diff --git a/README.md b/README.md index 3637db8..aa391c9 100644 --- a/README.md +++ b/README.md @@ -1,31 +1,38 @@ Role Name ========= -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A role that installs EasyRSA Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +The most important variables are listed below: + +``` yaml +easy_rsa_install: True +easy_rsa_main_version: 3 +easy_rsa_version: '{{ easy_rsa_main_version }}.0.7' +easy_rsa_req_email: 'ca@example.com' +easy_rsa_req_ou: 'EASY RSA' +# rsa or ec +easy_rsa_algo: 'rsa' +easy_rsa_key_size: 4096 +easy_rsa_curve: 'secp384r1' +easy_rsa_ca_expire: 3650 +easy_rsa_cert_expire: 370 +easy_rsa_digest: 'sha384' +easy_rsa_batch_mode: False + +easy_rsa_req_country: 'IT' +easy_rsa_req_province: 'Province' +easy_rsa_req_city: 'City' +easy_rsa_req_org: 'Organization' +``` Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +None License ------- 
@@ -35,4 +42,4 @@ EUPL-1.2 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Andrea Dell'Amico, diff --git a/defaults/main.yml b/defaults/main.yml index 95d3c70..53e1c57 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,2 +1,19 @@ --- -# defaults file for ansible-role-template \ No newline at end of file +easy_rsa_install: True +easy_rsa_main_version: 3 +easy_rsa_version: '{{ easy_rsa_main_version }}.0.7' +easy_rsa_req_email: 'ca@example.com' +easy_rsa_req_ou: 'EASY RSA' +# rsa or ec +easy_rsa_algo: 'rsa' +easy_rsa_key_size: 4096 +easy_rsa_curve: 'secp384r1' +easy_rsa_ca_expire: 3650 +easy_rsa_cert_expire: 370 +easy_rsa_digest: 'sha384' +easy_rsa_batch_mode: False + +easy_rsa_req_country: 'IT' +easy_rsa_req_province: 'Province' +easy_rsa_req_city: 'City' +easy_rsa_req_org: 'Organization' diff --git a/meta/main.yml b/meta/main.yml index 1126a5e..3b03217 100644 --- a/meta/main.yml +++ b/meta/main.yml 
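Review bot: `easy_rsa_install: True` and `easy_rsa_batch_mode: False` in defaults/main.yml use capitalised booleans; both are consumed as booleans (`easy_rsa_install | bool` in tasks/main.yml, `{% if easy_rsa_batch_mode %}` in templates/vars.j2) so they work today, but yamllint's `truthy` rule and YAML 1.2 parsers expect the lowercase forms — write `easy_rsa_install: true` and `easy_rsa_batch_mode: false`. The remaining defaults are consistently quoted, and the `# rsa or ec` comment usefully documents `easy_rsa_algo`; a similar one-line comment naming the unit on `easy_rsa_ca_expire` and `easy_rsa_cert_expire` (`# days`) would save readers a trip to the vars template.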
@@ -1,61 +1,29 @@ galaxy_info: - author: your name - description: your description + author: Andrea Dell'Amico + description: Systems Architect company: ISTI-CNR - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY - license: EUPL-1.2 + license: EUPL 1.2+ min_ansible_version: 2.8 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # Optionally specify the branch Galaxy will use when accessing the GitHub - # repo for this role. During role install, if no tags are available, - # Galaxy will use this branch. During import Galaxy will access files on - # this branch. If Travis integration is configured, only notifications for this - # branch will be accepted. Otherwise, in all cases, the repo's default branch - # (usually master) will be used. - #github_branch: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. # To view available platforms and versions (or releases), visit: # https://galaxy.ansible.com/api/v1/platforms/ # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + platforms: + - name: Ubuntu + versions: + - bionic + - name: EL + versions: + - 7 + - 8 - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. 
+ galaxy_tags: + - pki + - certificates + - security dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. - diff --git a/tasks/main.yml b/tasks/main.yml index 53c6cae..e0d018e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
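Review bot: `min_ansible_version: 2.8` is parsed as a float and `license: EUPL 1.2+` does not match the `EUPL-1.2` that README.md states; quote the version as `min_ansible_version: '2.8'` and use one license string in both places (the SPDX identifier `EUPL-1.2` already used by the README is the safer choice). The EL `versions` entries `7` and `8` are integers, which Galaxy accepts, but quoting them keeps the platform lists uniformly strings like `bionic`.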
@@ -1,2 +1,57 @@ --- -# tasks file for ansible-role-template \ No newline at end of file +- name: Install the Easy RSA suite on EL + block: + - name: Install the easyRSA package + yum: pkg={{ easy_rsa_package }} state=present + + when: + - easy_rsa_install | bool + - ansible_distribution_file_variety == "RedHat" + tags: [ 'easyrsa', 'easy_rsa', 'ca' ] + +- name: Install the Easy RSA suite on Deb + block: + - name: Create the easy rsa base directory + file: dest={{ easy_rsa_base_dir_path }} state=directory owner=root group=root + + - name: Download the easy-rsa distribution from github + unarchive: remote_src=yes src={{ easy_rsa_github_distribution }} dest={{ easy_rsa_github_install_dir }} owner=root group=root + + - name: Link to the downloaded distribution + file: src={{ easy_rsa_github_install_dir }}/{{ easy_rsa_github_name }} dest={{ easy_rsa_base_dir }} state=link + + when: + - easy_rsa_install | bool + - ansible_distribution_file_variety == "Debian" + tags: [ 'easyrsa', 'easy_rsa', 'ca' ] + +- name: Configure the pki directory and install the helper scripts + block: + - name: Create the PKI directory + file: dest={{ easy_rsa_pki_basedir }} state=directory owner=root group=root mode=0750 + + - name: Link the executable + file: src={{ easy_rsa_executable }} dest={{ easy_rsa_pki_basedir }}/easyrsa state=link + + - name: Link the x509 directory + file: src={{ easy_rsa_base_dir }}/x509-types dest={{ easy_rsa_pki_basedir }}/x509-types state=link + + - name: Install the vars file + template: src=vars.j2 dest={{ easy_rsa_pki_basedir }}/vars owner=root group=root mode=0640 + + - name: Install the helper scripts + template: src={{ item }}.sh.j2 dest=/usr/local/bin/{{ item }} owner=root group=root mode=0544 + with_items: '{{ easy_rsa_helper_scripts }}' + tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts' ] + + - name: Check if the CA has been initialized yet + stat: path={{ easy_rsa_pki_basedir }}/pki/private/ca.key + register: easy_rsa_ca_key_file + + - 
name: Display the easyrsa initialization commands if the CA has not been + debug: + msg: "Run the '{{ easy_rsa_pki_basedir }}/easyrsa init-pki' and '{{ easy_rsa_pki_basedir }}/easyrsa build-ca' commands" + when: not easy_rsa_ca_key_file.stat.exists + + when: easy_rsa_install | bool + tags: [ 'easyrsa', 'easy_rsa', 'ca' ] diff --git a/templates/client-host-certificate.sh.j2 b/templates/client-host-certificate.sh.j2 new file mode 100644 index 0000000..9f5910d --- /dev/null +++ b/templates/client-host-certificate.sh.j2 @@ -0,0 +1,34 @@ +#!/bin/bash + +host_arg= +if [ $# -ne 1 ] ; then + echo "You need to pass just one argument: the full hostname for wich the certificate is required" + exit 1 +else + host_arg="$1" +fi + +easy_rsa_base_dir={{ easy_rsa_pki_basedir }} +easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued" +easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private" +easy_vars_file="${easy_rsa_base_dir}/vars" +if [ -f "${easy_vars_file}.tmpl" ] ; then + echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding." + exit 1 +fi + +echo "" +echo "Starting the creation of a client host certificate." +echo "" + +cd "$easy_rsa_base_dir" +./easyrsa build-client-full "$host_arg" nopass + +echo "" +echo "Done." +echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt" +echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key" +echo "" +echo "Remember that the key of the host certificates do not passphrase protected" + +exit 0 diff --git a/templates/personal-certificate.sh.j2 b/templates/personal-certificate.sh.j2 new file mode 100644 index 0000000..a0fa314 --- /dev/null +++ b/templates/personal-certificate.sh.j2 
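Review bot: The Debian branch's `unarchive: remote_src=yes src={{ easy_rsa_github_distribution }}` task installs the EasyRSA release tarball straight from GitHub with no checksum or signature check, so whatever is served for that URL — including a replaced release asset — becomes the CA tooling that later runs as root. Fetching with `get_url` and a pinned `checksum:` (a new `easy_rsa_github_checksum` variable next to `easy_rsa_github_distribution` in vars/main.yml) and unpacking the local copy closes that gap; the rewritten tasks are below. The same block would read better in native YAML dictionary form rather than `key=value` strings, and `with_items` on the helper-scripts task can become `loop` given `min_ansible_version: 2.8`.
```yaml
- name: Install the Easy RSA suite on Deb
  block:
    # … unchanged: base directory task …
    - name: Download the easy-rsa distribution from github
      get_url:
        url: '{{ easy_rsa_github_distribution }}'
        dest: '{{ easy_rsa_github_install_dir }}/{{ easy_rsa_github_name }}.tgz'
        # pinned digest of the release asset, e.g. 'sha256:<digest>' (value to be added to vars/main.yml)
        checksum: '{{ easy_rsa_github_checksum }}'
        owner: root
        group: root
        mode: '0644'

    - name: Unpack the easy-rsa distribution
      unarchive:
        remote_src: true
        src: '{{ easy_rsa_github_install_dir }}/{{ easy_rsa_github_name }}.tgz'
        dest: '{{ easy_rsa_github_install_dir }}'
        owner: root
        group: root

    # … unchanged: link task, when and tags …
```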
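Review bot: The exit status of `./easyrsa build-client-full "$host_arg" nopass` is never checked, so when the build fails (or the preceding `cd` does) the script still prints "Done." with certificate paths and exits 0, which hides the failure from operators and from anything wrapping the script. Guard both steps: `cd "$easy_rsa_base_dir" || exit 1` and `./easyrsa build-client-full "$host_arg" nopass || { echo "Certificate creation failed" >&2; exit 1; }`; the same applies to the `build-server-full` call in templates/server-host-certificate.sh.j2 and the `build-client-full` call in templates/personal-certificate.sh.j2. Quoting the rendered path as `easy_rsa_base_dir="{{ easy_rsa_pki_basedir }}"` keeps the assignment intact if the variable ever contains a space. The usage and closing messages of both host scripts also carry typos worth fixing: "wich" for "which", and "do not passphrase protected" for "are not passphrase protected".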
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+name_arg=
+email_arg=
+if [ $# -ne 2 ] ; then
+ echo "You need to pass exactly two parameters in the following order: the full name, between double quotes, and the email address"
+ exit 1
+else
+ name_arg="$1"
+ email_arg="$2"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+ echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+ exit 1
+fi
+
+echo ""
+echo "Starting the creation of a client host certificate."
+echo "Remember that you need to supply a passphrase for the private key."
+echo ""
+
+sleep 5
+
+cd "$easy_rsa_base_dir"
+cp -f "$easy_vars_file" "${easy_vars_file}.tmpl"
+sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
+./easyrsa build-client-full "$name_arg"
+mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
+echo ""
+
+exit 0
diff --git a/templates/safessl-easyrsa.cnf b/templates/safessl-easyrsa.cnf
new file mode 100644
index 0000000..030785c
--- /dev/null
+++ b/templates/safessl-easyrsa.cnf
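Review bot: `sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"` splices the operator-supplied address unescaped into the sed expression, so an argument containing `/` or `&` breaks the substitution or alters the replacement, and any interruption between the `cp -f` and the `mv -f` (for example at the passphrase prompt) leaves the rewritten `vars` in place with only the `.tmpl` check at the top as protection. Easy-RSA 3 accepts the request e-mail as a command-line option, so the copy/sed/restore sequence can be replaced by the single line `./easyrsa --req-email="$email_arg" build-client-full "$name_arg"` (with the exit-status guard noted on the client-host script). The banner `echo "Starting the creation of a client host certificate."` was carried over from the host script and should say personal certificate here, and the bare `sleep 5` deserves a comment stating its purpose if it is meant as a reading pause.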
@@ -0,0 +1,140 @@ +# For use with Easy-RSA 3.1 and OpenSSL or LibreSSL + +RANDFILE = /srv/CA/pki/.rnd + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = /srv/CA/pki # Where everything is kept +certs = /srv/CA/pki # Where the issued certs are kept +crl_dir = /srv/CA/pki # Where the issued crl are kept +database = /srv/CA/pki/index.txt # database index file. +new_certs_dir = /srv/CA/pki/certs_by_serial # default place for new certs. + +certificate = /srv/CA/pki/ca.crt # The CA certificate +serial = /srv/CA/pki/serial # The current serial number +crl = /srv/CA/pki/crl.pem # The current CRL +private_key = /srv/CA/pki/private/ca.key # The private key +RANDFILE = /srv/CA/pki/.rand # private random number file + +x509_extensions = basic_exts # The extentions to add to the cert + +# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA +# is designed for will. In return, we get the Issuer attached to CRLs. 
+crl_extensions = crl_ext + +default_days = 730 # how long to certify for +default_crl_days= 180 # how long before next CRL +default_md = sha384 # use public key default MD +preserve = no # keep passed DN ordering + +# This allows to renew certificates which have not been revoked +unique_subject = no + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the 'anything' policy, which defines allowed DN fields +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +name = optional +emailAddress = optional + +#################################################################### +# Easy-RSA request handling +# We key off $DN_MODE to determine how to format the DN +[ req ] +default_bits = 3072 +default_keyfile = privkey.pem +default_md = sha384 +distinguished_name = cn_only +x509_extensions = easyrsa_ca # The extentions to add to the self signed cert + +# A placeholder to handle the $EXTRA_EXTS feature: +#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it + +#################################################################### +# Easy-RSA DN (Subject) handling + +# Easy-RSA DN for cn_only support: +[ cn_only ] +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = ISTI-CNR S2I2S CA + +# Easy-RSA DN for org support: +[ org ] +countryName = Country Name (2 letter code) +countryName_default = IT +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Tuscany + +localityName = Locality Name (eg, city) +localityName_default = Pisa + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = 
ISTI-CNR + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = S2I2S IT Services + +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = Easy-RSA CA + +emailAddress = Email Address +emailAddress_default = me@example.net +emailAddress_max = 64 + +#################################################################### +# Easy-RSA cert extension handling + +# This section is effectively unused as the main script sets extensions +# dynamically. This core section is left to support the odd usecase where +# a user calls openssl directly. +[ basic_exts ] +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always + +# The Easy-RSA CA extensions +[ easyrsa_ca ] + +# PKIX recommendations: + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always + +# This could be marked critical, but it's nice to support reading by any +# broken clients who attempt to do so. +basicConstraints = CA:true + +# Limit key usage to CA tasks. If you really want to use the generated pair as +# a self-signed cert, comment this out. +keyUsage = cRLSign, keyCertSign + +# nsCertType omitted by default. Let's try to let the deprecated stuff die. +# nsCertType = sslCA + +# CRL extensions. +[ crl_ext ] + +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always + diff --git a/templates/server-host-certificate.sh.j2 b/templates/server-host-certificate.sh.j2 new file mode 100644 index 0000000..3338a27 --- /dev/null +++ b/templates/server-host-certificate.sh.j2 
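Review bot: templates/safessl-easyrsa.cnf is not referenced by tasks/main.yml or by any variable in this commit, has no `.j2` suffix, and hardcodes `/srv/CA/pki` plus site-specific DN defaults (`commonName_default = ISTI-CNR S2I2S CA`, `emailAddress_default = me@example.net`) and `default_bits = 3072` / `default_md = sha384` that duplicate what `easy_rsa_key_size` and `easy_rsa_digest` already control — it looks like a copy taken from a live PKI rather than a role template. If it is meant to be installed, it should be templated on `easy_rsa_pki_basedir`, the `easy_rsa_req_*` variables and `easy_rsa_digest` and given a task; otherwise it should be dropped so the two configurations cannot drift. Until then a header comment such as `# Reference only: not installed by this role` would tell the next reader which it is.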
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+host_arg=
+if [ $# -ne 1 ] ; then
+ echo "You need to pass just one argument: the full hostname for wich the certificate is required"
+ exit 1
+else
+ host_arg="$1"
+fi
+
+easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
+easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
+easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_vars_file="${easy_rsa_base_dir}/vars"
+if [ -f "${easy_vars_file}.tmpl" ] ; then
+ echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
+ exit 1
+fi
+
+echo ""
+echo "Starting the creation of a server host certificate."
+echo ""
+
+cd "$easy_rsa_base_dir"
+./easyrsa build-server-full "$host_arg" nopass
+
+echo ""
+echo "Done."
+echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+echo ""
+echo "Remember that the key of the host certificates do not passphrase protected"
+
+exit 0
diff --git a/templates/vars.j2 b/templates/vars.j2
new file mode 100644
index 0000000..3b7a7e6
--- /dev/null
+++ b/templates/vars.j2
@@ -0,0 +1,211 @@ +# Easy-RSA 3 parameter settings + +# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades don't wipe out your changes. + +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file 'vars' if you want it to be used as a configuration file. If you do +# not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without the +# need to copy and edit the 'vars' file. +# +# All of the editable settings are shown commented and start with the command +# 'set_var' -- this means any set_var command that is uncommented has been +# modified by the user. If you're happy with a default, there is no need to +# define the value to its default. + +# NOTES FOR WINDOWS USERS +# +# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped +# backslashes (single forward slashes are recommended.) This means your path to +# the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DON'T EDIT THIS SECTION +# +# Easy-RSA 3.x doesn't source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 + echo "This is no longer necessary and is disallowed. See the section called" >&2 + echo "'How to use this file' near the top comments for more details." >&2 + return 1 +fi + +# DO YOUR EDITS BELOW THIS POINT + +# This variable is used as the base location of configuration files needed by +# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) +# may override this default. 
+# +# The default value of this variable is the location of the easyrsa script +# itself, which is also where the configuration files are located in the +# easy-rsa tree. + +#set_var EASYRSA "${0%/*}" + +# If your OpenSSL command is not in the system PATH, you will need to define the +# path to it here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. +# +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. + +#set_var EASYRSA_OPENSSL "openssl" +# +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# Edit this variable to point to your soon-to-be-created key directory. By +# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the +# directory you are currently in). +# +# WARNING: init-pki will do a rm -rf on this directory so make sure you define +# it correctly! (Interactive mode will prompt before acting.) + +#set_var EASYRSA_PKI "$PWD/pki" + +# Define X509 DN mode. +# This is used to adjust what elements are included in the Subject field as the DN +# (this is the "Distinguished Name.") +# Note that in cn_only mode the Organizational fields further below aren't used. +# +# Choices are: +# cn_only - use just a CN value +# org - use the "traditional" Country/Province/City/Org/OU/email/CN format + +set_var EASYRSA_DN "org" + +# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) +# These are the default values for fields which will be placed in the +# certificate. Don't leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email.) 
+ +set_var EASYRSA_REQ_COUNTRY "{{ easy_rsa_req_country }}" +set_var EASYRSA_REQ_PROVINCE "{{ easy_rsa_req_province }}" +set_var EASYRSA_REQ_CITY "{{ easy_rsa_req_city }}" +set_var EASYRSA_REQ_ORG "{{ easy_rsa_req_org }}" +set_var EASYRSA_REQ_EMAIL "{{ easy_rsa_req_email }}" +set_var EASYRSA_REQ_OU "{{ easy_rsa_req_ou }}" + +# Choose a size in bits for your keypairs. The recommended value is 2048. Using +# 2048-bit keys is considered more than sufficient for many years into the +# future. Larger keysizes will slow down TLS negotiation and make key/DH param +# generation take much longer. Values up to 4096 should be accepted by most +# software. Only used when the crypto alg is rsa (see below.) + +set_var EASYRSA_KEY_SIZE {{ easy_rsa_key_size }} + +# The default crypto mode is rsa; ec can enable elliptic curve support. +# Note that not all software supports ECC, so use care when enabling it. +# Choices for crypto alg are: (each in lower-case) +# * rsa +# * ec + +set_var EASYRSA_ALGO {{ easy_rsa_algo }} + +# Define the named curve, used in ec mode only: + +set_var EASYRSA_CURVE {{ easy_rsa_curve }} + +# In how many days should the root CA key expire? + +set_var EASYRSA_CA_EXPIRE {{ easy_rsa_ca_expire }} + +# In how many days should certificates expire? + +set_var EASYRSA_CERT_EXPIRE {{ easy_rsa_cert_expire }} + +# How many days until the next CRL publish date? Note that the CRL can still be +# parsed after this timeframe passes. It is only used for an expected next +# publication date. + +# How many days before its expiration date a certificate is allowed to be +# renewed? +set_var EASYRSA_CERT_RENEW 30 + +set_var EASYRSA_CRL_DAYS 180 + +# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default +# is "no" to discourage use of deprecated extensions. If you require this +# feature to use with --ns-cert-type, set this to "yes" here. This support +# should be replaced with the more modern --remote-cert-tls feature. 
If you do +# not use --ns-cert-type in your configs, it is safe (and recommended) to leave +# this defined to "no". When set to "yes", server-signed certs get the +# nsCertType=server attribute, and also get any NS_COMMENT defined below in the +# nsComment field. + +set_var EASYRSA_NS_SUPPORT "no" + +# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. +# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. + +#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + +# A temp file used to stage cert extensions during signing. The default should +# be fine for most users; however, some users might want an alternative under a +# RAM-based FS, such as /dev/shm or /tmp on some systems. + +set_var EASYRSA_TEMP_FILE "/run/easyrsa/extensions.temp" + +# !! +# NOTE: ADVANCED OPTIONS BELOW THIS POINT +# PLAY WITH THEM AT YOUR OWN RISK +# !! + +# Broken shell command aliases: If you have a largely broken shell that is +# missing any of these POSIX-required commands used by Easy-RSA, you will need +# to define an alias to the proper path for the command. The symptom will be +# some form of a 'command not found' error from your shell. This means your +# shell is BROKEN, but you can hack around it here if you really need. These +# shown values are not defaults: it is up to you to know what you're doing if +# you touch these. +# +#alias awk="/alt/bin/awk" +#alias cat="/alt/bin/cat" + +# X509 extensions directory: +# If you want to customize the X509 extensions used, set the directory to look +# for extensions here. Each cert type you sign must have a matching filename, +# and an optional file named 'COMMON' is included first when present. Note that +# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then +# fallback to $EASYRSA for the 'x509-types' dir. You may override this +# detection with an explicit dir here. 
+# +#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" + +# OpenSSL config file: +# If you need to use a specific openssl config file, you can reference it here. +# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the +# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA +# specific and you cannot just use a standard config file, so this is an +# advanced feature. + +#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" + +# Default CN: +# This is best left alone. Interactively you will set this manually, and BATCH +# callers are expected to set this themselves. + +#set_var EASYRSA_REQ_CN "ChangeMe" + +# Cryptographic digest to use. +# Do not change this default unless you understand the security implications. +# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 + +set_var EASYRSA_DIGEST "{{ easy_rsa_digest }}" + +# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly +# in batch mode without any user input, confirmation on dangerous operations, +# or most output. Setting this to any non-blank string enables batch mode. + +{% if easy_rsa_batch_mode %} +set_var EASYRSA_BATCH "enabled" +{% endif %} diff --git a/vars/main.yml b/vars/main.yml index 3808477..318abae 100644 --- a/vars/main.yml +++ b/vars/main.yml 
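Review bot: `set_var EASYRSA_TEMP_FILE "/run/easyrsa/extensions.temp"` points at a directory that nothing in tasks/main.yml creates, and `/run` is normally a tmpfs emptied on reboot, so signing commands that stage extensions there will presumably fail until someone creates `/run/easyrsa` by hand; either restore the upstream vars.example default `set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"` (inside the 0750 PKI directory the role already creates) or add a task plus a tmpfiles.d entry that creates the directory. `set_var EASYRSA_KEY_SIZE {{ easy_rsa_key_size }}`, `EASYRSA_ALGO` and `EASYRSA_CURVE` are rendered unquoted while every other templated value is quoted; quoting them keeps the `set_var` line well-formed if a variable is ever overridden with an empty value. The comment explaining the CRL publish interval is separated from its `set_var EASYRSA_CRL_DAYS 180` by the `EASYRSA_CERT_RENEW` lines and should move back next to it.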
@@ -1,2 +1,21 @@
 ---
-# vars file for ansible-role-template
\ No newline at end of file
+centos_install_epel: true
+
+easy_rsa_github_distribution: 'https://github.com/OpenVPN/easy-rsa/releases/download/v{{ easy_rsa_version }}/EasyRSA-{{ easy_rsa_version }}.tgz'
+easy_rsa_github_name: 'EasyRSA-{{ easy_rsa_version }}'
+easy_rsa_github_install_dir: '/opt'
+# EL only
+easy_rsa_package:
+ - easy-rsa
+
+easy_rsa_base_dir_path: '/usr/share/easy-rsa'
+easy_rsa_base_dir: '{{ easy_rsa_base_dir_path }}/{{ easy_rsa_main_version }}'
+easy_rsa_executable: '{{ easy_rsa_base_dir }}/easyrsa'
+
+easy_rsa_pki_basedir: /srv/CA
+
+easy_rsa_helper_scripts:
+ - 'client-host-certificate'
+ - 'server-host-certificate'
+ - 'personal-certificate'
+
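Review bot: `easy_rsa_pki_basedir: /srv/CA`, `easy_rsa_github_install_dir: '/opt'` and `easy_rsa_base_dir_path` are deployment choices but live in vars/main.yml, whose precedence means inventory and playbook variables cannot override them (only `-e` can); moving them to defaults/main.yml, where the README documents the tunables, would let users relocate the PKI without editing the role. `centos_install_epel: true` is not read by any task in this commit — if it is meant for another role that enables EPEL (which is presumably where the `easy-rsa` package comes from on EL), a comment saying so and a `dependencies:` entry in meta/main.yml would make that reliance explicit. Quoting `easy_rsa_pki_basedir: '/srv/CA'` would also match the quoting style of the other paths in the file.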