77 lines
2.9 KiB
YAML
77 lines
2.9 KiB
YAML
---
|
|
- name: certificate_from_private_ca | Create the certificate using the private CA
|
|
tags: [pki, tls, tls_certificate]
|
|
block:
|
|
- name: certificate_from_private_ca | Set the common group between mkcert-ca and ansible
|
|
ansible.builtin.set_fact:
|
|
ansible_common_remote_group: ansible
|
|
|
|
- name: certificate_from_private_ca | Remove the already existing certificates from the CA archive (delegate to the CA server)
|
|
ansible.builtin.file:
|
|
path: /srv/mkcert-ca/{{ item }}
|
|
state: absent
|
|
loop:
|
|
- "{{ mkcert_cert_name }}"
|
|
- "{{ mkcert_key_name }}"
|
|
- client-{{ mkcert_cert_name }}
|
|
- client-{{ mkcert_key_name }}
|
|
delegate_to: "{{ mkcert_ca_host }}"
|
|
|
|
- name: certificate_from_private_ca | Create the certificate (delegate to the CA server)
|
|
ansible.builtin.command:
|
|
cmd: mkcert -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }}
|
|
args:
|
|
chdir: /srv/mkcert-ca
|
|
creates: /srv/mkcert-ca/{{ mkcert_cert_name }}
|
|
environment:
|
|
CAROOT: /srv/mkcert-ca/.local/share/mkcert
|
|
delegate_to: "{{ mkcert_ca_host }}"
|
|
|
|
- name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA server)
|
|
ansible.builtin.command:
|
|
cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list
|
|
}} # yamllint disable-line rule:line-length
|
|
args:
|
|
chdir: /srv/mkcert-ca
|
|
creates: /srv/mkcert-ca/client-{{ mkcert_cert_name }}
|
|
environment:
|
|
CAROOT: /srv/mkcert-ca/.local/share/mkcert
|
|
delegate_to: "{{ mkcert_ca_host }}"
|
|
|
|
- name: certificate_from_private_ca | Manage the certificate installation
|
|
tags: [pki, tls, tls_certificate]
|
|
block:
|
|
- name: certificate_from_private_ca | Get the certificate and its key from the CA server
|
|
ansible.builtin.fetch:
|
|
src: /srv/mkcert-ca/{{ item }}
|
|
dest: files/
|
|
flat: true
|
|
loop:
|
|
- "{{ mkcert_cert_name }}"
|
|
- "{{ mkcert_key_name }}"
|
|
- client-{{ mkcert_cert_name }}
|
|
- client-{{ mkcert_key_name }}
|
|
delegate_to: "{{ mkcert_ca_host }}"
|
|
|
|
- name: certificate_from_private_ca | Copy the certificate to the destination server
|
|
ansible.builtin.copy:
|
|
src: files/{{ item }}
|
|
dest: "{{ mkcert_cert_dest_path }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0444"
|
|
loop:
|
|
- "{{ mkcert_cert_name }}"
|
|
- client-{{ mkcert_cert_name }}
|
|
|
|
- name: certificate_from_private_ca | Copy the certificate to the destination server
|
|
ansible.builtin.copy:
|
|
src: files/{{ item }}
|
|
dest: "{{ mkcert_key_dest_path }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0440"
|
|
loop:
|
|
- "{{ mkcert_key_name }}"
|
|
- client-{{ mkcert_key_name }}
|