Revert "Add pki role."
Ansible Lint |Total|New|Outstanding|Fixed|Trend |:-:|:-:|:-:|:-:|:-: |2623|3|2620|26|:+1: Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/358//ansiblelint">Evolix » ansible-roles » unstable #358</a> Details
gitea/ansible-roles/pipeline/head This commit looks good Details

This reverts commit ac70793ad6.

Implementation too inflexible. Try again!
This commit is contained in:
Brice Waegeneire 2023-09-21 16:56:39 +02:00
parent 4c91f424c6
commit e4a70b3c0c
4 changed files with 0 additions and 166 deletions

View File

@ -1,15 +0,0 @@
---
pki_dir: /etc/pki # Where to store PKI files
pki_ca_cn: Null # Certificate Authority Commmon Name
pki_ca_host: Null # Host where the CA is located
pki_ca_filename: Null # Filename used to created CA related file
pki_ca_password: Null # Password for the key of the CA
# Private variable, please don't customize them
pki_ca_key: "{{ pki_dir }}/private/{{ pki_ca_filename | mandatory }}.key"
# pki_ca_csr: "{{ pki_dir }}/certs/{{ pki_ca_filename | mandatory }}.crt"
pki_ca_crt: "{{ pki_dir }}/certs/{{ pki_ca_filename | mandatory }}.crt"
pki_certificate_crt: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.crt"
pki_certificate_key: "{{ pki_dir }}/private/{{ ansible_fqdn }}.key"

View File

@ -1,28 +0,0 @@
---
- name: Create private key with password protection
community.crypto.openssl_privatekey:
path: "{{ pki_ca_key }}"
passphrase: "{{ pki_ca_password | mandatory }}"
cipher: auto
- name: Create certificate signing request (CSR) for CA certificate
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ pki_ca_key }}"
privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
common_name: "{{ pki_ca_cn | mandatory }}"
use_common_name_for_san: false
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes
key_usage:
- keyCertSign
key_usage_critical: true
register: ca_csr
- name: Create self-signed CA certificate from CSR
community.crypto.x509_certificate:
path: "{{ pki_ca_crt }}"
csr_content: "{{ ca_csr.csr }}"
privatekey_path: "{{ pki_ca_key }}"
privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
provider: selfsigned

View File

@ -1,33 +0,0 @@
---
# Prerequisites
# TODO Python packages may need to be differente based on debian version
- name: Install python 2 cryptography
apt:
name: python-cryptography
state: present
when: ansible_python['executable'] == "/usr/bin/python"
- name: Install python 3 cryptography
apt:
name: python3-cryptography
state: present
when: ansible_python['executable'] == "/usr/bin/python3"
- name: Creates PKI tree directories
file:
path: "{{ item }}"
mode: 0700
state: directory
loop:
- "{{ pki_dir }}/certs"
- "{{ pki_dir }}/private"
# Create Certificat Authority (CA)
- include: ca.yml
when: inventory_hostname == pki_ca_host and not ansible_check_mode
# Create a certificate signed by the CA
- include: signed_certificate.yml

View File

@ -1,90 +0,0 @@
---
# CA certificate
- name: Check whether CA certificate exists
stat:
path: "{{ pki_ca_crt }}"
delegate_to: "{{ pki_ca_host | mandatory }}"
run_once: true
register: ca_certificate_exists
- name: Fail if CA doesn't exists
fail:
msg: "CA '{{ pki_ca_crt }}' on host '{{ pki_ca_host }}' doesn't exists! You need to create one before continuing."
when: not ca_certificate_exists.stat.exists
- name: Read existing CA certificate if exists
slurp:
src: "{{ pki_ca_crt }}"
when: ca_certificate_exists.stat.exists
delegate_to: "{{ pki_ca_host | mandatory }}"
run_once: true
register: ca_certificate
- name: Write CA certificate file
copy:
dest: "{{ pki_ca_crt }}"
content: "{{ ca_certificate.content | b64decode }}"
run_once: true
register: ca_certificate
# Create new signed certificate
- name: Create private key for new certificate
community.crypto.openssl_privatekey:
path: "{{ pki_certificate_key }}"
run_once: true
- name: Create certificate signing request (CSR) for new certificate
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ pki_certificate_key }}"
common_name: "{{ ansible_fqdn }}"
run_once: true
register: csr
- name: Check whether certificate exists
stat:
path: "{{ pki_certificate_crt }}"
run_once: true
register: certificate_exists
- name: Read existing certificate if exists
slurp:
src: "{{ pki_certificate_crt }}"
when: certificate_exists.stat.exists
run_once: true
register: certificate
- name: Sign certificate with CA
community.crypto.x509_certificate_pipe:
content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
csr_content: "{{ csr.csr }}"
provider: ownca
ownca_path: "{{ pki_ca_crt }}"
ownca_privatekey_path: "{{ pki_ca_key }}"
ownca_privatekey_passphrase: "{{ pki_ca_password | mandatory}}"
delegate_to: "{{ pki_ca_host | mandatory }}"
run_once: true
register: certificate
when: not ansible_check_mode
- name: Write certificate file
copy:
dest: "{{ pki_certificate_crt }}"
content: "{{ certificate.certificate }}"
run_once: true
when: certificate is changed and not ansible_check_mode
- name: Write certificate file on the CA host
copy:
dest: "{{ pki_certificate_crt }}"
content: "{{ certificate.certificate }}"
delegate_to: "{{ pki_ca_host | mandatory }}"
run_once: true
when: certificate is changed and not ansible_check_mode
# Allow other roles to know if some certifiates has changed
- name: Set fact, pki_changed
when: certificate is changed or ca_certificate is changed
set_fact:
pki_changed: True