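---
# Easy-RSA CA tasks: install the Easy-RSA suite (distribution package on
# EL, upstream archive on Debian), lay out the PKI directory, install the
# helper scripts and an optional daily certificate-expiry check.
# Every task is gated on easy_rsa_install; the per-distribution blocks are
# additionally gated on ansible_distribution_file_variety.
# Module arguments use native block YAML (no free-form key=value strings),
# module names are fully qualified and every boolean flag is coerced with
# `| bool`, so string values such as "false" cannot be taken as truthy.

- name: Install the Easy RSA suite on EL
  block:
    - name: Install the easyRSA package
      ansible.builtin.yum:
        pkg: "{{ easy_rsa_package }}"
        state: present
  when:
    - easy_rsa_install | bool
    - ansible_distribution_file_variety == "RedHat"
  tags: ['easyrsa', 'easy_rsa', 'ca']

- name: Install the Easy RSA suite on Deb
  block:
    - name: Create the easy rsa base directory
      ansible.builtin.file:
        dest: "{{ easy_rsa_base_dir_path }}"
        state: directory
        owner: root
        group: root

    # NOTE(review): the archive is fetched and unpacked in one step, so its
    # integrity is not verified beyond whatever the download transport
    # provides (ansible.builtin.unarchive has no checksum parameter). To pin
    # a release, fetch it with ansible.builtin.get_url and its checksum
    # parameter first, then unarchive the local copy.
    - name: Download the easy-rsa distribution from github
      ansible.builtin.unarchive:
        remote_src: true
        src: "{{ easy_rsa_github_distribution }}"
        dest: "{{ easy_rsa_github_install_dir }}"
        owner: root
        group: root

    # easy_rsa_base_dir_path (created above) and easy_rsa_base_dir (the link
    # created here) are different variables; presumably the link lives
    # inside the directory — confirm against the role defaults.
    - name: Link to the downloaded distribution
      ansible.builtin.file:
        src: "{{ easy_rsa_github_install_dir }}/{{ easy_rsa_github_name }}"
        dest: "{{ easy_rsa_base_dir }}"
        state: link
  when:
    - easy_rsa_install | bool
    - ansible_distribution_file_variety == "Debian"
  tags: ['easyrsa', 'easy_rsa', 'ca']

- name: Configure the pki directory and install the helper scripts
  block:
    # Root-owned and not world-accessible: the CA private key checked for
    # below lives under this directory once the CA has been built.
    - name: Create the PKI directory
      ansible.builtin.file:
        dest: "{{ easy_rsa_pki_basedir }}"
        state: directory
        owner: root
        group: root
        mode: "0750"

    - name: Link the executable
      ansible.builtin.file:
        src: "{{ easy_rsa_executable }}"
        dest: "{{ easy_rsa_pki_basedir }}/easyrsa"
        state: link

    - name: Link the x509 directory
      ansible.builtin.file:
        src: "{{ easy_rsa_base_dir }}/x509-types"
        dest: "{{ easy_rsa_pki_basedir }}/x509-types"
        state: link

    - name: Install the vars file
      ansible.builtin.template:
        src: vars.j2
        dest: "{{ easy_rsa_pki_basedir }}/vars"
        owner: root
        group: root
        mode: "0640"

    # flatten(levels=1) keeps the one-level flattening with_items applied,
    # so a nested easy_rsa_helper_scripts list still behaves as before.
    - name: Install the helper scripts
      ansible.builtin.template:
        src: "{{ item }}.sh.j2"
        dest: "/usr/local/bin/{{ item }}"
        owner: root
        group: root
        mode: "0544"
      loop: "{{ easy_rsa_helper_scripts | flatten(levels=1) }}"
      tags: ['easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts']

    # Edits the x509-types templates in place; the same directory is linked
    # into the PKI directory above, so the change is visible to easyrsa.
    - name: Fix the CA:False constraint
      ansible.builtin.lineinfile:
        path: '{{ easy_rsa_base_dir }}/x509-types/{{ item }}'
        regexp: '^basicConstraints\ =\ CA:FALSE'
        line: 'basicConstraints = critical,CA:FALSE'
      loop:
        - client
        - code-signing
        - email
        - kdc
        - server
        - serverClient
      when: easy_rsa_critical_ca_false | bool

    # lineinfile replaces an existing crlDistributionPoints line or appends
    # one at the end of COMMON when none matches.
    - name: Add a CRL distribution URI
      ansible.builtin.lineinfile:
        path: '{{ easy_rsa_base_dir }}/x509-types/COMMON'
        regexp: '^crlDistributionPoints.*'
        line: 'crlDistributionPoints = URI:{{ easy_rsa_crl_url }}'
      when: easy_rsa_add_crl_url | bool

    - name: Check if the CA has been initialized yet
      ansible.builtin.stat:
        path: "{{ easy_rsa_pki_basedir }}/pki/private/ca.key"
      register: easy_rsa_ca_key_file

    # Building the CA is left to an operator; this role only reports the
    # commands to run when the CA key is absent.
    - name: Display the easyrsa initialization commands if the CA has not been
      ansible.builtin.debug:
        msg: "Run the '{{ easy_rsa_pki_basedir }}/easyrsa init-pki' and '{{ easy_rsa_pki_basedir }}/easyrsa build-ca' commands"
      when: not easy_rsa_ca_key_file.stat.exists
  when: easy_rsa_install | bool
  tags: ['easyrsa', 'easy_rsa', 'ca']

- name: Expiration check
  block:
    - name: Install the mailx package on EL
      ansible.builtin.yum:
        pkg: mailx
        state: present
      when:
        - easy_rsa_install | bool
        - ansible_distribution_file_variety == "RedHat"
        - easy_rsa_alert_on_cert_expiration | bool

    - name: Install the mailx package on deb systems
      ansible.builtin.apt:
        pkg: bsd-mailx
        state: present
        cache_valid_time: 1800
      when:
        - easy_rsa_install | bool
        - ansible_distribution_file_variety == "Debian"
        - easy_rsa_alert_on_cert_expiration | bool

    # The job's stdout/stderr are discarded, so alerting presumably happens
    # inside the script itself (mailx is installed above for that purpose).
    # The script is presumably one of the helper scripts installed above —
    # confirm it is listed in easy_rsa_helper_scripts. cron_file keeps the
    # entry in its own /etc/cron.d file rather than root's crontab.
    - name: Install a cron job that runs the expiry check, daily
      ansible.builtin.cron:
        name: "Check on the certificate expiration"
        job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1"
        state: present
        special_time: daily
        user: root
        cron_file: check-certificates-expiration-date
      when:
        - easy_rsa_install | bool
        - easy_rsa_alert_on_cert_expiration | bool
  tags: ['easyrsa', 'easy_rsa', 'ca', 'easy_rsa_expiry_check']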