114 lines
3.8 KiB
YAML
114 lines
3.8 KiB
YAML
---
|
|
- name: Install the Easy RSA suite on EL
|
|
block:
|
|
- name: Install the easyRSA package
|
|
yum: pkg={{ easy_rsa_package }} state=present
|
|
|
|
when:
|
|
- easy_rsa_install | bool
|
|
- ansible_distribution_file_variety == "RedHat"
|
|
tags: [ 'easyrsa', 'easy_rsa', 'ca' ]
|
|
|
|
- name: Install the Easy RSA suite on Deb
|
|
block:
|
|
- name: Create the easy rsa base directory
|
|
file: dest={{ easy_rsa_base_dir_path }} state=directory owner=root group=root
|
|
|
|
- name: Download the easy-rsa distribution from github
|
|
unarchive: remote_src=yes src={{ easy_rsa_github_distribution }} dest={{ easy_rsa_github_install_dir }} owner=root group=root
|
|
|
|
- name: Link to the downloaded distribution
|
|
file: src={{ easy_rsa_github_install_dir }}/{{ easy_rsa_github_name }} dest={{ easy_rsa_base_dir }} state=link
|
|
|
|
when:
|
|
- easy_rsa_install | bool
|
|
- ansible_distribution_file_variety == "Debian"
|
|
tags: [ 'easyrsa', 'easy_rsa', 'ca' ]
|
|
|
|
- name: Configure the pki directory and install the helper scripts
|
|
block:
|
|
- name: Create the PKI directory
|
|
file: dest={{ easy_rsa_pki_basedir }} state=directory owner=root group=root mode=0750
|
|
|
|
- name: Link the executable
|
|
file: src={{ easy_rsa_executable }} dest={{ easy_rsa_pki_basedir }}/easyrsa state=link
|
|
|
|
- name: Link the x509 directory
|
|
file: src={{ easy_rsa_base_dir }}/x509-types dest={{ easy_rsa_pki_basedir }}/x509-types state=link
|
|
|
|
- name: Install the vars file
|
|
template: src=vars.j2 dest={{ easy_rsa_pki_basedir }}/vars owner=root group=root mode=0640
|
|
|
|
- name: Install the helper scripts
|
|
template: src={{ item }}.sh.j2 dest=/usr/local/bin/{{ item }} owner=root group=root mode=0544
|
|
with_items: '{{ easy_rsa_helper_scripts }}'
|
|
tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts' ]
|
|
|
|
- name: Fix the CA:False constraint
|
|
lineinfile:
|
|
path: '{{ easy_rsa_base_dir }}/x509-types/{{ item }}'
|
|
regexp: '^basicConstraints\ =\ CA:FALSE'
|
|
line: 'basicConstraints = critical,CA:FALSE'
|
|
loop:
|
|
- client
|
|
- code-signing
|
|
- email
|
|
- kdc
|
|
- server
|
|
- serverClient
|
|
when: easy_rsa_critical_ca_false
|
|
|
|
- name: Add a CRL distribution URI
|
|
lineinfile:
|
|
path: '{{ easy_rsa_base_dir }}/x509-types/COMMON'
|
|
regexp: '^crlDistributionPoints.*'
|
|
line: 'crlDistributionPoints = URI:{{ easy_rsa_crl_url }}'
|
|
when: easy_rsa_add_crl_url
|
|
|
|
- name: Check if the CA has been initialized yet
|
|
stat: path={{ easy_rsa_pki_basedir }}/pki/private/ca.key
|
|
register: easy_rsa_ca_key_file
|
|
|
|
- name: Display the easyrsa initialization commands if the CA has not been
|
|
debug:
|
|
msg: "Run the '{{ easy_rsa_pki_basedir }}/easyrsa init-pki' and '{{ easy_rsa_pki_basedir }}/easyrsa build-ca' commands"
|
|
when: not easy_rsa_ca_key_file.stat.exists
|
|
|
|
when: easy_rsa_install | bool
|
|
tags: [ 'easyrsa', 'easy_rsa', 'ca' ]
|
|
|
|
- name: Expiration check
|
|
block:
|
|
- name: Install the mailx package on EL
|
|
ansible.builtin.yum:
|
|
pkg: mailx
|
|
state: present
|
|
when:
|
|
- easy_rsa_install | bool
|
|
- ansible_distribution_file_variety == "RedHat"
|
|
- easy_rsa_alert_on_cert_expiration
|
|
|
|
- name: Install the mailx package on deb systems
|
|
ansible.builtin.apt:
|
|
pkg: bsd-mailx
|
|
state: present
|
|
cache_valid_time: 1800
|
|
when:
|
|
- easy_rsa_install | bool
|
|
- ansible_distribution_file_variety == "Debian"
|
|
- easy_rsa_alert_on_cert_expiration
|
|
|
|
- name: Install a cron job that runs the expiry check, daily
|
|
ansible.builtin.cron:
|
|
name: "Check on the certificate expiration"
|
|
job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1"
|
|
state: present
|
|
special_time: daily
|
|
user: root
|
|
cron_file: check-certificates-expiration-date
|
|
|
|
when:
|
|
- easy_rsa_install | bool
|
|
- easy_rsa_alert_on_cert_expiration
|
|
tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_expiry_check' ]
|