public_git
/
ansibleguy.infra_mariadb
mirror of https://github.com/ansibleguy/infra_certs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
ansibleguy.infra_mariadb/tasks/internal/cert.yml

205 lines
9.8 KiB
YAML
Raw Blame History

---
- name: Certificates | Internal | Cert | Generate private key (encrypted)
community.crypto.openssl_privatekey:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
cipher: "{{ CERT_CONFIG.cert.cipher }}"
size: "{{ CERT_CONFIG.cert.key_size }}"
type: "{{ CERT_CONFIG.cert.key_type }}"
passphrase: "{{ CERT_CONFIG.cert.pwd }}"
regenerate: "{{ CERT_CONFIG.cert.regenerate }}"
mode: "{{ CERT_CONFIG.mode_key }}"
owner: "{{ CERT_CONFIG.owner_key }}"
group: "{{ CERT_CONFIG.group_key }}"
no_log: true
when: CERT_CONFIG.cert.pwd | default(none, true) is not none
- name: Certificates | Internal | Cert | Generate private key (plain)
community.crypto.openssl_privatekey:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
size: "{{ CERT_CONFIG.cert.key_size }}"
type: "{{ CERT_CONFIG.cert.key_type }}"
regenerate: "{{ CERT_CONFIG.cert.regenerate }}"
mode: "{{ CERT_CONFIG.mode_key }}"
owner: "{{ CERT_CONFIG.owner_key }}"
group: "{{ CERT_CONFIG.group_key }}"
no_log: true
when: CERT_CONFIG.cert.pwd | default(none, true) is none
- name: Certificates | Internal | Cert | Setting SAN
ansible.builtin.set_fact:
cert_san: "{% for domain in CERT_CONFIG.cert.domains %}
{% if domain | valid_domain %}DNS:{{ domain }}{% if not loop.last %},{% endif %}{% endif %}
{% endfor %}
{% for ip in CERT_CONFIG.cert.ips %}
{% if ip | valid_ip %},IP:{{ ip }}{% endif %}
{% endfor %}"
- name: Certificates | Internal | Cert | Generating signing-request (encrypted key)
community.crypto.openssl_csr:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
privatekey_passphrase: "{{ CERT_CONFIG.cert.pwd }}"
digest: "{{ CERT_CONFIG.cert.digest }}"
common_name: "{{ CERT_CONFIG.cert.cn }}"
organization_name: "{{ CERT_CONFIG.cert.org }}"
country_name: "{{ CERT_CONFIG.cert.country }}"
state_or_province_name: "{{ CERT_CONFIG.cert.state }}"
locality_name: "{{ CERT_CONFIG.cert.locality }}"
email_address: "{{ CERT_CONFIG.cert.email }}"
extended_key_usage: "{{ CERT_CONFIG.cert.key_usage }}"
ocsp_must_staple: "{{ CERT_CONFIG.cert.ocsp_staple }}"
crl_distribution_points: "{{ CERT_CONFIG.cert.crl_distribution }}"
subject_alt_name: "{{ cert_san | replace(' ', '') | default('DNS:localhost', true) }}"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when: CERT_CONFIG.cert.pwd | default(none, true) is not none
changed_when: false
- name: Certificates | Internal | Cert | Generating signing-request (plain key)
community.crypto.openssl_csr:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
digest: "{{ CERT_CONFIG.cert.digest }}"
common_name: "{{ CERT_CONFIG.cert.cn }}"
organization_name: "{{ CERT_CONFIG.cert.org }}"
country_name: "{{ CERT_CONFIG.cert.country }}"
state_or_province_name: "{{ CERT_CONFIG.cert.state }}"
locality_name: "{{ CERT_CONFIG.cert.locality }}"
email_address: "{{ CERT_CONFIG.cert.email }}"
extended_key_usage: "{{ CERT_CONFIG.cert.key_usage }}"
ocsp_must_staple: "{{ CERT_CONFIG.cert.ocsp_staple }}"
crl_distribution_points: "{{ CERT_CONFIG.cert.crl_distribution }}"
subject_alt_name: "{{ cert_san | replace(' ', '') | default('DNS:localhost', true) }}"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when: CERT_CONFIG.cert.pwd | default(none, true) is none
changed_when: false
- name: Certificates | Internal | Cert | Self-Signed | Generating certificate (encrypted key)
community.crypto.x509_certificate:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_cert }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
privatekey_passphrase: "{{ CERT_CONFIG.cert.pwd }}"
csr_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
provider: selfsigned
valid_in: "{{ CERT_CONFIG.cert.valid_days }}d"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when:
- CERT_CONFIG.cert.pwd | default(none, true) is not none
- CERT_CONFIG.mode == 'selfsigned'
- name: Certificates | Internal | Cert | Self-Signed | Generating certificate (plain key)
community.crypto.x509_certificate:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_cert }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
