aboutsummaryrefslogtreecommitdiff
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/signed_certificate/defaults/main.yml15
-rw-r--r--roles/signed_certificate/tasks/main.yml50
-rw-r--r--roles/signed_certificate/tasks/sign.yml31
3 files changed, 96 insertions, 0 deletions
diff --git a/roles/signed_certificate/defaults/main.yml b/roles/signed_certificate/defaults/main.yml
new file mode 100644
index 0000000..c46ef37
--- /dev/null
+++ b/roles/signed_certificate/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+cert_name: '{{ ansible_facts.fqdn }}'
+key_path: '/etc/ssl/private/'
+cert_path: '/etc/ssl/certs/'
+alt_name: '{{ "DNS:" + ansible_facts.fqdn }}'
+owner: root
+group: root
+
+signed_certificate:
+ issuer_cn: ''
+ renew_at: '+5d'
+ valid_for: '+30d'
+ privkey_path: '/invalid'
+ privkey_passphrase: ''
+ cert_content: ''
diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml
new file mode 100644
index 0000000..3e1a7b2
--- /dev/null
+++ b/roles/signed_certificate/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: Unset cert_changed flag
+ set_fact:
+ cert_changed: False
+
+- name: Instaall crypt libs
+ apt:
+ name:
+ - python3-cryptography
+ become: yes
+
+- name: Check for OpenSSL Private Key
+ community.crypto.openssl_privatekey_info:
+ path: '{{ key_path }}/{{ cert_name }}.key'
+ ignore_errors: yes
+ become: yes
+ register: key_check
+
+- name: Create OpenSSL Private Key
+ community.crypto.openssl_privatekey:
+ path: '{{ key_path }}/{{ cert_name }}.key'
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ become: yes
+ when: key_check.failed
+
+- name: Read existing Certificate
+ community.crypto.x509_certificate_info:
+ path: '{{ cert_path }}/{{ cert_name }}.pem'
+ valid_at:
+ point_1: '{{ signed_certificate.renew_at }}'
+ ignore_errors: yes
+ become: yes
+ register: existing_cert
+
+- name: Check certificate
+ assert:
+ that:
+ - existing_cert.valid_at.point_1
+ - not existing_cert.failed
+ - existing_cert.subject.commonName == ansible_facts.fqdn
+ - existing_cert.issuer.commonName == '{{ signed_certificate.issuer_cn }}'
+ success_msg: Certificate is valid
+ fail_msg: Certificate is not valid. creating a new one.
+ ignore_errors: yes
+ register: cert_assert
+
+- name: Trigger Cert generation
+ include: sign.yml
+ when: cert_assert.failed
diff --git a/roles/signed_certificate/tasks/sign.yml b/roles/signed_certificate/tasks/sign.yml
new file mode 100644
index 0000000..b99df32
--- /dev/null
+++ b/roles/signed_certificate/tasks/sign.yml
@@ -0,0 +1,31 @@
+---
+- name: Create CSR
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: '{{ key_path }}/{{ cert_name }}.key'
+ common_name: '{{ ansible_facts.fqdn }}'
+ subject_alt_name: '{{ alt_name }}'
+ register: request
+ become: yes
+
+- name: Sign OpenSSL Certificate
+ community.crypto.x509_certificate_pipe:
+ provider: ownca
+ ownca_privatekey_path: '{{ signed_certificate.privkey_path }}'
+ ownca_privatekey_passphrase: '{{ signed_certificate.privkey_passphrase }}'
+ ownca_content: '{{ signed_certificate.cert_content }}'
+ ownca_not_after: '{{ signed_certificate.valid_for }}'
+ csr_content: '{{ request.csr }}'
+ delegate_to: localhost
+ register: cert
+
+- name: Install Signed OpenSSL Certificate
+ copy:
+ dest: '{{ cert_path }}/{{ cert_name }}.pem'
+ content: '{{ cert.certificate }}'
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ become: yes
+
+- name: Set cert_changed flag
+ set_fact:
+ cert_changed: True
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-22 06:05:04 +0000