- name: CA and certs | Generate group certs and keys when: inventory_hostname in groups[cacert_ca_group] block: - name: Generate subject_alt_ips set_fact: client_subject_alt_ips: "{{ groups[group_item] | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}" loop: "{{ item.host_groups }}" loop_control: loop_var: group_item when: - groups[group_item] is defined - debug: msg: "{{ client_subject_alt_ips }}" - name: Generate subject_alt_names set_fact: client_subject_alt_names: "{{ groups[group_item] | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}" loop: "{{ item.host_groups }}" loop_control: loop_var: group_item when: - groups[group_item] is defined - debug: msg: "{{ client_subject_alt_names }}" - name: Generate an OpenSSL private client key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey: path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key" register: cacert_client_key_gen - name: Generate an OpenSSL Certificate Signing Request for client with subject_alt_name community.crypto.openssl_csr: path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr" privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key" common_name: "{{ item.name }}" subject_alt_name: "{{ ((client_subject_alt_ips | default([])) + (client_subject_alt_names | default([]))) }}" register: cacert_client_csr - name: Generate an OpenSSL certificate for client signed with your own CA certificate community.crypto.x509_certificate: path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt" csr_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr" ownca_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt" ownca_privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key" provider: ownca register: cacert_client_cert - name: Get {{ item.name }} OpenSSL crt and key content ansible.builtin.shell: | cat {{ cacert_ssl_gen_path }}/{{ item.name }}.{crt,key} register: concated_crt_key changed_when: false - name: Concatenate and save {{ item.name }} OpenSSL crt and key to single file copy: content: "{{ concated_crt_key.stdout }}" dest: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem" - name: Get group key content slurp: src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key" register: cacert_group_certs_key_b64 - name: Get group cert content slurp: src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt" register: cacert_group_certs_cert_b64 - name: Get group cert and key concat content slurp: src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem" register: cacert_group_certs_concat_b64 - name: Set facts about key and cert set_fact: cacert_group_certs_key: "{{ cacert_group_certs_key_b64.content | b64decode }}" cacert_group_certs_cert: "{{ cacert_group_certs_cert_b64.content | b64decode }}" cacert_group_certs_concat: "{{ cacert_group_certs_concat_b64.content | b64decode }}" delegate_to: "{{ fact_item }}" delegate_facts: true run_once: true with_items: - "{{ groups[cacert_ca_group] | default([]) }}" - "{{ groups[cacert_clients_group] | default([]) }}" loop_control: loop_var: fact_item - name: Distribute group certificates become: true when: inventory_hostname in groups[cacert_clients_group] block: - name: CA and cert | Check if dest dir exist on remote host file: name: "{{ host_item.path }}" state: directory loop: "{{ item.hosts }}" loop_control: loop_var: host_item when: - inventory_hostname == host_item.host - name: CA and cert | Check if dest dir exist on remote host for group file: name: "{{ group_item.path }}" state: directory loop: "{{ item.groups }}" loop_control: loop_var: group_item when: - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))" - name: Put group key for host copy: content: "{{ cacert_group_certs_key }}" dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.key" loop: "{{ item.hosts }}" loop_control: loop_var: host_item when: - inventory_hostname == host_item.host - name: Put group cert for host copy: content: "{{ cacert_group_certs_cert }}" dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.crt" loop: "{{ item.hosts }}" loop_control: loop_var: host_item when: - inventory_hostname == host_item.host - name: Put group key and cert concat for host copy: content: "{{ cacert_group_certs_concat }}" dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.{{ host_item.concat | default('pem') }}" loop: "{{ item.hosts }}" loop_control: loop_var: host_item when: - inventory_hostname == host_item.host - name: Put group key for group copy: content: "{{ cacert_group_certs_key }}" dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.key" loop: "{{ item.groups }}" loop_control: loop_var: group_item when: - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))" - name: Put group cert for group copy: content: "{{ cacert_group_certs_cert }}" dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.crt" loop: "{{ item.groups }}" loop_control: loop_var: group_item when: - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))" - name: Put group key and cert concat for group copy: content: "{{ cacert_group_certs_concat }}" dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.{{ group_item.concat | default('pem') }}" loop: "{{ item.groups }}" loop_control: loop_var: group_item when: - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"