feat: Manage EasyRSA CA and certificates

Signed-off-by: Julien Riou <julien@riou.xyz>
2024-05-13 18:14:16 +02:00 · 2024-05-13 18:14:16 +02:00 · 19a7af377e
commit 19a7af377e
parent f3930ea7d4
6 changed files with 100 additions and 8 deletions
--- a/TODO.md
+++ b/TODO.md
@ -1,3 +1,3 @@
 # TODO

-* EasyRSA tasks
+- EasyRSA: Protect CA with a passphrase
--- a/group_vars/README.md
+++ b/group_vars/README.md
@ -291,6 +291,27 @@ bacula_storages:
    media_type: File
 ```

+## easyrsa_ca_dir
+
+Path to the CA directory to create.
+
+```yaml
+easyrsa_ca_dir: /var/lib/easyrsa
+```
+
+## easyrsa_clients
+
+List of client hostnames that will have RSA certificates.
+
+```yaml
+easyrsa_clients:
+  - pilote
+  - storage1
+  - storage2
+  - storage3
+  - vps
+```
+
 ## hostname

 Name of the remote host.
--- a/main.yml
+++ b/main.yml
@ -53,3 +53,6 @@

    - name: Configure vim
      ansible.builtin.include_tasks: tasks/vim.yml
+
+    - name: Configure EasyRSA
+      ansible.builtin.include_tasks: tasks/easyrsa.yml
--- a/renew.yml
+++ b/renew.yml
@ -0,0 +1,10 @@
+---
+- name: Renew client RSA certificates
+  hosts: pilote
+  gather_facts: false
+  tasks:
+    - name: Delete client certificates
+      ansible.builtin.include_tasks: tasks/easyrsa-certs-delete.yml
+
+    - name: Configure EasyRSA
+      ansible.builtin.include_tasks: tasks/easyrsa.yml
--- a/tasks/easyrsa-certs-delete.yml
+++ b/tasks/easyrsa-certs-delete.yml
@ -0,0 +1,9 @@
+---
+- name: Delete EasyRSA certificates
+  ansible.builtin.file:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - "{{ easyrsa_ca_dir }}/pki/reqs/{{ client_name }}.req"
+    - "{{ easyrsa_ca_dir }}/pki/private/{{ client_name }}.key"
+    - "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt"
--- a/tasks/easyrsa.yml
+++ b/tasks/easyrsa.yml
@ -1,13 +1,62 @@
 ---
-# TODO
- name: Copy easyrsa sources to /root
-  ansible.builtin.copy:
-    src: files/easyrsa/EasyRSA-v3.0.6
-    dest: /root/
-    mode: preserve
+- name: Install EasyRSA
+  ansible.builtin.package:
+    name: easy-rsa

 - name: Add easyrsa binary to path
  ansible.builtin.file:
-    src: /root/EasyRSA-v3.0.6/easyrsa
+    src: /usr/share/easy-rsa/easyrsa
    dest: /usr/local/sbin/easyrsa
    state: link
+
+- name: Create CA directory
+  ansible.builtin.command:
+    cmd: "make-cadir {{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}"
+
+- name: Init PKI
+  ansible.builtin.command:
+    cmd: easyrsa init-pki
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki"
+  environment:
+    EASYRSA_BATCH: "1"
+
+- name: Create symlinks
+  ansible.builtin.file:
+    src: "{{ easyrsa_ca_dir }}/{{ item }}"
+    dest: "{{ easyrsa_ca_dir }}/pki/{{ item }}"
+    state: link
+  loop:
+    - x509-types
+    - openssl-easyrsa.cnf
+
+- name: Create random file
+  ansible.builtin.command:
+    cmd: "openssl rand -writerand {{ easyrsa_ca_dir }}/pki/.rnd"
+    creates: "{{ easyrsa_ca_dir }}/pki/.rnd"
+
+- name: Build CA
+  ansible.builtin.command:
+    cmd: easyrsa build-ca nopass
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki/ca.crt"
+  environment:
+    EASYRSA_BATCH: "1"
+
+- name: Generate DH parameters
+  ansible.builtin.command:
+    cmd: easyrsa gen-dh
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki/dh.pem"
+  environment:
+    EASYRSA_BATCH: "1"
+
+- name: Generate client certificates
+  ansible.builtin.command:
+    cmd: "easyrsa build-client-full {{ item }} nopass"
+    chdir: "{{ easyrsa_ca_dir }}"
+    creates: "{{ easyrsa_ca_dir }}/pki/private/{{ item }}.key"
+  environment:
+    EASYRSA_BATCH: "1"
+  loop: "{{ easyrsa_clients | default([]) }}"