {{ host }}: |
            {{ hostvars[host].ovpn_cert_result.certificate | indent(4) }}
        {% endfor %}

  - pause:
      prompt: "Please put this into a vault file: \n\n{{ vault_content }}"
      seconds: 1