authorGravatar Jonas Gunz <himself@jonasgunz.de> 2021-09-01 04:11:37 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2021-09-01 04:11:37 +0200
commita024ad57e94976f7541bdd352e2d0a364c2aa5fb (patch)
treeb04a92bdb939f6ecba135c0feb5d82fd148838e8
downloadansible_collection-a024ad57e94976f7541bdd352e2d0a364c2aa5fb.tar.gz
initial
-rw-r--r--LICENSE21
-rw-r--r--README.md1
-rw-r--r--galaxy.yml18
-rw-r--r--plugins/README.md31
-rw-r--r--roles/signed_certificate/defaults/main.yml15
-rw-r--r--roles/signed_certificate/tasks/main.yml50
-rw-r--r--roles/signed_certificate/tasks/sign.yml31
7 files changed, 167 insertions, 0 deletions
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..7485fc7
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Jonas Gunz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0253663
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# Ansible Collection - kompetenzbolzen.stuff
diff --git a/galaxy.yml b/galaxy.yml
new file mode 100644
index 0000000..1735baf
--- /dev/null
+++ b/galaxy.yml
@@ -0,0 +1,18 @@
+namespace: kompetenzbolzen
+name: stuff
+version: 0.0.0
+readme: README.md
+authors:
+- Jonas Gunz <himself@jonasgunz.de>
+
+description: Collections of Ansible roles I use
+license_file: 'LICENSE'
+tags: []
+
+# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
+# collection label 'namespace.name'. The value is a version range
+# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
+# range specifiers can be set and are separated by ','
+dependencies: {}
+build_ignore: []
+
diff --git a/plugins/README.md b/plugins/README.md
new file mode 100644
index 0000000..67044d2
--- /dev/null
+++ b/plugins/README.md
@@ -0,0 +1,31 @@
+# Collections Plugins Directory
+
+This directory can be used to ship various plugins inside an Ansible collection. Each plugin is placed in a folder that
+is named after the type of plugin it is in. It can also include the `module_utils` and `modules` directory that
+would contain module utils and modules respectively.
+
+Here is an example directory of the majority of plugins currently supported by Ansible:
+
+```
+└── plugins
+ ├── action
+ ├── become
+ ├── cache
+ ├── callback
+ ├── cliconf
+ ├── connection
+ ├── filter
+ ├── httpapi
+ ├── inventory
+ ├── lookup
+ ├── module_utils
+ ├── modules
+ ├── netconf
+ ├── shell
+ ├── strategy
+ ├── terminal
+ ├── test
+ └── vars
+```
+
+A full list of plugin types can be found at [Working With Plugins](https://docs.ansible.com/ansible/2.11/plugins/plugins.html).
diff --git a/roles/signed_certificate/defaults/main.yml b/roles/signed_certificate/defaults/main.yml
new file mode 100644
index 0000000..c46ef37
--- /dev/null
+++ b/roles/signed_certificate/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+cert_name: '{{ ansible_facts.fqdn }}'
+key_path: '/etc/ssl/private/'
+cert_path: '/etc/ssl/certs/'
+alt_name: '{{ "DNS:" + ansible_facts.fqdn }}'
+owner: root
+group: root
+
+signed_certificate:
+ issuer_cn: ''
+ renew_at: '+5d'
+ valid_for: '+30d'
+ privkey_path: '/invalid'
+ privkey_passphrase: ''
+ cert_content: ''
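Review bot: `issuer_cn`, `privkey_path` and `cert_content` default to placeholder values (`''`, `'/invalid'`) that cannot work, yet nothing in the role checks for them; a caller who sets the CA key and certificate but leaves `issuer_cn` at its empty default gets a role that re-signs on every run, because the issuer assertion in tasks/main.yml then compares against an empty string. A leading comment such as `# signed_certificate.issuer_cn, privkey_path and cert_content must be set by the caller; these defaults are intentionally unusable` would make that contract explicit, and an early `assert` on them in tasks/main.yml would be better still. `key_path` and `cert_path` end in `/` while the tasks append another `/` before the file name, producing `//` in the resulting paths; dropping the trailing slash here keeps them clean. `privkey_passphrase` is a CA secret; the key can stay here to document the contract, but its real value should come from a vaulted variable rather than an edit to this file.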
diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml
new file mode 100644
index 0000000..3e1a7b2
--- /dev/null
+++ b/roles/signed_certificate/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: Unset cert_changed flag
+ set_fact:
+ cert_changed: False
+
+- name: Instaall crypt libs
+ apt:
+ name:
+ - python3-cryptography
+ become: yes
+
+- name: Check for OpenSSL Private Key
+ community.crypto.openssl_privatekey_info:
+ path: '{{ key_path }}/{{ cert_name }}.key'
+ ignore_errors: yes
+ become: yes
+ register: key_check
+
+- name: Create OpenSSL Private Key
+ community.crypto.openssl_privatekey:
+ path: '{{ key_path }}/{{ cert_name }}.key'
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ become: yes
+ when: key_check.failed
+
+- name: Read existing Certificate
+ community.crypto.x509_certificate_info:
+ path: '{{ cert_path }}/{{ cert_name }}.pem'
+ valid_at:
+ point_1: '{{ signed_certificate.renew_at }}'
+ ignore_errors: yes
+ become: yes
+ register: existing_cert
+
+- name: Check certificate
+ assert:
+ that:
+ - existing_cert.valid_at.point_1
+ - not existing_cert.failed
+ - existing_cert.subject.commonName == ansible_facts.fqdn
+ - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}'
+ success_msg: Certificate is valid
+ fail_msg: Certificate is not valid. creating a new one.
+ ignore_errors: yes
+ register: cert_assert
+
+- name: Trigger Cert generation
+ include: sign.yml
+ when: cert_assert.failed
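Review bot: The fourth assertion, `existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}'`, nests Jinja delimiters inside a conditional that is already evaluated as an expression; Ansible warns about this and newer releases reject it, so it should read `- existing_cert.issuer.commonName == signed_certificate.issuer_cn`. The assert also never considers the key: when the private key is absent it is created by "Create OpenSSL Private Key", but an existing, still-valid certificate then passes the check and is kept, leaving the installed certificate mismatched with the new key; adding `- not key_check.failed` to the `that` list forces a re-sign in that case. `include: sign.yml` is the long-deprecated form (removed in recent ansible-core releases), so `include_tasks: sign.yml` is the safer spelling. Minor: the task name "Instaall crypt libs" has a typo, and `False`/`yes` would conventionally be written `false`/`true`.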
diff --git a/roles/signed_certificate/tasks/sign.yml b/roles/signed_certificate/tasks/sign.yml
new file mode 100644
index 0000000..b99df32
--- /dev/null
+++ b/roles/signed_certificate/tasks/sign.yml
@@ -0,0 +1,31 @@
+---
+- name: Create CSR
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: '{{ key_path }}/{{ cert_name }}.key'
+ common_name: '{{ ansible_facts.fqdn }}'
+ subject_alt_name: '{{ alt_name }}'
+ register: request
+ become: yes
+
+- name: Sign OpenSSL Certificate
+ community.crypto.x509_certificate_pipe:
+ provider: ownca
+ ownca_privatekey_path: '{{ signed_certificate.privkey_path }}'
+ ownca_privatekey_passphrase: '{{ signed_certificate.privkey_passphrase }}'
+ ownca_content: '{{ signed_certificate.cert_content }}'
+ ownca_not_after: '{{ signed_certificate.valid_for }}'
+ csr_content: '{{ request.csr }}'
+ delegate_to: localhost
+ register: cert
+
+- name: Install Signed OpenSSL Certificate
+ copy:
+ dest: '{{ cert_path }}/{{ cert_name }}.pem'
+ content: '{{ cert.certificate }}'
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ become: yes
+
+- name: Set cert_changed flag
+ set_fact:
+ cert_changed: True
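Review bot: `ownca_privatekey_passphrase: '{{ signed_certificate.privkey_passphrase }}'` in "Sign OpenSSL Certificate" always passes a value, so with the empty-string default the module receives an empty passphrase rather than none; whether the loader accepts `''` for an unencrypted CA key is not visible here and presumably depends on the crypto backend, so `ownca_privatekey_passphrase: '{{ signed_certificate.privkey_passphrase | default(omit, true) }}'` is the safer form, omitting the parameter when the value is empty. The signing task runs on the controller via `delegate_to: localhost`, which is where the CA key path and passphrase are consumed; a comment on that line such as `# sign on the controller: the CA key never leaves it` would record why. Style: `cert_changed: True` and `become: yes` are conventionally written `true`.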