--- # This playbook is meant to be used with callable variables, like adhoc or AWX. # What: Requests and signs a certificate from an IPA CA # What is expected: # -> getcert_name: Name of the certificate (FQDN) # -> getcert_owner: what account owns the certificate files # -> getcert_key: path to the certificate key # -> getcert_cert: path to the certificate # -> getcert_postcmd: command to run after a certificate renews # -> getcert_chain: true/false, should cert and key be chained together # -> getcert_chain_location: location for the chain # -> getcert_service: service name (eg HTTP, host), defaults to host # TODO: Add CNAME/SAN support - name: Request and sign an IPA Certificate hosts: "{{ host }}" become: true vars: ipa_getcert_requested_hostnames: - name: "{{ getcert_name|default(ansible_fqdn) }}" owner: "{{ getcert_owner|default('root') }}" key_location: "{{ getcert_key|default('/etc/pki/tls/private/newcert.key') }}" cert_location: "{{ getcert_cert|default('/etc/pki/tls/certs/newcert.crt') }}" nss_db_dir: "{{ getcert_nss_db_dir|default('/etc/pki/tls/db') }}" nss_nickname: "{{ getcert_nss_nickname|default(ansible_fqdn) }}" postcmd: "{{ getcert_postcmd|default(false) }}" service: "{{ getcert_service|default('host') }}" ipa_getcert_chain: "{{ getcert_chain|default(false) }}" ipa_getcert_chain_location: "{{ getcert_chain_location|default('/etc/pki/tls/chain') }}" ipa_getcert_nss: "{{ getcert_nss|default(false) }}" roles: - role: rockylinux.ipagetcert state: present