feat: Manage EasyRSA CA and certificates

Signed-off-by: Julien Riou <julien@riou.xyz>
2024-05-13 18:14:16 +02:00 · 2024-05-13 18:14:16 +02:00 · 19a7af377e
commit 19a7af377e
parent f3930ea7d4
6 changed files with 100 additions and 8 deletions
--- a/TODO.md
+++ b/TODO.md
@ -1,3 +1,3 @@
 # TODO
-* EasyRSA tasks
+- EasyRSA: Protect CA with a passphrase
--- a/group_vars/README.md
+++ b/group_vars/README.md
@ -291,6 +291,27 @@ bacula_storages:
    media_type: File
 ```
 ## easyrsa_ca_dir
 Path to the CA directory to create.
 ```yaml
 easyrsa_ca_dir: /var/lib/easyrsa
 ```
 ## easyrsa_clients
 List of client hostnames that will have RSA certificates.
 ```yaml
 easyrsa_clients:
  - pilote
  - storage1
  - storage2
  - storage3
  - vps
 ```
 ## hostname
 Name of the remote host.
--- a/main.yml
+++ b/main.yml
@ -53,3 +53,6 @@
    - name: Configure vim
      ansible.builtin.include_tasks: tasks/vim.yml
    - name: Configure EasyRSA
      ansible.builtin.include_tasks: tasks/easyrsa.yml
--- a/renew.yml
+++ b/renew.yml
@ -0,0 +1,10 @@
 ---
 - name: Renew client RSA certificates
  hosts: pilote
  gather_facts: false
  tasks:
    - name: Delete client certificates
      ansible.builtin.include_tasks: tasks/easyrsa-certs-delete.yml
    - name: Configure EasyRSA
      ansible.builtin.include_tasks: tasks/easyrsa.yml
--- a/tasks/easyrsa-certs-delete.yml
+++ b/tasks/easyrsa-certs-delete.yml
@ -0,0 +1,9 @@
 ---
 - name: Delete EasyRSA certificates
  ansible.builtin.file:
    name: "{{ item }}"
    state: absent
  loop:
    - "{{ easyrsa_ca_dir }}/pki/reqs/{{ client_name }}.req"
    - "{{ easyrsa_ca_dir }}/pki/private/{{ client_name }}.key"
    - "{{ easyrsa_ca_dir }}/pki/issued/{{ client_name }}.crt"
--- a/tasks/easyrsa.yml
+++ b/tasks/easyrsa.yml
@ -1,13 +1,62 @@
 ---
-# TODO
+- name: Install EasyRSA
- name: Copy easyrsa sources to /root
+  ansible.builtin.package:
-  ansible.builtin.copy:
+    name: easy-rsa
    src: files/easyrsa/EasyRSA-v3.0.6
    dest: /root/
    mode: preserve
 - name: Add easyrsa binary to path
  ansible.builtin.file:
-    src: /root/EasyRSA-v3.0.6/easyrsa
+    src: /usr/share/easy-rsa/easyrsa
    dest: /usr/local/sbin/easyrsa
    state: link
 - name: Create CA directory
  ansible.builtin.command:
    cmd: "make-cadir {{ easyrsa_ca_dir }}"
    creates: "{{ easyrsa_ca_dir }}"
 - name: Init PKI
  ansible.builtin.command:
    cmd: easyrsa init-pki
    chdir: "{{ easyrsa_ca_dir }}"
    creates: "{{ easyrsa_ca_dir }}/pki"
  environment:
    EASYRSA_BATCH: "1"
 - name: Create symlinks
  ansible.builtin.file:
    src: "{{ easyrsa_ca_dir }}/{{ item }}"
    dest: "{{ easyrsa_ca_dir }}/pki/{{ item }}"
    state: link
  loop:
    - x509-types
    - openssl-easyrsa.cnf
 - name: Create random file
  ansible.builtin.command:
    cmd: "openssl rand -writerand {{ easyrsa_ca_dir }}/pki/.rnd"
    creates: "{{ easyrsa_ca_dir }}/pki/.rnd"
 - name: Build CA
  ansible.builtin.command:
    cmd: easyrsa build-ca nopass
    chdir: "{{ easyrsa_ca_dir }}"
    creates: "{{ easyrsa_ca_dir }}/pki/ca.crt"
  environment:
    EASYRSA_BATCH: "1"
 - name: Generate DH parameters
  ansible.builtin.command:
    cmd: easyrsa gen-dh
    chdir: "{{ easyrsa_ca_dir }}"
    creates: "{{ easyrsa_ca_dir }}/pki/dh.pem"
  environment:
    EASYRSA_BATCH: "1"
 - name: Generate client certificates
  ansible.builtin.command:
    cmd: "easyrsa build-client-full {{ item }} nopass"
    chdir: "{{ easyrsa_ca_dir }}"
    creates: "{{ easyrsa_ca_dir }}/pki/private/{{ item }}.key"
  environment:
    EASYRSA_BATCH: "1"
  loop: "{{ easyrsa_clients | default([]) }}"
`@ -1,3 +1,3 @@`
	`# TODO`	`# TODO`

	`* EasyRSA tasks`	`- EasyRSA: Protect CA with a passphrase`