Try to use ansible modules for every task.
parent
d9bc0b6f6a
commit
9c497992c3
|
@ -1,15 +1,17 @@
|
|||
---
|
||||
java_keystore_use_default: False
|
||||
java_keystore_use_default: false
|
||||
java_default_keystore: '{{ jdk_java_home }}/jre/lib/security/cacerts'
|
||||
java_default_truststore: "{{ java_default_keystore }}"
|
||||
java_keystore_dir: "{{ pki_dir | default('/etc/pki') }}/jdk"
|
||||
#java_keystore_file: '{{ java_default_keystore }}'
|
||||
java_keystore_file: '{{ java_keystore_dir }}/java.jks'
|
||||
java_keytool_bin: '{{ jdk_java_home }}/jre/bin/keytool'
|
||||
java_keystore_file: "{% if java_keystore_use_default %}{{ java_default_keystore }}{% else %}{{ java_keystore_dir }}/java.jks{% endif %}"
|
||||
java_truststore_file: "{{ java_keystore_file }}"
|
||||
|
||||
#java_keystore_certs_list: []
|
||||
java_trusted_certificates_list: []
|
||||
java_keystore_certs_list: []
|
||||
java_keystore_cert_alias: '{{ ansible_fqdn }}'
|
||||
# This is the default java password. No need to hide it.
|
||||
# This is the default password of the JDK keystore. No need to hide it.
|
||||
# Change it inside a vault file if you need something good
|
||||
java_keystore_pwd: changeit
|
||||
java_truststore_pwd: "{{ java_keystore_pwd }}"
|
||||
java_keystore_letsencrypt_trusted_ca: identrustdstx3
|
||||
java_import_letsencrypt_cert: True
|
||||
java_import_letsencrypt_cert: true
|
||||
|
|
|
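Review bot: The comment `# This is the default password of the JDK keystore. No need to hide it.` as rewritten here no longer matches what the password protects: with `java_keystore_use_default: false` the keystore is the role-created `{{ java_keystore_dir }}/java.jks`, and the tasks in this commit import the host's private key into it from a PKCS12, so `changeit` then guards a private key rather than the public CA bundle. I would reword it to `# Default password of the JDK cacerts store; when java_keystore_use_default is false this same value protects a keystore holding the host private key, so override it from a vault file.` The `jre/` component in `java_default_keystore` and `java_keytool_bin` only exists on JDK 8 and earlier; on the jammy and EL 9 targets listed in meta/main.yml the paths are `{{ jdk_java_home }}/lib/security/cacerts` and `{{ jdk_java_home }}/bin/keytool`, so either a version-dependent default or a comment telling users to override both is needed.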
@ -1,2 +0,0 @@
|
|||
---
|
||||
# handlers file for ansible-role-template
|
|
@ -1,33 +1,30 @@
|
|||
galaxy_info:
|
||||
author: Andrea Dell'Amico
|
||||
description: Systems Architect
|
||||
description: Role that manages a Java keystore
|
||||
company: ISTI-CNR
|
||||
|
||||
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
|
||||
|
||||
namespace: adellam
|
||||
role_name: java_keystore
|
||||
license: EUPL 1.2+
|
||||
|
||||
min_ansible_version: 2.8
|
||||
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
min_ansible_version: "1.14"
|
||||
platforms:
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
- jammy
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
- 8
|
||||
- "7"
|
||||
- "8"
|
||||
- "9"
|
||||
|
||||
galaxy_tags:
|
||||
- java
|
||||
- keystore
|
||||
|
||||
dependencies:
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git
|
||||
- name: openjdk
|
||||
src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-openjdk.git
|
||||
version: master
|
||||
name: openjdk
|
||||
state: latest
|
||||
|
||||
|
|
|
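Review bot: `min_ansible_version: "1.14"` looks like a typo for `"2.14"`: the tasks in this commit call modules by FQCN (`ansible.builtin.file`, `community.crypto.openssl_pkcs12`, `community.general.java_cert`), which need ansible-core 2.10 or later, and no Ansible 1.14 release ever existed; if the quoted value is the new side, I would change it to `min_ansible_version: "2.14"`. The openjdk dependency is still fetched from a git URL with no tag or commit pin, so the role resolves to whatever the branch tip is at install time; pinning `version:` to a tag or commit would make installs reproducible and reviewable.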
@ -1,32 +1,69 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the PKI directory
|
||||
file: dest={{ java_keystore_dir }} state=directory owner=root group=root mode=0755
|
||||
|
||||
- name: Manage the PKI directory
|
||||
when: not java_keystore_use_default
|
||||
tags: java_keystore
|
||||
block:
|
||||
- name: Create the PKI directory
|
||||
ansible.builtin.file:
|
||||
dest: "{{ java_keystore_dir }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
||||
- block:
|
||||
- name: Import the certificates
|
||||
shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ item.alias }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then {{ java_keytool_bin }} -trustcacerts -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt -importcert -alias {{ item.alias }} -file {{ item.certfile }} ; fi
|
||||
with_items: '{{ java_keystore_certs_list | default([]) }}'
|
||||
|
||||
- name: Import the certificate key
|
||||
shell: RETVAL= ; {{ java_keytool_bin }} -import -alias NOME -keyalg RSA -keystore {{ java_keystore_file }} -dname "CN={{ ansible_fqdn }}" -keypass {{ java_keystore_pwd }} -storepass {{ java_keystore_pwd }} -file {{ item.keyfile }}
|
||||
with_items: '{{ java_keystore_certs_list | default([]) }}'
|
||||
|
||||
when: java_keystore_certs_list is defined
|
||||
tags: java_keystore
|
||||
|
||||
- block:
|
||||
- name: Import the Letsencrypt intermediate CA cert
|
||||
shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ java_keystore_letsencrypt_trusted_ca }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then {{ java_keytool_bin }} -trustcacerts -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt -importcert -alias {{ java_keystore_letsencrypt_trusted_ca }} -dname "CN={{ ansible_fqdn }}" -file {{ letsencrypt_acme_certs_dir }}/fullchain ; fi
|
||||
|
||||
- name: Import the letsencrypt certificate
|
||||
shell: RETVAL= ; {{ java_keytool_bin }} -list -keystore {{ java_keystore_file }} -storepass {{ java_keystore_pwd }} -noprompt | grep {{ ansible_fqdn }} ; RETVAL=$? ; if [ $RETVAL -ne 0 ] ; then openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/fullchain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keystore_pwd }} ; {{ java_keytool_bin }} -importkeystore -srcstorepass {{ java_keystore_pwd }} -deststorepass {{ java_keystore_pwd }} -destkeystore {{ java_keystore_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12 ; rm -f /var/tmp/{{ ansible_fqdn }}.p12 ; fi
|
||||
|
||||
- name: Import a certificate generated by a mkcert CA into a keystore
|
||||
when:
|
||||
- java_import_letsencrypt_cert
|
||||
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
tags: java_keystore
|
||||
- java_keystore_certs_list is defined
|
||||
- mkcert_create_certificate is defined and mkcert_create_certificate
|
||||
tags: [java_keystore, java_keystore_mkcert]
|
||||
block:
|
||||
- name: Generate a PKCS12 from the certificate and key produced by mkcert
|
||||
community.crypto.openssl_pkcs12:
|
||||
action: export
|
||||
friendly_name: "{{ java_keystore_cert_alias }}"
|
||||
path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
|
||||
certificate_path: "{{ mkcert_cert_dest_path }}"
|
||||
privatekey_path: "{{ mkcert_key_dest_path }}"
|
||||
other_certificates: '{{ java_trusted_certificates_list }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
state: present
|
||||
|
||||
- name: Import the CA certificate
|
||||
community.general.java_cert:
|
||||
pkcs12_path: "{{ pki_dir }}/keys/{{ ansible_fqdn }}.pkcs12"
|
||||
cert_alias: "{{ java_keystore_cert_alias }}"
|
||||
keystore_path: "{{ java_keystore_file }}"
|
||||
keystore_pass: "{{ java_keystore_pwd }}"
|
||||
keystore_create: true
|
||||
state: present
|
||||
|
||||
- name: Import a certificate generated by a Letsencrypt into a keystore
|
||||
when:
|
||||
- java_keystore_certs_list is defined
|
||||
- mkcert_create_certificate is defined and mkcert_create_certificate
|
||||
tags: [java_keystore, java_keystore_letsencrypt, letsencrypt]
|
||||
block:
|
||||
- name: Generate a PKCS12 from the certificate and key produced by Letsencrypt
|
||||
community.crypto.openssl_pkcs12:
|
||||
action: export
|
||||
friendly_name: "{{ java_keystore_cert_alias }}"
|
||||
path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
|
||||
certificate_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/cert"
|
||||
privatekey_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/privkey"
|
||||
other_certificates:
|
||||
- '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
state: present
|
||||
|
||||
- name: Import the CA certificate
|
||||
community.general.java_cert:
|
||||
pkcs12_path: "{{ letsencrypt_acme_sh_certificates_install_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}.pkcs12"
|
||||
cert_alias: "{{ java_keystore_cert_alias }}"
|
||||
keystore_path: "{{ java_keystore_file }}"
|
||||
keystore_pass: "{{ java_keystore_pwd }}"
|
||||
keystore_create: true
|
||||
state: present
|
||||
|
|
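Review bot: The `when` on the "Import a certificate generated by a Letsencrypt into a keystore" block is a copy of the mkcert block's: it tests `mkcert_create_certificate` and never the Letsencrypt flag, so the Letsencrypt import runs only on hosts that also create a mkcert certificate and is silently skipped everywhere else. The replaced task gated this on `java_import_letsencrypt_cert` and an acme install flag; I would put `- java_import_letsencrypt_cert` back in place of the `mkcert_create_certificate` condition, together with whichever install flag the acme.sh variables used here belong to. Separately, the mkcert block writes the PKCS12 to `{{ pki_dir }}/keys/...` while defaults/main.yml guards the same variable with `pki_dir | default('/etc/pki')`, so the task fails on an undefined variable where the default path would otherwise apply; using `{{ java_keystore_dir }}` or the same `default` filter keeps the two consistent. Both tasks named "Import the CA certificate" actually import the host certificate and private key from the PKCS12, so a name such as "Import the host certificate and key into the keystore" would read truthfully in play output.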