idiv-biodiversity.ssl_certificates

Ansible Role: SSL Certificates

This Ansible role installs SSL certificates.

Requirements

  • Ansible version 2.4 or higher

Role Variables

This role requires one main variable, which is a list of certificates. Each certificate must include a key and a cert, with an optional chain.

ssl_certificates:
  - name: SSL certificate for blah.example.com
    key:
      content: '{{ vault_ssl_certificate_key }}'
      dest: /path/to/key.pem
    cert:
      src: path/to/cert.pem
      dest: /path/to/cert.pem
    chain:
      src: path/to/chain
      dest: /path/to/chain
  - name: SSL certificate for bippy.example.com
    key:
      ...

Important Notes:

  • Store the key content in a vault (for example Ansible Vault) rather than as plain text in your variables.
  • Ensure Ansible can find the src files: group_vars/group and host_vars/host are not searched automatically.
  • You can set a custom setype for key, cert, and chain (default is cert_t).
  • The key can also list extra users who need read access to the key but do not run as root:

ssl_certificates:
  - name: SSL certificate for blah.example.com
    key:
      content: '{{ vault_ssl_certificate_key }}'
      dest: /path/to/key.pem
      acl_users:
        - service-user-a
        - service-user-b
    cert:
      ...
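The variable layout above, exercised by an added pre-flight check that is not part of the role: a Python lint that walks an ssl_certificates value and flags what the notes warn about, a key whose content is not a vault_* reference, a missing key or cert, a part with neither or both of src and content, a dest that is relative or reused by another file, and an acl_users that is malformed or lists root. It assumes every part accepts either src or content; the sample data is constructed and the destination paths are placeholders.

```python
import re

# A key's content should be a Jinja reference to a vaulted variable, not a literal PEM.
VAULT_REF = re.compile(r"^\s*\{\{\s*vault_\w+\s*\}\}\s*$")

def lint_certificates(ssl_certificates):
    """Return a list of problems found in an ssl_certificates value; empty means OK."""
    problems, seen_dest = [], {}
    for idx, entry in enumerate(ssl_certificates):
        label = entry.get("name", f"ssl_certificates[{idx}]")
        for part in ("key", "cert", "chain"):
            spec = entry.get(part)
            if spec is None:
                if part != "chain":  # chain is the only optional part
                    problems.append(f"{label}: missing '{part}'")
                continue
            if ("src" in spec) == ("content" in spec):  # neither, or both, is wrong
                problems.append(f"{label}: {part} needs exactly one of 'src' or 'content'")
            dest = spec.get("dest")
            if not isinstance(dest, str) or not dest.startswith("/"):
                problems.append(f"{label}: {part} needs an absolute 'dest' path")
            elif dest in seen_dest:  # two files installed to one path clobber each other
                problems.append(f"{label}: {part} dest {dest} already used by {seen_dest[dest]}")
            else:
                seen_dest[dest] = f"{label} ({part})"
        key = entry.get("key") or {}
        content = key.get("content")
        if isinstance(content, str) and not VAULT_REF.match(content):
            problems.append(f"{label}: key content is not a vault_* reference")
        acl = key.get("acl_users", [])
        if not isinstance(acl, list) or not all(isinstance(u, str) and u for u in acl):
            problems.append(f"{label}: key acl_users must be a list of user names")
        elif "root" in acl:
            problems.append(f"{label}: key acl_users lists root, which can already read the key")
    return problems

# Constructed sample data mirroring the README's variable layout (not from the project).
GOOD = [{"name": "SSL certificate for blah.example.com",
         "key": {"content": "{{ vault_ssl_certificate_key }}", "dest": "/etc/ssl/private/blah.key.pem",
                 "acl_users": ["service-user-a", "service-user-b"]},
         "cert": {"src": "files/blah.cert.pem", "dest": "/etc/ssl/certs/blah.cert.pem"},
         "chain": {"src": "files/blah.chain.pem", "dest": "/etc/ssl/certs/blah.chain.pem"}}]
BAD = [{"name": "SSL certificate for bippy.example.com",
        "key": {"content": "-----BEGIN PRIVATE KEY-----\nMIIE...", "dest": "/etc/ssl/private/bippy.key.pem",
                "acl_users": ["root"]},
        "cert": {"src": "files/bippy.cert.pem", "content": "x", "dest": "/etc/ssl/private/bippy.key.pem"}}]

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_certificates(data) or "OK")
```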

Re-Use Destination Variables

You can reuse the destination variables for other roles' configurations. For example:

ssl_certificates:
  - name: SSL certificate for blah.example.com
    ...
  - name: ...
    ...

apache_ssl_cert_key_file: '{{ ssl_certificates[0].key.dest }}'
apache_ssl_cert_file: '{{ ssl_certificates[0].cert.dest }}'
apache_ssl_cert_chain_file: '{{ ssl_certificates[0].chain.dest }}'

postfix_smtp_tls_key_file: '{{ ssl_certificates[1].key.dest }}'
postfix_smtp_tls_cert_file: '{{ ssl_certificates[1].cert.dest }}'

postfix_smtpd_tls_key_file: '{{ ssl_certificates[1].key.dest }}'
postfix_smtpd_tls_cert_file: '{{ ssl_certificates[1].cert.dest }}'

Dependencies

None.

Example Playbook

Add to your requirements.yml:

- src: idiv-biodiversity.ssl_certificates

To download, use the following command:

$ ansible-galaxy install -r requirements.yml

Top-Level Playbook

Write a top-level playbook like this:

- name: Head server
  hosts: head

  roles:
    - role: idiv-biodiversity.ssl_certificates
      tags:
        - certificates
        - ssl-certificates

Role Dependency

List the role dependency in meta/main.yml:

dependencies:
  - role: idiv-biodiversity.ssl_certificates
    tags:
      - certificates
      - ssl-certificates

License

MIT

Author Information

This role was created in 2019 by Christian Krause and Dirk Sarpe, who are systems administrators at the German Centre for Integrative Biodiversity Research (iDiv). It was based on a draft by Ben Langenberg.
