99 lines
2.3 KiB
YAML
99 lines
2.3 KiB
YAML
---
|
|
|
|
no_prompts: false
|
|
debug: false
|
|
testing: false
|
|
|
|
# default config => is overwritten by provided config
|
|
defaults_certs:
|
|
mode: 'selfsigned' # selfsigned, snakeoil/quick, ca, pki, le_certbot
|
|
path: '/etc/ssl/ansible'
|
|
|
|
cert:
|
|
name:
|
|
key_size: 4096 # 1024, 2048, 4096
|
|
key_type: 'ECC'
|
|
curve: 'secp256r1'
|
|
cipher: 'auto'
|
|
digest: 'sha256'
|
|
regenerate: 'partial_idempotence'
|
|
pwd:
|
|
domains: []
|
|
ips: []
|
|
backend: 'auto'
|
|
|
|
# certificate config
|
|
cn: 'Ansible Certificate'
|
|
org:
|
|
ou:
|
|
country:
|
|
state:
|
|
locality:
|
|
san_other: # other RAW values to set as subject alternative name => MUST BE VALID
|
|
email: # if using letsencrypt you might pass an email per domain => see letsencrypt-certs
|
|
key_usage: 'serverAuth' # serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, ocspSigning
|
|
ocsp_staple: false
|
|
crl_distribution: [] # list of dicts
|
|
# - full_name:
|
|
# - "URI:https://ca.example.com/revocations.crl"
|
|
# crl_issuer:
|
|
# - "URI:https://ca.example.com/"
|
|
# reasons:
|
|
# - key_compromise
|
|
# - ca_compromise
|
|
# - cessation_of_operation
|
|
valid_days: 730
|
|
|
|
mode_key: '0640'
|
|
mode_cert: '0644'
|
|
|
|
owner_key: 'root'
|
|
group_key: 'root'
|
|
owner_cert: 'root'
|
|
group_cert: 'root'
|
|
|
|
extension_cert: 'crt'
|
|
extension_key: 'key'
|
|
extension_csr: 'csr'
|
|
|
|
letsencrypt:
|
|
path: '/etc/letsencrypt'
|
|
service: # apache, nginx
|
|
renew_timer: 'Mon *-*-* 01:00:00'
|
|
verbosity: 'v'
|
|
certs: {} # see 'default_le_certbot_cert' below
|
|
renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
|
|
hook:
|
|
email:
|
|
key_size:
|
|
|
|
ca:
|
|
path:
|
|
valid_days: 7300
|
|
key_size: 8192 # 1024, 2048, 4096, 8192
|
|
key_type: 'ECC'
|
|
curve: 'secp256r1'
|
|
cipher: 'auto'
|
|
digest: 'sha512'
|
|
regenerate: 'partial_idempotence'
|
|
pwd:
|
|
backend: 'auto'
|
|
|
|
# certificate config
|
|
cn: 'CA Certificate'
|
|
org:
|
|
ou:
|
|
country:
|
|
state:
|
|
locality:
|
|
email:
|
|
|
|
# letsencrypt example:
|
|
# certs:
|
|
# example1:
|
|
# domains: ['example1.ansibleguy.net']
|
|
# email: 'dummy@ansibleguy.net'
|
|
# example2:
|
|
# domains: ['example2.ansibleguy.net']
|
|
# email: 'dummy@ansibleguy.net'
|