From dd87d5e724bbd01d1fc7d53bf26ace5fee884978 Mon Sep 17 00:00:00 2001
From: Ruakij
Date: Mon, 17 Oct 2022 22:46:20 +0200
Subject: [PATCH] Move cert-generation outside

---
 netmaker_server/tasks/certs.yml  | 34 ++++++++++++++++++++++++++++++
 netmaker_server/tasks/rqlite.yml | 36 --------------------------------
 2 files changed, 34 insertions(+), 36 deletions(-)
 create mode 100644 netmaker_server/tasks/certs.yml

diff --git a/netmaker_server/tasks/certs.yml b/netmaker_server/tasks/certs.yml
new file mode 100644
index 0000000..86311ee
--- /dev/null
+++ b/netmaker_server/tasks/certs.yml
@@ -0,0 +1,34 @@
+- name: Generate PrivateKey
+  community.crypto.openssl_privatekey:
+    path: /opt/netmaker_server/certs/node.key
+
+- name: Generate Certificate-Signing-Request from privateKey
+  community.crypto.openssl_csr:
+    path: /opt/netmaker_server/certs/node.csr
+    privatekey_path: /opt/netmaker_server/certs/node.key
+    common_name: "{{ ansible_facts.nodename }}"
+    subject_alt_name: "DNS:*.{{ ansible_facts.nodename }},DNS:*.{{ netmaker.base_domain }}"
+
+- name: Fetch CSR
+  ansible.builtin.fetch:
+    src: /opt/netmaker_server/certs/node.csr
+    dest: tmp_files/
+
+- name: Sign CSR locally with CA
+  local_action: community.crypto.x509_certificate
+  args:
+    path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/certs/node.crt
+    csr_path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/certs/node.csr
+    ownca_path: secret_files/netmaker_server/ca/ca.crt
+    ownca_privatekey_path: secret_files/netmaker_server/ca/ca.key
+    provider: ownca
+
+- name: Copy Signed Certificate
+  ansible.builtin.copy:
+    src: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/certs/node.crt
+    dest: /opt/netmaker_server/certs/node.crt
+
+- name: Copy CA Certificate
+  ansible.builtin.copy:
+    src: secret_files/netmaker_server/ca/ca.crt
+    dest: /opt/netmaker_server/certs/ca.crt
diff --git a/netmaker_server/tasks/rqlite.yml b/netmaker_server/tasks/rqlite.yml
index 549f657..465202b 100644
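Review bot: The SAN on the `Generate Certificate-Signing-Request from privateKey` task makes every node's certificate valid for any name under `netmaker.base_domain` (and under the node name), so a node key compromised on one host can impersonate every other service in that domain; unless a wildcard is genuinely needed, list only the names peers actually connect to, e.g. `subject_alt_name: ["DNS:{{ ansible_facts.nodename }}", "DNS:{{ ansible_facts.nodename }}.{{ netmaker.base_domain }}"]` (a YAML list also reads more clearly than the comma-joined string). Note too that `DNS:*.{{ ansible_facts.nodename }}` does not cover the bare node name, and TLS clients that follow RFC 6125 ignore `common_name` once a SAN is present, so a peer connecting by `nodename` alone would fail verification. Separately, the new tasks write to `/opt/netmaker_server/certs/` whereas the removed rqlite tasks wrote to `/opt/netmaker_server/rqlite/certs/`, and nothing in this commit's diffstat touches `rqlite-config.json.template` or the compose setup, so the consumers presumably need repointing in another change. It is also not visible here where `certs.yml` is included or whether `/opt/netmaker_server/certs/` is created beforehand; if not, an `ansible.builtin.file` task with `state: directory` and a restrictive `mode` should precede `Generate PrivateKey`.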
--- a/netmaker_server/tasks/rqlite.yml
+++ b/netmaker_server/tasks/rqlite.yml
@@ -3,42 +3,6 @@
     src: rqlite-config.json.template
     dest: /opt/netmaker_server/rqlite/config.json
-# CERTIFICATE
-- name: Generate PrivateKey
-  community.crypto.openssl_privatekey:
-    path: /opt/netmaker/rqlite/certs/node.key
-
-- name: Generate Certificate-Signing-Request from privateKey
-  community.crypto.openssl_csr:
-    path: /opt/netmaker/rqlite/certs/node.csr
-    privatekey_path: /opt/netmaker/rqlite/certs/node.key
-    common_name: "{{ ansible_facts.nodename }}"
-
-- name: Fetch CSR
-  ansible.builtin.fetch:
-    src: /opt/netmaker/rqlite/certs/node.csr
-    dest: tmp_files/
-
-- name: Sign CSR locally with CA
-  local_action: community.crypto.x509_certificate
-  args:
-    path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.crt
-    csr_path: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.csr
-    ownca_path: secret_files/netmaker_server/ca/ca.crt
-    ownca_privatekey_path: secret_files/netmaker_server/ca/ca.key
-    provider: ownca
-
-- name: Copy Signed Certificate
-  ansible.builtin.copy:
-    src: tmp_files/{{ inventory_hostname }}/opt/netmaker_server/rqlite/certs/node.crt
-    dest: /opt/netmaker_server/rqlite/certs/node.crt
-
-- name: Copy CA Certificate
-  ansible.builtin.copy:
-    src: secret_files/netmaker_server/ca/ca.crt
-    dest: /opt/netmaker_server/rqlite/certs/ca.crt
-# CERTIFICATE
-
 
 - name: Start rqlite service for 1st-node
   command: "docker-compose --project-directory /opt/netmaker_server/ up -d rqlite"
   register: command