roles/pki/tasks/main.yml - Benjamin Bohard, 29/08/2022 16:18

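---
# roles/pki/tasks/main.yml — install smallstep (step CLI + step-ca) from pinned
# GitHub release packages, initialise the CA once, add an ACME provisioner and
# fetch the public CA certificates to the controller.
#
# Optional role variables (all constructed here, none are required):
#   pki_step_cli_sha256 / pki_step_ca_sha256  "sha256:<hex digest>" of the two
#                                             .deb files; without them the
#                                             downloads are NOT verified.
#   pki_provisioner                           provisioner name passed to
#                                             `step ca init`.

# NOTE(review): apt's `deb: <url>` form downloads without any integrity check.
# Fetching with get_url first lets a checksum be enforced when the variable is
# defined; `default(omit)` keeps the task runnable when it is not.
- name: Download step CLI package
  get_url:
    url: https://github.com/smallstep/cli/releases/download/v0.21.0/step-cli_0.21.0_amd64.deb
    dest: /root/step-cli_0.21.0_amd64.deb
    checksum: "{{ pki_step_cli_sha256 | default(omit) }}"
    mode: "0644"

- name: Install step
  apt:
    deb: /root/step-cli_0.21.0_amd64.deb

- name: Download step-ca package
  get_url:
    url: https://github.com/smallstep/certificates/releases/download/v0.21.0/step-ca_0.21.0_amd64.deb
    dest: /root/step-ca_0.21.0_amd64.deb
    checksum: "{{ pki_step_ca_sha256 | default(omit) }}"
    mode: "0644"

- name: Install step-ca
  apt:
    deb: /root/step-ca_0.21.0_amd64.deb

- name: Copy step-ca service file
  copy:
    src: step-ca.service
    dest: /etc/systemd/system/step-ca.service
    owner: root
    group: root
    mode: "0644"

# The result is registered so the "Configure step-ca" block below can key off
# the unit's SubState; errors are ignored because, presumably, the unit cannot
# stay up before the CA has been initialised.
- name: Enable and start step-ca service
  systemd:
    name: step-ca.service
    daemon_reload: true
    enabled: true
    state: started
  register: stepca_status
  ignore_errors: true

# One-time CA initialisation, gated on the unit having died on first start.
# NOTE(review): if the systemd task failed without returning a `status` dict,
# this condition itself raises — confirm on a fresh host.
- name: Configure step-ca
  when: stepca_status.status.SubState == 'dead'
  block:
    # NOTE(review): python3-pexpect is installed here and removed below, but no
    # task in this file uses it (init is non-interactive via --password-file).
    # The pair also removes the package even if it was present before this
    # role ran — looks like a leftover; kept unchanged pending confirmation.
    - name: Install pexpect
      apt:
        name: python3-pexpect
        state: present

    # `diff: false` keeps the password out of --diff output; the file itself is
    # root-only and is read by step-ca at start-up.
    - name: Copy password file
      template:
        src: step_password.jinja
        dest: /root/step_password
        owner: root
        group: root
        mode: "0400"
      diff: false

    # `command` instead of `shell`: no shell features are needed, so the
    # templated hostname is passed as a plain argument rather than through a
    # shell.  `creates` makes the task idempotent — `step ca init` must not run
    # twice against the same STEPPATH.  The CA binds to all interfaces so the
    # delegated wait_for below can reach it; restrict 9443 with the host
    # firewall if only the intended ACME clients should see it.
    - name: Init CA
      command:
        cmd: >-
          step ca init
          --name={{ inventory_hostname }}
          --dns={{ inventory_hostname }}
          --address=0.0.0.0:9443
          --provisioner={{ pki_provisioner | default('bbohard@cadoles.com') }}
          --password-file=/root/step_password
        creates: /root/.step/certs/root_ca.crt
      register: init_result

    - name: Remove pexpect
      apt:
        name: python3-pexpect
        state: absent

    - name: Start step-ca service after CA initialisation
      systemd:
        name: step-ca.service
        enabled: true
        state: started

# Runs from the controller, which is why the CA must be reachable on
# inventory_hostname:9443 and not only on localhost.
- name: Wait for valid status
  wait_for:
    port: 9443
    host: "{{ inventory_hostname }}"
    delay: 1
    timeout: 30
  delegate_to: localhost

# Not idempotent: adding an existing provisioner fails, hence ignore_errors.
# NOTE(review): this also masks genuine failures (CA unreachable, bad config);
# a `failed_when` matching only the "already exists" case would be tighter once
# the exact error text is confirmed.
- name: Create acme provisioner
  command:
    cmd: step ca provisioner add acme --type ACME
  register: acme_provisioner
  ignore_errors: true
  changed_when: acme_provisioner.rc == 0

# Restarted so the new provisioner is picked up (configuration is presumably
# read at start-up).  Unit name matches the other systemd tasks.
- name: Restart step-ca
  systemd:
    name: step-ca.service
    state: restarted

# Public certificates only (no private keys leave the host); fetch stores them
# under fetched/<inventory_hostname>/root/.step/certs/ on the controller.
- name: Fetch CA certificates
  fetch:
    src: "{{ item }}"
    dest: "fetched"
  loop:
    - /root/.step/certs/root_ca.crt
    - /root/.step/certs/intermediate_ca.crt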