From 326d017271e980b5746871bacbf0a4f89698c989 Mon Sep 17 00:00:00 2001
From: Asara
Date: Sat, 29 Aug 2020 20:21:40 -0400
Subject: [PATCH] Add pki to common

---
 ansible/playbooks/common.yml | 5 +
 ansible/playbooks/site.yml | 7 +-
 ansible/roles/common/tasks/Debian_pki.yml | 100 +++++++++++++++++++
 ansible/roles/common/tasks/FreeBSD_pki.yml | 110 +++++++++++++++++++++
 ansible/roles/common/tasks/main.yml | 1 +
 5 files changed, 219 insertions(+), 4 deletions(-)
 create mode 100644 ansible/playbooks/common.yml
 create mode 100644 ansible/roles/common/tasks/Debian_pki.yml
 create mode 100644 ansible/roles/common/tasks/FreeBSD_pki.yml
diff --git a/ansible/playbooks/common.yml b/ansible/playbooks/common.yml
new file mode 100644
index 0000000..8aa34d9
--- /dev/null
+++ b/ansible/playbooks/common.yml
@@ -0,0 +1,5 @@
+---
+- hosts: all
+ roles:
+ - role: common
+...
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index fa39ff8..4fdec0b 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -1,9 +1,8 @@
 ---
-- hosts: all
- roles:
- - role: common
-
+- import_playbook: common.yml
 - import_playbook: consul-server.yml
 - import_playbook: vault-server.yml
 - import_playbook: consul-client.yml
+- import_playbook: nomad.yml
+ #- import_playbook: docker-registry.yml
 ...
diff --git a/ansible/roles/common/tasks/Debian_pki.yml b/ansible/roles/common/tasks/Debian_pki.yml
new file mode 100644
index 0000000..f1c7cf6
--- /dev/null
+++ b/ansible/roles/common/tasks/Debian_pki.yml
@@ -0,0 +1,100 @@
+---
+- name: ensure root cert exists
+ copy:
+ content: "{{ vault_ca_cert_payload }}"
+ dest: "/usr/local/share/ca-certificates/{{ vault_ca_cert_name }}"
+ mode: 0755
+ owner: root
+ group: root
+ register: root_ca
+
+- name: update ca certs
+ shell: update-ca-certificates
+ args:
+ executable: /bin/bash
+ when: root_ca.changed
+
+- name: check vault version
+ shell:
+ cmd: "vault --version | head -1 | cut -d'v' -f2"
+ args:
+ executable: /bin/bash
+ changed_when: False
+ register: installed_vault_version
+ check_mode: False
+
+- name: get vault
+ unarchive:
+ src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+ dest: /usr/local/bin/
+ mode: 0755
+ owner: root
+ group: root
+ remote_src: True
+ when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
+
+- name: ensure pki cert directory
+ file:
+ path: /etc/pki/certs
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: ensure main pki directory
+ file:
+ path: /etc/pki/keys
+ state: directory
+ owner: root
+ group: root
+ mode: 0600
+
+- name: ensure root cert exists for general use
+ copy:
+ content: "{{ vault_ca_cert_payload }}"
+ dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
+ mode: 0644
+ owner: root
+ group: root
+ register: root_ca
+
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
+ args:
+ executable: /bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /bin/bash
+ environment:
+ VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
register: cert_data
+ when: exp.rc != 0
+
+- name: write cert data to server
+ copy:
+ content: "{{ item.content }}"
+ dest: "/etc/pki/{{ item.path }}"
+ mode: '{{ item.mode }}'
+ owner: root
+ group: root
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "certs/{{ inventory_hostname_short }}.crt",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "keys/{{ inventory_hostname_short }}.key",
+ mode: "0600"
+ }
+...
diff --git a/ansible/roles/common/tasks/FreeBSD_pki.yml b/ansible/roles/common/tasks/FreeBSD_pki.yml
new file mode 100644
index 0000000..0201da8
--- /dev/null
+++ b/ansible/roles/common/tasks/FreeBSD_pki.yml
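Review bot: The `get cert` task places the controller's Vault token in the remote process environment and sends it to Vault over plaintext HTTP (`VAULT_ADDR: http://…:8200`), and its registered `cert_data.stdout` carries the issued private key, which Ansible prints in verbose runs and again as the loop item label in `write cert data to server`; both tasks should carry `no_log: true`, and VAULT_ADDR should be `https://` now that the preceding tasks install the CA certificate that would let the client verify it. The CA copy under /usr/local/share/ca-certificates is written with `mode: 0755` and the issued certificate with `mode: "0755"` — neither needs an execute bit, `0644` suffices — while `/etc/pki/keys` is created with `mode: 0600`, a directory without the traverse bit where the FreeBSD hunk uses `0700`. The unquoted `mode: 0755` / `0644` / `0600` values rely on the YAML 1.1 leading-zero octal rule; quoting them as the loop items already do keeps them correct under 1.2 loaders. `get vault` unpacks the release zip straight from the network with no integrity check; fetching it with `get_url` and a `checksum:` taken from HashiCorp's published SHA256SUMS, then unarchiving the local file, would pin what gets installed. The FreeBSD_pki.yml hunk has the same token-handling, mode and checksum issues.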
@@ -0,0 +1,110 @@
+---
+- name: ensure root cert exists
+ copy:
+ content: "{{ vault_ca_cert_payload }}"
+ dest: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
+ mode: 0644
+ owner: root
+ group: staff
+ register: root_ca
+
+- name: hash cert
+ shell: "openssl x509 -noout -hash -in /etc/ssl/certs/{{ vault_ca_cert_name }}"
+ when: root_ca.changed
+ register: root_ca_hash
+ failed_when: False
+ args:
+ executable: /usr/local/bin/bash
+
+- name: create hash symlink for cert
+ file:
+ state: link
+ src: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
+ dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}"
+ when: root_ca_hash.changed
+
+- name: check vault version
+ shell:
+ cmd: "vault --version | head -1 | cut -d'v' -f2"
+ args:
+ executable: /usr/local/bin/bash
+ changed_when: False
+ failed_when: False
+ register: installed_vault_version
+ check_mode: False
+
+- name: get vault
+ unarchive:
+ src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_freebsd_amd64.zip"
+ dest: /usr/local/bin/
+ mode: 0755
+ owner: root
+ group: staff
+ remote_src: True
+ when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
+
+- name: ensure pki cert directory
+ file:
+ path: /etc/pki/certs
+ state: directory
+ owner: root
+ group: staff
+ mode: 0755
+
+- name: ensure main pki directory
+ file:
+ path: /etc/pki/keys
+ state: directory
+ owner: root
+ group: staff
+ mode: 0700
+
+- name: ensure root cert exists for general use
+ copy:
+ content: "{{ vault_ca_cert_payload }}"
+ dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
+ mode: 0644
+ owner: root
+ group: staff
+ register: root_ca
+
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
+ args:
+ executable: /usr/local/bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write
pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}.name ttl=43200m"
+ args:
+ executable: /usr/local/bin/bash
+ environment:
+ VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+
+- name: write cert data to server
+ copy:
+ content: "{{ item.content }}"
+ dest: "/etc/pki/{{ item.path }}"
+ mode: '{{ item.mode }}'
+ owner: root
+ group: staff
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "certs/{{ inventory_hostname_short }}.crt",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "keys/{{ inventory_hostname_short }}.key",
+ mode: "0600"
+ }
+...
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 8ebc556..1c91678 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -1,3 +1,4 @@
 ---
+- include: "{{ ansible_os_family }}_pki.yml"
 - include: "{{ ansible_os_family }}.yml"
 ...
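Review bot: `get cert` requests `common_name=…{{ consul_domain }}.name`, whereas the Debian hunk requests `…{{ consul_domain }}` with the same variables — the trailing `.name` looks like a typo that would issue a certificate for a subject no client will match; `common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}` keeps the two files consistent. In `create hash symlink for cert` the link is named with the bare subject hash, but OpenSSL's hashed-directory lookup expects the `<hash>.0` form that c_rehash produces, so the link likely has no effect on trust lookups; `dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}.0"` would match. Because `hash cert` sets `failed_when: False`, a failed openssl invocation leaves `root_ca_hash.stdout` empty and `dest` degenerates to the certs directory itself; a guard such as `when: root_ca_hash.changed and root_ca_hash.stdout | length > 0` (or dropping `failed_when`) avoids that. The token exposure, unquoted octal modes and unchecked release download noted on the Debian_pki.yml hunk apply here as well.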