forked from TrueCloudLab/certificates
44 lines
1.7 KiB
YAML
44 lines
1.7 KiB
YAML
|
|
- name: "Ensure provisioners directories exist"
|
|
file:
|
|
path: "/etc/ssl/smallstep/provisioners/{{ item.context }}/{{ item.provisioner_name }}"
|
|
state: directory
|
|
mode: 0600
|
|
owner: root
|
|
group: root
|
|
with_items: "{{ smallstep_leaf_certs }}"
|
|
no_log: true
|
|
|
|
- name: "Ensure provisioner passwords are up to date"
|
|
copy:
|
|
dest: "/etc/ssl/smallstep/provisioners/{{ item.context }}/{{ item.provisioner_name }}/provisioner-pass.txt"
|
|
content: "{{ item.provisioner_password }}"
|
|
mode: 0700
|
|
owner: root
|
|
group: root
|
|
with_items: "{{ smallstep_leaf_certs }}"
|
|
no_log: true
|
|
|
|
- name: "Get root certs for CAs"
|
|
command:
|
|
cmd: "step ca bootstrap --context {{ item.context }} --ca-url {{ item.ca_url }} --fingerprint {{ item.ca_fingerprint }}"
|
|
with_items: "{{ smallstep_root_certs }}"
|
|
no_log: true
|
|
|
|
- name: "Get leaf certs"
|
|
command:
|
|
cmd: "step ca certificate --context {{ item.context }} {{ item.cert_subject }} {{ item.cert_path }} {{ item.key_path }} --force --console --provisioner {{ item.provisioner_name }} --provisioner-password-file /etc/ssl/smallstep/provisioners/{{ item.context }}/{{ item.provisioner_name }}/provisioner-pass.txt"
|
|
with_items: "{{ smallstep_leaf_certs }}"
|
|
no_log: true
|
|
|
|
- name: Ensure cron to renew leaf certs is up to date
|
|
cron:
|
|
user: "root"
|
|
name: "renew leaf cert {{ item.cert_subject }}"
|
|
cron_file: smallstep
|
|
job: "step ca renew --context {{ item.context }} {{ item.cert_path }} {{ item.key_path }} --expires-in 6h --force >> /var/log/smallstep-{{ item.cert_subject }}.log 2>&1"
|
|
state: present
|
|
minute: "*/30"
|
|
with_items: "{{ smallstep_leaf_certs }}"
|
|
when: "{{ item.cron_renew }}"
|
|
no_log: true
|