36 lines
1.6 KiB
YAML
36 lines
1.6 KiB
YAML
---
|
|
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
|
# What: Requests and signs a certificate from an IPA CA
|
|
# What is expected:
|
|
# -> getcert_name: Name of the certificate (FQDN)
|
|
# -> getcert_owner: what account owns the certificate files
|
|
# -> getcert_key: path to the certificate key
|
|
# -> getcert_cert: path to the certificate
|
|
# -> getcert_postcmd: command to run after a certificate renews
|
|
# -> getcert_chain: true/false, should cert and key be chained together
|
|
# -> getcert_chain_location: location for the chain
|
|
# -> getcert_service: service name (eg HTTP, host), defaults to host
|
|
# TODO: Add CNAME/SAN support
|
|
|
|
- name: Request and sign an IPA Certificate
|
|
hosts: all
|
|
become: true
|
|
vars:
|
|
ipa_getcert_requested_hostnames:
|
|
- name: "{{ getcert_name|default(ansible_fqdn) }}"
|
|
owner: "{{ getcert_owner|default('root') }}"
|
|
key_location: "{{ getcert_key|default('/etc/pki/tls/private/newcert.key') }}"
|
|
cert_location: "{{ getcert_cert|default('/etc/pki/tls/certs/newcert.crt') }}"
|
|
nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}"
|
|
nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}"
|
|
postcmd: "{{ getcert_postcmd|default(false) }}"
|
|
service: "{{ getcert_service|default('host') }}"
|
|
ipa_getcert_chain: "{{ getcert_chain|default(false) }}"
|
|
ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}"
|
|
ipa_getcert_nss: "{{ getcert_nss|default(false) }}"
|
|
|
|
roles:
|
|
- role: rockylinux.ipagetcert
|
|
state: present
|
|
...
|