Pains-Perdus
/
ansible_hacky_pki
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

factorize the `when` condition

Browse Source
master
histausse 3 years ago
parent 3a4d709275
commit ec297a7dd3
Signed by: histausse
GPG Key ID: 67486F107F62E9E9
1 changed files with 111 additions and 121 deletions
Show Stats Download Patch File Download Diff File

232
roles/generate-cert/tasks/main.yml
Unescape Escape View File

@ -22,125 +22,115 @@
register: validity
when: cert_file.stat.exists
# TODO: Use a block to have only one `when`
- name: Generate private key
become: false
openssl_privatekey:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
mode: u=rw,g=,o=
size: "{{ key_size | default(omit) }}"
delegate_to: localhost
- name: Generate the certificate
block:
- name: Generate private key
become: false
openssl_privatekey:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
mode: u=rw,g=,o=
size: "{{ key_size | default(omit) }}"
delegate_to: localhost
# TODO: add a revocation methode, most probably crl, with crl_distribution_points
- name: Generate a Certificate Signing Request
become: false
openssl_csr:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
common_name: "{{ cname }}"
country_name: "{{ country_name | default(omit) }}"
locality_name: "{{ locality_name | default(omit) }}"
state_or_province_name: "{{ state_or_province_name | default(omit) }}"
organization_name: "{{ organization_name | default(omit) }}"
organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
email_address: "{{ email_address | default(omit) }}"
basic_constraints:
- CA:FALSE # syntax?
basic_constraints_critical: yes
key_usage: "{{ key_usage }}"
key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
delegate_to: localhost
- name: Put the CA in a file
become: false
copy:
content: "{{ ca_cert }}"
dest: "/tmp/ansible_hacky_pki_ca.crt"
delegate_to: localhost
- name: Put the CA key in a file
become: false
copy:
content: "{{ ca_key }}"
dest: "/tmp/ansible_hacky_pki_ca.key"
mode: u=rw,g=,o=
delegate_to: localhost
no_log: yes
- name: Sign the certificate
become: false
openssl_certificate:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
ownca_not_after: "{{ validity_duration }}"
ownca_path: /tmp/ansible_hacky_pki_ca.crt
ownca_privatekey_passphrase: "{{ ca_passphrase }}"
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
provider: ownca
delegate_to: localhost
- name: Send private key to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
dest: "{{ directory }}/{{ cname }}.key"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
no_log: yes
- name: Send certificate to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
dest: "{{ directory }}/{{ cname }}.crt"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
# Clean up
- name: Remove the local cert key
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
state: absent
delegate_to: localhost
- name: Remove the CSR
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
state: absent
delegate_to: localhost
- name: Remove the local certificate
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
state: absent
delegate_to: localhost
- name: Remove the CA certificate
become: false
file:
path: /tmp/ansible_hacky_pki_ca.crt
state: absent
delegate_to: localhost
- name: Remove the CA key
become: false
file:
path: /tmp/ansible_hacky_pki_ca.key
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
# TODO: add a revocation methode, most probably crl, with crl_distribution_points
- name: Generate a Certificate Signing Request
become: false
openssl_csr:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
common_name: "{{ cname }}"
country_name: "{{ country_name | default(omit) }}"
locality_name: "{{ locality_name | default(omit) }}"
state_or_province_name: "{{ state_or_province_name | default(omit) }}"
organization_name: "{{ organization_name | default(omit) }}"
organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
email_address: "{{ email_address | default(omit) }}"
basic_constraints:
- CA:FALSE # syntax?
basic_constraints_critical: yes
key_usage: "{{ key_usage }}"
key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Put the CA in a file
become: false
copy:
content: "{{ ca_cert }}"
dest: "/tmp/ansible_hacky_pki_ca.crt"
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Put the CA key in a file
become: false
copy:
content: "{{ ca_key }}"
dest: "/tmp/ansible_hacky_pki_ca.key"
mode: u=rw,g=,o=
delegate_to: localhost
no_log: yes
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Sign the certificate
become: false
openssl_certificate:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
ownca_not_after: "{{ validity_duration }}"
ownca_path: /tmp/ansible_hacky_pki_ca.crt
ownca_privatekey_passphrase: "{{ ca_passphrase }}"
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
provider: ownca
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Send private key to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
dest: "{{ directory }}/{{ cname }}.key"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
no_log: yes
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Send certificate to the server
copy:
src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
dest: "{{ directory }}/{{ cname }}.crt"
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
# Clean up
- name: Remove the local cert key
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CSR
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the local certificate
become: false
file:
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CA certificate
become: false
file:
path: /tmp/ansible_hacky_pki_ca.crt
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CA key
become: false
file:
path: /tmp/ansible_hacky_pki_ca.key
state: absent
delegate_to: localhost
when: not key_file.stat.exists

Write Preview
Loading…
Cancel
Save