pki: Use FQCN and general cleanup
This commit is contained in:
parent
97b0f32806
commit
1996ec8f1a
1 changed files with 31 additions and 14 deletions
|
|
@ -1,12 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: create hostkey group
|
- name: create hostkey group
|
||||||
group:
|
ansible.builtin.group:
|
||||||
name: hostkey
|
name: hostkey
|
||||||
system: true
|
system: true
|
||||||
|
|
||||||
- name: copy ca certificate
|
- name: copy ca certificate
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "/srv/ca/certs/ca.crt"
|
src: "/srv/ca/certs/ca.crt"
|
||||||
dest: "{{ tls_certs }}/ca.crt"
|
dest: "{{ tls_certs }}/ca.crt"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
@ -14,16 +13,24 @@
|
||||||
group: "{{ ansible_wheel }}"
|
group: "{{ ansible_wheel }}"
|
||||||
|
|
||||||
- name: get ca certificate hash
|
- name: get ca certificate hash
|
||||||
command: "openssl x509 -in /srv/ca/certs/ca.crt -noout -hash"
|
ansible.builtin.command:
|
||||||
|
argv:
|
||||||
|
- openssl
|
||||||
|
- x509
|
||||||
|
- -in
|
||||||
|
- /srv/ca/certs/ca.crt
|
||||||
|
- -noout
|
||||||
|
- -hash
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
register: result
|
register: result
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
- name: store ca certificate hash
|
- name: store ca certificate hash
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
pki_cacert_hash: "{{ result.stdout }}"
|
pki_cacert_hash: "{{ result.stdout }}"
|
||||||
|
|
||||||
- name: copy host certificate
|
- name: copy host certificate
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
|
src: "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
|
||||||
dest: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
|
dest: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
@ -31,7 +38,7 @@
|
||||||
group: "{{ ansible_wheel }}"
|
group: "{{ ansible_wheel }}"
|
||||||
|
|
||||||
- name: add ansible certificate fact
|
- name: add ansible certificate fact
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
content: |
|
content: |
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
[ -f {{ tls_certs }}/{{ inventory_hostname }}.crt ] && awk '
|
[ -f {{ tls_certs }}/{{ inventory_hostname }}.crt ] && awk '
|
||||||
|
|
@ -45,15 +52,25 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ ansible_wheel }}"
|
group: "{{ ansible_wheel }}"
|
||||||
|
|
||||||
- name: create full chain of host certficate and ca
|
- name: create full chain certificate contents
|
||||||
shell: "cat {{ tls_certs }}/{{ inventory_hostname }}.crt \
|
ansible.builtin.command:
|
||||||
{{ tls_certs }}/ca.crt > \
|
argv:
|
||||||
{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
|
- cat
|
||||||
args:
|
- "{{ tls_certs }}/{{ inventory_hostname }}.crt"
|
||||||
creates: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
|
- "{{ tls_certs }}/ca.crt"
|
||||||
|
changed_when: false
|
||||||
|
register: pki_host_fullchain
|
||||||
|
|
||||||
|
- name: copy full chain certificate file
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
|
||||||
|
content: "{{ pki_host_fullchain }}"
|
||||||
|
mode: 0640
|
||||||
|
owner: root
|
||||||
|
group: "{{ ansible_wheel }}"
|
||||||
|
|
||||||
- name: copy host key
|
- name: copy host key
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "/srv/ca/private/{{ inventory_hostname }}.key"
|
src: "/srv/ca/private/{{ inventory_hostname }}.key"
|
||||||
dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
|
dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
|
||||||
mode: 0640
|
mode: 0640
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue