 
 
ansible-playbooks/roles/ca/tasks/install.yml


# The community.crypto modules used below need the Python cryptography
# bindings on the managed host; delegate the distro-specific install to the
# shared package task file and pass the per-distro package names as vars.
# NOTE(review): the path is given relative to the role's `tasks/` directory
# here but bare further down (install_acme.yml) — confirm both resolve.
- name: ensure cryptography toolkit is installed
  include_tasks: 'tasks/install_packages.yml'
  vars:
    package:
      - alpine: 'py3-cryptography'
        debian: 'python3-cryptography'
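# Fail fast, before any directory or key material is created, when a variable
# this file reads unconditionally is missing. `item` is the variable *name*
# (a string, hence always defined), so the value has to be looked up through
# `vars`; testing `item is not defined` would never fire.
- name: early check to ensure ca variables are defined
  fail:
    msg: "\"{{ item }}\" is not defined"
  when: vars[item] is not defined
  loop:
    - ca_dir
    - ca_key_types
    - ca_rp
    - ca_ip
    - ca_crt_ext
    - ca_csr_ext
    - ca_key_ext
    # passphrases and naming inputs used by the key/CSR tasks below
    - ca_pk_password
    - ca_pk_inter_password
    - org
    - tld
    - int_tld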
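# Private CA material lives under ca_dir; owner-only access (0700).
# The mode is quoted so every YAML parser (1.1 and 1.2) hands Ansible the
# octal string instead of an implicitly typed integer.
- name: create ca directories
  file:
    path: "{{ ca_dir }}"
    state: directory
    mode: "0700"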
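# One root key per entry of ca_key_types (item.name / item.type, with
# optional item.size or item.curve). Keys are PKCS#8, encrypted with
# ca_pk_password, never regenerated and backed up before any rewrite so an
# existing root key cannot be silently replaced.
# Booleans are written canonically and the mode is quoted (see yamllint
# truthy / octal-values).
- name: generate root private keys
  community.crypto.openssl_privatekey:
    path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    size: "{{ item.size | d(omit) }}"
    curve: "{{ item.curve | d(omit) }}"
    type: "{{ item.type }}"
    backup: true
    cipher: auto
    force: false
    format: pkcs8
    format_mismatch: convert
    passphrase: "{{ ca_pk_password }}"
    regenerate: never
    mode: "0600"
  loop: "{{ ca_key_types }}"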
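# CSR for each root key: CA:TRUE with critical basic constraints, and a
# key usage limited to certificate and CRL signing (both critical). No SAN
# is derived from the CN. Booleans canonical, mode quoted.
- name: generate csr requests for all root keys
  community.crypto.openssl_csr:
    path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_csr_ext }}"
    basic_constraints:
      - 'CA:TRUE'
    basic_constraints_critical: true
    common_name: "{{ org }} Root CA ({{ item.type | upper }})"
    digest: "{{ item.digest | d(omit) }}"
    key_usage:
      - keyCertSign
      - cRLSign
    key_usage_critical: true
    privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_password }}"
    use_common_name_for_san: false
    mode: "0600"
  loop: "{{ ca_key_types }}"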
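# Self-sign each root CSR with its own key. The expiry is mandatory so a
# root cannot be issued with the module default. Mode quoted (octal string).
- name: generate root certificates
  community.crypto.x509_certificate:
    path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_crt_ext }}"
    csr_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_csr_ext }}"
    privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_password }}"
    provider: selfsigned
    selfsigned_not_after: "{{ ca_root_valid_until | mandatory }}"
    selfsigned_digest: "{{ item.digest | d(omit) }}"
    mode: "0600"
  loop: "{{ ca_key_types }}"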
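# Intermediate keys mirror the root key task but use the ca_ip prefix and
# the separate ca_pk_inter_password, so the root passphrase is not needed
# for day-to-day issuance. Never regenerated; backed up before rewrite.
# Booleans canonical, mode quoted.
- name: generate inter private keys
  community.crypto.openssl_privatekey:
    path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
    size: "{{ item.size | d(omit) }}"
    curve: "{{ item.curve | d(omit) }}"
    type: "{{ item.type }}"
    backup: true
    cipher: auto
    force: false
    format: pkcs8
    format_mismatch: convert
    passphrase: "{{ ca_pk_inter_password }}"
    regenerate: never
    mode: "0600"
  loop: "{{ ca_key_types }}"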
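# Intermediate CSR: CA:TRUE with pathlen:0 (may only issue leaf certs),
# CRL distribution point under the internal TLD, and name constraints that
# permit DNS and email names under tld only. Booleans canonical, mode quoted.
- name: generate csr requests for all inter keys
  community.crypto.openssl_csr:
    path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_csr_ext }}"
    basic_constraints:
      - 'CA:TRUE'
      - 'pathlen:0'
    basic_constraints_critical: true
    common_name: "{{ org }} Intermediate CA ({{ item.type | upper }})"
    digest: "{{ item.digest | d(omit) }}"
    key_usage:
      - digitalSignature
      - keyCertSign
      - cRLSign
    key_usage_critical: true
    privatekey_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_inter_password }}"
    use_common_name_for_san: false
    crl_distribution_points:
      - full_name: "URI:http://crl.{{ int_tld }}/{{ item.name }}.crl"
        crl_issuer: "URI:http://crl.{{ int_tld }}"
    name_constraints_permitted:
      - "DNS:{{ tld }}"
      - "email:{{ tld }}"
    # NOTE(review): only the IPv4 space is excluded; IP names of other
    # families are not listed in the permitted subtrees and so remain
    # unconstrained. Consider also excluding the full IPv6 range — confirm
    # the module's accepted syntax before adding it.
    name_constraints_excluded:
      - "IP:0.0.0.0/0"
    mode: "0600"
  loop: "{{ ca_key_types }}"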
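# Sign each intermediate CSR with the matching root (same item.name) — the
# root key and its passphrase are only touched here. Expiry is mandatory.
# Mode quoted (octal string).
- name: generate inter certificates
  community.crypto.x509_certificate:
    path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_crt_ext }}"
    csr_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_csr_ext }}"
    privatekey_path: "{{ ca_dir }}/{{ ca_ip }}{{ item.name }}.{{ ca_key_ext }}"
    privatekey_passphrase: "{{ ca_pk_inter_password }}"
    provider: ownca
    ownca_not_after: "{{ ca_inter_valid_until | mandatory }}"
    ownca_digest: "{{ item.digest | d(omit) }}"
    ownca_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_crt_ext }}"
    ownca_privatekey_path: "{{ ca_dir }}/{{ ca_rp }}{{ item.name }}.{{ ca_key_ext }}"
    ownca_privatekey_passphrase: "{{ ca_pk_password }}"
    mode: "0600"
  loop: "{{ ca_key_types }}"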
# ACME setup lives in its own task file in this role.
# NOTE(review): given without the `tasks/` prefix used for
# install_packages.yml above — confirm the intended lookup path.
- name: install acme
  include_tasks: 'install_acme.yml'
- name: add directories to backup plan
include_role:
name: backup
vars:
function: add
backup_items:
- "{{ ca_dir }}"