Manage self signed certificates.

defaults/main.yml

@@ -164,6 +164,17 @@ no_proxy_targets:
   - '127.0.0.1'
   - 'localhost'
 
+# A generic PKI directory where the local certificates will be stored
+pki_dir: /etc/pki
+pki_subdirs:
+  - certs
+  - keys
+pki_install_a_custom_ca: false
+self_signed_cert: "{{ pki_dir }}/certs/selfsigned/cert"
+self_signed_fullchain: "{{ pki_dir }}/certs/selfsigned/fullchain"
+self_signed_key: "{{ pki_dir }}/keys/selfsigned/privkey"
+self_signed_subject: "/CN={{ ansible_fqdn }} self signed"
+
 trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
 trusted_ca_deb_path: '/usr/local/share/ca-certificates'
 # it shoudn't be needed

meta/main.yml

@@ -2,14 +2,10 @@ galaxy_info:
   author: Andrea Dell'Amico
   description: Perform some low level system configuration
   company: ISTI-CNR
+  namespace: adellam
   role_name: basic_system_setup
-
-  issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
-
   license: EUPL 1.2+
-
   min_ansible_version: "2.9"
-
   # To view available platforms and versions (or releases), visit:
   # https://galaxy.ansible.com/api/v1/platforms/
   #
@@ -17,10 +13,13 @@ galaxy_info:
     - name: Ubuntu
       versions:
         - bionic
+        - focal
+        - jammy
     - name: EL
       versions:
         - "7"
         - "8"
+        - "9"
 
   galaxy_tags:
     - os-setup

tasks/main.yml

@@ -1,19 +1,34 @@
 ---
-- import_tasks: ansible-python3-pkgs.yml
-- import_tasks: hostname.yml
-- import_tasks: locale.yml
-- import_tasks: timezone.yml
-- import_tasks: sysctl.yml
-- import_tasks: http_client_proxy.yml
-- import_tasks: additional_disks.yml
+- name: Python3 requirements for ansible
+  ansible.builtin.import_tasks: ansible-python3-pkgs.yml
+- name: Set the hostname
+  ansible.builtin.import_tasks: hostname.yml
+- name: Set the locale
+  ansible.builtin.import_tasks: locale.yml
+- name: Set the timezone
+  ansible.builtin.import_tasks: timezone.yml
+- name: Sysctl kernel parameters
+  ansible.builtin.import_tasks: sysctl.yml
+- name: Self signed certificates waiting for the letsencrypt ones
+  ansible.builtin.import_tasks: self_signed_certificate.yml
+  when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
+- name: HTTP client proxy
+  ansible.builtin.import_tasks: http_client_proxy.yml
+- name: Manage additiondal disk volumes
+  ansible.builtin.import_tasks: additional_disks.yml
   when: additional_disks
-- import_tasks: autofs.yml
+- name: Manage the autofs configuration
+  ansible.builtin.import_tasks: autofs.yml
   when: autofs_client_mountpoint
-- import_tasks: tmpreaper.yml
-- import_tasks: trusted_ca.yml
-- ansible.builtin.import_tasks: ganesha-nfs.yml
+- name: Manage tmpreaper
+  ansible.builtin.import_tasks: tmpreaper.yml
+- name: Manage the trusted CAs
+  ansible.builtin.import_tasks: trusted_ca.yml
+- name: Ganesha NFS
+  ansible.builtin.import_tasks: ganesha-nfs.yml
   when: nfs_server_ganesha_enabled
-- import_tasks: nfs-kernel-server.yml
+- name: Linux Kernel NFS server
+  ansible.builtin.import_tasks: nfs-kernel-server.yml
   when:
     - nfs_server_enabled
     - not nfs_server_ganesha_enabled

tasks/self_signed_certificate.yml

@@ -0,0 +1,74 @@
+---
+- name: Manage the PKI directory
+  tags: ['pki', 'ssl', 'ca', 'letsencrypt']
+  block:
+    - name: Ensure that the PKI directory exists
+      ansible.builtin.file:
+        path: "{{ pki_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: Ensure that the PKI subdirectories exist
+      ansible.builtin.file:
+        path: "{{ pki_dir }}/{{ item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+      loop: "{{ pki_subdirs }}"
+
+- name: Letsencrypt is going to manage the certificates. Check if a certificate already exists
+  tags: ['pki', 'ssl', 'letsencrypt']
+  block:
+    - name: Check if a certificate already exists. If so, skip all the related tasks
+      ansible.builtin.stat:
+        path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
+      register: true_cert
+
+- name: Manage self signed certificates, if letsencrypt is going to be installed
+  when:
+    - true_cert is defined
+    - true_cert.stat is defined
+    - true_cert.stat.islnk is not defined
+  tags: ['pki', 'ssl', 'letsencrypt']
+  block:
+    - name: Create the path to the self signed certificates
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+      loop:
+        - "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
+        - "{{ pki_dir }}/certs/selfsigned"
+
+    - name: Path to the self signed key file
+      ansible.builtin.file:
+        path: "{{ pki_dir }}/keys/selfsigned"
+        state: directory
+        owner: root
+        group: root
+        mode: 0700
+
+    - name: Generate the self signed certificate and private key
+      ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}'
+      args:
+        creates: '{{ self_signed_cert }}'
+
+    - name: Copy the cert file into fullchain
+      ansible.builtin.copy:
+        src: "{{ self_signed_cert }}"
+        dest: "{{ self_signed_fullchain }}"
+        remote_src: true
+        owner: root
+        group: root
+        mode: 0644
+
+    - name: Create the symbolic link for the certificates into the letsencrypt live directory
+      ansible.builtin.file:
+        src: "{{ pki_dir }}/certs/selfsigned"
+        dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
+        state: link