From 19a7af377eaddfeae275bc2e7a5116986945835b Mon Sep 17 00:00:00 2001
From: Julien Riou
Date: Mon, 13 May 2024 18:14:16 +0200
Subject: [PATCH] feat: Manage EasyRSA CA and certificates
Signed-off-by: Julien Riou
---
 TODO.md | 2 +-
 group_vars/README.md | 21 ++++++++++++
 main.yml | 3 ++
 renew.yml | 10 ++++++
 tasks/easyrsa-certs-delete.yml | 9 +++++
 tasks/easyrsa.yml | 63 ++++++++++++++++++++++++++++++----
 6 files changed, 100 insertions(+), 8 deletions(-)
 create mode 100644 renew.yml
 create mode 100644 tasks/easyrsa-certs-delete.yml
diff --git a/TODO.md b/TODO.md
index 298ed07..11bcaae 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,3 +1,3 @@
 # TODO
-* EasyRSA tasks
+- EasyRSA: Protect CA with a passphrase
diff --git a/group_vars/README.md b/group_vars/README.md
index 36904c3..eea9993 100644
--- a/group_vars/README.md
+++ b/group_vars/README.md
@@ -291,6 +291,27 @@ bacula_storages:
 media_type: File
 ```
+## easyrsa_ca_dir
+
+Path to the CA directory to create.
+
+```yaml
+easyrsa_ca_dir: /var/lib/easyrsa
+```
+
+## easyrsa_clients
+
+List of client hostnames that will have RSA certificates.
+
+```yaml
+easyrsa_clients:
+ - pilote
+ - storage1
+ - storage2
+ - storage3
+ - vps
+```
+
 ## hostname
 Name of the remote host.
diff --git a/main.yml b/main.yml
index 992ddd7..a413b86 100644
--- a/main.yml
+++ b/main.yml
@@ -53,3 +53,6 @@
 - name: Configure vim
 ansible.builtin.include_tasks: tasks/vim.yml
+
+ - name: Configure EasyRSA
+ ansible.builtin.include_tasks: tasks/easyrsa.yml
diff --git a/renew.yml b/renew.yml
new file mode 100644
index 0000000..2686afe
--- /dev/null
+++ b/renew.yml
@@ -0,0 +1,10 @@
+---
+- name: Renew client RSA certificates
+ hosts: pilote
+ gather_facts: false
+ tasks:
+ - name: Delete client certificates
+ ansible.builtin.include_tasks: tasks/easyrsa-certs-delete.yml
+
+ - name: Configure EasyRSA
+ ansible.builtin.include_tasks: tasks/easyrsa.yml
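Review bot: The "Delete client certificates" step in renew.yml includes tasks/easyrsa-certs-delete.yml, which expands `{{ client_name }}`, but this play defines no such variable and does not iterate over `easyrsa_clients`, so the include fails on an undefined variable unless `client_name` is supplied from outside (for example with `-e`). If the intent is to renew every client, loop the include with `loop: "{{ easyrsa_clients | default([]) }}"` and `loop_control:` / `loop_var: client_name`; if the intent is one client named on the command line, state that in a comment at the top of the play. In either case `client_name` should be documented in group_vars/README.md, which in this commit describes only `easyrsa_ca_dir` and `easyrsa_clients`.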
diff --git a/tasks/easyrsa-certs-delete.yml b/tasks/easyrsa-certs-delete.yml
new file mode 100644
index 0000000..33421f6
--- /dev/null
+++ b/tasks/easyrsa-certs-delete.yml
@@ -0,0 +1,9 @@
+---
+- name: Delete EasyRSA certificates
+ ansible.builtin.file:
+ name: "{{ item }}"
+ state: absent
+ loop:
+ - "{{ easyrsa_ca_dir }}/pki/reqs/{{ client_name }}.req"
+ - "{{ easyrsa_ca_dir }}/pki/private/{{ client_name }}.key"
+ - "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt"
diff --git a/tasks/easyrsa.yml b/tasks/easyrsa.yml
index 9e53fd2..d1ebda7 100644
--- a/tasks/easyrsa.yml
+++ b/tasks/easyrsa.yml
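Review bot: Removing the .req, .key and .crt files with `state: absent` does not invalidate the certificate that was already issued: it stays valid until its expiry date and remains listed in the CA's pki/index.txt, so after a renewal both the new certificate and the old one (the one being replaced, possibly because it leaked) are accepted by anyone trusting ca.crt. Revoke before deleting — an `ansible.builtin.command` task with `cmd: "easyrsa revoke {{ client_name }}"` followed by one with `cmd: easyrsa gen-crl`, both using `chdir: "{{ easyrsa_ca_dir }}"` and `EASYRSA_BATCH: "1"` — and distribute the resulting pki/crl.pem to the relying parties. Guard the revoke with `removes: "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt"` so a first run for a client that has no certificate yet does not fail. As a point of style, `name:` is only an alias of `path:` on ansible.builtin.file; `path: "{{ item }}"` is the canonical spelling.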
@@ -1,13 +1,62 @@
 ---
-# TODO
-- name: Copy easyrsa sources to /root
- ansible.builtin.copy:
- src: files/easyrsa/EasyRSA-v3.0.6
- dest: /root/
- mode: preserve
+- name: Install EasyRSA
+ ansible.builtin.package:
+ name: easy-rsa
 - name: Add easyrsa binary to path
 ansible.builtin.file:
- src: /root/EasyRSA-v3.0.6/easyrsa
+ src: /usr/share/easy-rsa/easyrsa
 dest: /usr/local/sbin/easyrsa
 state: link
+
+- name: Create CA directory
+ ansible.builtin.command:
+ cmd: "make-cadir {{ easyrsa_ca_dir }}"
+ creates: "{{ easyrsa_ca_dir }}"
+
+- name: Init PKI
+ ansible.builtin.command:
+ cmd: easyrsa init-pki
+ chdir: "{{ easyrsa_ca_dir }}"
+ creates: "{{ easyrsa_ca_dir }}/pki"
+ environment:
+ EASYRSA_BATCH: "1"
+
+- name: Create symlinks
+ ansible.builtin.file:
+ src: "{{ easyrsa_ca_dir }}/{{ item }}"
+ dest: "{{ easyrsa_ca_dir }}/pki/{{ item }}"
+ state: link
+ loop:
+ - x509-types
+ - openssl-easyrsa.cnf
+
+- name: Create random file
+ ansible.builtin.command:
+ cmd: "openssl rand -writerand {{ easyrsa_ca_dir }}/pki/.rnd"
+ creates: "{{ easyrsa_ca_dir }}/pki/.rnd"
+
+- name: Build CA
+ ansible.builtin.command:
+ cmd: easyrsa build-ca nopass
+ chdir: "{{ easyrsa_ca_dir }}"
+ creates: "{{ easyrsa_ca_dir }}/pki/ca.crt"
+ environment:
+ EASYRSA_BATCH: "1"
+
+- name: Generate DH parameters
+ ansible.builtin.command:
+ cmd: easyrsa gen-dh
+ chdir: "{{ easyrsa_ca_dir }}"
+ creates: "{{ easyrsa_ca_dir }}/pki/dh.pem"
+ environment:
+ EASYRSA_BATCH: "1"
+
+- name: Generate client certificates
+ ansible.builtin.command:
+ cmd: "easyrsa build-client-full {{ item }} nopass"
+ chdir: "{{ easyrsa_ca_dir }}"
+ creates: "{{ easyrsa_ca_dir }}/pki/private/{{ item }}.key"
+ environment:
+ EASYRSA_BATCH: "1"
+ loop: "{{ easyrsa_clients | default([]) }}"
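Review bot: In "Generate client certificates" the loop value is interpolated into `cmd: "easyrsa build-client-full {{ item }} nopass"`, a string that ansible.builtin.command splits with shell-like quoting rules, so a client name containing whitespace or quotes is silently split into extra arguments (the same applies to `easyrsa_ca_dir` in the `make-cadir` and `openssl rand` commands); the list form `argv: [easyrsa, build-client-full, "{{ item }}", nopass]` passes each value as exactly one argument whatever it contains. Separately, `make-cadir` and the `/usr/share/easy-rsa/easyrsa` path used for the symlink are where the Debian/Ubuntu easy-rsa package installs them, which presumably ties these tasks to that distribution family; a comment above "Install EasyRSA" such as `# make-cadir and /usr/share/easy-rsa/easyrsa come from the Debian/Ubuntu easy-rsa package` would make the assumption visible to the next maintainer.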