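# Provisions a cfssl-based PKI on the target host: a dedicated service account,
# a private PKI directory tree, a self-signed root CA, an intermediate CA signed
# by it, the sqlite certificate database, the systemd unit and the firewall
# opening for the cfssl API.
#
# Variables expected from the caller (not defined here):
#   pki_dir             - root of the PKI tree; also used as the cfssl user's home
#   cfssl_bin_directory - directory holding the cfssl and cfssljson binaries
#
# Every task runs with the play's privileges (normally root). The root CA key
# (CA/ca-key.pem) is left owned by root, mode 0600, and never handed to the
# service account; only the intermediate material ("ca-server") and the
# database are chowned to cfssl.

- name: include pre_requisite.yml
  ansible.builtin.import_tasks: pre_requisite.yml

# Service account: no login shell, no home directory created (pki_dir is used
# as home), allocated from the system UID range.
- name: Create cfssl user
  ansible.builtin.user:
    name: cfssl
    system: true
    shell: /usr/sbin/nologin
    create_home: false
    home: "{{ pki_dir }}"

# One task for the whole directory tree; every directory is private to the
# service account. Modes are quoted so YAML never re-types them as integers.
- name: Create PKI directory tree
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: cfssl
    group: cfssl
    mode: "0700"
  loop:
    - "{{ pki_dir }}"
    - "{{ pki_dir }}/csr"
    - "{{ pki_dir }}/etc"
    - "{{ pki_dir }}/data"
    - "{{ pki_dir }}/CA"

# CSR definitions, cfssl/db configuration and the database bootstrap SQL.
# The result is registered so a changed configuration restarts the service
# at the end of the play.
- name: Render CSR, configuration and database bootstrap files
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ pki_dir }}/{{ item.dest }}"
    owner: cfssl
    group: cfssl
    mode: "0600"
  loop:
    - src: csr_ROOT_CA.json.j2
      dest: csr/csr_ROOT_CA.json
    - src: csr_intermediate_CA.json.j2
      dest: csr/csr_intermediate_CA.json
    - src: cfssl.json.j2
      dest: etc/cfssl.json
    - src: db.json.j2
      dest: etc/db.json
    - src: init.sql.j2
      dest: data/init.sql
  register: cfssl_files

# Both gencert tasks are guarded by `creates` on the private key, so an
# existing CA is never silently re-keyed (delete the key to force regeneration).
# The pipe is run under bash with pipefail so that a failure of `cfssl` is
# never masked by the exit status of `cfssljson`.
- name: Create root CA key pair and self-signed certificate
  ansible.builtin.shell: >-
    set -o pipefail &&
    {{ cfssl_bin_directory }}/cfssl gencert -initca {{ pki_dir }}/csr/csr_ROOT_CA.json
    | {{ cfssl_bin_directory }}/cfssljson -bare ca
  args:
    chdir: "{{ pki_dir }}/CA/"
    creates: "{{ pki_dir }}/CA/ca-key.pem"
    executable: /bin/bash

- name: Create intermediate CA key pair and certificate signed by the root CA
  ansible.builtin.shell: >-
    set -o pipefail &&
    {{ cfssl_bin_directory }}/cfssl gencert
    -ca {{ pki_dir }}/CA/ca.pem
    -ca-key {{ pki_dir }}/CA/ca-key.pem
    -config={{ pki_dir }}/etc/cfssl.json
    -profile="intermediate_ca"
    {{ pki_dir }}/csr/csr_intermediate_CA.json
    | {{ cfssl_bin_directory }}/cfssljson -bare ca-server
  args:
    chdir: "{{ pki_dir }}/CA/"
    creates: "{{ pki_dir }}/CA/ca-server-key.pem"
    executable: /bin/bash

# `-bail` makes sqlite3 stop and exit non-zero on the first SQL error instead
# of continuing; the `creates` guard would otherwise hide a half-initialised
# database on the next run.
- name: Create sqlite3 certificate database
  ansible.builtin.shell: >-
    sqlite3 -bail {{ pki_dir }}/data/certdb.db < {{ pki_dir }}/data/init.sql
  args:
    creates: "{{ pki_dir }}/data/certdb.db"

# Explicitly pin the root CA material to root rather than relying on whatever
# mode cfssljson used when writing it. Presumably the service signs with the
# intermediate only (confirm against cfssl.service.j2), so the root key must
# stay unreadable by the cfssl account.
# NOTE(review): CA/ itself is owned by cfssl with mode 0700, so the service
# account can still rename or delete these files even though it cannot read
# the key; a root-owned (or offline) location for the root CA would be safer.
- name: Restrict access to the root CA key and certificate
  ansible.builtin.file:
    path: "{{ pki_dir }}/CA/{{ item.name }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - name: ca-key.pem
      mode: "0600"
    - name: ca.pem
      mode: "0644"

# Only the intermediate CA material and the database belong to the service.
- name: Hand the intermediate CA material and the database to the cfssl user
  ansible.builtin.file:
    path: "{{ item }}"
    owner: cfssl
    group: cfssl
    mode: "0600"
  loop:
    - "{{ pki_dir }}/CA/ca-server.pem"
    - "{{ pki_dir }}/CA/ca-server-key.pem"
    - "{{ pki_dir }}/data/certdb.db"

# Registered so that a changed unit file triggers daemon-reload + restart.
- name: Création du fichier de service /lib/systemd/system/cfssl.service
  ansible.builtin.template:
    src: cfssl.service.j2
    dest: /lib/systemd/system/cfssl.service
    owner: root
    group: root
    mode: "0644"
  register: cfssl_unit

# Firewall opening, made idempotent: query first, add + reload only when the
# port is not already permanently open. `--query-port` exits 0 when the port
# is present and 1 when it is not; anything else is a real firewall-cmd error.
# NOTE(review): this exposes the cfssl API (signing endpoints) in the public
# zone to every peer that can reach the host. Confirm that cfssl.json.j2
# configures API authentication / TLS, or narrow this to a rich rule limited
# to the client subnets that actually need to request certificates.
- name: Check whether the cfssl API port is already open
  ansible.builtin.command: firewall-cmd --zone=public --permanent --query-port=8888/tcp
  register: cfssl_port_open
  changed_when: false
  failed_when: cfssl_port_open.rc not in [0, 1]

- name: Create firewall rules
  ansible.builtin.command: firewall-cmd --zone=public --permanent --add-port=8888/tcp
  when: cfssl_port_open.rc != 0

- name: Reload firewalld to apply the permanent rule
  ansible.builtin.command: firewall-cmd --reload
  when: cfssl_port_open.rc != 0

# daemon_reload is required for systemd to pick up a new or modified unit
# file; the service is restarted whenever the unit or the rendered
# configuration changed, and merely started otherwise.
- name: Démarrage et activation du service cfssl
  ansible.builtin.systemd:
    name: cfssl
    daemon_reload: true
    enabled: true
    state: "{{ 'restarted' if (cfssl_unit.changed or cfssl_files.changed) else 'started' }}"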