---
# Tasks that install the site CA certificate and the per-host certificate
# and private key on a managed host. tls_certs, tls_private and
# ansible_wheel are expected from role vars/defaults (not defined in this
# file); certificate and key sources live on the controller under /srv/ca.

# Group granted read access to host private keys (see the host key copy
# further down); created as a system group.
- name: Create hostkey group
  ansible.builtin.group:
    system: true
    name: hostkey

# Install the CA certificate from the controller. Public material, so it is
# world-readable; owned by root and the admin group.
- name: Copy ca certificate
  ansible.builtin.copy:
    src: /srv/ca/certs/ca.crt
    dest: '{{ tls_certs }}/ca.crt'
    owner: root
    group: '{{ ansible_wheel }}'
    mode: '0644'

# Compute the subject-name hash of the CA certificate (`-hash` is OpenSSL's
# short form of `-subject_hash`). Runs on the controller, where /srv/ca
# lives. It is a read-only query: it never reports "changed" and also runs
# in check mode so the set_fact that follows has a value.
- name: Get ca certificate hash
  delegate_to: localhost
  register: result
  changed_when: false
  check_mode: false
  ansible.builtin.command:
    argv:
      - openssl
      - x509
      - -in
      - /srv/ca/certs/ca.crt
      - -noout
      - -hash

# Keep the hash as a host fact for later tasks. It is not consumed in this
# file; presumably used to name a `<hash>.0` style symlink elsewhere —
# verify against the consumer.
- name: Store ca certificate hash
  ansible.builtin.set_fact:
    pki_cacert_hash: '{{ result.stdout }}'

# OpenBSD only: patch the system mtree specification, presumably so that
# mtree-based checks agree with the /etc/ssl/private permissions applied by
# the next task (the patch contents are not shown here). mtree.patch is
# looked up relative to the role's files directory (assumed).
- name: Patch mtree to set correct permissions on /etc/ssl/private
  when: ansible_system == 'OpenBSD'
  ansible.posix.patch:
    src: mtree.patch
    dest: /etc/mtree/4.4BSD.dist

# OpenBSD only: make the private key directory traversable by the hostkey
# group (0750 root:hostkey). No `state` is given, so the file module keeps
# the existing state and only adjusts ownership and mode of a directory
# that already exists. NOTE(review): tls_private is not managed here on
# other systems — confirm hostkey members can reach keys there.
- name: Fix private key directory permissions
  when: ansible_system == 'OpenBSD'
  ansible.builtin.file:
    path: '{{ tls_private }}'
    owner: root
    group: hostkey
    mode: '0750'

# Install the per-host certificate from the controller. Public material, so
# world-readable; owned by root and the admin group.
- name: Copy host certificate
  ansible.builtin.copy:
    src: '/srv/ca/certs/hosts/{{ inventory_hostname }}.crt'
    dest: '{{ tls_certs }}/{{ inventory_hostname }}.crt'
    owner: root
    group: '{{ ansible_wheel }}'
    mode: '0644'

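# Publish the host certificate as the local fact `ansible_certificate`
# (executable facts under /etc/ansible/facts.d are run by the setup
# module). The script prints the PEM body as one JSON string: the
# BEGIN/END lines are dropped, the base64 lines are joined without
# separators, and the result is wrapped in double quotes. If the
# certificate file is absent the `&&` guard prints nothing and the script
# exits non-zero.
# Fixes vs. the previous version: the awk pattern `/^-\-/` relied on the
# undefined escape `\-` (gawk warns and treats it as `-`); `/^-----/`
# matches the PEM armour lines portably. The shell paths are now quoted so
# a space in tls_certs or inventory_hostname cannot split the test or the
# awk argument.
- name: Add ansible certificate fact
  ansible.builtin.copy:
    content: |
      #!/bin/sh
      [ -f "{{ tls_certs }}/{{ inventory_hostname }}.crt" ] && awk '
        BEGIN { printf "\"" }
        { if (!/^-----/) printf "%s",$0 }
        END { print "\"" }
      ' "{{ tls_certs }}/{{ inventory_hostname }}.crt"
    dest: /etc/ansible/facts.d/ansible_certificate.fact
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
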
# Read the host certificate followed by the CA certificate on the target;
# the registered output feeds the next task, which writes the full-chain
# file. Read-only, so it never reports "changed" and also runs in check
# mode.
- name: Create full chain certificate contents
  register: pki_host_fullchain
  changed_when: false
  check_mode: false
  ansible.builtin.command:
    argv:
      - cat
      - '{{ tls_certs }}/{{ inventory_hostname }}.crt'
      - '{{ tls_certs }}/ca.crt'

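# Write host certificate + CA certificate as one PEM bundle for services
# that need the full chain. The command module strips the trailing newline
# from the registered stdout, so one is appended here to terminate the
# file properly (an unterminated last line breaks naive concatenation).
# NOTE(review): 0640 with the admin group is stricter than the 0644 host
# certificate although the bundle holds only public certificates — confirm
# that the services reading it run in that group.
- name: Copy full chain certificate file
  ansible.builtin.copy:
    dest: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
    content: "{{ pki_host_fullchain.stdout }}\n"
    mode: "0640"
    owner: root
    group: "{{ ansible_wheel }}"
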
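# Install the host private key from the controller, readable only by root
# and the hostkey group. `diff: false` keeps the key material out of the
# play output when the play is run with --diff, where the copy module
# would otherwise print the file contents.
- name: Copy host key
  ansible.builtin.copy:
    src: "/srv/ca/private/{{ inventory_hostname }}.key"
    dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
    mode: "0640"
    owner: root
    group: hostkey
  diff: false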