honzamach.certified

Role certified

Overview

The main job of this role is to manage server certificates. It does the following:

  • Manages a custom server certificate repository and handles certificate updates.
  • Manages a default Certificate Authority (CA) certificate repository.
  • Manages a default CA certificate key repository.
  • Manages a repository of trusted CA certificates.

This role is part of the MSMS package. You can find common features in its manual.

Installation

To install the honzamach.certified role from Ansible Galaxy, use the following command:

ansible-galaxy install honzamach.certified

To install the role directly from GitHub by cloning the repository, use this command:

git clone https://github.com/honzamach/ansible-role-certified.git honzamach.certified

Using Git cloning can be helpful because it allows you to easily update the role when a new version is released.

Dependencies

This role doesn't depend on any other roles.

However, the following roles depend on this role:

Usage

Here's an example of an inventory file named inventory:

[servers]
your-server

[servers_certified]
your-server

An example of a role playbook file named role_playbook.yml:

- hosts: servers_certified
  remote_user: root
  roles:
    - role: honzamach.certified
  tags:
    - role-certified

To run everything, you can use:

ansible-playbook --ask-vault-pass --inventory inventory role_playbook.yml

Configuration Tips

  1. Create or edit the file inventory/group_vars/all/vars.yml to set up some default values for all your servers:

    # This is required for the soft dependency feature to work.
    hm_certified__cert_host_dir: /etc/ssl/servercert
    hm_certified__cert_ca_dir: /etc/ssl/certs
    hm_certified__cert_key_dir: /etc/ssl/private
    hm_certified__trustedcert_ca_dir: /etc/ssl/trusted_ca
    
  2. Use inventory/host_vars/[your-server]/vars.yml to customize settings for individual servers. Check the variables section for available options.

  3. Place additional certificate authority certificates in the inventory/group_files/servers/honzamach.certified/ca_certs directory. These will be uploaded to all servers.

  4. Store server-specific certificates in inventory/host_files/[your-server]/honzamach.certified/host_certs. Remember to encrypt sensitive keys using Ansible Vault.

Variables

Internal Role Variables

  • hm_certified__cert_host_dir

    • Path to the directory for the server certificate. This must be globally defined for the soft dependency feature to work.
    • Default: /etc/ssl/servercert
  • hm_certified__cert_ca_dir

    • Path to the CA certificate repository.
    • Default: /etc/ssl/certs
  • hm_certified__cert_key_dir

    • Path to the private certificate key repository.
    • Default: /etc/ssl/private
  • hm_certified__trustedcert_ca_dir

    • Path to the trusted CA certificate repository. This can include any certificates your organization trusts, even self-signed ones.
    • Default: /etc/ssl/trusted_ca

Managed Files

This role uploads certificates to remote directories based on the configuration variables defined above. The default directories are:

  • /etc/ssl/servercert [COPY]
  • /etc/ssl/certs [COPY]
  • /etc/ssl/trusted_ca [COPY]
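Once the role has placed the files, a practitioner usually wants to confirm two things that the README's Configuration Tips (step 4, vault-encrypted keys) and the list above imply but do not check: that every private key landed in the key repository root-owned and unreadable by others, and that every server or trusted-CA certificate still parses and is not about to expire. The following audit playbook is an added example, not part of the honzamach.certified role; it assumes the default directory values from the Variables section, uses only the ansible.builtin modules and the openssl CLI, and the file patterns, the 0600/0400 requirement and the 30-day expiry window are this example's own choices.

```yaml
# Added example (not the role's own code): audit of the directories the
# honzamach.certified role manages. Run it after role_playbook.yml on the
# same hosts. Directory variables are the README defaults; the key-mode
# rule and the 30-day expiry window are assumptions made for this example.
- hosts: servers_certified
  remote_user: root
  vars:
    hm_certified__cert_host_dir: /etc/ssl/servercert
    hm_certified__cert_key_dir: /etc/ssl/private
    hm_certified__trustedcert_ca_dir: /etc/ssl/trusted_ca
    audit_expiry_seconds: "{{ 30 * 24 * 3600 }}"   # warn 30 days before notAfter
  tasks:
    - name: Find private keys in the key repository
      ansible.builtin.find:
        paths: "{{ hm_certified__cert_key_dir }}"
        patterns: "*.key,*.pem"            # assumed naming; adjust to your files
      register: key_files

    - name: Fail if any private key is group- or world-readable or not root-owned
      ansible.builtin.assert:
        that:
          - item.mode in ['0600', '0400']
          - item.uid == 0
        fail_msg: "{{ item.path }}: mode {{ item.mode }}, uid {{ item.uid }}; expected root-owned 0600 or 0400"
        quiet: true
      loop: "{{ key_files.files }}"
      loop_control:
        label: "{{ item.path }}"

    - name: Find server certificates and trusted CA certificates
      ansible.builtin.find:
        paths:
          - "{{ hm_certified__cert_host_dir }}"
          - "{{ hm_certified__trustedcert_ca_dir }}"
        patterns: "*.pem,*.crt"
      register: cert_files

    - name: Check that each certificate parses and is not expiring inside the window
      ansible.builtin.command:
        argv:
          - openssl
          - x509
          - -noout
          - -checkend
          - "{{ audit_expiry_seconds }}"
          - -in
          - "{{ item.path }}"
      loop: "{{ cert_files.files }}"
      loop_control:
        label: "{{ item.path }}"
      register: cert_check
      changed_when: false
      failed_when: false     # collect every result first, report below

    - name: Report certificates that failed to parse or expire within the window
      ansible.builtin.debug:
        msg: "{{ item.item.path }}: {{ item.stdout | default('') }} {{ item.stderr | default('') }}"
      loop: "{{ cert_check.results }}"
      loop_control:
        label: "{{ item.item.path }}"
      when: item.rc != 0
```

The key check is a hard failure because a readable private key is a compromise of the server identity regardless of what else is correct; the expiry check only reports, so one soon-to-expire trusted CA certificate does not abort the run for every host. /etc/ssl/certs is deliberately left out of the certificate scan because on most distributions it also holds the system CA bundle, which this role does not own.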

Author and License

Project information

Ansible role for managing certificates on all target servers.

Install
ansible-galaxy install honzamach.certified
License
mit
Downloads
122
Owner