ansibleguy.infra_certs/defaults/main.yml

---

no_prompts: false
debug: false
testing: false

# default config => is overwritten by provided config
defaults_certs:
  mode: 'selfsigned'  # selfsigned, ca, pki, le_certbot
  path: '/etc/ssl/ansible'

  cert:
    name:
    key_size: 4096  # 1024, 2048, 4096
    key_type: 'RSA'
    cipher: 'auto'
    digest: 'sha256'
    regenerate: 'partial_idempotence'
    pwd:
    domains: []
    ips: []
    backend: 'auto'

    # certificate config
    cn: 'Ansible Certificate'
    org:
    ou:
    country:
    state:
    locality:
    san_other:  # other RAW values to set as subject alternative name => MUST BE VALID
    email:  # if using letsencrypt you might pass an email per domain => see letsencrypt-certs
    key_usage: 'serverAuth'  # serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, ocspSigning
    ocsp_staple: false
    crl_distribution: []  # list of dicts
    #      - full_name:
    #        - "URI:https://ca.example.com/revocations.crl"
    #        crl_issuer:
    #          - "URI:https://ca.example.com/"
    #        reasons:
    #          - key_compromise
    #          - ca_compromise
    #          - cessation_of_operation
    valid_days: 730

  mode_key: '0640'
  mode_cert: '0644'

  owner_key: 'root'
  group_key: 'root'
  owner_cert: 'root'
  group_cert: 'root'

  extension_cert: 'crt'
  extension_key: 'key'
  extension_csr: 'csr'

  letsencrypt:
    path: '/etc/letsencrypt'
    service:  # apache, nginx
    renew_timer: 'Mon *-*-* 01:00:00'
    verbosity: 'v'
    certs: {}  # see 'default_le_certbot_cert' below
    renew: false  # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
    email:

  ca:
    path:
    valid_days: 7300
    key_size: 8192  # 1024, 2048, 4096, 8192
    key_type: 'RSA'
    cipher: 'auto'
    digest: 'sha512'
    regenerate: 'partial_idempotence'
    pwd:
    backend: 'auto'

    # certificate config
    cn: 'CA Certificate'
    org:
    ou:
    country:
    state:
    locality:
    email:

CERT_CONFIG: "{{ defaults_certs | combine(certs, recursive=true) }}"

default_le_certbot_cert:
  domains: []
  key_size: "{{ CERT_CONFIG.letsencrypt.key_size | default(CERT_CONFIG.cert.key_size, true) }}"
  state: "{{ CERT_CONFIG.letsencrypt.state | default('present', true) }}"
  email: "{{ CERT_CONFIG.letsencrypt.email }}"

# letsencrypt example:
# certs:
#   example1:
#     domains: ['example1.ansibleguy.net']
#     email: 'dummy@ansibleguy.net'
#   example2:
#     domains: ['example2.ansibleguy.net']
#     email: 'dummy@ansibleguy.net'