use the new addapted version of hacky_pky
This commit is contained in:
parent
f86fe4a3df
commit
7b1e1a1408
2 changed files with 36 additions and 6 deletions
|
@ -5,3 +5,4 @@ key_usage:
|
||||||
validity_duration: "+365d"
|
validity_duration: "+365d"
|
||||||
time_before_expiration_for_renewal: "+30d" # need a better name
|
time_before_expiration_for_renewal: "+30d" # need a better name
|
||||||
force_renewal: no
|
force_renewal: no
|
||||||
|
store_directory: /etc/hackypky
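Review bot: The new `store_directory` default is undocumented, and its relationship to the per-certificate `directory` variable is not obvious from this file; I would add above it `# Host-wide base directory; keys/ and crts/ under it hold the real files, and the per-cert `directory` only receives symlinks to them.` The spelling `hackypky` in the path also differs from the `hacky_pki` prefix the tasks use for the controller-side temp files, which is worth aligning before anything depends on it. The unchanged `force_renewal: no` above it still uses a YAML 1.1 truthy; `force_renewal: false` is the form yamllint's truthy rule accepts.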
|
||||||
|
|
|
@ -1,4 +1,16 @@
|
||||||
---
|
---
|
||||||
|
- name: Ensure the directories used to store certs exist
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
group: root
|
||||||
|
owner: root
|
||||||
|
mode: u=rwx,g=rx,o=rx
|
||||||
|
loop:
|
||||||
|
- "{{ store_directory }}"
|
||||||
|
- "{{ store_directory }}/crts"
|
||||||
|
- "{{ store_directory }}/keys"
|
||||||
|
|
||||||
- name: Ensure the directory containing the cert exist
|
- name: Ensure the directory containing the cert exist
|
||||||
file:
|
file:
|
||||||
path: "{{ directory }}"
|
path: "{{ directory }}"
|
||||||
|
@ -6,17 +18,17 @@
|
||||||
|
|
||||||
- name: Test if the key already exist
|
- name: Test if the key already exist
|
||||||
stat:
|
stat:
|
||||||
path: "{{ directory }}/{{ cname }}.key"
|
path: "{{ store_directory}}/keys/{{ cname }}.key"
|
||||||
register: key_file
|
register: key_file
|
||||||
|
|
||||||
- name: Test if the cert already exist
|
- name: Test if the cert already exist
|
||||||
stat:
|
stat:
|
||||||
path: "{{ directory }}/{{ cname }}.crt"
|
path: "{{ store_directory}}/crts/{{ cname }}.crt"
|
||||||
register: cert_file
|
register: cert_file
|
||||||
|
|
||||||
- name: Test if we need to renew the certificate
|
- name: Test if we need to renew the certificate
|
||||||
openssl_certificate_info:
|
openssl_certificate_info:
|
||||||
path: "{{ directory }}/{{ cname }}.crt"
|
path: "{{ store_directory }}/crts/{{ cname }}.crt"
|
||||||
valid_at:
|
valid_at:
|
||||||
renewal: "{{ time_before_expiration_for_renewal }}"
|
renewal: "{{ time_before_expiration_for_renewal }}"
|
||||||
register: validity
|
register: validity
|
||||||
|
@ -67,7 +79,7 @@
|
||||||
dest: "/tmp/ansible_hacky_pki_ca.key"
|
dest: "/tmp/ansible_hacky_pki_ca.key"
|
||||||
mode: u=rw,g=,o=
|
mode: u=rw,g=,o=
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
no_log: true
|
no_log: yes
|
||||||
|
|
||||||
- name: Sign the certificate
|
- name: Sign the certificate
|
||||||
become: false
|
become: false
|
||||||
|
@ -84,7 +96,7 @@
|
||||||
- name: Send private key to the server
|
- name: Send private key to the server
|
||||||
copy:
|
copy:
|
||||||
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
|
||||||
dest: "{{ directory }}/{{ cname }}.key"
|
dest: "{{ store_directory }}/keys/{{ cname }}.key"
|
||||||
owner: "{{ owner | default('root') }}"
|
owner: "{{ owner | default('root') }}"
|
||||||
group: "{{ group | default('root') }}"
|
group: "{{ group | default('root') }}"
|
||||||
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
|
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
|
||||||
|
@ -93,7 +105,7 @@
|
||||||
- name: Send certificate to the server
|
- name: Send certificate to the server
|
||||||
copy:
|
copy:
|
||||||
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
|
||||||
dest: "{{ directory }}/{{ cname }}.crt"
|
dest: "{{ store_directory }}/crts/{{ cname }}.crt"
|
||||||
owner: "{{ owner | default('root') }}"
|
owner: "{{ owner | default('root') }}"
|
||||||
group: "{{ group | default('root') }}"
|
group: "{{ group | default('root') }}"
|
||||||
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
|
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
|
||||||
|
@ -134,3 +146,20 @@
|
||||||
state: absent
|
state: absent
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
|
||||||
|
|
||||||
|
- name: Create the link to cert
|
||||||
|
file:
|
||||||
|
src: "{{ store_directory }}/crts/{{ cname }}.crt"
|
||||||
|
dest: "{{ directory }}/{{ cname }}.crt"
|
||||||
|
owner: "{{ owner | default('root') }}"
|
||||||
|
group: "{{ group | default('root') }}"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: Create the link to key
|
||||||
|
file:
|
||||||
|
src: "{{ store_directory }}/keys/{{ cname }}.key"
|
||||||
|
dest: "{{ directory }}/{{ cname }}.key"
|
||||||
|
owner: "{{ owner | default('root') }}"
|
||||||
|
group: "{{ group | default('root') }}"
|
||||||
|
state: link
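Review bot: The two `state: link` tasks at the end of the hunk will fail on any host provisioned with the previous layout, because `{{ directory }}/{{ cname }}.key` and `.crt` already exist there as regular files (the old `copy` destinations shown in the earlier hunks) and Ansible's `file` module refuses to replace a regular file with a symlink unless `force: true` is set. Either add `force: true` to both link tasks, or add a one-time migration task that moves the existing files into `{{ store_directory }}/keys` and `{{ store_directory }}/crts` before the links are created, which also keeps the current key instead of generating a new one because the new `stat` checks only look under `store_directory`. Separately, the `keys` directory created at the top of the hunk gets `u=rwx,g=rx,o=rx`, so any local user can list which private keys exist; since the key files may be owned by a non-root `owner`, a per-item mode such as `u=rwx,g=x,o=x` for the keys directory (or `u=rwx,g=,o=` if keys are always root-owned) hides the listing while still letting that owner traverse it.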
|
||||||
|
|
||||||
|
|