diff --git a/defaults/main.yml b/defaults/main.yml
index d215bed..5c39f50 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,17 +1,25 @@
 ---
 # ansible default variables - most variables live here
-ipa_getcert_key_location: /etc/pki/tls/private
-ipa_getcert_cert_location: /etc/pki/tls/certs
+ipa_getcert_key_default_location: /etc/pki/tls/private
+ipa_getcert_cert_default_location: /etc/pki/tls/certs
+ipa_getcert_owner_default: root
 
 # List of hostnames that should be requested
 ipa_getcert_requested_hostnames:
- - "{{ ansible_fqdn }}"
+ - name: "{{ ansible_fqdn }}"
+ key_location: /etc/pki/tls/private
+ cert_location: /etc/pki/tls/certs
+
+# If you need a different ownership, you can setup the above sort of like this:
+# ipa_getcert_requested_hostnames:
+# - name: name
+# postcmd: "/bin/systemctl restart ejabberd"
+# owner: ejabberd
+# key_location: /opt/ejabberd/conf/pki
+# cert_location: /opt/ejabberd/conf/pki
+
+# This feature coming soon
+#ipa_getcert_fqdn_symlink: true
 
-ipa_getcert_fqdn_symlink: true
 ipa_getcert_chain: false
 ipa_getcert_chain_location: /etc/pki/tls/chains
-
-# If an application user/service account needs to be able to
-# view the certificate, set the group here. This is only needed
-# for when chain is true.
-ipa_getcert_group: root
diff --git a/tasks/main.yml b/tasks/main.yml
index ac153d6..8cdb688 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
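Review bot: The default entry under `ipa_getcert_requested_hostnames` hard-codes `key_location: /etc/pki/tls/private` and `cert_location: /etc/pki/tls/certs`, so the new `ipa_getcert_key_default_location` / `ipa_getcert_cert_default_location` variables have no effect on the one hostname the role requests out of the box; overriding them only reaches entries that omit the per-item keys. Dropping those two keys from the default entry lets the `_default_location` fallbacks do their job. The removal of `ipa_getcert_group` also changes who can read the chain files without saying so; the commented example should note it, e.g. `# owner: user that will own the cert, key and assembled chain (also used as the group)`.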
@@ -6,34 +6,35 @@
 register: ipacheck
 ignore_errors: true
 
+- name: Check certificate existence
+ stat:
+ path: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
+ register: cert_results
+ with_items: "{{ ipa_getcert_requested_hostnames }}"
+ ignore_errors: true
+
+- name: Verify certificate existence
+ assert:
+ that:
+ - not item.stat.exists | mandatory
+ fail_msg: "Certificate already exists!"
+ success_msg: "Certificate doesn't exist, moving on"
+ quiet: true
+ with_items: "{{ cert_results.results }}"
+
 - name: IPA Certificate Operations
 block:
- - name: Request Certificate
- command: ipa-getcert request -r -w \
- -I "{{ item }}" \
- -N "CN={{ item }}" \
- -D "{{ item }}" \
- -k "{{ ipa_getcert_key_location }}" \
- -f "{{ ipa_getcert_cert_location }}" \
- -K "host/{{ item }}"
- args:
- creates: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
- with_items: "{{ ipa_getcert_requested_hostnames }}"
- register: ipa_cert_request
-
- - name: Symlink the fqdn certificate as localhost
- file:
- state: link
- force: true
- src: "{{ item.src }}"
- path: "{{ item.path }}"
+ - name: Deploy ipa-getcert script
+ template:
+ src: "get_cert.sh.j2"
+ dest: "/root/get_cert.sh"
 owner: root
 group: root
- with_items:
- - src: "{{ ipa_getcert_cert_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
- path: "{{ ipa_getcert_cert_location }}/localhost.crt"
- - src: "{{ ipa_getcert_key_location }}/{{ ipa_getcert_requested_hostnames | first }}.key"
- path: "{{ ipa_getcert_key_location }}/localhost.key"
+ mode: '0750'
+
+ - name: Request Certificate
+ raw: /root/get_cert.sh
+ register: ipa_cert_request
 
 - name: Chain link certificates
 block:
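Review bot: The `Check certificate existence` task looks for the `.crt` under `item.key_location` (with the cert default as fallback), so for any entry whose key and cert directories differ the guard inspects the wrong directory and passes even though the certificate is already there; it should read `path: "{{ item.cert_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"`. The `ignore_errors: true` on that stat task works against you: if stat does fail, `item.stat` is missing and the following assert errors on an undefined attribute instead of surfacing the real failure. Replacing `creates:` with a hard assert also means a second run against a host that already holds its certificate fails the play outright, so the role is no longer idempotent; if that is intended, say so in the task name or a comment, otherwise skip already-present items with a `when` on the request rather than asserting. Using `raw:` for the request additionally loses check-mode support and always reports changed, and since the script is a templated file on a host that already runs Python for `template`, `command: /root/get_cert.sh` would do the same job.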
@@ -48,29 +49,31 @@
 - name: Chain link certs
 file:
 state: link
- src: "{{ ipa_getcert_cert_location }}/{{ item }}.crt"
- dest: "{{ ipa_getcert_chain_location }}/{{ item }}.crt"
- owner: root
- group: root
+ src: "{{ item.cert_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.crt"
+ dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.crt"
+ owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
+ group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
 with_items: "{{ ipa_getcert_requested_hostnames }}"
 
 - name: Chain link keys
 file:
 state: link
- src: "{{ ipa_getcert_key_location }}/{{ item }}.key"
- path: "{{ ipa_getcert_chain_location }}/{{ item }}.key"
- owner: root
- group: root
+ src: "{{ item.key_location | default(ipa_getcert_cert_default_location) }}/{{ item.name }}.key"
+ path: "{{ ipa_getcert_chain_location }}/{{ item.name }}.key"
+ owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
+ group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
 with_items: "{{ ipa_getcert_requested_hostnames }}"
 
 - name: Assemble the chain
 assemble:
 src: "{{ ipa_getcert_chain_location }}"
- dest: "{{ ipa_getcert_chain_location }}/{{ item }}.pem"
- regexp: "^{{ item }}.(crt|key)$"
- owner: root
- group: "{{ ipa_getcert_group }}"
+ dest: "{{ ipa_getcert_chain_location }}/{{ item.name }}.pem"
+ regexp: "^{{ item.name }}.(crt|key)$"
+ owner: "{{ item.owner | default(ipa_getcert_owner_default) }}"
+ group: "{{ item.owner | default(ipa_getcert_owner_default) }}"
 mode: '0640'
 with_items: "{{ ipa_getcert_requested_hostnames }}"
 when: ipa_getcert_chain
- when: ipacheck.rc == 0
+ when:
+ - ipacheck.rc == 0
+ - ipa_cert_request.rc == 0
diff --git a/templates/get_cert.sh.j2 b/templates/get_cert.sh.j2
new file mode 100644
index 0000000..c146d04
--- /dev/null
+++ b/templates/get_cert.sh.j2
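Review bot: `Chain link keys` falls back to `ipa_getcert_cert_default_location` for `item.key_location`, while the request script passes `ipa_getcert_key_default_location` to `-k`, so an entry without an explicit `key_location` gets a dangling `.key` symlink in the chain directory and the assembled `.pem` is built without the key; the line should be `src: "{{ item.key_location | default(ipa_getcert_key_default_location) }}/{{ item.name }}.key"`. The new `when:` referencing `ipa_cert_request.rc` is fine if it sits on the `Chain link certificates` block, but if it belongs to the outer `IPA Certificate Operations` block (indentation is lost in this view) Ansible evaluates block conditions per task, and the Deploy task would then fail on an undefined `ipa_cert_request` before it is registered — `ipa_cert_request is defined and ipa_cert_request.rc == 0` is safe either way. Setting `group:` to the owner's user name also assumes a same-named group exists on the host, which is worth a comment next to `ipa_getcert_owner_default`.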
@@ -0,0 +1,21 @@
+#!/bin/bash
+# This script will take care of the certificate process for IPA.
+# There may be more than one request done based on the vars of the playbook.
+
+{% for ipahosts in ipa_getcert_requested_hostnames %}
+/usr/bin/ipa-getcert request -r -w \
+ -I "{{ ipahosts.name }}" \
+ -N "CN={{ ipahosts.name }}" \
+ -D "{{ ipahosts.name }}" \
+ -k "{{ ipahosts.key_location | default(ipa_getcert_key_default_location) }}" \
+ -f "{{ ipahosts.cert_location | default(ipa_getcert_cert_default_location) }}" \
+ {% if ipahosts.postcmd %}
+ -C "{{ ipahosts.postcmd }}" \
+ {% endif %}
+ {% if ipahosts.owner %}
+ -O "{{ ipahosts.owner }}" \
+ -o "{{ ipahosts.owner }}" \
+ {% endif %}
+ -K "host/{{ ipahosts.name }}"
+
+{% endfor %}
diff --git a/vars/main.yml b/vars/main.yml
index 0d75ed2..77c8bb1 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,2 @@
 ---
 # vars file - Nothing should really go here but dynamic imports
-# and truely static items
\ No newline at end of file
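Review bot: `{% if ipahosts.postcmd %}` and `{% if ipahosts.owner %}` are evaluated on entries that may not carry those keys at all — the role's own default entry in defaults/main.yml has neither — and Ansible's templating raises an undefined-attribute error for that rather than treating it as false, so the role fails as shipped; the tests need `is defined` guards. The entry values are also dropped unescaped inside double quotes into a script that runs as root through `raw`, so a `name`, `owner` or `postcmd` containing `"` or `$(...)` escapes the quoting; Ansible's `quote` filter (shell-quoting, no surrounding quotes needed) closes that. Finally the script has no `set -e`, so with more than one entry the rc that `Request Certificate` registers is only that of the last `ipa-getcert` call, and the `ipa_cert_request.rc == 0` gate in tasks/main.yml cannot see an earlier request failing.

```jinja
#!/bin/bash
# This script will take care of the certificate process for IPA.
# There may be more than one request done based on the vars of the playbook.
# Abort on the first failed request so the rc Ansible registers is meaningful.
set -euo pipefail

{% for ipahosts in ipa_getcert_requested_hostnames %}
/usr/bin/ipa-getcert request -r -w \
  -I {{ ipahosts.name | quote }} \
  -N {{ ('CN=' ~ ipahosts.name) | quote }} \
  -D {{ ipahosts.name | quote }} \
  -k {{ ipahosts.key_location | default(ipa_getcert_key_default_location) | quote }} \
  -f {{ ipahosts.cert_location | default(ipa_getcert_cert_default_location) | quote }} \
{% if ipahosts.postcmd is defined and ipahosts.postcmd %}
  -C {{ ipahosts.postcmd | quote }} \
{% endif %}
{% if ipahosts.owner is defined and ipahosts.owner %}
  -O {{ ipahosts.owner | quote }} \
  -o {{ ipahosts.owner | quote }} \
{% endif %}
  -K {{ ('host/' ~ ipahosts.name) | quote }}

{% endfor %}
```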