diff --git a/README.md b/README.md
index 13ffe68..05f252b 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,11 @@
 CI Badge
-# Ansible template role
-basic Role to use going forward because I forget pieces
+# ipa-getcert Ansible Role
+A very basic ipa-getcert role used for certificates issued for internal communication. This assumes the client is enrolled with FreeIPA.
+
+This is loosely based on another project on github with some heavy modifications and adapted for the Rocky Linux infrastructure. It may be used and copied.
+
+**Note**: Note that the certificates should auto-renew when requested via `ipa-getcert`. However. if you turn on the chain, you will have to renew that manually.
 ## Getting started
 Ensure all dependencies are installed and then follow the below process
@@ -9,7 +13,7 @@ Ensure all dependencies are installed and then follow the below process
 2. `pre-commit install` Install the pre-commit hooks
 3. Make edits as explained in the customization section
 4. `pre-commit` Make sure existing code is good
-5. `do development` Dont ask me :D
+5. `do development` You know what to do
 6. `pre-commit` Make sure the edits are good to go
 7. `molecule converge`
@@ -20,21 +24,14 @@ This repo expects 3 things installed on the local machine
 3. [yamllint](https://github.com/adrienverge/yamllint) Ensures all yaml is well formed
 ### Customization
-There are a few files that are required to be updated when using this template
-1. [molecule/requirements.yml](molecule/requirements.yml) - Update with any required roles or collections
-2. [molecule/default/converge.yml](molecule/default/converge.yml) - update with new role name
-3. [molecule/default/molecule.yml](molecule/default/molecule.yml) - update with desired distributions and extra playbooks
-4. [github](github) - Rename to `.github` and push, this will set up yamllint, ansible-lint and a CI check job for the `main` branch
- 1. NOTE: If you are using a SAML token this may fail. You can created the files within the Github web app
+If you can come up with a customization to this, go for it!
 ### Optional
 The github actions are configured to automatically run the molecule tests but if you want to load them locally you will also need molecule installed on the development machine
 ## Advanced
-
 There are numerous other options within the [defaults/main.yml](./defaults/main.yml) that can change other parts of the behavior of the system
 ## Changelog
 The [changelog](./CHANGELOG.md) is stored externally
-
diff --git a/defaults/main.yml b/defaults/main.yml
index 7faaf71..d215bed 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,17 @@
 ---
-# ansible default variables - most variables live here
\ No newline at end of file
+# ansible default variables - most variables live here
+ipa_getcert_key_location: /etc/pki/tls/private
+ipa_getcert_cert_location: /etc/pki/tls/certs
+
+# List of hostnames that should be requested
+ipa_getcert_requested_hostnames:
+ - "{{ ansible_fqdn }}"
+
+ipa_getcert_fqdn_symlink: true
+ipa_getcert_chain: false
+ipa_getcert_chain_location: /etc/pki/tls/chains
+
+# If an application user/service account needs to be able to
+# view the certificate, set the group here. This is only needed
+# for when chain is true.
+ipa_getcert_group: root
diff --git a/meta/main.yml b/meta/main.yml
index 568c597..2d39771 100644
--- a/meta/main.yml
+++ b/meta/main.yml
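Review bot: The comment above `ipa_getcert_group` says the group only needs to "view the certificate", but when `ipa_getcert_chain` is enabled the tasks in this commit assemble `<host>.crt` and `<host>.key` into one `<host>.pem` under `ipa_getcert_chain_location` with mode 0640 and that group, so members of the group can read the private key, not just the certificate. The default of `root` is fine; the risk is an operator later setting a broad group here without realising what it exposes. I would state it in the defaults, e.g. `# NOTE: with ipa_getcert_chain enabled, this group can read the assembled .pem, which contains the private key, so use a dedicated service group rather than a shared one.` It would also help to note that the `.pem` is rebuilt only on a playbook run, which is what the README's "renew manually" remark refers to.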
@@ -1,53 +1,8 @@
 galaxy_info:
- author: your name
- description: your role description
- company: your company (optional)
-
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Choose a valid license ID from https://spdx.org - some suggested licenses:
- # - BSD-3-Clause (default)
- # - MIT
- # - GPL-2.0-or-later
- # - GPL-3.0-only
- # - Apache-2.0
- # - CC-BY-4.0
+ author: Louis Abel
+ description: Basic ipa-getcert role
+ company: Rocky Linux Foundation
 license: MIT
- min_ansible_version: 2.8
-
- # If this a Container Enabled role, provide the minimum Ansible Container version.
- # min_ansible_container_version:
-
- #
- # Provide a list of supported platforms, and for each platform a list of versions.
- # If you don't wish to enumerate all versions for a particular platform, use 'all'.
- # To view available platforms and versions (or releases), visit:
- # https://galaxy.ansible.com/api/v1/platforms/
- #
- # platforms:
- # - name: Fedora
- # versions:
- # - all
- # - 25
- # - name: SomePlatform
- # versions:
- # - all
- # - 1.0
- # - 7
- # - 99.99
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes
- # and categorizes the role. Users find roles by searching for tags. Be sure to
- # remove the '[]' above, if you add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
- dependencies: []
- # List your role dependencies here, one per line. Be sure to remove the '[]' above,
- # if you add dependencies to this list.
-
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 2583e53..ac153d6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,76 @@
 ---
-# tasks
\ No newline at end of file
+# Request the certificate for the host from IPA
+# System must be enrolled as an IPA Client and must be ran as root
+- name: Check if host is IPA enrolled
+ shell: /usr/sbin/ipa-client-install --unattended 2>&1 | grep "already configured"
+ register: ipacheck
+ ignore_errors: true
+
+- name: IPA Certificate Operations
+ block:
+ - name: Request Certificate
+ command: ipa-getcert request -r -w \
+ -I "{{ item }}" \
+ -N "CN={{ item }}" \
+ -D "{{ item }}" \
+ -k "{{ ipa_getcert_key_location }}" \
+ -f "{{ ipa_getcert_cert_location }}" \
+ -K "host/{{ item }}"
+ args:
+ creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
+ with_items: "{{ ipa_getcert_requested_hostnames }}"
+ register: ipa_cert_request
+
+ - name: Symlink the fqdn certificate as localhost
+ file:
+ state: link
+ force: true
+ src: "{{ item.src }}"
+ path: "{{ item.path }}"
+ owner: root
+ group: root
+ with_items:
+ - src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
+ path: "{{ ipa_getcert_cert_location }}/localhost.crt"
+ - src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
+ path: "{{ ipa_getcert_key_location }}/localhost.key"
+
+ - name: Chain link certificates
+ block:
+ - name: Create chain directory
+ file:
+ state: directory
+ path: "{{ ipa_getcert_chain_location }}"
+ owner: root
+ group: "{{ ipa_getcert_group }}"
+ mode: '0750'
+
+ - name: Chain link certs
+ file:
+ state: link
+ src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
+ dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
+ owner: root
+ group: root
+ with_items: "{{ ipa_getcert_requested_hostnames }}"
+
+ - name: Chain link keys
+ file:
+ state: link
+ src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
+ path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
+ owner: root
+ group: root
+ with_items: "{{ ipa_getcert_requested_hostnames }}"
+
+ - name: Assemble the chain
+ assemble:
+ src: "{{ ipa_getcert_chain_location }}"
+ dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
+ regexp: "^{{ item }}.(crt|key)$"
+ owner: root
+ group: "{{ ipa_getcert_group }}"
+ mode: '0640'
+ with_items: "{{ ipa_getcert_requested_hostnames }}"
+ when: ipa_getcert_chain
+ when: ipacheck.rc == 0
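Review bot: The enrollment probe in `Check if host is IPA enrolled` runs `/usr/sbin/ipa-client-install --unattended` and greps for "already configured", so on a host that is not yet enrolled it does not merely check but starts an unattended enrollment attempt, and `ignore_errors: true` then hides whatever that did; a read-only `stat` of `/etc/ipa/default.conf` (present on an enrolled client) gates the block just as well without invoking the installer. Second, in `Symlink the fqdn certificate as localhost` the first item's `src` is `{{ ipa_getcert_cert_location }}/<fqdn>.key`, a path nothing in this role creates, so with `force: true` the task silently produces a dangling `localhost.crt` — the suffix should be `.crt`. Third, the backslash continuations inside the `command:` value sit in a plain YAML scalar, where a backslash is a literal character rather than a line continuation, so stray `\` tokens are likely passed through to ipa-getcert; a folded block scalar (`command: >-`) with one flag per line is the conventional form. Finally, `ipa_getcert_fqdn_symlink` from defaults is never consulted, so the symlink task runs unconditionally; it wants `when: ipa_getcert_fqdn_symlink`.
```yaml
- name: Check if host is IPA enrolled
  stat:
    path: /etc/ipa/default.conf
  register: ipa_conf

- name: IPA Certificate Operations
  block:
    # … unchanged: Request Certificate task …
    - name: Symlink the fqdn certificate as localhost
      # … unchanged: file link parameters …
      with_items:
        - src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.crt"
          path: "{{ ipa_getcert_cert_location }}/localhost.crt"
        # … unchanged: localhost.key item …
      when: ipa_getcert_fqdn_symlink
    # … unchanged: Chain link certificates block …
  when: ipa_conf.stat.exists
```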