From cd0ea9417325428fce97ce778a1ba221f866e0f5 Mon Sep 17 00:00:00 2001
From: Arnaud GRESSE
Date: Fri, 16 Dec 2022 18:02:08 +0100
Subject: [PATCH] add role

---
 roles/defaults/main.yml | 13 +++++++++++++
 roles/handlers/main.yml | 0
 roles/tasks/main.yml | 27 +++++++++++++++++++++++++++
 roles/tasks/pre_requisite.yml | 22 ++++++++++++++++++++++
 roles/templates/server.cnf.j2 | 13 +++++++++++++
 5 files changed, 75 insertions(+)
 create mode 100644 roles/defaults/main.yml
 create mode 100644 roles/handlers/main.yml
 create mode 100644 roles/tasks/main.yml
 create mode 100644 roles/tasks/pre_requisite.yml
 create mode 100644 roles/templates/server.cnf.j2

diff --git a/roles/defaults/main.yml b/roles/defaults/main.yml
new file mode 100644
index 0000000..5cc77ba
--- /dev/null
+++ b/roles/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+cfssl_version: 1.6.3
+cfssl_bin_directory: /usr/bin
+cfssl_serve_url: localhost:8888
+cfssl_profile: server
+
+cnf_file: /etc/ssl/server.cnf
+key_file: /etc/ssl/private/{{inventory_hostname_short}}.key
+csr_file: /etc/ssl/{{inventory_hostname_short}}.csr
+cert_file: /etc/ssl/certs/{{inventory_hostname_short}}.pem
+
+integrate_ca: yes
+ca_filename : my_intermediate_ca.crt
\ No newline at end of file
diff --git a/roles/handlers/main.yml b/roles/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/tasks/main.yml b/roles/tasks/main.yml
new file mode 100644
index 0000000..a184f56
--- /dev/null
+++ b/roles/tasks/main.yml
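Review bot: `cfssl_serve_url: localhost:8888` is a bare host:port, which `cfssl sign -remote` and `cfssl info -remote` in tasks/main.yml reach over plain HTTP as far as these defaults show, and `integrate_ca: yes` makes the role trust the CA certificate that endpoint returns by default; a safer default is `integrate_ca: false`, with a comment stating that `cfssl_serve_url` should be a TLS endpoint or a loopback address whenever CA integration is enabled. `integrate_ca: yes` is also a YAML 1.1 truthy that other tooling reads differently, so `integrate_ca: true` is the unambiguous form. `ca_filename : my_intermediate_ca.crt` carries a space before the colon; `ca_filename: my_intermediate_ca.crt`. A one-line comment on each variable group (what the signer URL is, where the key, CSR and certificate land) would make the role usable without reading the tasks.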
@@ -0,0 +1,27 @@
+- name: include pre_requisite.yml
+ import_tasks: pre_requisite.yml
+
+- name: creating cnf file
+ template:
+ src: server.cnf.j2
+ dest: '{{cnf_file}}'
+ owner: root
+ group: root
+ mode: 0644
+
+- name: create csr and key with openssl
+ shell: 'openssl req -new -newkey rsa:2048 -nodes -sha256 -config {{cnf_file}} -out {{csr_file}} -keyout {{key_file}}'
+
+- name: sign certificate
+ shell: '{{cfssl_bin_directory}}/cfssl sign -remote "{{cfssl_serve_url}}" -profile "{{cfssl_profile}}" {{csr_file}} | cfssljson -bare -stdout > {{cert_file}}'
+
+- name: remove csr in content certificate
+ shell: 'openssl x509 -in {{cert_file}} -out {{cert_file}}'
+
+- name: recuperate ca certificate
+ shell: '{{cfssl_bin_directory}}/cfssl info -remote "{{cfssl_serve_url}}" | cfssljson -bare -stdout > /usr/local/share/ca-certificates/{{ca_filename}}'
+ when: integrate_ca
+
+- name: Update CA Store
+ shell: 'update-ca-certificates'
+ when: integrate_ca
\ No newline at end of file
diff --git a/roles/tasks/pre_requisite.yml b/roles/tasks/pre_requisite.yml
new file mode 100644
index 0000000..a867db2
--- /dev/null
+++ b/roles/tasks/pre_requisite.yml
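Review bot: The `create csr and key with openssl` and `sign certificate` tasks have no `creates:` guard, so every run of the role generates a new private key and requests a new certificate for the host, and the permissions of the `-keyout {{key_file}}` file are left to openssl (recent releases create it 0600, older ones follow the umask) rather than set by the role. The pipelines in `sign certificate` and `recuperate ca certificate` return only the exit status of `cfssljson`, so a failed or refused sign request can leave `{{cert_file}}` empty or truncated while the task reports success; running them under bash with `set -o pipefail` fixes that, as sketched below. `recuperate ca certificate` then takes whatever certificate the remote returns and installs it into the system trust store via `update-ca-certificates`, over a channel that nothing in this hunk authenticates, so anything able to answer on `cfssl_serve_url` can plant a trusted CA on every managed host; ship the CA certificate from the controller with `copy:` (or compare its fingerprint against a pinned value) before it is trusted, and use cfssl's TLS / mutual-TLS remote options for the sign call if the signer supports them. `mode: 0644` here and `mode: 0755` in pre_requisite.yml are unquoted octal integers, which Ansible happens to accept, but `mode: '0644'` is the conventional form so a later edit to a bare `644` does not silently become mode 1204.
```yaml
- name: create csr and key with openssl
  shell: 'openssl req -new -newkey rsa:2048 -nodes -sha256 -config {{cnf_file}} -out {{csr_file}} -keyout {{key_file}}'
  args:
    creates: '{{key_file}}'

- name: restrict private key permissions
  file:
    path: '{{key_file}}'
    owner: root
    group: root
    mode: '0600'

- name: sign certificate
  shell: |
    set -o pipefail
    {{cfssl_bin_directory}}/cfssl sign -remote "{{cfssl_serve_url}}" -profile "{{cfssl_profile}}" {{csr_file}} | cfssljson -bare -stdout > {{cert_file}}
  args:
    executable: /bin/bash
    creates: '{{cert_file}}'

# … unchanged: remove csr in content certificate, recuperate ca certificate, Update CA Store …
```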
@@ -0,0 +1,22 @@
+---
+- name: Check if cfssl is already available
+ stat:
+ path: '{{cfssl_bin_directory}}/cfssl'
+ register: cfssl_exist
+- name: Download statically linked cfssl binary
+ get_url:
+ url: https://github.com/cloudflare/cfssl/releases/download/v{{cfssl_version}}/cfssl_{{cfssl_version}}_linux_amd64
+ dest: '{{cfssl_bin_directory}}/cfssl'
+ mode: 0755
+ when: cfssl_exist.stat.exists == false
+
+- name: Check if cfssljson is already available
+ stat:
+ path: '{{cfssl_bin_directory}}/cfssljson'
+ register: cfssljson_exist
+- name: Download statically linked cfssljson binary
+ get_url:
+ url: https://github.com/cloudflare/cfssl/releases/download/v{{cfssl_version}}/cfssljson_{{cfssl_version}}_linux_amd64
+ dest: '{{cfssl_bin_directory}}/cfssljson'
+ mode: 0755
+ when: cfssljson_exist.stat.exists == false
\ No newline at end of file
diff --git a/roles/templates/server.cnf.j2 b/roles/templates/server.cnf.j2
new file mode 100644
index 0000000..fa04612
--- /dev/null
+++ b/roles/templates/server.cnf.j2
@@ -0,0 +1,13 @@
+[ req ]
+prompt = no
+distinguished_name = dn
+req_extensions = req_ext
+
+[ dn ]
+CN = {{inventory_hostname_short}}.{{vm_domain_name}}
+
+[ req_ext ]
+subjectAltName = DNS:{{inventory_hostname_short}}.{{vm_domain_name}},DNS:{{inventory_hostname_short}}-adm.{{vm_domain_name}}
+
+[ alt_names ]
+DNS.1 = {{inventory_hostname_short}}-adm.{{vm_domain_name}}
\ No newline at end of file
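Review bot: Both `get_url` tasks install executables that later run as root from GitHub release assets without a `checksum:`, so a substituted or tampered asset is installed silently; cfssl publishes checksums for its release assets, so add `checksum: 'sha256:<expected sha256 for cfssl_{{cfssl_version}}_linux_amd64>'` (placeholder) to each task and keep the values alongside `cfssl_version`. The `stat` pre-checks skip the download whenever any file exists at `{{cfssl_bin_directory}}/cfssl`, so bumping `cfssl_version` never replaces an already installed older binary; with a checksum in place `get_url` itself decides whether to re-download, and the `stat`/`register`/`when` triplets can go. Minor: `when: cfssl_exist.stat.exists == false` reads better as `when: not cfssl_exist.stat.exists`, and the missing blank line between the first `stat` and `get_url` tasks is inconsistent with the second pair.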
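Review bot: The `[ alt_names ]` section is never referenced — `subjectAltName` in `[ req_ext ]` lists both names inline — so `DNS.1` is dead configuration and the two lists can silently drift apart; either switch to `subjectAltName = @alt_names` with `DNS.1 = {{inventory_hostname_short}}.{{vm_domain_name}}` and `DNS.2 = {{inventory_hostname_short}}-adm.{{vm_domain_name}}` under `[ alt_names ]`, or drop the section. Both the CN and the SANs depend on `vm_domain_name`, which nothing in this patch defines, so rendering fails on any host whose inventory does not set it; a header comment such as `{# requires vm_domain_name from the inventory; inventory_hostname_short is built in #}` would document that. Whether the `-adm` SAN ends up in the issued certificate depends on the cfssl signing profile honouring requested SANs, which is outside this patch and worth confirming against the profile behind `cfssl_profile`.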