Pains-Perdus
/
ansible_hacky_pki
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

factorize the `when` condition

Browse Source
master
histausse 3 years ago
parent 3a4d709275
commit ec297a7dd3
Signed by: histausse
GPG Key ID: 67486F107F62E9E9
1 changed files with 111 additions and 121 deletions
Show Stats Download Patch File Download Diff File

16
roles/generate-cert/tasks/main.yml
Unescape Escape View File

@ -22,7 +22,8 @@
register: validity
when: cert_file.stat.exists
# TODO: Use a block to have only one `when`
- name: Generate the certificate
block:
- name: Generate private key
become: false
openssl_privatekey:
@ -30,7 +31,6 @@
mode: u=rw,g=,o=
size: "{{ key_size | default(omit) }}"
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
# TODO: add a revocation methode, most probably crl, with crl_distribution_points
- name: Generate a Certificate Signing Request
@ -52,7 +52,6 @@
key_usage_critical: yes
subject_alt_name: "{{ subject_alt_name | default(omit) }}"
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Put the CA in a file
become: false
@ -60,7 +59,6 @@
content: "{{ ca_cert }}"
dest: "/tmp/ansible_hacky_pki_ca.crt"
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Put the CA key in a file
become: false
@ -70,7 +68,6 @@
mode: u=rw,g=,o=
delegate_to: localhost
no_log: yes
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Sign the certificate
become: false
@ -83,7 +80,6 @@
ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
provider: ownca
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Send private key to the server
copy:
@ -93,7 +89,6 @@
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=,o=') }}"
no_log: yes
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Send certificate to the server
copy:
@ -102,7 +97,6 @@
owner: "{{ owner | default('root') }}"
group: "{{ group | default('root') }}"
mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
# Clean up
- name: Remove the local cert key
@ -111,7 +105,6 @@
path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CSR
become: false
@ -119,7 +112,6 @@
path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the local certificate
become: false
@ -127,7 +119,6 @@
path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CA certificate
become: false
@ -135,7 +126,6 @@
path: /tmp/ansible_hacky_pki_ca.crt
state: absent
delegate_to: localhost
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
- name: Remove the CA key
become: false
@ -143,4 +133,4 @@
path: /tmp/ansible_hacky_pki_ca.key
state: absent
delegate_to: localhost
when: not key_file.stat.exists
when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)

Write Preview
Loading…
Cancel
Save