-rw-r--r-- | LICENSE | 21 | ||||
-rw-r--r-- | README.md | 1 | ||||
-rw-r--r-- | galaxy.yml | 18 | ||||
-rw-r--r-- | plugins/README.md | 31 | ||||
-rw-r--r-- | roles/signed_certificate/defaults/main.yml | 15 | ||||
-rw-r--r-- | roles/signed_certificate/tasks/main.yml | 50 | ||||
-rw-r--r-- | roles/signed_certificate/tasks/sign.yml | 31 |
7 files changed, 167 insertions, 0 deletions
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Jonas Gunz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0253663
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# Ansible Collection - kompetenzbolzen.stuff
diff --git a/galaxy.yml b/galaxy.yml
new file mode 100644
index 0000000..1735baf
--- /dev/null
+++ b/galaxy.yml
@@ -0,0 +1,18 @@
+namespace: kompetenzbolzen
+name: stuff
+version: 0.0.0
+readme: README.md
+authors:
+- Jonas Gunz <himself@jonasgunz.de>
+
+description: Collections of Ansible roles I use
+license_file: 'LICENSE'
+tags: []
+
+# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
+# collection label 'namespace.name'. The value is a version range
+# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
+# range specifiers can be set and are separated by ','
+dependencies: {}
+build_ignore: []
+
diff --git a/plugins/README.md b/plugins/README.md
new file mode 100644
index 0000000..67044d2
--- /dev/null
+++ b/plugins/README.md
@@ -0,0 +1,31 @@
+# Collections Plugins Directory
+
+This directory can be used to ship various plugins inside an Ansible collection. Each plugin is placed in a folder that
+is named after the type of plugin it is in. It can also include the `module_utils` and `modules` directory that
+would contain module utils and modules respectively.
+
+Here is an example directory of the majority of plugins currently supported by Ansible:
+
+```
+└── plugins
+ ├── action
+ ├── become
+ ├── cache
+ ├── callback
+ ├── cliconf
+ ├── connection
+ ├── filter
+ ├── httpapi
+ ├── inventory
+ ├── lookup
+ ├── module_utils
+ ├── modules
+ ├── netconf
+ ├── shell
+ ├── strategy
+ ├── terminal
+ ├── test
+ └── vars
+```
+
+A full list of plugin types can be found at [Working With Plugins](https://docs.ansible.com/ansible/2.11/plugins/plugins.html).
diff --git a/roles/signed_certificate/defaults/main.yml b/roles/signed_certificate/defaults/main.yml
new file mode 100644
index 0000000..c46ef37
--- /dev/null
+++ b/roles/signed_certificate/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+cert_name: '{{ ansible_facts.fqdn }}'
+key_path: '/etc/ssl/private/'
+cert_path: '/etc/ssl/certs/'
+alt_name: '{{ "DNS:" + ansible_facts.fqdn }}'
+owner: root
+group: root
+
+signed_certificate:
+ issuer_cn: ''
+ renew_at: '+5d'
+ valid_for: '+30d'
+ privkey_path: '/invalid'
+ privkey_passphrase: ''
+ cert_content: ''
diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml
new file mode 100644
index 0000000..3e1a7b2
--- /dev/null
+++ b/roles/signed_certificate/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: Unset cert_changed flag
+ set_fact:
+ cert_changed: False
+
+- name: Instaall crypt libs
+ apt:
+ name:
+ - python3-cryptography
+ become: yes
+
+- name: Check for OpenSSL Private Key
+ community.crypto.openssl_privatekey_info:
+ path: '{{ key_path }}/{{ cert_name }}.key'
+ ignore_errors: yes
+ become: yes
+ register: key_check
+
+- name: Create OpenSSL Private Key
+ community.crypto.openssl_privatekey:
+ path: '{{ key_path }}/{{ cert_name }}.key'
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ become: yes
+ when: key_check.failed
+
+- name: Read existing Certificate
+ community.crypto.x509_certificate_info:
+ path: '{{ cert_path }}/{{ cert_name }}.pem'
+ valid_at:
+ point_1: '{{ signed_certificate.renew_at }}'
+ ignore_errors: yes
+ become: yes
+ register: existing_cert
+
+- name: Check certificate
+ assert:
+ that:
+ - existing_cert.valid_at.point_1
+ - not existing_cert.failed
+ - existing_cert.subject.commonName == ansible_facts.fqdn
+ - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}'
+ success_msg: Certificate is valid
+ fail_msg: Certificate is not valid. creating a new one.
+ ignore_errors: yes
+ register: cert_assert
+
+- name: Trigger Cert generation
+ include: sign.yml
+ when: cert_assert.failed
diff --git a/roles/signed_certificate/tasks/sign.yml b/roles/signed_certificate/tasks/sign.yml
new file mode 100644
index 0000000..b99df32
--- /dev/null
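Review bot: `key_path: '/etc/ssl/private/'` and `cert_path: '/etc/ssl/certs/'` carry a trailing slash while every consumer in tasks/main.yml and tasks/sign.yml templates them as `'{{ key_path }}/{{ cert_name }}.key'`, so the resulting paths contain `//`; drop the trailing slashes here (`key_path: '/etc/ssl/private'`, `cert_path: '/etc/ssl/certs'`) so the paths come out canonical. The nested `privkey_path: '/invalid'`, `privkey_passphrase: ''` and `cert_content: ''` are placeholders the role cannot operate with, and `issuer_cn: ''` is unlikely to equal the issuer CN of any real certificate, so with the defaults the assert in tasks/main.yml presumably fails and re-signs on every run; a comment above `signed_certificate:` such as `# CA material: issuer_cn, privkey_path and cert_content must be overridden by the caller` would make that contract visible. The top-level names `cert_name`, `key_path`, `cert_path`, `alt_name`, `owner` and `group` are role defaults that land in the shared variable namespace and collide easily with other roles; consider nesting them under `signed_certificate` like the remaining settings.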
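Review bot: A regenerated private key does not force a new certificate: when `key_check.failed` triggers `Create OpenSSL Private Key`, the `Check certificate` assert still inspects only the existing `.pem`, so a certificate that no longer matches the installed key passes as valid and stays in place. Add `- not key_check.failed` to the `that:` list (or use `when: cert_assert.failed or key_check.failed` on the include) so a fresh key always leads to a fresh signature. The last condition, `existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}'`, embeds template delimiters in an expression that is already templated; write it as `existing_cert.issuer.commonName == signed_certificate.issuer_cn`. Minor: the task name `Instaall crypt libs` has a typo, `include:` is deprecated in favour of `include_tasks:`, and the flag values `False`/`yes` should be the canonical `false`/`true`.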
+++ b/roles/signed_certificate/tasks/sign.yml
@@ -0,0 +1,31 @@
+---
+- name: Create CSR
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: '{{ key_path }}/{{ cert_name }}.key'
+ common_name: '{{ ansible_facts.fqdn }}'
+ subject_alt_name: '{{ alt_name }}'
+ register: request
+ become: yes
+
+- name: Sign OpenSSL Certificate
+ community.crypto.x509_certificate_pipe:
+ provider: ownca
+ ownca_privatekey_path: '{{ signed_certificate.privkey_path }}'
+ ownca_privatekey_passphrase: '{{ signed_certificate.privkey_passphrase }}'
+ ownca_content: '{{ signed_certificate.cert_content }}'
+ ownca_not_after: '{{ signed_certificate.valid_for }}'
+ csr_content: '{{ request.csr }}'
+ delegate_to: localhost
+ register: cert
+
+- name: Install Signed OpenSSL Certificate
+ copy:
+ dest: '{{ cert_path }}/{{ cert_name }}.pem'
+ content: '{{ cert.certificate }}'
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ become: yes
+
+- name: Set cert_changed flag
+ set_fact:
+ cert_changed: True |
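Review bot: Nothing validates the CA inputs before work starts, so with the defaults `privkey_path: '/invalid'` and `cert_content: ''` the `Create CSR` task already runs on the host under `become` and only then does `Sign OpenSSL Certificate` fail on localhost with a module error, far from the misconfiguration that caused it. A pre-flight assert at the top of sign.yml (below) fails fast and names the variables to set. Signing under `delegate_to: localhost` is the right shape, since the CA private key never has to leave the controller; the flag values `become: yes` and `cert_changed: True` should be written `true` for consistency with canonical YAML booleans. The double-slash path issue from `key_path` and `cert_path` noted on defaults/main.yml applies to `privatekey_path` and `dest` here as well.
```yaml
---
- name: Ensure CA material is configured
  assert:
    that:
      - signed_certificate.privkey_path != '/invalid'
      - signed_certificate.cert_content | length > 0
    fail_msg: signed_certificate.privkey_path and signed_certificate.cert_content must be set
# … unchanged: Create CSR, Sign OpenSSL Certificate, Install Signed OpenSSL Certificate, Set cert_changed flag …
```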