From d96def22ce142fe53d078543a9202198627f2b89 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 10 Jul 2023 11:07:24 +0200
Subject: [PATCH] Manage self signed certificates.

---
 defaults/main.yml                 | 11 +++++
 meta/main.yml                     |  9 ++--
 tasks/main.yml                    | 39 +++++++++++-----
 tasks/self_signed_certificate.yml | 74 +++++++++++++++++++++++++++++++
 4 files changed, 116 insertions(+), 17 deletions(-)
 create mode 100644 tasks/self_signed_certificate.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index b96f75a..22976b9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -164,6 +164,17 @@ no_proxy_targets:
   - '127.0.0.1'
   - 'localhost'
 
+# A generic PKI directory where the local certificates will be stored
+pki_dir: /etc/pki
+pki_subdirs:
+  - certs
+  - keys
+pki_install_a_custom_ca: false
+self_signed_cert: "{{ pki_dir }}/certs/selfsigned/cert"
+self_signed_fullchain: "{{ pki_dir }}/certs/selfsigned/fullchain"
+self_signed_key: "{{ pki_dir }}/keys/selfsigned/privkey"
+self_signed_subject: "/CN={{ ansible_fqdn }} self signed"
+
 trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
 trusted_ca_deb_path: '/usr/local/share/ca-certificates' # it shoudn't be needed
 
diff --git a/meta/main.yml b/meta/main.yml
index 0aa20a6..c635cc1 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,14 +2,10 @@ galaxy_info:
   author: Andrea Dell'Amico
   description: Perform some low level system configuration
   company: ISTI-CNR
+  namespace: adellam
   role_name: basic_system_setup
-
-  issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
-
   license: EUPL 1.2+
-
   min_ansible_version: "2.9"
-
   # To view available platforms and versions (or releases), visit:
   # https://galaxy.ansible.com/api/v1/platforms/
   #
@@ -17,10 +13,13 @@ galaxy_info:
     - name: Ubuntu
       versions:
         - bionic
+        - focal
+        - jammy
     - name: EL
       versions:
         - "7"
         - "8"
+        - "9"
 
   galaxy_tags:
     - os-setup
diff --git a/tasks/main.yml b/tasks/main.yml
index cfb2221..4ffd0dd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
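Review bot: `self_signed_subject` defaults to `/CN={{ ansible_fqdn }} self signed`, so the placeholder certificate's CN never equals the host name and nothing in this patch adds a subjectAltName; a client that is told to trust the certificate still fails hostname verification, and so does any server that compares CN against the requested name. Unless the suffix is meant as a visible marker for operators, `self_signed_subject: "/CN={{ ansible_fqdn }}"` is the safer default, with the SAN supplied where the certificate is generated. `pki_install_a_custom_ca` is also introduced here but nothing in this patch reads it; if `trusted_ca.yml` consumes it outside the patch, a one-line comment saying so would stop it looking like dead configuration.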
@@ -1,19 +1,34 @@
 ---
-- import_tasks: ansible-python3-pkgs.yml
-- import_tasks: hostname.yml
-- import_tasks: locale.yml
-- import_tasks: timezone.yml
-- import_tasks: sysctl.yml
-- import_tasks: http_client_proxy.yml
-- import_tasks: additional_disks.yml
+- name: Python3 requirements for ansible
+  ansible.builtin.import_tasks: ansible-python3-pkgs.yml
+- name: Set the hostname
+  ansible.builtin.import_tasks: hostname.yml
+- name: Set the locale
+  ansible.builtin.import_tasks: locale.yml
+- name: Set the timezone
+  ansible.builtin.import_tasks: timezone.yml
+- name: Sysctl kernel parameters
+  ansible.builtin.import_tasks: sysctl.yml
+- name: Self signed certificates waiting for the letsencrypt ones
+  ansible.builtin.import_tasks: self_signed_certificate.yml
+  when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
+- name: HTTP client proxy
+  ansible.builtin.import_tasks: http_client_proxy.yml
+- name: Manage additiondal disk volumes
+  ansible.builtin.import_tasks: additional_disks.yml
   when: additional_disks
-- import_tasks: autofs.yml
+- name: Manage the autofs configuration
+  ansible.builtin.import_tasks: autofs.yml
   when: autofs_client_mountpoint
-- import_tasks: tmpreaper.yml
-- import_tasks: trusted_ca.yml
-- ansible.builtin.import_tasks: ganesha-nfs.yml
+- name: Manage tmpreaper
+  ansible.builtin.import_tasks: tmpreaper.yml
+- name: Manage the trusted CAs
+  ansible.builtin.import_tasks: trusted_ca.yml
+- name: Ganesha NFS
+  ansible.builtin.import_tasks: ganesha-nfs.yml
   when: nfs_server_ganesha_enabled
-- import_tasks: nfs-kernel-server.yml
+- name: Linux Kernel NFS server
+  ansible.builtin.import_tasks: nfs-kernel-server.yml
   when:
     - nfs_server_enabled
     - not nfs_server_ganesha_enabled
diff --git a/tasks/self_signed_certificate.yml b/tasks/self_signed_certificate.yml
new file mode 100644
index 0000000..1da55f7
--- /dev/null
+++ b/tasks/self_signed_certificate.yml
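Review bot: The new `when:` on the self-signed import checks only `letsencrypt_acme_sh_install`, but `self_signed_certificate.yml` reads `letsencrypt_acme_sh_certificates_install_path` and `letsencrypt_acme_sh_certificates_install_base_path`, neither of which this patch defines in the role's defaults; if those come from the letsencrypt role and that role runs after this one, the import aborts on an undefined variable instead of skipping. Guard on what the imported file actually needs, e.g. `when:` with the two items `- letsencrypt_acme_sh_install | default(false) | bool` and `- letsencrypt_acme_sh_certificates_install_path is defined`, which also drops the `is defined and` idiom. The task name `Manage additiondal disk volumes` has a typo that will show up in every play log.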
@@ -0,0 +1,74 @@
+---
+- name: Manage the PKI directory
+  tags: ['pki', 'ssl', 'ca', 'letsencrypt']
+  block:
+    - name: Ensure that the PKI directory exists
+      ansible.builtin.file:
+        path: "{{ pki_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: Ensure that the PKI subdirectories exist
+      ansible.builtin.file:
+        path: "{{ pki_dir }}/{{ item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+      loop: "{{ pki_subdirs }}"
+
+- name: Letsencrypt is going to manage the certificates. Check if a certificate already exists
+  tags: ['pki', 'ssl', 'letsencrypt']
+  block:
+    - name: Check if a certificate already exists. If so, skip all the related tasks
+      ansible.builtin.stat:
+        path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
+      register: true_cert
+
+- name: Manage self signed certificates, if letsencrypt is going to be installed
+  when:
+    - true_cert is defined
+    - true_cert.stat is defined
+    - true_cert.stat.islnk is not defined
+  tags: ['pki', 'ssl', 'letsencrypt']
+  block:
+    - name: Create the path to the self signed certificates
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+      loop:
+        - "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
+        - "{{ pki_dir }}/certs/selfsigned"
+
+    - name: Path to the self signed key file
+      ansible.builtin.file:
+        path: "{{ pki_dir }}/keys/selfsigned"
+        state: directory
+        owner: root
+        group: root
+        mode: 0700
+
+    - name: Generate the self signed certificate and private key
+      ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}'
+      args:
+        creates: '{{ self_signed_cert }}'
+
+    - name: Copy the cert file into fullchain
+      ansible.builtin.copy:
+        src: "{{ self_signed_cert }}"
+        dest: "{{ self_signed_fullchain }}"
+        remote_src: true
+        owner: root
+        group: root
+        mode: 0644
+
+    - name: Create the symbolic link for the certificates into the letsencrypt live directory
+      ansible.builtin.file:
+        src: "{{ pki_dir }}/certs/selfsigned"
+        dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
+        state: link
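Review bot: The symlink created by the last task exposes only `cert` and `fullchain`: the private key is written to `{{ pki_dir }}/keys/selfsigned/privkey`, so `{{ letsencrypt_acme_sh_certificates_install_path }}/privkey` does not exist and a service pointed at that directory presumably cannot load the placeholder key (the acme.sh layout is outside this patch, so confirm the file name it installs). The certificate also carries no subjectAltName and its CN is `<fqdn> self signed`, so hostname verification fails even for clients that trust it; `-addext 'subjectAltName=DNS:{{ ansible_fqdn }}'` fixes that on OpenSSL 1.1.1+, which rules out the EL 7 target listed in meta (a `-config` file would be needed there). Nothing pins the key's file mode either — it relies on the 0700 parent directory and on whatever `openssl req -keyout` happens to use — and `creates:` keys on the certificate alone, so a deleted or replaced key is never regenerated. The `islnk is not defined` test works because the attribute is absent only when the path does not exist, but `not true_cert.stat.exists` says what is meant; a sketch of the generation, key-mode and privkey-link tasks follows.

```yaml
    - name: Generate the self signed certificate and private key
      ansible.builtin.command: >-
        openssl req -x509 -newkey rsa:2048 -nodes -days 365
        -keyout {{ self_signed_key }} -out {{ self_signed_cert }}
        -subj '{{ self_signed_subject }}'
        -addext 'subjectAltName=DNS:{{ ansible_fqdn }}'
      args:
        creates: '{{ self_signed_cert }}'

    - name: Restrict the self signed private key to root
      ansible.builtin.file:
        path: "{{ self_signed_key }}"
        owner: root
        group: root
        mode: "0600"

    # … unchanged: copy the cert file into fullchain …

    - name: Expose the private key beside cert and fullchain, where the live directory is expected to have it
      ansible.builtin.file:
        src: "{{ self_signed_key }}"
        dest: "{{ pki_dir }}/certs/selfsigned/privkey"
        state: link

    # … unchanged: symlink certs/selfsigned into the letsencrypt live directory …
```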