main.yml
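---
# Ansible tasks: install the smallstep step-cli and step-ca .deb packages
# from GitHub releases, then initialise and start a step-ca instance.

- name: Install step
  apt:
    # The release version is a variable so both the path and the file name
    # are bumped in one place; the default preserves the pinned 0.21.0.
    # NOTE(review): apt deb: downloads over TLS only — no checksum pin. To
    # pin the artifact, download it first with get_url and a checksum
    # (placeholder: <STEP_CLI_DEB_SHA256>) and point deb: at the local file.
    deb: "https://github.com/smallstep/cli/releases/download/v{{ step_cli_version | default('0.21.0') }}/step-cli_{{ step_cli_version | default('0.21.0') }}_amd64.deb"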
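- name: Install step-ca
  apt:
    # Same pattern as step-cli: one variable controls path and file name,
    # defaulting to the previously hard-coded 0.21.0.
    # NOTE(review): no checksum pin on the downloaded package (TLS only);
    # get_url + checksum (placeholder: <STEP_CA_DEB_SHA256>) would pin it.
    deb: "https://github.com/smallstep/certificates/releases/download/v{{ step_ca_version | default('0.21.0') }}/step-ca_{{ step_ca_version | default('0.21.0') }}_amd64.deb"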
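- name: Enable and start step-ca service
  block:
    - name: Copy step-ca service file
      copy:
        src: step-ca.service
        dest: /etc/systemd/system/step-ca.service
        # Explicit ownership/mode: a unit file writable by anyone but root
        # would let that user change what systemd runs as the CA.
        owner: root
        group: root
        mode: "0644"

    - name: Enable and start step-ca (first attempt, before CA init)
      systemd:
        name: step-ca.service
        daemon_reload: true
        enabled: true
        state: started
      # The result (.status.SubState) is read by the "Configure step-ca"
      # block to decide whether the unit needs to be started again.
      register: stepca_status
      # The CA is not initialised at this point (the "Init CA" task runs
      # later), so a failed start is expected here and handled afterwards.
      ignore_errors: true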
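- name: Configure step-ca
  block:
    # NOTE(review): no task in this block uses the expect module and the CA
    # password is passed via --password-file, so the pexpect install/remove
    # pair looks vestigial — confirm before dropping it.
    - name: Install pexpect
      apt:
        name: python3-pexpect
        state: present

    - name: Copy password file
      template:
        src: step_password.jinja
        dest: /root/step_password
        owner: root
        group: root
        mode: "0400"
      # The rendered file is a secret: keep its contents out of logs/diffs.
      no_log: true

    - name: Init CA
      # command (not shell): inventory_hostname is passed as an argument and
      # never parsed by a shell. creates: turns a re-run into a no-op instead
      # of re-initialising an existing CA (root_ca.crt is the file fetched
      # below, so it is a reliable marker of a completed init).
      # --address=0.0.0.0 binds the CA on every interface; restrict it (or
      # firewall the port) if the CA should not be reachable from outside.
      command:
        cmd: >-
          step ca init
          --name={{ inventory_hostname }}
          --dns={{ inventory_hostname }}
          --address=0.0.0.0:{{ step_ca_port | default(9443) }}
          --provisioner={{ step_ca_provisioner | default('bbohard@cadoles.com') }}
          --password-file=/root/step_password
        creates: /root/.step/certs/root_ca.crt
      register: init_result

    - name: Remove pexpect
      apt:
        name: python3-pexpect
        state: absent

    - name: Start step-ca if the first start attempt left the unit dead
      systemd:
        name: step-ca.service
        enabled: true
        state: started
      # stepca_status is registered by the "Enable and start step-ca service"
      # task; guarding on .status makes a result without it skip rather than
      # abort the play.
      when:
        - stepca_status.status is defined
        - stepca_status.status.SubState == 'dead'

    - name: Wait for valid status
      wait_for:
        port: "{{ step_ca_port | default(9443) }}"
        host: "{{ inventory_hostname }}"
        delay: 1
        timeout: 30
      # Probed from the controller, not from the managed host.
      delegate_to: localhost

    - name: Create acme provisioner
      command:
        cmd: step ca provisioner add acme --type ACME
      # NOTE(review): ignore_errors also hides genuine failures (e.g. a bad CA
      # config). The intent appears to be tolerating an already-existing
      # provisioner on re-runs; a failed_when on the registered stderr would
      # be more precise once the exact message is confirmed.
      ignore_errors: true

    - name: Restart step-ca
      systemd:
        # Same unit name as the other systemd tasks in this file.
        name: step-ca.service
        state: restarted

    # Only the CA's certificate files are copied back; no key material.
    - name: Fetch root certificate
      fetch:
        dest: "fetched"
        src: "/root/.step/certs/root_ca.crt"

    - name: Fetch intermediate certificate
      fetch:
        dest: "fetched"
        src: "/root/.step/certs/intermediate_ca.crt"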