Revert "Add pki role."
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend
|:-:|:-:|:-:|:-:|:-:
|2623|3|2620|26|:+1:
Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/358//ansiblelint">Evolix » ansible-roles » unstable #358</a>
gitea/ansible-roles/pipeline/head This commit looks good
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend
|:-:|:-:|:-:|:-:|:-:
|2623|3|2620|26|:+1:
Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/358//ansiblelint">Evolix » ansible-roles » unstable #358</a>
gitea/ansible-roles/pipeline/head This commit looks good
This reverts commit ac70793ad6
.
Implementation too inflexible. Try again!
This commit is contained in:
parent
4c91f424c6
commit
e4a70b3c0c
4 changed files with 0 additions and 166 deletions
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
pki_dir: /etc/pki # Where to store PKI files
|
||||
|
||||
pki_ca_cn: Null # Certificate Authority Commmon Name
|
||||
pki_ca_host: Null # Host where the CA is located
|
||||
pki_ca_filename: Null # Filename used to created CA related file
|
||||
pki_ca_password: Null # Password for the key of the CA
|
||||
|
||||
|
||||
# Private variable, please don't customize them
|
||||
pki_ca_key: "{{ pki_dir }}/private/{{ pki_ca_filename | mandatory }}.key"
|
||||
# pki_ca_csr: "{{ pki_dir }}/certs/{{ pki_ca_filename | mandatory }}.crt"
|
||||
pki_ca_crt: "{{ pki_dir }}/certs/{{ pki_ca_filename | mandatory }}.crt"
|
||||
pki_certificate_crt: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.crt"
|
||||
pki_certificate_key: "{{ pki_dir }}/private/{{ ansible_fqdn }}.key"
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
- name: Create private key with password protection
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ pki_ca_key }}"
|
||||
passphrase: "{{ pki_ca_password | mandatory }}"
|
||||
cipher: auto
|
||||
|
||||
- name: Create certificate signing request (CSR) for CA certificate
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ pki_ca_key }}"
|
||||
privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
|
||||
common_name: "{{ pki_ca_cn | mandatory }}"
|
||||
use_common_name_for_san: false
|
||||
basic_constraints:
|
||||
- 'CA:TRUE'
|
||||
basic_constraints_critical: yes
|
||||
key_usage:
|
||||
- keyCertSign
|
||||
key_usage_critical: true
|
||||
register: ca_csr
|
||||
|
||||
- name: Create self-signed CA certificate from CSR
|
||||
community.crypto.x509_certificate:
|
||||
path: "{{ pki_ca_crt }}"
|
||||
csr_content: "{{ ca_csr.csr }}"
|
||||
privatekey_path: "{{ pki_ca_key }}"
|
||||
privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
|
||||
provider: selfsigned
|
|
@ -1,33 +0,0 @@
|
|||
---
|
||||
|
||||
# Prerequisites
|
||||
# TODO Python packages may need to be differente based on debian version
|
||||
- name: Install python 2 cryptography
|
||||
apt:
|
||||
name: python-cryptography
|
||||
state: present
|
||||
when: ansible_python['executable'] == "/usr/bin/python"
|
||||
|
||||
- name: Install python 3 cryptography
|
||||
apt:
|
||||
name: python3-cryptography
|
||||
state: present
|
||||
when: ansible_python['executable'] == "/usr/bin/python3"
|
||||
|
||||
- name: Creates PKI tree directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
mode: 0700
|
||||
state: directory
|
||||
loop:
|
||||
- "{{ pki_dir }}/certs"
|
||||
- "{{ pki_dir }}/private"
|
||||
|
||||
|
||||
# Create Certificat Authority (CA)
|
||||
- include: ca.yml
|
||||
when: inventory_hostname == pki_ca_host and not ansible_check_mode
|
||||
|
||||
|
||||
# Create a certificate signed by the CA
|
||||
- include: signed_certificate.yml
|
|
@ -1,90 +0,0 @@
|
|||
---
|
||||
# CA certificate
|
||||
- name: Check whether CA certificate exists
|
||||
stat:
|
||||
path: "{{ pki_ca_crt }}"
|
||||
delegate_to: "{{ pki_ca_host | mandatory }}"
|
||||
run_once: true
|
||||
register: ca_certificate_exists
|
||||
|
||||
- name: Fail if CA doesn't exists
|
||||
fail:
|
||||
msg: "CA '{{ pki_ca_crt }}' on host '{{ pki_ca_host }}' doesn't exists! You need to create one before continuing."
