Use a new evobsd_ssl_cert_hostname var instead of ansible_fqdn

On OpenBSD, ansible_fqdn is taken from the reverse DNS of the IP address, which is not always properly configured.
Jérémy Dubois 2024-02-20 12:04:33 +01:00
parent f2451118c4
commit 6a2faf5649
5 changed files with 13 additions and 8 deletions


@ -29,4 +29,5 @@ evobsd_dumpserverstate_include: true
evobsd_install_url: "https://cdn.openbsd.org/pub/OpenBSD"
# default_ssl.yml
evobsd_default_ssl_cert: true
evobsd_default_ssl_cert: true
evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
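Review bot: The new default on the last line of this hunk dereferences `general_technical_realm`, which nothing in this commit defines or defaults, so a host whose inventory lacks it fails at the first task that renders `evobsd_ssl_cert_hostname` with an undefined-variable error rather than a clear message; either document the requirement next to the key, `# requires general_technical_realm to be set in the inventory`, or guard it, `evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm | default('') }}"`, and assert on it where it is consumed. The same value is also used to build paths under /etc/ssl and the certificate CN, so it has to be a bare hostname with no `/`; a one-line comment stating that would save the next reader a trip to the task file. The identical default is repeated in the nagios-nrpe defaults (the third file section); if the two ever diverge, the NRPE config will point at a certificate the SSL task never created, so a comment cross-referencing the two, or a single source for the value, is worth adding.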


@ -12,14 +12,14 @@
state: directory
ignore_errors: '{{ ansible_check_mode }}'
- name: Create private key and csr for default site ({{ ansible_fqdn }})
- name: Create private key and csr for default site ({{ evobsd_ssl_cert_hostname }})
ansible.builtin.command:
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -batch -subj "/CN={{ evobsd_ssl_cert_hostname }}"
args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
creates: "/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key"
- name: Create certificate for default site
ansible.builtin.command:
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -signkey /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt
args:
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
creates: "/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt"
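Review bot: `evobsd_ssl_cert_hostname` is now interpolated unvalidated into the key/csr/cert paths and into the `-subj "/CN=…"` argument of the openssl commands; a value containing whitespace, `/` or an empty realm expansion (`host.`) yields either a failed command or a key written to one path and a certificate subject that does not match it, and the `creates:` guards mean the bad artefacts are never regenerated. A small assert task before the key-generation task makes the contract explicit and fails early with a readable message. The enclosing task list starts before this hunk.
```yaml
- name: Check that evobsd_ssl_cert_hostname is a plain hostname
  ansible.builtin.assert:
    that:
      - evobsd_ssl_cert_hostname is match('^[A-Za-z0-9][A-Za-z0-9.-]*$')
    fail_msg: "evobsd_ssl_cert_hostname must be a bare hostname, got '{{ evobsd_ssl_cert_hostname }}'"
# … unchanged: Create private key and csr / Create certificate tasks …
```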


@ -6,3 +6,5 @@ nagios_nrpe_allowed_hosts:
| union(nagios_nrpe_additional_allowed_hosts) | unique }}"
nagios_nrpe_default_ntp_server: "pool.ntp.org"
evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"


@ -2,8 +2,8 @@
allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
# SSL Certificate
ssl_cert_file=/etc/ssl/certs/{{ ansible_fqdn }}.crt
ssl_privatekey_file=/etc/ssl/private/{{ ansible_fqdn }}.key
ssl_cert_file=/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt
ssl_privatekey_file=/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key
{% if ansible_distribution_version is version_compare("7.2",'>=') %}
# Allow older cipher suites for older Icinga version


@ -27,6 +27,8 @@
# evobsd_ssh_group: "foo-ssh"
# evobsd_sudo_group: "foo-sudo"
#
# evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
#
# evolix_users:
# foo:
# name: foo