updating namespace and links of role

This commit is contained in:
Rath Pascal 2025-10-25 15:22:35 +02:00
parent 922355de8a
commit 14a86fe834
15 changed files with 85 additions and 61 deletions


@ -13,7 +13,7 @@ jobs:
timeout-minutes: 1
env:
CI_JOB: 'ansible-test-molecule-${{ github.event.repository.name }}'
CI_DOMAIN: 'ci.ansibleguy.net'
CI_DOMAIN: 'ci.oss.oxl.app'
steps:
- name: Checkout


@ -10,7 +10,7 @@ jobs:
timeout-minutes: 1
env:
CI_JOB: 'ansible-test-molecule-${{ github.event.repository.name }}'
CI_DOMAIN: 'ci.ansibleguy.net'
CI_DOMAIN: 'ci.oss.oxl.app'
steps:
- name: Checkout


@ -63,7 +63,7 @@ jobs:
- name: Preparing for AnsibleLint
run: |
mkdir -p '/tmp/ansible_lint/roles/'
ln -s "${{ github.workspace }}" "/tmp/ansible_lint/roles/ansibleguy.${{ github.event.repository.name }}"
ln -s "${{ github.workspace }}" "/tmp/ansible_lint/roles/oxlorg.certs"
shell: bash
- name: Running AnsibleLint


@ -7,5 +7,5 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
E-Mail: contact@ansibleguy.net
Web: https://github.com/ansibleguy
E-Mail: contact@oxl.at
Web: https://github.com/O-X-L


@ -2,16 +2,16 @@
Ansible Role to create certificates to use on a linux server.
[![Lint](https://github.com/ansibleguy/infra_certs/actions/workflows/lint.yml/badge.svg)](https://github.com/ansibleguy/infra_certs/actions/workflows/lint.yml)
[![Ansible Galaxy](https://badges.ansibleguy.net/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/infra_certs)
[![Lint](https://github.com/O-X-L/ansible-role-certs/actions/workflows/lint.yml/badge.svg)](https://github.com/O-X-L/ansible-role-certs/actions/workflows/lint.yml)
[![Ansible Galaxy](https://badges.oss.oxl.app/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/oxlorg/certs)
**Molecule Integration-Tests**:
* Status: [![Molecule Test Status](https://badges.ansibleguy.net/infra_certs.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2) |
[![Functional-Tests](https://github.com/ansibleguy/infra_certs/actions/workflows/integration_test_result.yml/badge.svg)](https://github.com/ansibleguy/infra_certs/actions/workflows/integration_test_result.yml)
* Logs: [API](https://ci.ansibleguy.net/api/job/ansible-test-molecule-infra_certs/logs?token=2b7bba30-9a37-4b57-be8a-99e23016ce70&lines=1000) | [Short](https://badges.ansibleguy.net/log/molecule_infra_certs_test_short.log) | [Full](https://badges.ansibleguy.net/log/molecule_infra_certs_test.log)
* Status: [![Molecule Test Status](https://badges.oss.oxl.app/infra_certs.molecule.svg)](https://github.com/O-X-L/ansible-role-oxl-cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2) |
[![Functional-Tests](https://github.com/O-X-L/ansible-role-certs/actions/workflows/integration_test_result.yml/badge.svg)](https://github.com/O-X-L/ansible-role-certs/actions/workflows/integration_test_result.yml)
* Logs: [API](https://ci.oss.oxl.app/api/job/ansible-test-molecule-infra_certs/logs?token=2b7bba30-9a37-4b57-be8a-99e23016ce70&lines=1000) | [Short](https://badges.oss.oxl.app/log/molecule_infra_certs_test_short.log) | [Full](https://badges.oss.oxl.app/log/molecule_infra_certs_test.log)
Internal CI: [Tester Role](https://github.com/ansibleguy/_meta_cicd) | [Jobs API](https://github.com/O-X-L/github-self-hosted-jobs-systemd)
Internal CI: [Tester Role](https://github.com/O-X-L/ansible-role-oxl-cicd) | [Jobs API](https://github.com/O-X-L/github-self-hosted-jobs-systemd)
**Tested:**
@ -24,13 +24,13 @@ Internal CI: [Tester Role](https://github.com/ansibleguy/_meta_cicd) | [Jobs API
```bash
# latest
ansible-galaxy role install git+https://github.com/ansibleguy/infra_certs
ansible-galaxy role install git+https://github.com/O-X-L/ansible-role-certs
# from galaxy
ansible-galaxy install ansibleguy.infra_certs
ansible-galaxy install oxlorg.certs
# or to custom role-path
ansible-galaxy install ansibleguy.infra_certs --roles-path ./roles
ansible-galaxy install oxlorg.certs --roles-path ./roles
# install dependencies
ansible-galaxy install -r requirements.yml
@ -60,8 +60,8 @@ certs:
letsencrypt:
certs:
myNiceSite:
domains: ['myRandomSite.net', 'ansibleguy.net']
email: 'certs@template.ansibleguy.net'
domains: ['myRandomSite.net', 'oxl.at']
email: 'certs@template.oxl.at'
service: 'apache'
```
@ -79,8 +79,8 @@ certs:
cn: 'My great certificate!'
org: 'AnsibleGuy'
country: 'AT'
email: 'certs@template.ansibleguy.net'
domains: ['mySoGreat.site', 'ansibleguy.net']
email: 'certs@template.oxl.at'
domains: ['mySoGreat.site', 'oxl.at']
ips: ['192.168.44.2']
pwd: !vault ...
```
@ -97,14 +97,14 @@ certs:
cn: 'My great certificate!'
org: 'AnsibleGuy'
country: 'AT'
email: 'certs@template.ansibleguy.net'
domains: ['mySoGreat.site', 'ansibleguy.net']
email: 'certs@template.oxl.at'
domains: ['mySoGreat.site', 'oxl.at']
ca:
path: '/etc/ca'
cn: 'SUPER CertificateAuthority'
org: 'AnsibleGuy'
country: 'AT'
email: 'certs@template.ansibleguy.net'
email: 'certs@template.oxl.at'
pwd: !vault ...
```
@ -165,10 +165,10 @@ ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
* **Note:** Most of the role's functionality can be opted in or out.
For all available options - see the default-config located in [the main defaults-file](https://github.com/ansibleguy/infra_certs/blob/latest/defaults/main/1_main.yml)!
For all available options - see the default-config located in [the main defaults-file](https://github.com/O-X-L/ansible-role-certs/blob/latest/defaults/main/1_main.yml)!
* **Note:** If you have the need to **mass manage certificates** - you might want to check out the [ansibleguy.infra_pki](https://github.com/ansibleguy/infra_pki) role that enables you to create and manage a full **P**ublic **K**ey **I**nfrastructure.
* **Note:** If you have the need to **mass manage certificates** - you might want to check out the [oxlorg.pki](https://github.com/O-X-L/ansible-role-pki) role that enables you to create and manage a full **P**ublic **K**ey **I**nfrastructure.
* **Note:** The certificate file-name (_name variable as defined or else CommonName_) will be updated:


@ -91,8 +91,8 @@ defaults_certs:
# letsencrypt example:
# certs:
# example1:
# domains: ['example1.ansibleguy.net']
# email: 'dummy@ansibleguy.net'
# domains: ['example1.oxl.at']
# email: 'dummy@oxl.at'
# example2:
# domains: ['example2.ansibleguy.net']
# email: 'dummy@ansibleguy.net'
# domains: ['example2.oxl.at']
# email: 'dummy@oxl.at'


@ -1,16 +1,18 @@
---
galaxy_info:
author: 'AnsibleGuy <guy@ansibleguy.net>'
namespace: 'ansibleguy'
author: 'Rath Pascal <contact@oxl.at>'
namespace: 'oxlorg'
license: 'MIT'
issue_tracker_url: 'https://github.com/ansibleguy/infra_certs/issues'
issue_tracker_url: 'https://github.com/O-X-L/ansible-role-certs/issues'
min_ansible_version: '2.14'
description: 'Meat-role to generate/manage certificates for other roles'
platforms:
- name: Debian
versions:
- bullseye
- bookworm
- trixies
galaxy_tags:
- 'certificates'
- 'certs'
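Review bot: `- trixies` in the Debian `versions` list is not a Debian release codename; Debian 13 is `trixie`, so the entry should read `- trixie`, otherwise the Galaxy metadata advertises a platform version that does not exist. The hunk header shows two net additions, so this line is presumably new in this commit. The context line `description: 'Meat-role to generate/manage certificates for other roles'` also looks like a typo for `Meta-role`, untouched by this commit.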


@ -5,6 +5,6 @@ Check out the [Molecule Tutorial](https://github.com/ansibleguy/ansible_tutorial
# Running
```bash
cd roles/ansibleguy.ROLE
cd roles/oxlorg.certs
molecule test
```


@ -5,7 +5,7 @@
- name: Converge Internal
hosts: test-ag-certs-internal
roles:
- role: ansibleguy.infra_certs
- role: oxlorg.certs
vars:
certs:
mode: 'selfsigned'
@ -13,11 +13,11 @@
cert:
name: 'self_srv'
domains: ['cert.test.ansibleguy.net']
domains: ['cert.test.oxl.at']
ips: ['192.168.0.1']
cn: 'SelfSigned Server Cert'
org: 'AnsibleGuy Test'
email: 'testmaster@ansibleguy.net'
email: 'testmaster@oxl.at'
ou: 'Test'
country: 'AT'
state: 'Styria'
@ -25,11 +25,11 @@
valid_days: 5
key_usage: 'serverAuth'
crl_distribution:
crl_issuer: 'URI:https://ca.template.ansibleguy.net/'
full_name: 'URI:https://ca.template.ansibleguy.net/revocations.crl'
crl_issuer: 'URI:https://ca.template.oxl.at/'
full_name: 'URI:https://ca.template.oxl.at/revocations.crl'
reasons: ['key_compromise', 'ca_compromise']
- role: ansibleguy.infra_certs
- role: oxlorg.certs
vars:
certs:
mode: 'selfsigned'
@ -40,7 +40,7 @@
cn: 'SelfSigned Client Cert'
key_usage: 'clientAuth'
- role: ansibleguy.infra_certs
- role: oxlorg.certs
vars:
certs:
mode: 'selfsigned'
@ -48,10 +48,10 @@
cert:
name: 'self_other'
san_other: 'DNS:cert.templates.ansibleguy.net,email:other@cert.template.ansibleguy.net'
san_other: 'DNS:cert.templates.oxl.at,email:other@cert.template.oxl.at'
cn: 'SelfSigned Other Cert'
- role: ansibleguy.infra_certs
- role: oxlorg.certs
vars:
certs:
mode: 'ca'
@ -59,11 +59,11 @@
cert:
name: 'self_minca_srv'
domains: ['cert.test.ansibleguy.net']
domains: ['cert.test.oxl.at']
ips: ['192.168.0.1']
cn: 'CA-Signed Server Cert'
org: 'AnsibleGuy Test'
email: 'testmaster@ansibleguy.net'
email: 'testmaster@oxl.at'
ou: 'Test'
country: 'AT'
state: 'Styria'
@ -71,11 +71,11 @@
valid_days: 5
key_usage: 'serverAuth'
crl_distribution:
crl_issuer: 'URI:https://ca.template.ansibleguy.net/'
full_name: 'URI:https://ca.template.ansibleguy.net/revocations.crl'
crl_issuer: 'URI:https://ca.template.oxl.at/'
full_name: 'URI:https://ca.template.oxl.at/revocations.crl'
reasons: ['key_compromise', 'ca_compromise']
- role: ansibleguy.infra_certs
- role: oxlorg.certs
vars:
certs:
mode: 'ca'
@ -86,7 +86,7 @@
cn: 'CA-Signed Client Cert'
key_usage: 'clientAuth'
- role: ansibleguy.infra_certs
- role: oxlorg.certs
vars:
certs:
mode: 'ca'
@ -94,14 +94,14 @@
cert:
name: 'self_minca_pwd'
domains: ['cert.test.ansibleguy.net']
domains: ['cert.test.oxl.at']
ips: ['192.168.0.1']
cn: 'CA-Signed Server Cert'
pwd: 'Nope.'
key_usage: 'serverAuth'
crl_distribution:
crl_issuer: 'URI:https://ca.template.ansibleguy.net/'
full_name: 'URI:https://ca.template.ansibleguy.net/revocations.crl'
crl_issuer: 'URI:https://ca.template.oxl.at/'
full_name: 'URI:https://ca.template.oxl.at/revocations.crl'
reasons: ['key_compromise', 'ca_compromise']
ca:
@ -109,7 +109,7 @@
pwd: 'YouWantMyTreasure?YouCanHaveIt!SearchForIt-SomewhereOutThere-Hidden-IsTheBiggestTreasureOfTheWorld.'
cn: 'SelfSigned CA Cert'
org: 'AnsibleGuy Test'
email: 'testmaster@ansibleguy.net'
email: 'testmaster@oxl.at'
ou: 'Test'
country: 'AT'
state: 'Styria'
@ -125,12 +125,12 @@
letsencrypt:
certs:
test:
domains: ['infra-certs.test.ansibleguy.net']
email: 'testmaster@ansibleguy.net'
domains: ['infra-certs.test.oxl.at']
email: 'testmaster@oxl.at'
path: '/etc/ssl/le_test'
renew_timer: 'Mon *-*-* 03:00:00'
service: 'nginx'
roles:
- ansibleguy.infra_certs
- oxlorg.certs


@ -7,4 +7,4 @@
become: true
gather_facts: yes
roles:
- ansibleguy.infra_certs
- oxlorg.certs


@ -93,16 +93,38 @@
group: 'root'
mode: 0644
loop:
- 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
- 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
- 'letsencrypt-certbot.service'
- 'letsencrypt-certbot.timer'
- name: Certificates | LetsEncrypt Certbot | Enabling cert-renewal timer
ansible.builtin.systemd:
daemon_reload: yes
name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
name: 'letsencrypt-certbot.timer'
enabled: yes
state: started
- name: Certificates | LetsEncrypt Certbot | Removing legacy services (1/2)
ansible.builtin.systemd:
name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
enabled: false
state: stopped
register: legacy_svc_removal
failed_when:
- legacy_svc_removal.failed
- "'does not exist' not in legacy_svc_removal.msg"
- "'Could not find' not in legacy_svc_removal.msg"
- name: Certificates | LetsEncrypt Certbot | Removing legacy services (1/2)
ansible.builtin.template:
src: "templates/etc/systemd/system/{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
owner: 'root'
group: 'root'
mode: 0644
loop:
- 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
- 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
# Renew all previously obtained certificates that are near expiry
- name: Certificates | LetsEncrypt Certbot | Running renewal
ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}"
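Review bot: The second `Removing legacy services (1/2)` task re-creates the legacy unit files with `ansible.builtin.template` instead of deleting them, so after a run both the old `ansibleguy.infra_certs.LetsEncryptCertbot.*` units and the new `letsencrypt-certbot.*` units are present under `/etc/systemd/system`; it should be an `ansible.builtin.file` task with `state: absent`, numbered `(2/2)`. Its `src` also points at `templates/etc/systemd/system/ansibleguy.infra_certs.LetsEncryptCertbot.{service,timer}.j2`, which presumably no longer exist after this rename, so the task would likely fail on a missing template rather than quietly restore the old units. The preceding systemd task only stops and disables the legacy timer, so the legacy service unit stays registered until its file is removed and a `daemon_reload` is run. The enclosing tasks list continues outside the hunk.
```yaml
# … unchanged: new unit templating, timer enable, legacy timer stop/disable …
- name: Certificates | LetsEncrypt Certbot | Removing legacy services (2/2)
  ansible.builtin.file:
    path: "/etc/systemd/system/{{ item }}"
    state: absent
  loop:
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'

- name: Certificates | LetsEncrypt Certbot | Reloading systemd after legacy removal
  ansible.builtin.systemd:
    daemon_reload: true
# … unchanged: certbot renewal command …
```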


@ -1,5 +1,5 @@
# {{ ansible_managed }}
# ansibleguy.infra_certs - dummy site used for letsencrypt certbot
# oxlorg.certs - dummy site used for letsencrypt certbot
<VirtualHost *:80>
ServerName dummy.letsencrypt.localhost


@ -1,5 +1,5 @@
# {{ ansible_managed }}
# ansibleguy.infra_certs - dummy site used for letsencrypt certbot
# oxlorg.certs - dummy site used for letsencrypt certbot
server {
listen 80;


@ -1,5 +1,5 @@
# {{ ansible_managed }}
# ansibleguy.infra_certs
# oxlorg.certs
[Unit]
Description=Service to renew LetsEncrypt Certificates using certbot


@ -1,5 +1,5 @@
# {{ ansible_managed }}
# ansibleguy.infra_certs
# oxlorg.certs
[Unit]
Description=Timer to renew LetsEncrypt Certificates using certbot