|
||||
when: not ca_certificate_exists.stat.exists
|
||||
|
||||
- name: Read existing CA certificate if exists
|
||||
slurp:
|
||||
src: "{{ pki_ca_crt }}"
|
||||
when: ca_certificate_exists.stat.exists
|
||||
delegate_to: "{{ pki_ca_host | mandatory }}"
|
||||
run_once: true
|
||||
register: ca_certificate
|
||||
|
||||
- name: Write CA certificate file
|
||||
copy:
|
||||
dest: "{{ pki_ca_crt }}"
|
||||
content: "{{ ca_certificate.content | b64decode }}"
|
||||
run_once: true
|
||||
register: ca_certificate
|
||||
|
||||
|
||||
# Create new signed certificate
|
||||
- name: Create private key for new certificate
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "{{ pki_certificate_key }}"
|
||||
run_once: true
|
||||
|
||||
- name: Create certificate signing request (CSR) for new certificate
|
||||
community.crypto.openssl_csr_pipe:
|
||||
privatekey_path: "{{ pki_certificate_key }}"
|
||||
common_name: "{{ ansible_fqdn }}"
|
||||
run_once: true
|
||||
register: csr
|
||||
|
||||
- name: Check whether certificate exists
|
||||
stat:
|
||||
path: "{{ pki_certificate_crt }}"
|
||||
run_once: true
|
||||
register: certificate_exists
|
||||
|
||||
- name: Read existing certificate if exists
|
||||
slurp:
|
||||
src: "{{ pki_certificate_crt }}"
|
||||
when: certificate_exists.stat.exists
|
||||
run_once: true
|
||||
register: certificate
|
||||
|
||||
- name: Sign certificate with CA
|
||||
community.crypto.x509_certificate_pipe:
|
||||
content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
|
||||
csr_content: "{{ csr.csr }}"
|
||||
provider: ownca
|
||||
ownca_path: "{{ pki_ca_crt }}"
|
||||
ownca_privatekey_path: "{{ pki_ca_key }}"
|
||||
ownca_privatekey_passphrase: "{{ pki_ca_password | mandatory}}"
|
||||
delegate_to: "{{ pki_ca_host | mandatory }}"
|
||||
run_once: true
|
||||
register: certificate
|
||||
when: not ansible_check_mode
|
||||
|
||||
- name: Write certificate file
|
||||
copy:
|
||||
dest: "{{ pki_certificate_crt }}"
|
||||
content: "{{ certificate.certificate }}"
|
||||
run_once: true
|
||||
when: certificate is changed and not ansible_check_mode
|
||||
|
||||
- name: Write certificate file on the CA host
|
||||
copy:
|
||||
dest: "{{ pki_certificate_crt }}"
|
||||
content: "{{ certificate.certificate }}"
|
||||
delegate_to: "{{ pki_ca_host | mandatory }}"
|
||||
run_once: true
|
||||
when: certificate is changed and not ansible_check_mode
|
||||
|
||||
|
||||
# Allow other roles to know if some certifiates has changed
|
||||
- name: Set fact, pki_changed
|
||||
when: certificate is changed or ca_certificate is changed
|
||||
set_fact:
|
||||
pki_changed: True
|
Loading…
Add table
Reference in a new issue