mirror of
https://gitea.0xace.cc/ansible-galaxy/postgresql.git
synced 2024-11-25 16:26:42 +00:00
143 lines
5.4 KiB
YAML
143 lines
5.4 KiB
YAML
- name: Create CA
|
|
when: inventory_hostname in groups[postgresql_cacert_ca_host_group]
|
|
block:
|
|
- name: CA and certs | Install cryptography library
|
|
package:
|
|
name: python3-cryptography
|
|
state: present
|
|
|
|
- name: CA and certs | Check if ssl gen dir exist
|
|
file:
|
|
name: "{{ postgresql_ssl_path }}"
|
|
state: directory
|
|
|
|
- name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
|
|
community.crypto.openssl_privatekey:
|
|
path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
|
|
register: postgresql_cacert_ca_key_gen
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request
|
|
community.crypto.openssl_csr:
|
|
path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
|
|
privatekey_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
|
|
use_common_name_for_san: false
|
|
basic_constraints:
|
|
- 'CA:TRUE'
|
|
basic_constraints_critical: yes
|
|
key_usage:
|
|
- keyCertSign
|
|
key_usage_critical: true
|
|
common_name: "CA-{{ postgresql_self_signed_cert_name }}"
|
|
register: postgresql_cacert_ca_csr
|
|
|
|
- name: Generate a Self Signed OpenSSL CA certificate
|
|
community.crypto.x509_certificate:
|
|
path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
|
|
csr_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
|
|
privatekey_path: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
|
|
provider: selfsigned
|
|
register: postgresql_cacert_ca_cert_gen
|
|
|
|
- name: Get CA cert content
|
|
slurp:
|
|
src: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
|
|
register: postgresql_cacert_ca_cert_b64
|
|
|
|
- name: Get CA csr content
|
|
slurp:
|
|
src: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
|
|
register: postgresql_cacert_ca_csr_b64
|
|
|
|
- name: Get CA key content
|
|
slurp:
|
|
src: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
|
|
register: postgresql_cacert_ca_key_b64
|
|
|
|
- name: Set facts about key and cert
|
|
set_fact:
|
|
postgresql_cacert_ca_key: "{{ postgresql_cacert_ca_key_b64.content | b64decode }}"
|
|
postgresql_cacert_ca_csr: "{{ postgresql_cacert_ca_csr_b64.content | b64decode }}"
|
|
postgresql_cacert_ca_cert: "{{ postgresql_cacert_ca_cert_b64.content | b64decode }}"
|
|
delegate_to: "{{ fact_item }}"
|
|
delegate_facts: true
|
|
with_items:
|
|
- "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
|
|
- "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: fact_item
|
|
|
|
- name: Distribute CA certificates
|
|
become: true
|
|
block:
|
|
- name: CA and cert | Check if dest dir exist on remote host
|
|
file:
|
|
name: "{{ postgresql_ssl_path }}"
|
|
state: directory
|
|
loop:
|
|
- "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
|
|
- "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
|
|
- name: Put CA key
|
|
copy:
|
|
content: "{{ postgresql_cacert_ca_key }}"
|
|
dest: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.key"
|
|
mode: 0600
|
|
owner: "{{ postgresql_user }}"
|
|
group: "{{ postgresql_group }}"
|
|
loop:
|
|
- "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
|
|
- "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
|
|
- name: Put CA csr
|
|
copy:
|
|
content: "{{ postgresql_cacert_ca_csr }}"
|
|
dest: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.csr"
|
|
mode: 0644
|
|
owner: "{{ postgresql_user }}"
|
|
group: "{{ postgresql_group }}"
|
|
loop:
|
|
- "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
|
|
- "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
|
|
- name: Put CA cert
|
|
copy:
|
|
content: "{{ postgresql_cacert_ca_cert }}"
|
|
dest: "{{ postgresql_ssl_path }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
|
|
mode: 0644
|
|
owner: "{{ postgresql_user }}"
|
|
group: "{{ postgresql_group }}"
|
|
loop:
|
|
- "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
|
|
- "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
|
|
- name: Put CA OpenSSL cert to PKI
|
|
copy:
|
|
content: "{{ postgresql_cacert_ca_cert }}"
|
|
dest: "{{ postgresql_cacert_ca_trust_dir }}/CA-{{ postgresql_self_signed_cert_name }}.crt"
|
|
mode: 0644
|
|
loop:
|
|
- "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
|
|
- "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
register: postgresql_ca_trust_anchors
|
|
|
|
- name: Update CA trust
|
|
shell: "{{ postgresql_cacert_update_ca_trust_command }}"
|
|
loop:
|
|
- "{{ groups[postgresql_cacert_ca_host_group] | default([]) }}"
|
|
- "{{ groups[postgresql_cacert_clients_group] | default([]) }}"
|
|
loop_control:
|
|
loop_var: host_item
|
|
when:
|
|
- postgresql_ca_trust_anchors.changed
|
|
- postgresql_cacert_ca_trust_anchors_update
|