From 84ecad4298fcb44399c3db87459bbc4e878ef828 Mon Sep 17 00:00:00 2001 From: AnsibleGuy Date: Wed, 15 May 2024 21:14:05 +0200 Subject: [PATCH] implement snakoil certificate-creation as faster alternative --- defaults/main/1_main.yml | 2 +- tasks/main.yml | 4 ++++ tasks/snakeoil.yml | 51 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 tasks/snakeoil.yml diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml index b4507da..af5b898 100644 --- a/defaults/main/1_main.yml +++ b/defaults/main/1_main.yml @@ -6,7 +6,7 @@ testing: false # default config => is overwritten by provided config defaults_certs: - mode: 'selfsigned' # selfsigned, ca, pki, le_certbot + mode: 'selfsigned' # selfsigned, snakeoil/quick, ca, pki, le_certbot path: '/etc/ssl/ansible' cert: diff --git a/tasks/main.yml b/tasks/main.yml index 709f000..b30a1f8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -40,3 +40,7 @@ when: - CERT_CONFIG.mode == 'le_certbot' - "ansible_distribution|lower in ['debian', 'ubuntu']" + +- name: Certificates | Snakeoil + ansible.builtin.include_tasks: snakeoil.yml + when: "CERT_CONFIG.mode in ['snakeoil', 'quick']" diff --git a/tasks/snakeoil.yml b/tasks/snakeoil.yml new file mode 100644 index 0000000..0205748 --- /dev/null +++ b/tasks/snakeoil.yml 
@@ -0,0 +1,51 @@
+---
+
+- name: Certificates | Snakeoil | Creating cert directory
+ ansible.builtin.file:
+ path: "{{ CERT_CONFIG.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ CERT_CONFIG.owner_key }}"
+ group: "{{ CERT_CONFIG.group_key }}"
+
+- name: Certificates | Snakeoil | Setting SAN
+ ansible.builtin.set_fact:
+ cert_san: "{% for domain in CERT_CONFIG.cert.domains %}
+ {% if domain | valid_hostname %}DNS:{{ domain }}{% if not loop.last %},{% endif %}{% endif %}
+ {% endfor %}
+ {% for ip in CERT_CONFIG.cert.ips %}
+ {% if ip | valid_ip %},IP:{{ ip }}{% endif %}
+ {% endfor %}
+ {% if CERT_CONFIG.cert.san_other %}
+ {% if CERT_CONFIG.cert.domains | length > 0 or CERT_CONFIG.cert.ips | length > 0 %},{% endif %}
+ {{ CERT_CONFIG.cert.san_other }}
+ {% endif %}"
+ when: >
+ CERT_CONFIG.cert.domains | length > 0 or
+ CERT_CONFIG.cert.ips | length > 0 or
+ CERT_CONFIG.cert.san_other
+
+- name: Certfificates | Snakeoil | Build command
+ ansible.builtin.set_fact:
+ cert_cmd: "openssl req -x509 -newkey rsa:{{ CERT_CONFIG.cert.key_size }} -sha256 -nodes \
+ {% if CERT_CONFIG.cert.cn | default(none, true) is not none %}
+ -subj \"/CN={{ CERT_CONFIG.cert.cn }}\" \
+ {% endif %}
+ {% if cert_san | default(none, true) is not none %}
+ -addext \"subjectAltName = {{ cert_san | replace(' ', '') }}\" \
+ {% endif %}
+ -keyout {{ cert_key }} -out {{ cert_pub }} \
+ -days {{ CERT_CONFIG.cert.valid_days }}"
+ cert_pub: "{{ cert_pub }}"
+ vars:
+ cert_pub: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_cert }}"
+ cert_key: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_key }}"
+
+- name: Certificates | Snakeoil | Certificate command
+ ansible.builtin.debug:
+ var: cert_cmd
+
+- name: Certificates | Snakeoil | Create Certificate
+ ansible.builtin.command: "{{ cert_cmd }}"
+ args:
+ creates: "{{ cert_pub }}"
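Review bot: The private key that the "Create Certificate" task writes via `-keyout {{ cert_key }}` gets no explicit owner, group or mode, so it is left owned by the account openssl runs as (root under become) with openssl's default permissions, while the first task hands the directory to `CERT_CONFIG.owner_key`/`group_key`; unless a later task in the role fixes this up, the configured owner cannot read its own key. `cert_san` is set under a `when` but never reset, so if this file is included more than once per play (the `name | default(CERT_CONFIG.cert.name)` pattern suggests it is) a certificate without domains, ips or san_other silently inherits the previous include's SAN; either reset it first or guard the `-addext` branch on the same condition as the set_fact. Two smaller points: `mode: 0750` in the first task is an unquoted octal and should be `mode: '0750'`, and the third task name misspells `Certfificates`. Because `ansible.builtin.command` splits the built string with shlex rather than a shell, CN and SAN values are not shell-interpreted, but a CN containing a double quote or backslash still breaks the split; an `argv` list would avoid that, and `-addext` needs OpenSSL 1.1.1 or newer, which is worth stating in the role docs.
```yaml
# … unchanged: Build command task body …
      cert_pub: "{{ cert_pub }}"
      cert_key: "{{ cert_key }}"
# … unchanged: vars, Certificate command and Create Certificate tasks …

- name: Certificates | Snakeoil | Restrict key permissions
  ansible.builtin.file:
    path: "{{ cert_key }}"
    owner: "{{ CERT_CONFIG.owner_key }}"
    group: "{{ CERT_CONFIG.group_key }}"
    mode: '0600'
```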