ansible-role-nebula/tasks/setup_ca.yml

81 lines
2.9 KiB
YAML
Raw Permalink Normal View History

---
- name: Verify that there isn't a CA key already
ansible.builtin.stat:
path: "{{ nebula_config_dir }}/ca.key"
register: ca_key_check
- name: Verify that there isn't a CA cert already
ansible.builtin.stat:
path: "{{ nebula_config_dir }}/ca.crt"
register: ca_cert_check
- name: Create a nebula CA certificate
ansible.builtin.command:
cmd: '{{ nebula_bin_dir }}/nebula-cert ca -name "{{ nebula_ca_name }}" -duration {{ nebula_ca_duration }} -out-key {{ nebula_config_dir }}/ca.key -out-crt {{ nebula_config_dir }}/ca.crt'
creates: "{{ nebula_config_dir }}/ca.key"
when:
- not ca_key_check.stat.exists|bool
- not ca_cert_check.stat.exists|bool
- name: Perform steps for non-ansible members
when: nebula_nonmanaged_member_certs | length > 0
block:
- name: Write out the public keys of non-ansible members if needed
delegate_to: "{{ nebula_ca_host }}"
ansible.builtin.copy:
dest: "{{ nebula_config_dir }}/{{ item.key }}.pub"
content: "{{ item.value['public_key'] }}"
mode: '0600'
when: item.value['public_key'] is defined
loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
- name: Create nebula certs for non-ansible members
ansible.builtin.template:
src: non-managed.sh.j2
dest: "/var/tmp/{{ item.key }}-generator.sh"
mode: "0755"
owner: root
group: root
loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
- name: Run the generator
ansible.builtin.command:
cmd: "/bin/bash /var/tmp/{{ item.key }}-generator.sh"
creates: "{{ nebula_config_dir }}/{{ item.key }}.crt"
loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
- name: Create an archive of certs that do not have a private key
community.general.archive:
format: zip
path:
- "{{ nebula_config_dir }}/ca.crt"
- "{{ nebula_config_dir }}/{{ item.key }}.crt"
dest: "{{ nebula_config_dir }}/{{ item.key }}.zip"
mode: '0600'
owner: root
group: root
when: item.value['public_key'] is defined
loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
- name: Create an archive of certs that do have a private key
community.general.archive:
format: zip
path:
- "{{ nebula_config_dir }}/ca.crt"
- "{{ nebula_config_dir }}/{{ item.key }}.crt"
- "{{ nebula_config_dir }}/{{ item.key }}.key"
dest: "{{ nebula_config_dir }}/{{ item.key }}.zip"
mode: '0600'
owner: root
group: root
when: item.value['public_key'] is not defined
loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
- name: Copy the nonmanaged certs
ansible.builtin.fetch:
src: "{{ nebula_config_dir }}/{{ item.key }}.zip"
dest: "{{ nebula_nonmanaged_certs_download_dir }}/{{ item.key }}.zip"
flat: true
loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"
...