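---
# tested via a proxy - 'non-production-molecule.yml'
#
# Play 1 installs and configures the Step CA on the CA host and records the
# root CA fingerprint; play 2 uses that fingerprint to bootstrap trust on the
# client hosts and request x509 / SSH certificates. The fingerprint registered
# in play 1 is the trust anchor for play 2, so the task that collects it must
# fail loudly rather than hand an empty value to the clients.
- name: Setup Step CA Server
  hosts: "{{ target_ca | default('ca-server') }}"
  become: true
  gather_facts: true
  vars_files:
    - ca-vars.yml
    - ca-provisioners.yml
  roles:
    - name: Install Step CLI
      role: trfore.smallstep.step_cli
    - name: Install Step Certificates
      role: trfore.smallstep.step_ca
    - name: Add Provisioners to Step CA
      role: trfore.smallstep.step_provisioner
  post_tasks:
    - name: Get Root CA Fingerprint
      ansible.builtin.command: step certificate fingerprint /etc/step-ca/certs/root_ca.crt
      register: ca_fingerprint
      # Read-only query; never reports a change.
      changed_when: false
      # Any non-zero exit, or an empty fingerprint on stdout, is a failure.
      # (The previous `rc == 1` check let other non-zero exit codes through,
      # and play 2 would then bootstrap with an empty fingerprint.)
      failed_when: ca_fingerprint.rc != 0 or ca_fingerprint.stdout | length == 0

- name: Setup Step CA Clients (Servers)
  hosts: "{{ target_clients | default('ca_clients') }}"
  become: true
  gather_facts: true
  vars_files:
    - ssh-client-vars.yml
  roles:
    - name: Install Step CLI
      role: trfore.smallstep.step_cli
    - name: Bootstrap Step CA Root Certificate
      role: trfore.smallstep.step_ca_cert
      vars:
        # NOTE(review): the host name is hard-coded here while play 1 targets
        # `target_ca | default('ca-server')`; if `target_ca` is overridden with a
        # host that is not 'ca-server', this lookup is undefined — confirm the
        # intended inventory before relying on the override.
        step_ca_fingerprint: "{{ hostvars['ca-server'].ca_fingerprint.stdout }}" # noqa: var-naming[no-role-prefix]
        step_ca_url: "https://ca.example.com" # noqa: var-naming[no-role-prefix]
    - name: Request x509 Certificate
      role: trfore.smallstep.step_cert
      vars:
        step_cert_list:
          - name: "{{ ansible_fqdn }}"
            subject: "{{ ansible_fqdn }}"
            path: /etc/step/certs/
            san_0: "{{ ansible_default_ipv4.address }}"
            provisioner: "acme"
    - name: Configure Host for SSH Certificates
      role: trfore.smallstep.step_ssh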