Use a new evobsd_ssl_cert_hostname var instead of ansible_fqdn
On OpenBSD, ansible_fqdn is derived from the reverse DNS lookup of the host's IP address, which is not always properly configured
This commit is contained in:
parent
f2451118c4
commit
6a2faf5649
5 changed files with 13 additions and 8 deletions
@ -29,4 +29,5 @@ evobsd_dumpserverstate_include: true
evobsd_install_url: "https://cdn.openbsd.org/pub/OpenBSD"
# default_ssl.yml
evobsd_default_ssl_cert: true
evobsd_default_ssl_cert: true
evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
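Review bot: The new default `evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"` depends on `general_technical_realm`, which is not defined anywhere in this hunk; if that variable comes from the inventory rather than the role, an inventory that lacks it will presumably make every task and template that uses the new variable fail with an undefined-variable error instead of falling back to anything. Since this value becomes both the certificate CN and the file name of the private key under /etc/ssl/private, a comment above the new default would help operators, for example `# Requires general_technical_realm (inventory/group_vars); used as the CN and the key/cert file name of the default self-signed certificate.` Alternatively an `ansible.builtin.assert` that `general_technical_realm is defined` early in the role would give a clearer failure than a template error.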
@ -12,14 +12,14 @@
state: directory
ignore_errors: '{{ ansible_check_mode }}'
- name: Create private key and csr for default site ({{ ansible_fqdn }})
- name: Create private key and csr for default site ({{ evobsd_ssl_cert_hostname }})
ansible.builtin.command:
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -batch -subj "/CN={{ evobsd_ssl_cert_hostname }}"
args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
creates: "/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key"
- name: Create certificate for default site
ansible.builtin.command:
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -signkey /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt
args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
creates: "/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt"
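Review bot: `evobsd_ssl_cert_hostname` is now an operator-supplied string that is spliced unchecked into file paths (`/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key`, the `.csr` and `.crt` paths) and into the `-subj "/CN=..."` argument in the two `openssl` commands; `ansible.builtin.command` does not go through a shell, so metacharacters are not executed, but a value containing `/`, `..` or whitespace would write the key outside /etc/ssl/private or split into extra arguments. A cheap guard is an assert on the value before the key is generated, as below; the directory-creation task at the top of this hunk begins outside the hunk. Separately, the CSR only carries a CN and no subjectAltName, so TLS clients that verify the hostname per RFC 6125 (most modern ones ignore CN) will not accept it; whether `-addext` on `req` and extension copying on `x509 -req` are available depends on the LibreSSL version shipped with the targeted OpenBSD releases and should be checked before adding them.

```yaml
- name: Check that evobsd_ssl_cert_hostname is a plain DNS name
  ansible.builtin.assert:
    that:
      - evobsd_ssl_cert_hostname is match('^[A-Za-z0-9.-]+$')
    fail_msg: "evobsd_ssl_cert_hostname is used as a file name under /etc/ssl and as the certificate CN; it must be a plain DNS name"

# … unchanged: private key/CSR task and certificate task …
```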
@ -6,3 +6,5 @@ nagios_nrpe_allowed_hosts:
| union(nagios_nrpe_additional_allowed_hosts) | unique }}"
nagios_nrpe_default_ntp_server: "pool.ntp.org"
evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
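Review bot: This adds a second, independent default for `evobsd_ssl_cert_hostname` in the nagios-nrpe role, duplicating the one added to the evobsd defaults in the first hunk; the nrpe configuration only works if this value resolves to exactly the file name the evobsd default_ssl tasks produced, so any future change to one default and not the other silently points nrpe at a key and certificate that do not exist. If the two roles must stay independent, a comment above the line making the coupling explicit is the minimum, for example `# Must match the evobsd role default: the nrpe.cfg template expects /etc/ssl/certs/<hostname>.crt and /etc/ssl/private/<hostname>.key created by its default_ssl tasks.` Otherwise consider moving this default to a shared group_vars location and dropping the per-role copies.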
@ -2,8 +2,8 @@
allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
# SSL Certificate
ssl_cert_file=/etc/ssl/certs/{{ ansible_fqdn }}.crt
ssl_privatekey_file=/etc/ssl/private/{{ ansible_fqdn }}.key
ssl_cert_file=/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt
ssl_privatekey_file=/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key
{% if ansible_distribution_version is version_compare("7.2",'>=') %}
# Allow older cipher suites for older Icinga version
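Review bot: `ssl_cert_file` and `ssl_privatekey_file` in the template now point at `/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt` and `/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key`, but nothing in this change verifies those files exist when the template is rendered; the first hunk shows the certificate generation is gated by `evobsd_default_ssl_cert: true`, so with that toggle off (or with a differing value of the variable between roles) nrpe is presumably handed paths to nonexistent files and will fail at startup rather than at deploy time. A `# SSL Certificate` comment already exists; extending it to `# SSL Certificate: generated by the evobsd role default_ssl tasks when evobsd_default_ssl_cert is true` would document the dependency, and an `ansible.builtin.stat` plus `assert` on the key path before the template task would turn a runtime outage into a deploy-time error.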
@ -27,6 +27,8 @@
# evobsd_ssh_group: "foo-ssh"
# evobsd_sudo_group: "foo-sudo"
#
# evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
#
# evolix_users:
# foo:
# name: foo