---
# Copyright 2021, BBC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# CA certificates to create. Each entry is a mapping in the shape shown in the
# examples below; the role also picks up further definitions from ansible vars
# whose names match pki_search_authorities_pattern.
pki_authorities: []
# Global enable/disable of CA generation
pki_create_ca: true
# Variable name pattern to search ansible vars for other authority definitions
pki_search_authorities_pattern: "pki_authorities_"
# Example variables defining certificate authorities: a self-signed root
# (provider: selfsigned) and an intermediate issued by it (provider: ownca,
# signed_by naming the root). key_usage lists only the CA usages
# (certificate and CRL signing).
# pki_authorities_roots:
#   - name: "SnakeRoot"
#     provider: selfsigned
#     email_address: "pki@snakeoil.com"
#     basic_constraints: "CA:TRUE"
#     cn: "Snake Oil Corp Root CA"
#     country_name: "GB"
#     state_or_province_name: "England"
#     organization_name: "Snake Oil Corporation"
#     organizational_unit_name: "IT Security"
#     key_usage:
#       - digitalSignature
#       - cRLSign
#       - keyCertSign
#     not_after: "+3650d"
# pki_authorities_intermediates:
#   - name: "SnakeRootIntermediate"
#     email_address: "pki@snakeoil.com"
#     provider: ownca
#     cn: "Snake Oil Corp Openstack Infrastructure Intermediate CA"
#     country_name: "GB"
#     state_or_province_name: "England"
#     organization_name: "Snake Oil Corporation"
#     organizational_unit_name: "IT Security"
#     key_usage:
#       - digitalSignature
#       - cRLSign
#       - keyCertSign
#     not_after: "+365d"
#     signed_by: "SnakeRoot"
# Example variable of CAs to install into the system trust store
# pki_install_ca:
#   # CA created by the PKI role, referenced by name
#   - name: SnakeRoot
#
#   # user provided CA copied from the deploy host (src) to the target (filename)
#   - src: /opt/my-ca/MyRoot.crt
#     filename: /etc/ssl/certs/MyRoot.crt
#
# CA certificates to install on the target hosts. Anything listed here becomes
# trusted host-wide, so only include CAs you control or have verified.
pki_install_ca: []
# Variable name pattern to search ansible vars for other CA installation definitions
pki_search_install_ca_pattern: "pki_install_ca_"
# set this to the name of a CA to regenerate, or to 'true' to regenerate all.
# Certificates issued by a regenerated CA will generally no longer validate
# against the new CA certificate and need to be re-issued as well.
pki_regen_ca: ''
# locations of system trust stores to install CA certs to, keyed by the
# package manager of the target distribution
pki_trust_store_location:
  apt: /usr/local/share/ca-certificates/
  dnf: /etc/pki/ca-trust/source/anchors/
# Server certificates to create
pki_certificates: []
# Variable name pattern to search ansible vars for other certificate definitions
pki_search_certificates_pattern: "pki_certificates_"
# Example variable defining server certificates signed by a role-managed CA
# pki_certificates_default:
#   - name: "SnakeWeb"
#     provider: ownca
#     cn: "www.snakeoil.com"
#     san: "DNS:www.snakeoil.com,DNS:snakeoil.com"
#   - name: "SnakeMail"
#     provider: ownca
#     cn: "imap.snakeoil.com"
#     signed_by: "SnakeRootIntermediate"
# Example variable defining a server certificate from ansible host variables.
# default_ipv4 is a mapping, so the SAN uses its 'address' entry.
# pki_certificates_default:
#   - name: "myservice_{{ ansible_facts['hostname'] }}"
#     cn: "{{ ansible_facts['hostname'] }}"
#     provider: ownca
#     san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_facts['default_ipv4']['address'] }}"
#     signed_by: "SnakeRootIntermediate"
# set this to the name of the certificate to regenerate, or to 'true' to regenerate all
pki_regen_cert: ''
# host where the generated PKI files (certificates and keys) are kept. It holds
# the key material everything else trusts, so restrict access to it.
pki_setup_host: localhost
# Python interpreter that will be used during cert generation: the playbook's
# own interpreter when pki_setup_host is localhost, otherwise the interpreter
# discovered in that host's facts
pki_setup_host_python_interpreter: "{{ (pki_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}"
# base directory for the CA and server certificates
pki_dir: "/etc/pki"
# subdirectories to be created for holding CA certs/keys/csr
# (the underscore-prefixed default is presumably defined elsewhere in the role)
pki_ca_dirs: "{{ _pki_ca_dirs }}"
# subdirectories to be created for holding server certs/keys/csr
pki_cert_dirs: "{{ _pki_cert_dirs }}"
# certificates to install
pki_install_certificates: []
# Variable name pattern to search ansible vars for other certificate installation definitions
pki_search_install_certificates_pattern: "pki_install_certificates_"
# Example variable for installation of server certificates with optional user
# supplied cert override. The private key is owned by the service user and
# readable only by it (0600); certificates are world-readable (0644).
# pki_install_certificates:
#   # server certificate
#   - src: "{{ user_ssl_cert | default(pki_dir ~ '/certs/certs/myservice_' ~ ansible_facts['hostname'] ~ '.crt') }}"
#     dest: "{{ myservice_ssl_cert }}"
#     owner: "root"
#     group: "root"
#     mode: "0644"
#   # private key
#   - src: "{{ myservice_user_ssl_key | default(pki_dir ~ '/certs/keys/myservice_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
#     dest: "{{ myservice_ssl_key }}"
#     owner: "myservice"
#     group: "myservice"
#     mode: "0600"
#   # intermediate CA
#   - src: "{{ myservice_user_ssl_ca_cert | default(pki_dir ~ '/roots/SnakeRootIntermediate/certs/SnakeRootIntermediate.crt') }}"
#     dest: "{{ myservice_ssl_ca_cert }}"
#     owner: "myservice"
#     group: "myservice"
#     mode: "0644"
# method used to create the certificates
pki_method: standalone
# Handlers naming
pki_handler_ca_changed: "ca cert changed"
pki_handler_cert_changed: "cert changed"
pki_handler_cert_installed: "cert installed"
# Default permissions used on pki_setup_host. Modes are quoted so YAML keeps
# them as octal strings instead of parsing them as integers.
# pki_owner: "root"
# pki_group: "root"
pki_cert_mode: "0644"
pki_cert_dir_mode: "0755"
# private keys and their directory are accessible by the owner only
pki_key_mode: "0600"
pki_key_dir_mode: "0700"