Manage self signed certificates.
This commit is contained in:
parent
8579383158
commit
d96def22ce
|
@ -164,6 +164,17 @@ no_proxy_targets:
|
|||
- '127.0.0.1'
|
||||
- 'localhost'
|
||||
|
||||
# A generic PKI directory where the local certificates will be stored
|
||||
pki_dir: /etc/pki
|
||||
pki_subdirs:
|
||||
- certs
|
||||
- keys
|
||||
pki_install_a_custom_ca: false
|
||||
self_signed_cert: "{{ pki_dir }}/certs/selfsigned/cert"
|
||||
self_signed_fullchain: "{{ pki_dir }}/certs/selfsigned/fullchain"
|
||||
self_signed_key: "{{ pki_dir }}/keys/selfsigned/privkey"
|
||||
self_signed_subject: "/CN={{ ansible_fqdn }} self signed"
|
||||
|
||||
trusted_ca_el_anchors_path: '/etc/pki/ca-trust/source/anchors'
|
||||
trusted_ca_deb_path: '/usr/local/share/ca-certificates'
|
||||
# it shoudn't be needed
|
||||
|
|
|
@ -2,14 +2,10 @@ galaxy_info:
|
|||
author: Andrea Dell'Amico
|
||||
description: Perform some low level system configuration
|
||||
company: ISTI-CNR
|
||||
namespace: adellam
|
||||
role_name: basic_system_setup
|
||||
|
||||
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
|
||||
|
||||
license: EUPL 1.2+
|
||||
|
||||
min_ansible_version: "2.9"
|
||||
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
|
@ -17,10 +13,13 @@ galaxy_info:
|
|||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
- jammy
|
||||
- name: EL
|
||||
versions:
|
||||
- "7"
|
||||
- "8"
|
||||
- "9"
|
||||
|
||||
galaxy_tags:
|
||||
- os-setup
|
||||
|
|
|
@ -1,19 +1,34 @@
|
|||
---
|
||||
- import_tasks: ansible-python3-pkgs.yml
|
||||
- import_tasks: hostname.yml
|
||||
- import_tasks: locale.yml
|
||||
- import_tasks: timezone.yml
|
||||
- import_tasks: sysctl.yml
|
||||
- import_tasks: http_client_proxy.yml
|
||||
- import_tasks: additional_disks.yml
|
||||
- name: Python3 requirements for ansible
|
||||
ansible.builtin.import_tasks: ansible-python3-pkgs.yml
|
||||
- name: Set the hostname
|
||||
ansible.builtin.import_tasks: hostname.yml
|
||||
- name: Set the locale
|
||||
ansible.builtin.import_tasks: locale.yml
|
||||
- name: Set the timezone
|
||||
ansible.builtin.import_tasks: timezone.yml
|
||||
- name: Sysctl kernel parameters
|
||||
ansible.builtin.import_tasks: sysctl.yml
|
||||
- name: Self signed certificates waiting for the letsencrypt ones
|
||||
ansible.builtin.import_tasks: self_signed_certificate.yml
|
||||
when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
|
||||
- name: HTTP client proxy
|
||||
ansible.builtin.import_tasks: http_client_proxy.yml
|
||||
- name: Manage additiondal disk volumes
|
||||
ansible.builtin.import_tasks: additional_disks.yml
|
||||
when: additional_disks
|
||||
- import_tasks: autofs.yml
|
||||
- name: Manage the autofs configuration
|
||||
ansible.builtin.import_tasks: autofs.yml
|
||||
when: autofs_client_mountpoint
|
||||
- import_tasks: tmpreaper.yml
|
||||
- import_tasks: trusted_ca.yml
|
||||
- ansible.builtin.import_tasks: ganesha-nfs.yml
|
||||
- name: Manage tmpreaper
|
||||
ansible.builtin.import_tasks: tmpreaper.yml
|
||||
- name: Manage the trusted CAs
|
||||
ansible.builtin.import_tasks: trusted_ca.yml
|
||||
- name: Ganesha NFS
|
||||
ansible.builtin.import_tasks: ganesha-nfs.yml
|
||||
when: nfs_server_ganesha_enabled
|
||||
- import_tasks: nfs-kernel-server.yml
|
||||
- name: Linux Kernel NFS server
|
||||
ansible.builtin.import_tasks: nfs-kernel-server.yml
|
||||
when:
|
||||
- nfs_server_enabled
|
||||
- not nfs_server_ganesha_enabled
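Review bot: The new `Self signed certificates waiting for the letsencrypt ones` task is gated on `letsencrypt_acme_sh_install`, but the imported `self_signed_certificate.yml` also reads `letsencrypt_acme_sh_certificates_install_path` and `letsencrypt_acme_sh_certificates_install_base_path`, none of which are defined in this role's defaults (this commit only adds `pki_*` and `self_signed_*` there). Setting `letsencrypt_acme_sh_install: true` in inventory without the acme.sh role's variables loaded will fail with an undefined variable inside the import rather than skipping cleanly, so spell out the cross-role dependency with a comment above the task, e.g. `# Depends on the letsencrypt acme.sh role's letsencrypt_acme_sh_* variables being loaded`. Consider also writing the condition as `when: letsencrypt_acme_sh_install | default(false) | bool` to avoid the `is defined and` pattern. Minor: the task name `Manage additiondal disk volumes` has a typo (`additional`).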
|
||||
|
|
|
@ -0,0 +1,74 @@
|
|||
---
|
||||
- name: Manage the PKI directory
|
||||
tags: ['pki', 'ssl', 'ca', 'letsencrypt']
|
||||
block:
|
||||
- name: Ensure that the PKI directory exists
|
||||
ansible.builtin.file:
|
||||
path: "{{ pki_dir }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: Ensure that the PKI subdirectories exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ pki_dir }}/{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
loop: "{{ pki_subdirs }}"
|
||||
|
||||
- name: Letsencrypt is going to manage the certificates. Check if a certificate already exists
|
||||
tags: ['pki', 'ssl', 'letsencrypt']
|
||||
block:
|
||||
- name: Check if a certificate already exists. If so, skip all the related tasks
|
||||
ansible.builtin.stat:
|
||||
path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
|
||||
register: true_cert
|
||||
|
||||
- name: Manage self signed certificates, if letsencrypt is going to be installed
|
||||
when:
|
||||
- true_cert is defined
|
||||
- true_cert.stat is defined
|
||||
- true_cert.stat.islnk is not defined
|
||||
tags: ['pki', 'ssl', 'letsencrypt']
|
||||
block:
|
||||
- name: Create the path to the self signed certificates
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
loop:
|
||||
- "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
|
||||
- "{{ pki_dir }}/certs/selfsigned"
|
||||
|
||||
- name: Path to the self signed key file
|
||||
ansible.builtin.file:
|
||||
path: "{{ pki_dir }}/keys/selfsigned"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
|
||||
- name: Generate the self signed certificate and private key
|
||||
ansible.builtin.command: openssl req -x509 -newkey rsa:2048 -keyout {{ self_signed_key }} -out {{ self_signed_cert }} -days 365 -nodes -subj '{{ self_signed_subject }}'
|
||||
args:
|
||||
creates: '{{ self_signed_cert }}'
|
||||
|
||||
- name: Copy the cert file into fullchain
|
||||
ansible.builtin.copy:
|
||||
src: "{{ self_signed_cert }}"
|
||||
dest: "{{ self_signed_fullchain }}"
|
||||
remote_src: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Create the symbolic link for the certificates into the letsencrypt live directory
|
||||
ansible.builtin.file:
|
||||
src: "{{ pki_dir }}/certs/selfsigned"
|
||||
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
|
||||
state: link
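Review bot: The private key produced by the `openssl req ... -keyout` command task never has its ownership or mode set explicitly; OpenSSL generally writes key output as 0600, but the play only guarantees the 0700 `keys/selfsigned` directory, so the key itself inherits whatever the tool and umask produced and nothing corrects it on later runs. Add a file task right after the generate step that pins `{{ self_signed_key }}` to root/root and `"0600"`, as below. The octal modes in this file (`mode: 0755`, `mode: 0700`, `mode: 0644`) are unquoted and are read as YAML 1.1 integers; Ansible copes with that, but ansible-lint flags it and `mode: "0700"` is the unambiguous spelling. Whether acme.sh later replaces the symlink created in the last task or writes the real certificate through it into `{{ pki_dir }}/certs/selfsigned` depends on the other role and is not visible here; if it writes through, `creates:` will keep that material under the `selfsigned` name forever, so a comment on the link task stating the expected hand-over would help the next maintainer.

```yaml
    - name: Generate the self signed certificate and private key
      # … unchanged: openssl req command with creates: …

    - name: Restrict the self signed private key permissions
      ansible.builtin.file:
        path: "{{ self_signed_key }}"
        owner: root
        group: root
        mode: "0600"
```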
|