---
# Look for an existing CA private key first so that the CA creation task
# further down never clobbers a key pair that is already in use.
- name: Verify that there isn't a CA key already
  ansible.builtin.stat:
    path: '{{ nebula_config_dir }}/ca.key'
  register: ca_key_check
# Same check for the CA certificate; both results feed the `when:` of the
# CA creation task.
- name: Verify that there isn't a CA cert already
  ansible.builtin.stat:
    path: '{{ nebula_config_dir }}/ca.crt'
  register: ca_cert_check
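# A CA with only one half of its key pair cannot sign anything, and the
# creation task below would silently skip in that state (its `creates:`
# keys on ca.key, its `when:` on both files). Fail loudly instead so the
# operator restores or removes the stray file deliberately.
- name: Ensure the CA key and certificate are present as a pair
  ansible.builtin.assert:
    that:
      - (ca_key_check.stat.exists | bool) == (ca_cert_check.stat.exists | bool)
    fail_msg: >-
      Only one of {{ nebula_config_dir }}/ca.key and
      {{ nebula_config_dir }}/ca.crt exists; restore the missing file or
      remove both before re-running.
    quiet: true

# `argv` passes each argument to nebula-cert as-is (no shell, no
# re-splitting of a quoted string), so a CA name containing spaces or
# quotes cannot break the command line apart or inject extra flags.
- name: Create a nebula CA certificate
  ansible.builtin.command:
    argv:
      - '{{ nebula_bin_dir }}/nebula-cert'
      - ca
      - '-name'
      - '{{ nebula_ca_name }}'
      - '-duration'
      - '{{ nebula_ca_duration }}'
      - '-out-key'
      - '{{ nebula_config_dir }}/ca.key'
      - '-out-crt'
      - '{{ nebula_config_dir }}/ca.crt'
    creates: '{{ nebula_config_dir }}/ca.key'
  when:
    - not ca_key_check.stat.exists | bool
    - not ca_cert_check.stat.exists | bool

# The mode nebula-cert gives the key file is not visible here, so pin the
# CA private key to owner-only access on every run. Only the mode is set;
# ownership is left as nebula-cert created it.
- name: Restrict access to the CA private key
  ansible.builtin.file:
    path: '{{ nebula_config_dir }}/ca.key'
    mode: '0600'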
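# Everything below only runs when certificates were requested for members
# that Ansible does not manage. `nebula_nonmanaged_member_certs` is a dict
# keyed by member name; a value may carry a `public_key` (then only a
# certificate is issued) or not (then a key pair is generated as well).
- name: Perform steps for non-ansible members
  when: nebula_nonmanaged_member_certs | length > 0
  block:
    # Member names are spliced straight into paths under the config dir
    # and /var/tmp, so refuse anything that could escape those directories
    # (path separators, a leading '.' or '-', shell-significant bytes).
    - name: Ensure non-ansible member names are safe to use in paths
      ansible.builtin.assert:
        that:
          - item.key is match('^[A-Za-z0-9][A-Za-z0-9._-]*$')
        fail_msg: "Refusing member name '{{ item.key }}': only [A-Za-z0-9._-] is allowed"
        quiet: true
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # NOTE(review): this is the only task in the block that delegates to
    # nebula_ca_host; the generator/archive/fetch tasks below run on the
    # play's target. Presumably the play targets the CA host — confirm,
    # otherwise the .pub files land on a different host than the signer.
    - name: Write out the public keys of non-ansible members if needed
      delegate_to: "{{ nebula_ca_host }}"
      ansible.builtin.copy:
        dest: "{{ nebula_config_dir }}/{{ item.key }}.pub"
        content: "{{ item.value['public_key'] }}"
        mode: '0600'
      when: item.value['public_key'] is defined
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # The script is always invoked through /bin/bash below, so it does not
    # need to be world-readable or even executable; keep it owner-only in
    # the shared /var/tmp. The rendered script is not removed afterwards —
    # review non-managed.sh.j2 for anything sensitive it may embed.
    - name: Create nebula certs for non-ansible members
      ansible.builtin.template:
        src: non-managed.sh.j2
        dest: "/var/tmp/{{ item.key }}-generator.sh"
        mode: '0700'
        owner: root
        group: root
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # `creates:` keys on the member certificate, so an existing cert is
    # never re-issued (and an existing key never regenerated) by re-runs.
    - name: Run the generator
      ansible.builtin.command:
        cmd: "/bin/bash /var/tmp/{{ item.key }}-generator.sh"
        creates: "{{ nebula_config_dir }}/{{ item.key }}.crt"
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # Members that supplied their own public key get only public material.
    - name: Create an archive of certs that do not have a private key
      community.general.archive:
        format: zip
        path:
          - "{{ nebula_config_dir }}/ca.crt"
          - "{{ nebula_config_dir }}/{{ item.key }}.crt"
        dest: "{{ nebula_config_dir }}/{{ item.key }}.zip"
        mode: '0600'
        owner: root
        group: root
      when: item.value['public_key'] is defined
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # Members without a supplied public key receive the generated private
    # key too. The zip is unencrypted, so the 0600 mode here and the
    # handling of the fetched copy are the only protection for that key.
    - name: Create an archive of certs that do have a private key
      community.general.archive:
        format: zip
        path:
          - "{{ nebula_config_dir }}/ca.crt"
          - "{{ nebula_config_dir }}/{{ item.key }}.crt"
          - "{{ nebula_config_dir }}/{{ item.key }}.key"
        dest: "{{ nebula_config_dir }}/{{ item.key }}.zip"
        mode: '0600'
        owner: root
        group: root
      when: item.value['public_key'] is not defined
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # fetch does not apply a mode on the controller side; the download
    # directory must already be restricted, since some of these archives
    # contain a member's private key.
    - name: Copy the nonmanaged certs
      ansible.builtin.fetch:
        src: "{{ nebula_config_dir }}/{{ item.key }}.zip"
        dest: "{{ nebula_nonmanaged_certs_download_dir }}/{{ item.key }}.zip"
        flat: true
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"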