From 09cfa80d77d3c5eab07417b4e95cae7c991e7895 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Sun, 20 Sep 2020 00:12:35 +0200
Subject: [PATCH] =?UTF-8?q?R=C3=A9organisation=20de=20`openssl-ca`=20et=20?= =?UTF-8?q?`openssl-common`.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 host_vars/pki.aurore.local.yml | 19 +++++-----
 roles/openssl-ca/tasks/main.yml | 57 ++++++++++------------------
 roles/openssl-common/tasks/main.yml | 18 +++++++++
 3 files changed, 48 insertions(+), 46 deletions(-)

diff --git a/host_vars/pki.aurore.local.yml b/host_vars/pki.aurore.local.yml
index 056caa2..e0f3aa2 100644
--- a/host_vars/pki.aurore.local.yml
+++ b/host_vars/pki.aurore.local.yml
@@ -1,11 +1,12 @@
 ---
-root_ca_slug: aurore-root-ca
-root_ca_common_name: Aurore Test Root CA
-root_ca_country_name: FR
-root_ca_locality_name: Gif-sur-Yvette
-root_ca_state_name: Essone
-root_ca_organization_name: Aurore
-root_ca_email: pki@aurore.local
-root_ca_not_before: +0s
-root_ca_not_after: +3650d
+root_ca:
+ slug: aurore-root-ca
+ common_name: Aurore Test Root CA
+ country_name: FR
+ locality_name: Gif-sur-Yvette
+ state_name: Essone
+ organization_name: Aurore
+ email: pki@aurore.local
+ not_before: +0s
+ not_after: +3650d
 ...
\ No newline at end of file
diff --git a/roles/openssl-ca/tasks/main.yml b/roles/openssl-ca/tasks/main.yml
index 35d3efc..d11fcab 100644
--- a/roles/openssl-ca/tasks/main.yml
+++ b/roles/openssl-ca/tasks/main.yml
@@ -1,26 +1,8 @@
 ---
-- name: Create directories for storing certificates
- become: true
- file:
- path: "/etc/{{ item.name }}"
- state: directory
- owner: root
- group: root
- mode: "{{ item.mode }}"
- loop:
- - name: ssl
- mode: u=rwx,g=rx,o=rx
- - name: ssl/private
- mode: u=rwx,g=,o=
- - name: ssl/csr
- mode: u=rwx,g=,o=
- - name: ssl/certs
- mode: u=rwx,g=rx,o=rx
-
-- name: Generate a private key for the root CA
+- name: Generate a private key for root CA
 become: true
 openssl_privatekey:
- path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
+ path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
 owner: root
 group: root
 mode: u=r,g=,o=
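Review bot: With the directory task moved out of this file, the `openssl_privatekey` task (and the CSR and certificate tasks further down the file) now relies on `/etc/ssl/private` and `/etc/ssl/csr` existing with the root-only mode that openssl-common sets, but nothing in this role expresses that ordering. Unless the role's `meta/main.yml` already lists openssl-common under `dependencies` (not visible in this patch), a play that applies openssl-ca alone will fail on a missing `/etc/ssl/csr`, or write the key into whatever `/etc/ssl/private` the distribution shipped. A `dependencies: [openssl-common]` entry in the role's meta, or at least a comment above the first task, `# Requires the openssl-common role (creates /etc/ssl/{private,csr,certs}, installs python3-cryptography)`, would make the contract explicit.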
@@ -30,44 +12,45 @@
 - name: Generate a CSR for the root CA private key
 become: true
 openssl_csr:
- privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
- path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
+ privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
+ path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
 owner: root
 group: root
 mode: u=r,g=,o=
- common_name: "{{ root_ca_common_name }}"
- country_name: "{{ root_ca_country_name }}"
- locality_name: "{{ root_ca_locality_name }}"
- organization_name: "{{ root_ca_organization_name }}"
- state_or_province_name: "{{ root_ca_state_name }}"
- email_address: "{{ root_ca_email }}"
+ common_name: "{{ root_ca.common_name }}"
+ country_name: "{{ root_ca.country_name }}"
+ locality_name: "{{ root_ca.locality_name }}"
+ organization_name: "{{ root_ca.organization_name }}"
+ state_or_province_name: "{{ root_ca.state_name }}"
+ email_address: "{{ root_ca.email }}"
 use_common_name_for_san: false
 basic_constraints_critical: true
 basic_constraints:
 - CA:TRUE
- - pathlen:1
+ - pathlen:0 # FIXME: sub CA personnes ?
 key_usage:
 - keyCertSign
 - cRLSign
 key_usage_critical: true

-# FIXME: regénérer quand le certificat n'est plus à jour
+# FIXME: regénérer quand le certificat est expiré (ne semble pas
+# le cas actuellement)
 - name: Generate the root CA certificate
 become: true
 openssl_certificate:
- privatekey_path: "/etc/ssl/private/{{ root_ca_slug }}.pem"
- csr_path: "/etc/ssl/csr/{{ root_ca_slug }}.csr"
- path: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
+ privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
+ csr_path: "/etc/ssl/csr/{{ root_ca.slug }}.csr"
+ path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
 owner: root
 group: root
 mode: u=r,g=r,o=r
 provider: selfsigned
- selfsigned_not_before: "{{ root_ca_not_before }}"
- selfsigned_not_after: "{{ root_ca_not_after }}"
+ selfsigned_not_before: "{{ root_ca.not_before }}"
+ selfsigned_not_after: "{{ root_ca.not_after }}"

 - name: Retrieve the root CA certificate
 fetch:
- src: "/etc/ssl/certs/{{ root_ca_slug }}.pem"
- dest: "loot/certs/{{ root_ca_slug }}.pem"
+ src: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
+ dest: "loot/certs/{{ root_ca.slug }}.pem"
 flat: yes
 ...
\ No newline at end of file
diff --git a/roles/openssl-common/tasks/main.yml b/roles/openssl-common/tasks/main.yml
index c37cdd9..84aa921 100644
--- a/roles/openssl-common/tasks/main.yml
+++ b/roles/openssl-common/tasks/main.yml
@@ -4,4 +4,22 @@
 apt:
 name: python3-cryptography
 state: present
+
+- name: Create directories for storing certificates
+ become: true
+ file:
+ path: "/etc/{{ item.name }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
+ loop:
+ - name: ssl
+ mode: u=rwx,g=rx,o=rx
+ - name: ssl/private
+ mode: u=rwx,g=,o=
+ - name: ssl/csr
+ mode: u=rwx,g=,o=
+ - name: ssl/certs
+ mode: u=rwx,g=rx,o=rx
 ...
\ No newline at end of file
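Review bot: The rewritten FIXME above `Generate the root CA certificate` records that an expired root is not regenerated, and the patch leaves that gap open. As far as I know, `openssl_certificate`'s selfsigned provider regenerates only when the key or CSR no longer matches the existing certificate or `force` is set, so `selfsigned_not_after` is consulted only at first creation and the `+3650d` from host_vars is effectively a one-shot value. One way to close the FIXME without resorting to `force: true` is a preceding `openssl_certificate_info` task with `valid_at` on the existing file whose result feeds `force:` here, and I would restate the comment in English so the intent survives the next reader, e.g. `# FIXME: an expired root certificate is not regenerated (the module only reacts to key/CSR changes or force)`. Separately, the `pathlen:1` to `pathlen:0` change in the CSR hunk is a behaviour change hidden inside a variable rename: it forbids any intermediate CA under this root and, if the module compares CSR extensions against the existing certificate as I believe it does, causes the root certificate to be reissued, so copies previously fetched into `loot/certs` will no longer match by fingerprint; that deserves its own commit or at least a line in the message.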
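Review bot: The `ssl/private` loop entry forces `/etc/ssl/private` to `root:root` with `u=rwx,g=,o=`, which on Debian-family hosts (this role installs with `apt` above) conflicts with the `ssl-cert` package, which as far as I recall sets that directory to `root:ssl-cert` with group execute so that services in the `ssl-cert` group can read their keys; if that package is present, the two will keep reverting each other and those services lose access. If the intent is a directory dedicated to this PKI, a sub-directory such as `ssl/private/<ca-slug>` (placeholder) is safer than re-modeing the distribution's shared one; if the shared directory is intended, `group: ssl-cert` together with `mode: u=rwx,g=x,o=` preserves the distribution's contract. Either way a comment on the loop, `# /etc/ssl is shipped by the openssl package; ssl-cert (if installed) expects root:ssl-cert with g=x on private`, would document the decision. The symbolic modes themselves are a good choice: they avoid the octal-vs-integer trap that bare `0700`-style values hit in YAML.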