public_git
/
ansibleguy.infra_mariadb
mirror of https://github.com/ansibleguy/infra_certs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

implement snakoil certificate-creation as faster alternative

This commit is contained in:
AnsibleGuy 2024-05-15 21:14:05 +02:00
parent aa5d0ba109
commit 84ecad4298
No known key found for this signature in database
GPG Key ID: 52984C069F5AD3CD
3 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main/1_main.yml
View File

@ -6,7 +6,7 @@ testing: false
# default config => is overwritten by provided config # default config => is overwritten by provided config
defaults_certs: defaults_certs:
mode: 'selfsigned' # selfsigned, ca, pki, le_certbot mode: 'selfsigned' # selfsigned, snakeoil/quick, ca, pki, le_certbot
path: '/etc/ssl/ansible' path: '/etc/ssl/ansible'
cert: cert:

4
tasks/main.yml
View File

@ -40,3 +40,7 @@
when: when:
- CERT_CONFIG.mode == 'le_certbot' - CERT_CONFIG.mode == 'le_certbot'
- "ansible_distribution|lower in ['debian', 'ubuntu']" - "ansible_distribution|lower in ['debian', 'ubuntu']"
- name: Certificates | Snakeoil
ansible.builtin.include_tasks: snakeoil.yml
when: "CERT_CONFIG.mode in ['snakeoil', 'quick']"

51
tasks/snakeoil.yml Normal file
View File

@ -0,0 +1,51 @@
---
- name: Certificates | Snakeoil | Creating cert directory
ansible.builtin.file:
path: "{{ CERT_CONFIG.path }}"
state: directory
mode: 0750
owner: "{{ CERT_CONFIG.owner_key }}"
group: "{{ CERT_CONFIG.group_key }}"
- name: Certificates | Snakeoil | Setting SAN
ansible.builtin.set_fact:
cert_san: "{% for domain in CERT_CONFIG.cert.domains %}
{% if domain | valid_hostname %}DNS:{{ domain }}{% if not loop.last %},{% endif %}{% endif %}
{% endfor %}
{% for ip in CERT_CONFIG.cert.ips %}
{% if ip | valid_ip %},IP:{{ ip }}{% endif %}
{% endfor %}
{% if CERT_CONFIG.cert.san_other %}
{% if CERT_CONFIG.cert.domains | length > 0 or CERT_CONFIG.cert.ips | length > 0 %},{% endif %}
{{ CERT_CONFIG.cert.san_other }}
{% endif %}"
when: >
CERT_CONFIG.cert.domains | length > 0 or
CERT_CONFIG.cert.ips | length > 0 or
CERT_CONFIG.cert.san_other
- name: Certfificates | Snakeoil | Build command
ansible.builtin.set_fact:
cert_cmd: "openssl req -x509 -newkey rsa:{{ CERT_CONFIG.cert.key_size }} -sha256 -nodes \
{% if CERT_CONFIG.cert.cn | default(none, true) is not none %}
-subj \"/CN={{ CERT_CONFIG.cert.cn }}\" \
{% endif %}
{% if cert_san | default(none, true) is not none %}
-addext \"subjectAltName = {{ cert_san | replace(' ', '') }}\" \
{% endif %}
-keyout {{ cert_key }} -out {{ cert_pub }} \
-days {{ CERT_CONFIG.cert.valid_days }}"
cert_pub: "{{ cert_pub }}"
vars:
cert_pub: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_cert }}"
cert_key: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_key }}"
- name: Certificates | Snakeoil | Certificate command
ansible.builtin.debug:
var: cert_cmd
- name: Certificates | Snakeoil | Create Certificate
ansible.builtin.command: "{{ cert_cmd }}"
args:
creates: "{{ cert_pub }}"