# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2025 Dosh LLC
---
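# Read the SAN list of the ACME certificate already on disk, if there is one.
# An absent or unreadable certificate is the normal first-run case, so the
# task never fails; later tasks test `_cert_existing_acme_san.stdout | length`
# to tell "certificate present" from "nothing found".
# Variable values are interpolated unquoted into the shell line; they come
# from inventory, so wrap them with `| quote` if any could carry shell
# metacharacters.
- name: Get existing ACME cert SANs (if exist)
  become: true
  ansible.builtin.shell: |
    STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} certificate inspect {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ACME_CRT }} --format json | jq --sort-keys '.names'
  register: _cert_existing_acme_san
  # Read-only inspection: never report a change.
  changed_when: false
  # Replaces `ignore_errors: true`: the missing-certificate outcome is expected,
  # so it is not reported (or counted) as an ignored failure. The registered
  # stdout is empty in that case, which is all the consumers rely on.
  failed_when: false
  # Keeps the inspection output out of the log.
  no_log: true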
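# Read the principal list of the SSH host certificate already on disk, if
# there is one. A missing certificate is the normal first-run case, so the
# task never fails; later tasks test `_cert_existing_ssh_san.stdout | length`.
# Variable values are interpolated unquoted into the shell line; they come
# from inventory, so wrap them with `| quote` if any could carry shell
# metacharacters.
- name: Get existing SSH cert SANs (if exist)
  become: true
  ansible.builtin.shell: |
    STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} ssh inspect {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_HOST_CERT }} --format json | jq --sort-keys '.Principals'
  register: _cert_existing_ssh_san
  # Read-only inspection: never report a change.
  changed_when: false
  # Replaces `ignore_errors: true`: the missing-certificate outcome is expected,
  # so it is not reported (or counted) as an ignored failure. The registered
  # stdout is empty in that case, which is all the consumers rely on.
  failed_when: false
  # Keeps the inspection output out of the log.
  no_log: true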
# Turn the SAN list read from the existing ACME certificate into sorted,
# indented JSON so it can be compared textually with the desired set.
# Runs only when the inspection produced output (certificate present).
- name: Normalise existing ACME cert SANs (cert present)
  when: _cert_existing_acme_san.stdout | length > 0
  ansible.builtin.set_fact:
    # The `|` block scalar keeps a trailing newline on the rendered JSON.
    # `_cert_san_json` (defined elsewhere) is presumably rendered the same way —
    # confirm, since the later equality test is a plain string comparison.
    _cert_existing_acme_san_json: |
      {{ _cert_existing_acme_san.stdout | from_json | sort | to_json(indent=4) }}
# Turn the principal list read from the existing SSH host certificate into
# sorted, indented JSON so it can be compared textually with the desired set.
# Runs only when the inspection produced output (certificate present).
- name: Normalise existing SSH cert principals (cert present)
  when: _cert_existing_ssh_san.stdout | length > 0
  ansible.builtin.set_fact:
    # The `|` block scalar keeps a trailing newline on the rendered JSON.
    # `_cert_san_json` (defined elsewhere) is presumably rendered the same way —
    # confirm, since the later equality test is a plain string comparison.
    _cert_existing_ssh_san_json: |
      {{ _cert_existing_ssh_san.stdout | from_json | sort | to_json(indent=4) }}
# No ACME certificate was found: define the comparison fact as an empty
# string so the equality test below is well-defined and evaluates to false.
- name: Default existing ACME cert SANs (no cert)
  when: _cert_existing_acme_san.stdout | length == 0
  ansible.builtin.set_fact:
    _cert_existing_acme_san_json: ""
# No SSH host certificate was found: define the comparison fact as an empty
# string so the equality test below is well-defined and evaluates to false.
- name: Default existing SSH cert principals (no cert)
  when: _cert_existing_ssh_san.stdout | length == 0
  ansible.builtin.set_fact:
    _cert_existing_ssh_san_json: ""
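# Compare the normalised on-disk SAN/principal lists with the desired set.
# Each fact is a single inline template whose whole rendered value is the
# boolean, so Ansible hands back a real `true`/`false`. The previous `|` block
# scalar appended a newline, leaving a non-empty string ("False\n") that is
# always truthy — `not _cert_*_existing_san_match` in the renewal `when:`
# could therefore never trigger a renewal on SAN drift.
- name: Check whether existing SANs/principals match the desired set
  ansible.builtin.set_fact:
    _cert_acme_existing_san_match: "{{ (_cert_existing_acme_san_json == _cert_san_json) | bool }}"
    _cert_ssh_existing_san_match: "{{ (_cert_existing_ssh_san_json == _cert_san_json) | bool }}"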
# Ask step whether the ACME certificate is due for renewal. Both the stdout
# and stderr of `needs-renewal` are collected on stderr, and the `|| true`
# keeps a non-zero exit from failing the task. The task is "changed" whenever
# the "does not need renewal" message is absent — so any other outcome
# (file missing, step error) also counts as "changed" and leads to a renewal
# attempt in the block below.
- name: Check if ACME cert needs renewal
  become: true
  ansible.builtin.shell: |
    STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} certificate needs-renewal {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ACME_CRT }} > /dev/stderr || true
  register: _cert_acme_needs_renewal
  changed_when: "'certificate does not need renewal' not in _cert_acme_needs_renewal.stderr"
# Ask step whether the SSH host certificate is due for renewal. Both the
# stdout and stderr of `needs-renewal` are collected on stderr, and the
# `|| true` keeps a non-zero exit from failing the task. The task is "changed"
# whenever the "does not need renewal" message is absent — so any other
# outcome (file missing, step error) also counts as "changed" and leads to a
# renewal attempt in the block below.
- name: Check if SSH cert needs renewal
  become: true
  ansible.builtin.shell: |
    STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} ssh needs-renewal {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_HOST_CERT }} > /dev/stderr || true
  register: _cert_ssh_needs_renewal
  changed_when: "'certificate does not need renewal' not in _cert_ssh_needs_renewal.stderr"
# (Re)issue the ACME certificate when either certificate is due for renewal
# or the on-disk SAN/principal set no longer matches the desired one. The SSH
# conditions are deliberately part of this `when:` too — presumably because
# the SSH host certificate is requested below with the ACME cert/key as its
# x5c identity, so an SSH renewal starts from a fresh ACME cert; confirm that
# this coupling is intended.
- name: ACME Cert
  when: >-
    _cert_acme_needs_renewal.changed
    or _cert_ssh_needs_renewal.changed
    or not (_cert_acme_existing_san_match and _cert_ssh_existing_san_match)
  become: true
  block:
    # Requests the certificate via the ACME provisioner. The first SAN is the
    # subject, every SAN is added with `--san`, and `--webroot` is only passed
    # when a webroot path is configured. `--force` overwrites existing files.
    # Jinja block tags below are on their own lines; Ansible's trim_blocks
    # drops the newline after each tag so the `\` continuations stay intact.
    - name: Create ACME cert
      ansible.builtin.shell: |
        STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} ca certificate \
        {{ SSL_CERT_SAN[0] }} \
        {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ACME_CRT }} \
        {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ACME_KEY }} \
        --ca-url {{ STEP_BOOTSTRAP_URL }} \
        --provisioner {{ STEP_CERTS_ACME_CA_PROVISIONER }} \
        {% if STEP_WEBROOT_PATH | length > 0 %}
        --webroot={{ STEP_WEBROOT_PATH }} \
        {% endif %}
        {% for san in SSL_CERT_SAN %}
        --san {{ san }} \
        {% endfor %}
        --force
      register: _create_acme_cert

    # NOTE(review): this loop sets 0644 on the private key as well as on the
    # certificate, which makes the ACME private key world-readable. The SSH
    # task in this file keeps its key at 0600; unless a non-root consumer has
    # to read this key (then prefer 0640 with a dedicated group), the key
    # should be owner-only.
    - name: adjust cert permissions
      ansible.builtin.file:
        path: "{{ item }}"
        mode: "0644"
      loop:
        - "{{ STEP_CERTS_PATH ~ STEP_CERTS_ACME_KEY }}"
        - "{{ STEP_CERTS_PATH ~ STEP_CERTS_ACME_CRT }}"
# (Re)issue the SSH host certificate when it is due for renewal or its
# principal set no longer matches the desired one.
- name: SSH cert
  when: _cert_ssh_needs_renewal.changed or not _cert_ssh_existing_san_match
  become: true
  block:
    # Requests a host certificate (`--host`) for the first SAN, adding every
    # SAN as a principal. The freshly issued ACME cert/key are presented as
    # the x5c identity to the CA. `--no-password` (which requires
    # `--insecure`) writes an unencrypted key, which sshd needs to be able to
    # load it. `--force` overwrites existing files.
    - name: Create SSH cert
      ansible.builtin.shell: |
        STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} ssh certificate \
        {{ SSL_CERT_SAN[0] }} \
        {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_PRIVATE_KEY }} \
        --ca-url {{ STEP_BOOTSTRAP_URL }} \
        --insecure \
        --no-password \
        --host \
        --x5c-cert {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ACME_CRT }} \
        --x5c-key {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ACME_KEY }} \
        {% for san in SSL_CERT_SAN %}
        --principal {{ san }} \
        {% endfor %}
        --force

    # Owner-only access for the host private key (and the certificate).
    - name: ensure SSH cert permissions
      ansible.builtin.file:
        path: "{{ item }}"
        mode: "0600"
      loop:
        - "{{ STEP_CERTS_PATH ~ STEP_CERTS_SSH_PRIVATE_KEY }}"
        - "{{ STEP_CERTS_PATH ~ STEP_CERTS_SSH_HOST_CERT }}"

    # Writes the CA's user-certificate roots to the file that sshd_config
    # references as TrustedUserCAKeys. The file is rewritten on every run of
    # this block; `changed_when: false` hides that from the play summary.
    - name: generate ssh roots for validating user certs
      ansible.builtin.shell: |
        STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} ssh config --roots > {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_TRUSTED_USER_CA_KEYS }}
      changed_when: false
# Point sshd at the step-issued host key/certificate and the user CA roots.
# The block is kept between the markers so re-runs update it in place; a
# backup of the previous file is taken, and `sshd -T -f` validates the
# candidate file before it replaces /etc/ssh/sshd_config, so a broken
# configuration is rejected rather than written.
# `Match all` is presumably there so the appended lines are not absorbed into
# a preceding `Match` block. NOTE(review): in the OpenSSH releases I know,
# HostKey and HostCertificate are global-only directives that `sshd -T`
# rejects inside any Match block (including `Match all`) — confirm the
# validate step passes on the target's sshd; if it does not, these two
# directives need to be placed outside the `Match` scope.
- name: Step SSH Config
  become: true
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    backup: true
    validate: "{{ SSHD_BIN_ABSOLUTE_PATH }} -T -f %s"
    marker: "# {mark} Step SSH Configuration https://ca.auengun.net (ANSIBLE MANAGED) -->"
    block: |
      Match all
      TrustedUserCAKeys {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_TRUSTED_USER_CA_KEYS }}
      HostKey {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_PRIVATE_KEY }}
      HostCertificate {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_HOST_CERT }}
  # Only a change to the managed block triggers the restart handler.
  notify:
    - "Restart ssh"