Revert "Add pki role."

This reverts commit ac70793ad6. Implementation too inflexible. Try again!
2023-09-21 16:56:39 +02:00 · 2023-09-21 16:56:39 +02:00 · e4a70b3c0c
parent 4c91f424c6
commit e4a70b3c0c
4 changed files with 0 additions and 166 deletions
--- a/pki/defaults/main.yml
+++ b/pki/defaults/main.yml
@ -1,15 +0,0 @@
---
-pki_dir: /etc/pki         # Where to store PKI files
-
-pki_ca_cn: Null           # Certificate Authority Commmon Name
-pki_ca_host: Null         # Host where the CA is located
-pki_ca_filename: Null     # Filename used to created CA related file
-pki_ca_password: Null     # Password for the key of the CA
-
-
-# Private variable, please don't customize them
-pki_ca_key: "{{ pki_dir }}/private/{{ pki_ca_filename | mandatory }}.key"
-# pki_ca_csr: "{{ pki_dir }}/certs/{{ pki_ca_filename | mandatory }}.crt"
-pki_ca_crt: "{{ pki_dir }}/certs/{{ pki_ca_filename | mandatory }}.crt"
-pki_certificate_crt: "{{ pki_dir }}/certs/{{ ansible_fqdn }}.crt"
-pki_certificate_key: "{{ pki_dir }}/private/{{ ansible_fqdn }}.key"
--- a/pki/tasks/ca.yml
+++ b/pki/tasks/ca.yml
@ -1,28 +0,0 @@
---
- name: Create private key with password protection
-  community.crypto.openssl_privatekey:
-    path: "{{ pki_ca_key }}"
-    passphrase: "{{ pki_ca_password | mandatory }}"
-    cipher: auto
-
- name: Create certificate signing request (CSR) for CA certificate
-  community.crypto.openssl_csr_pipe:
-    privatekey_path: "{{ pki_ca_key }}"
-    privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
-    common_name: "{{ pki_ca_cn | mandatory }}"
-    use_common_name_for_san: false
-    basic_constraints:
-      - 'CA:TRUE'
-    basic_constraints_critical: yes
-    key_usage:
-      - keyCertSign
-    key_usage_critical: true
-  register: ca_csr
-
- name: Create self-signed CA certificate from CSR
-  community.crypto.x509_certificate:
-    path: "{{ pki_ca_crt }}"
-    csr_content: "{{ ca_csr.csr }}"
-    privatekey_path: "{{ pki_ca_key }}"
-    privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
-    provider: selfsigned
--- a/pki/tasks/main.yml
+++ b/pki/tasks/main.yml
@ -1,33 +0,0 @@
---
-
-# Prerequisites
-# TODO Python packages may need to be differente based on debian version
- name: Install python 2 cryptography
-  apt:
-    name: python-cryptography
-    state: present
-  when: ansible_python['executable'] == "/usr/bin/python"
-
- name: Install python 3 cryptography
-  apt:
-    name: python3-cryptography
-    state: present
-  when: ansible_python['executable'] == "/usr/bin/python3"
-
- name: Creates PKI tree directories
-  file:
-    path: "{{ item }}"
-    mode: 0700
-    state: directory
-  loop:
-    - "{{ pki_dir }}/certs"
-    - "{{ pki_dir }}/private"
-
-
-# Create Certificat Authority (CA)
- include: ca.yml
-  when: inventory_hostname == pki_ca_host and not ansible_check_mode
-
-
-# Create a certificate signed by the CA
- include: signed_certificate.yml
--- a/pki/tasks/signed_certificate.yml
+++ b/pki/tasks/signed_certificate.yml
@ -1,90 +0,0 @@
---
-# CA certificate
- name: Check whether CA certificate exists
-  stat:
-    path: "{{ pki_ca_crt }}"
-  delegate_to: "{{ pki_ca_host | mandatory }}"
-  run_once: true
-  register: ca_certificate_exists
-
- name: Fail if CA doesn't exists
-  fail:
-    msg: "CA '{{ pki_ca_crt }}' on host '{{ pki_ca_host }}' doesn't exists! You need to create one before continuing."
-  when: not ca_certificate_exists.stat.exists
-
- name: Read existing CA certificate if exists
-  slurp:
-    src: "{{ pki_ca_crt }}"
-  when: ca_certificate_exists.stat.exists
-  delegate_to: "{{ pki_ca_host | mandatory }}"
-  run_once: true
-  register: ca_certificate
-
- name: Write CA certificate file
-  copy:
-    dest: "{{ pki_ca_crt }}"
-    content: "{{ ca_certificate.content | b64decode }}"
-  run_once: true
-  register: ca_certificate
-
-
-# Create new signed certificate
- name: Create private key for new certificate
-  community.crypto.openssl_privatekey:
-    path: "{{ pki_certificate_key }}"
-  run_once: true
-
- name: Create certificate signing request (CSR) for new certificate
-  community.crypto.openssl_csr_pipe:
-    privatekey_path: "{{ pki_certificate_key }}"
-    common_name: "{{ ansible_fqdn }}"
-  run_once: true
-  register: csr
-
- name: Check whether certificate exists
-  stat:
-    path: "{{ pki_certificate_crt }}"
-  run_once: true
-  register: certificate_exists
-
- name: Read existing certificate if exists
-  slurp:
-    src: "{{ pki_certificate_crt }}"
-  when: certificate_exists.stat.exists
-  run_once: true
-  register: certificate
-
- name: Sign certificate with CA
-  community.crypto.x509_certificate_pipe:
-    content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
-    csr_content: "{{ csr.csr }}"
-    provider: ownca
-    ownca_path: "{{ pki_ca_crt }}"
-    ownca_privatekey_path: "{{ pki_ca_key }}"
-    ownca_privatekey_passphrase: "{{ pki_ca_password | mandatory}}"
-  delegate_to: "{{ pki_ca_host | mandatory }}"
-  run_once: true
-  register: certificate
-  when: not ansible_check_mode
-
- name: Write certificate file
-  copy:
-    dest: "{{ pki_certificate_crt }}"
-    content: "{{ certificate.certificate }}"
-  run_once: true
-  when: certificate is changed and not ansible_check_mode
-
- name: Write certificate file on the CA host
-  copy:
-    dest: "{{ pki_certificate_crt }}"
-    content: "{{ certificate.certificate }}"
-  delegate_to: "{{ pki_ca_host | mandatory }}"
-  run_once: true
-  when: certificate is changed and not ansible_check_mode
-
-
-# Allow other roles to know if some certifiates has changed
- name: Set fact, pki_changed
-  when: certificate is changed or ca_certificate is changed
-  set_fact:
-    pki_changed: True