mirror of
https://gitea.0xace.cc/ansible-galaxy/cacert.git
synced 2025-04-05 08:21:56 +00:00
188 lines
7.1 KiB
YAML
188 lines
7.1 KiB
YAML
- name: CA and certs | Generate group certs and keys
|
|
when:
|
|
- inventory_hostname in groups[cacert_ca_group]
|
|
block:
|
|
- name: Generate subject_alt_ips for {{ item.name }}
|
|
set_fact:
|
|
client_subject_alt_ips: "{{ groups[group_item] | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}"
|
|
loop: "{{ item.append_groups }}"
|
|
loop_control:
|
|
loop_var: group_item
|
|
when:
|
|
- groups[group_item] is defined
|
|
|
|
- debug:
|
|
msg: "{{ client_subject_alt_ips }}"
|
|
|
|
- name: Generate subject_alt_names for {{ item.name }}
|
|
set_fact:
|
|
client_subject_alt_names: "{{ groups[group_item] | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"
|
|
loop: "{{ item.append_groups }}"
|
|
loop_control:
|
|
loop_var: group_item
|
|
when:
|
|
- groups[group_item] is defined
|
|
|
|
- debug:
|
|
msg: "{{ client_subject_alt_names }}"
|
|
|
|
- name: Generate an OpenSSL private client {{ item.name }} key with the default values (4096 bits, RSA)
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
|
register: cacert_client_key_gen
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request for client {{ item.name }} with subject_alt_name
|
|
community.crypto.openssl_csr:
|
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
|
privatekey_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
|
common_name: "{{ item.name }}"
|
|
subject_alt_name: "{{ ((client_subject_alt_ips | default([])) + (client_subject_alt_names | default([]))) }}"
|
|
register: cacert_client_csr
|
|
|
|
- name: Generate an OpenSSL certificate for client {{ item.name }} signed with your own CA certificate
|
|
community.crypto.x509_certificate:
|
|
path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
|
csr_path: "{{ cacert_ssl_gen_path }}/{{ item.name }}.csr"
|
|
ownca_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.crt"
|
|
ownca_privatekey_path: "{{ cacert_ssl_gen_path }}/{{ cacert_ca_name }}.key"
|
|
provider: ownca
|
|
register: cacert_client_cert
|
|
|
|
- name: Get {{ item.name }} OpenSSL crt and key content
|
|
ansible.builtin.shell: |
|
|
cat {{ cacert_ssl_gen_path }}/{{ item.name }}.{crt,key}
|
|
register: concated_crt_key
|
|
changed_when: false
|
|
|
|
- name: Concatenate and save {{ item.name }} OpenSSL crt and key to single file
|
|
copy:
|
|
content: "{{ concated_crt_key.stdout }}"
|
|
dest: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem"
|
|
|
|
- name: Get group key {{ item.name }} content
|
|
slurp:
|
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.key"
|
|
register: cacert_group_certs_key_b64
|
|
|
|
- name: Get group cert {{ item.name }} content
|
|
slurp:
|
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.crt"
|
|
register: cacert_group_certs_cert_b64
|
|
|
|
- name: Get group cert and key concat {{ item.name }} content
|
|
slurp:
|
|
src: "{{ cacert_ssl_gen_path }}/{{ item.name }}.pem"
|
|
register: cacert_group_certs_concat_b64
|
|
|
|
- name: Set facts about {{ item.name }} key and cert
|
|
set_fact:
|
|
cacert_group_certs_key: "{{ cacert_group_certs_key_b64.content | b64decode }}"
|
|
cacert_group_certs_cert: "{{ cacert_group_certs_cert_b64.content | b64decode }}"
|
|
cacert_group_certs_concat: "{{ cacert_group_certs_concat_b64.content | b64decode }}"
|
|
delegate_to: "{{ fact_item }}"
|
|
delegate_facts: true
|
|
with_items:
|
|
- "{{ groups[cacert_ca_group] | default([]) }}"
|
|
- "{{ groups[cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: fact_item
|
|
|
|
- name: Distribute group certificates for hosts
|
|
become: true
|
|
when:
|
|
- item.hosts is defined
|
|
- inventory_hostname in groups[cacert_clients_group]
|
|
block:
|
|
- name: CA and cert | Check if dest dir exist on remote host
|
|
file:
|
|
name: "{{ host_item.path }}"
|
|
state: directory
|
|
loop: "{{ item.hosts }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
when:
|
|
- inventory_hostname == host_item.host
|
|
|
|
- name: Put group key {{ item.name }} for host
|
|
copy:
|
|
content: "{{ cacert_group_certs_key }}"
|
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.key"
|
|
loop: "{{ item.hosts }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
when:
|
|
- host_item.concat is not defined
|
|
- inventory_hostname == host_item.host
|
|
|
|
- name: Put group cert {{ item.name }} for host
|
|
copy:
|
|
content: "{{ cacert_group_certs_cert }}"
|
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.crt"
|
|
loop: "{{ item.hosts }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
when:
|
|
- host_item.concat is not defined
|
|
- inventory_hostname == host_item.host
|
|
|
|
- name: Put group key and cert concat {{ item.name }} for host
|
|
copy:
|
|
content: "{{ cacert_group_certs_concat }}"
|
|
dest: "{{ host_item.path }}/{{ host_item.name | default(item.name) }}.{{ host_item.concat | default('pem') }}"
|
|
loop: "{{ item.hosts }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
when:
|
|
- host_item.concat is defined
|
|
- inventory_hostname == host_item.host
|
|
|
|
- name: Distribute group certificates for groups
|
|
become: true
|
|
when:
|
|
- item.groups is defined
|
|
- inventory_hostname in groups[cacert_clients_group]
|
|
block:
|
|
- name: CA and cert | Check if dest dir exist on remote host for group
|
|
file:
|
|
name: "{{ group_item.path }}"
|
|
state: directory
|
|
loop: "{{ item.groups }}"
|
|
loop_control:
|
|
loop_var: group_item
|
|
when:
|
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
|
|
|
- name: Put group key {{ item.name }} for group
|
|
copy:
|
|
content: "{{ cacert_group_certs_key }}"
|
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.key"
|
|
loop: "{{ item.groups }}"
|
|
loop_control:
|
|
loop_var: group_item
|
|
when:
|
|
- group_item.concat is not defined
|
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
|
|
|
- name: Put group cert {{ item.name }} for group
|
|
copy:
|
|
content: "{{ cacert_group_certs_cert }}"
|
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.crt"
|
|
loop: "{{ item.groups }}"
|
|
loop_control:
|
|
loop_var: group_item
|
|
when:
|
|
- group_item.concat is not defined
|
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
|
|
|
- name: Put group key and cert concat {{ item.name }} for group
|
|
copy:
|
|
content: "{{ cacert_group_certs_concat }}"
|
|
dest: "{{ group_item.path }}/{{ group_item.name | default(item.name) }}.{{ group_item.concat | default('pem') }}"
|
|
loop: "{{ item.groups }}"
|
|
loop_control:
|
|
loop_var: group_item
|
|
when:
|
|
- group_item.concat is defined
|
|
- "inventory_hostname in (groups[group_item.group] | map('extract', hostvars, ['inventory_hostname']) | join(','))"
|
|
|