csr_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
provider: selfsigned
valid_in: "{{ CERT_CONFIG.cert.valid_days }}d"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when:
- CERT_CONFIG.cert.pwd | default(none, true) is none
- CERT_CONFIG.mode == 'selfsigned'
- name: Certificates | Internal | Cert | CA-Signed | Generating certificate (encrypted key; encrypted ca-key)
community.crypto.x509_certificate:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_cert }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
privatekey_passphrase: "{{ CERT_CONFIG.cert.pwd }}"
csr_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
valid_in: "{{ CERT_CONFIG.cert.valid_days }}d"
provider: ownca
ownca_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_cert }}"
ownca_privatekey_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_key }}"
ownca_privatekey_passphrase: "{{ CERT_CONFIG.ca.pwd }}"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when:
- CERT_CONFIG.ca.pwd | default(none, true) is not none
- CERT_CONFIG.cert.pwd | default(none, true) is not none
- CERT_CONFIG.mode == 'ca'
- name: Certificates | Internal | Cert | CA-Signed | Generating certificate (plain key; encrypted ca-key)
community.crypto.x509_certificate:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_cert }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
csr_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
valid_in: "{{ CERT_CONFIG.cert.valid_days }}d"
provider: ownca
ownca_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_cert }}"
ownca_privatekey_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_key }}"
ownca_privatekey_passphrase: "{{ CERT_CONFIG.ca.pwd }}"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when:
- CERT_CONFIG.ca.pwd | default(none, true) is not none
- CERT_CONFIG.cert.pwd | default(none, true) is none
- CERT_CONFIG.mode == 'ca'
- name: Certificates | Internal | Cert | CA-Signed | Generating certificate (encrypted key; plain ca-key)
community.crypto.x509_certificate:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_cert }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
privatekey_passphrase: "{{ CERT_CONFIG.cert.pwd }}"
csr_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
valid_in: "{{ CERT_CONFIG.cert.valid_days }}d"
provider: ownca
ownca_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_cert }}"
ownca_privatekey_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_key }}"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when:
- CERT_CONFIG.ca.pwd | default(none, true) is none
- CERT_CONFIG.cert.pwd | default(none, true) is not none
- CERT_CONFIG.mode == 'ca'
- name: Certificates | Internal | Cert | CA-Signed | Generating certificate (plain key; plain ca-key)
community.crypto.x509_certificate:
path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_cert }}"
privatekey_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_key }}"
csr_path: "{{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_csr }}"
valid_in: "{{ CERT_CONFIG.cert.valid_days }}d"
provider: ownca
ownca_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_cert }}"
ownca_privatekey_path: "{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_key }}"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
no_log: true
when:
- CERT_CONFIG.ca.pwd | default(none, true) is none
- CERT_CONFIG.cert.pwd | default(none, true) is none
- CERT_CONFIG.mode == 'ca'
- name: Certificates | Internal | Cert | CA-Signed | Creating chained certificate
ansible.builtin.shell: "cat {{ CERT_CONFIG.path }}/{{ name }}.{{ CERT_CONFIG.extension_cert }}
{{ CERT_CONFIG.ca.path }}/ca.{{ CERT_CONFIG.extension_cert }} >
{{ CERT_CONFIG.path }}/{{ name }}.chain.{{ CERT_CONFIG.extension_cert }}"
args:
creates: "{{ CERT_CONFIG.path }}/{{ name }}.chain.{{ CERT_CONFIG.extension_cert }}"
when: CERT_CONFIG.mode == 'ca'
- name: Certificates | Internal | Cert | CA-Signed | Setting privileges on chained certificate
ansible.builtin.file:
path: "{{ CERT_CONFIG.path }}/{{ name }}.chain.{{ CERT_CONFIG.extension_cert }}"
mode: "{{ CERT_CONFIG.mode_cert }}"
owner: "{{ CERT_CONFIG.owner_cert }}"
group: "{{ CERT_CONFIG.group_cert }}"
when: CERT_CONFIG.mode == 'ca'
Reference in New Issue View Git Blame Copy Permalink