pki: Use FQCN and general cleanup

2022-10-06 15:25:00 +00:00 · 2022-10-06 15:25:00 +00:00 · 1996ec8f1a
commit 1996ec8f1a
parent 97b0f32806
1 changed files with 31 additions and 14 deletions
--- a/roles/pki/tasks/main.yml
+++ b/roles/pki/tasks/main.yml
@ -1,12 +1,11 @@
 ---
-
 - name: create hostkey group
-  group:
+  ansible.builtin.group:
    name: hostkey
    system: true

 - name: copy ca certificate
-  copy:
+  ansible.builtin.copy:
    src: "/srv/ca/certs/ca.crt"
    dest: "{{ tls_certs }}/ca.crt"
    mode: 0644
@ -14,16 +13,24 @@
    group: "{{ ansible_wheel }}"

 - name: get ca certificate hash
-  command: "openssl x509 -in /srv/ca/certs/ca.crt -noout -hash"
+  ansible.builtin.command:
+    argv:
+      - openssl
+      - x509
+      - -in
+      - /srv/ca/certs/ca.crt
+      - -noout
+      - -hash
  delegate_to: localhost
  register: result
  changed_when: false
+
 - name: store ca certificate hash
-  set_fact:
+  ansible.builtin.set_fact:
    pki_cacert_hash: "{{ result.stdout }}"

 - name: copy host certificate
-  copy:
+  ansible.builtin.copy:
    src: "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
    dest: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
    mode: 0644
@ -31,7 +38,7 @@
    group: "{{ ansible_wheel }}"

 - name: add ansible certificate fact
-  copy:
+  ansible.builtin.copy:
    content: |
      #!/bin/sh
      [ -f {{ tls_certs }}/{{ inventory_hostname }}.crt ] && awk '
@ -45,15 +52,25 @@
    owner: root
    group: "{{ ansible_wheel }}"

- name: create full chain of host certficate and ca
-  shell: "cat {{ tls_certs }}/{{ inventory_hostname }}.crt \
-   {{ tls_certs }}/ca.crt > \
-   {{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
-  args:
-    creates: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
+- name: create full chain certificate contents
+  ansible.builtin.command:
+    argv:
+      - cat
+      - "{{ tls_certs }}/{{ inventory_hostname }}.crt"
+      - "{{ tls_certs }}/ca.crt"
+  changed_when: false
+  register: pki_host_fullchain
+
+- name: copy full chain certificate file
+  ansible.builtin.copy:
+    dest: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
+    content: "{{ pki_host_fullchain }}"
+    mode: 0640
+    owner: root
+    group: "{{ ansible_wheel }}"

 - name: copy host key
-  copy:
+  ansible.builtin.copy:
    src: "/srv/ca/private/{{ inventory_hostname }}.key"
    dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
    mode: 0640