public_git
/
ansibleguy.infra_certs
mirror of https://github.com/ansibleguy/infra_certs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
ansibleguy.infra_certs/defaults/main.yml

86 lines
2.0 KiB
YAML
Raw Blame History

---
# default config => is overwritten by provided config
default_certs:
mode: 'selfsigned' # selfsigned, ca, pki, le_certbot
path: '/etc/certs'
cert:
name:
key_size: 4096 # 1024, 2048, 4096
key_type: 'RSA'
cipher: 'AES-256-CBC' # see: 'openssl list -cipher-algorithms'
digest: 'sha256'
regenerate: 'partial_idempotence'
pwd:
domains: []
ips: []
# certificate config
cn: 'Ansible Certificate'
org:
ou:
country:
state:
locality:
email: # if using letsencrypt you might pass an email per domain => see letsencrypt-certs
key_usage: 'serverAuth' # serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, ocspSigning
ocsp_staple: false
crl_distribution: []
# - full_name:
# - "URI:https://ca.example.com/revocations.crl"
# crl_issuer:
# - "URI:https://ca.example.com/"
# reasons:
# - key_compromise
# - ca_compromise
# - cessation_of_operation
valid_days: 730
mode_key: '0640'
mode_cert: '0644'
owner_key: 'root'
group_key: 'root'
owner_cert: 'root'
group_cert: 'root'
extension_cert: 'crt'
extension_key: 'key'
extension_csr: 'csr'
letsencrypt:
path: '/etc/letsencrypt'
service: # apache, nginx
renew_timer: 'Mon *-*-* 01:00:00'
verbosity: 'v'
certs: {} # see 'default_le_certbot_cert_config'
renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
ca:
path: '/etc/certs/ca'
valid_days: 7300
key_size: 8192 # 1024, 2048, 4096, 8192
key_type: 'RSA'
cipher: 'AES-256-CBC' # see: 'openssl list -cipher-algorithms'
digest: 'sha512'
regenerate: 'partial_idempotence'
pwd:
# certificate config
cn: 'CA Certificate'
org:
ou:
country:
state:
locality:
email:
CERT_CONFIG: "{{ default_certs | combine(certs, recursive=true) }}"
default_le_certbot_cert_config:
domains: []
state: 'present'
email:
Reference in New Issue View Git Blame Copy Permalink