infra/ansible/roles/common/tasks/FreeBSD_pki.yml

---
- name: ensure root cert exists
  copy:
    content: "{{ vault_ca_cert_payload }}"
    dest: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
    mode: 0644
    owner: root
    group: staff
  register: root_ca

- name: hash cert
  shell: "openssl x509 -noout -hash -in /etc/ssl/certs/{{ vault_ca_cert_name }}"
  when: root_ca.changed
  register: root_ca_hash
  failed_when: False
  args:
    executable: /usr/local/bin/bash

- name: create hash symlink for cert
  file:
    state: link
    src: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
    dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}"
  when: root_ca_hash.changed

- name: check vault version
  shell:
    cmd: "vault --version | head -1 | cut -d'v' -f2"
  args:
    executable: /usr/local/bin/bash
  changed_when: False
  failed_when: False
  register: installed_vault_version
  check_mode: False

- name: get vault
  unarchive:
    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_freebsd_amd64.zip"
    dest: /usr/local/bin/
    mode: 0755
    owner: root
    group: staff
    remote_src: True
  when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)

- name: ensure pki cert directory
  file:
    path: /etc/pki/certs
    state: directory
    owner: root
    group: staff
    mode: 0755

- name: ensure main pki directory
  file:
    path: /etc/pki/keys
    state: directory
    owner: root
    group: staff
    mode: 0700

- name: ensure root cert exists for general use
  copy:
    content: "{{ vault_ca_cert_payload }}"
    dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
    mode: 0644
    owner: root
    group: staff
  register: root_ca

- name: check if server cert is expiring in the next 5 days
  shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
  args:
    executable: /usr/local/bin/bash
  failed_when: False
  check_mode: False
  changed_when: False
  register: exp

- name: get cert
  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}.name ttl=43200m"
  args:
    executable: /usr/local/bin/bash
  environment:
    VAULT_ADDR: http://ivyking.minhas.io:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
  when: exp.rc != 0

- name: write cert data to server
  copy:
    content: "{{ item.content }}"
    dest: "/etc/pki/{{ item.path }}"
    mode: '{{ item.mode }}'
    owner: root
    group: staff
  when: cert_data.changed
  loop:
    - {
        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
        path: "certs/{{ inventory_hostname_short }}.crt",
        mode: "0755"
    }
    - {
        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
        path: "keys/{{ inventory_hostname_short }}.key",
        mode: "0600"
    }
...
Add pki to common 2020-08-30 00:21:40 +00:00			`---`
			`- name: ensure root cert exists`
			`copy:`
			`content: "{{ vault_ca_cert_payload }}"`
			`dest: "/etc/ssl/certs/{{ vault_ca_cert_name }}"`
			`mode: 0644`
			`owner: root`
			`group: staff`
			`register: root_ca`

			`- name: hash cert`
			`shell: "openssl x509 -noout -hash -in /etc/ssl/certs/{{ vault_ca_cert_name }}"`
			`when: root_ca.changed`
			`register: root_ca_hash`
			`failed_when: False`
			`args:`
			`executable: /usr/local/bin/bash`

			`- name: create hash symlink for cert`
			`file:`
			`state: link`
			`src: "/etc/ssl/certs/{{ vault_ca_cert_name }}"`
			`dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}"`
			`when: root_ca_hash.changed`

			`- name: check vault version`
			`shell:`
			`cmd: "vault --version \| head -1 \| cut -d'v' -f2"`
			`args:`
			`executable: /usr/local/bin/bash`
			`changed_when: False`
			`failed_when: False`
			`register: installed_vault_version`
			`check_mode: False`

			`- name: get vault`
			`unarchive:`
			`src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_freebsd_amd64.zip"`
			`dest: /usr/local/bin/`
			`mode: 0755`
			`owner: root`
			`group: staff`
			`remote_src: True`
			`when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)`

			`- name: ensure pki cert directory`
			`file:`
			`path: /etc/pki/certs`
			`state: directory`
			`owner: root`
			`group: staff`
			`mode: 0755`

			`- name: ensure main pki directory`
			`file:`
			`path: /etc/pki/keys`
			`state: directory`
			`owner: root`
			`group: staff`
			`mode: 0700`

			`- name: ensure root cert exists for general use`
			`copy:`
			`content: "{{ vault_ca_cert_payload }}"`
			`dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"`
			`mode: 0644`
			`owner: root`
			`group: staff`
			`register: root_ca`

			`- name: check if server cert is expiring in the next 5 days`
			`shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"`
			`args:`
			`executable: /usr/local/bin/bash`
			`failed_when: False`
			`check_mode: False`
			`changed_when: False`
			`register: exp`

			`- name: get cert`
			`shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}.name ttl=43200m"`
			`args:`
			`executable: /usr/local/bin/bash`
			`environment:`
			`VAULT_ADDR: http://ivyking.minhas.io:8200`
			`VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"`
			`VAULT_FORMAT: json`
			`register: cert_data`
			`when: exp.rc != 0`

			`- name: write cert data to server`
			`copy:`
			`content: "{{ item.content }}"`
			`dest: "/etc/pki/{{ item.path }}"`
			`mode: '{{ item.mode }}'`
			`owner: root`
			`group: staff`
			`when: cert_data.changed`
			`loop:`
			`- {`
			`content: "{{ (cert_data.stdout \| from_json).data.certificate }}",`
			`path: "certs/{{ inventory_hostname_short }}.crt",`
			`mode: "0755"`
			`}`
			`- {`
			`content: "{{ (cert_data.stdout \| from_json).data.private_key }}",`
			`path: "keys/{{ inventory_hostname_short }}.key",`
			`mode: "0600"`
			`}`
			`...`