cacert/tasks/ca.yaml

- name: Create CA {{ cacert_ca_name }}
  when: inventory_hostname in groups[cacert_ca_group]
  block:
    - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
      register: cacert_ca_key_gen

    - name: Generate an OpenSSL Certificate Signing Request
      community.crypto.openssl_csr:
        path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.csr"
        privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
        use_common_name_for_san: false
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: yes
        key_usage:
          - keyCertSign
        key_usage_critical: true
        common_name: "{{ cacert_ca_name }}"
      register: cacert_ca_csr
    
    - name: Generate a Self Signed OpenSSL CA certificate
      community.crypto.x509_certificate:
        path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
        csr_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.csr"
        privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
        provider: selfsigned
      register: cacert_ca_cert_gen

    - name: Get CA cert content
      slurp:
        src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
      register: cacert_ca_cert_b64

    - name: Get CA key content
      slurp:
        src: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
      register: cacert_ca_key_b64

    - name: Set facts about key and cert
      set_fact:
        cacert_ca_key: "{{ cacert_ca_key_b64.content | b64decode }}"
        cacert_ca_cert: "{{ cacert_ca_cert_b64.content | b64decode }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      run_once: true
      with_items: 
        - "{{ groups[cacert_ca_group] | default([]) }}"
        - "{{ groups[cacert_clients_group] | default([]) }}"

- name: Distribute CA certificate to hosts
  become: true
  when: inventory_hostname in groups.cacert_clients
  block:
    - name: CA and cert | Check if dest dir exist on remote host
      file:
        name: "{{ host_item.path }}"
        state: directory
      loop: "{{ cacert_ca_copy_to.hosts  }}"
      loop_control:
        loop_var: host_item
      when:
        - inventory_hostname == host_item.host

    - name: Put CA cert for host
      copy:
        content: "{{ cacert_ca_cert }}"
        dest: "{{ host_item.path }}/{{ cacert_ca_name }}.crt"
      loop: "{{ cacert_ca_copy_to.hosts }}"
      loop_control:
        loop_var: host_item
      when:
        - inventory_hostname == host_item.host

    - name: Put CA OpenSSL cert to PKI
      copy:
        content: "{{ cacert_ca_cert }}"
        dest: "/etc/pki/ca-trust/source/anchors/{{ cacert_ca_name }}.crt"
      loop: "{{ cacert_ca_copy_to.hosts }}"
      loop_control:
        loop_var: host_item
      register: ca_trust_anchors
      when:
        - inventory_hostname == host_item.host
    
    - name: Update CA trust
      shell: update-ca-trust extract
      loop: "{{ cacert_ca_copy_to.hosts }}"
      loop_control:
        loop_var: host_item
      when:
        - ca_trust_anchors.changed 
        - cacert_ca_trust_anchors_update
        - inventory_hostname == host_item.host

- name: Distribute CA certificate to groups
  become: true
  when: inventory_hostname in groups[cacert_clients_group]
  block:
    - name: CA and cert | Check if dest dir exist on remote host in group
      file:
        name: "{{ group_item.path }}"
        state: directory
      loop: "{{ cacert_ca_copy_to.groups  }}"
      loop_control:
        loop_var: group_item
      when:
        - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"

    - name: Put CA cert for host in group
      copy:
        content: "{{ cacert_ca_cert }}"
        dest: "{{ group_item.path }}/{{ cacert_ca_name }}.crt"
      loop: "{{ cacert_ca_copy_to.groups }}"
      loop_control:
        loop_var: group_item
      when:
        - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"

    - name: Put CA OpenSSL cert to PKI
      copy:
        content: "{{ cacert_ca_cert }}"
        dest: "/etc/pki/ca-trust/source/anchors/{{ cacert_ca_name }}.crt"
      loop: "{{ cacert_ca_copy_to.groups }}"
      loop_control:
        loop_var: group_item
      register: ca_trust_anchors
      when:
        - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
    
    - name: Update CA trust
      shell: update-ca-trust extract
      loop: "{{ cacert_ca_copy_to.groups }}"
      loop_control:
        loop_var: group_item
      when:
        - ca_trust_anchors.changed 
        - cacert_ca_trust_anchors_update
        - "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"