ssl_certificates
Ansible Role: SSL Certificates
An Ansible role that installs SSL certificates.
Table of Contents
Requirements
- Ansible 2.4+
Role Variables
This role only needs one variable, although this one looks a bit verbose at
first. The variable is basically a list of certificates. Each certificate
requires a key and a cert, and optionally a chain.
ssl_certificates:
- name: somehosts ssl certificate for blah.example.com
key:
content: '{{ vault_ssl_certificate_key }}'
dest: /path/to/key.pem
cert:
src: path/to/cert.pem
dest: /path/to/cert.pem
chain:
src: path/to/chain
dest: /path/to/chain
- name: somehosts ssl certificate for bippy.example.com
key:
...
Note: It is recommended to put the key in a vault!
Note: Ensure that Ansible can find the src files. group_vars/group and
host_vars/host are not automatically searched. If you want to keep the files
there, use e.g. host_vars/host/example.com.pem.
Note: key, cert and chain also allow to set a custom setype,
default is cert_t.
Note: key also allows a list to give additional read permissions via ACL
entries. This is for services that need access to the key which do not start as
root and then drop privileges.
ssl_certificates:
- name: somehosts ssl certificate for blah.example.com
key:
content: '{{ vault_ssl_certificate_key }}'
dest: /path/to/key.pem
acl_users:
- service-user-a
- service-user-b
cert:
...
Re-Use Destination Variables
You can re-use the destination variables for the configuration variables of other roles, e.g.:
---
ssl_certificates:
- name: somehosts ssl certificate for blah.example.com
...
- name: ...
...
# because ssl_certificates is a list, you need to index with [n]
apache_ssl_cert_key_file: '{{ ssl_certificates[0].key.dest }}'
apache_ssl_cert_file: '{{ ssl_certificates[0].cert.dest }}'
apache_ssl_cert_chain_file: '{{ ssl_certificates[0].chain.dest }}'
# here, the second key is used for postfix
postfix_smtp_tls_key_file: '{{ ssl_certificates[1].key.dest }}'
postfix_smtp_tls_cert_file: '{{ ssl_certificates[1].cert.dest }}'
postfix_smtpd_tls_key_file: '{{ ssl_certificates[1].key.dest }}'
postfix_smtpd_tls_cert_file: '{{ ssl_certificates[1].cert.dest }}'
...
Dependencies
None.
Example Playbook
Add to requirements.yml:
---
- src: idiv-biodiversity.ssl_certificates
...
Download:
$ ansible-galaxy install -r requirements.yml
Top-Level Playbook
Write a top-level playbook:
---
- name: head server
hosts: head
roles:
- role: idiv-biodiversity.ssl_certificates
tags:
- certificates
- ssl-certificates
...
Role Dependency
Define the role dependency in meta/main.yml:
---
dependencies:
- role: idiv-biodiversity.ssl_certificates
tags:
- certificates
- ssl-certificates
...
License
MIT
Author Information
This role was created in 2019 by Christian Krause aka wookietreiber at GitHub and Dirk Sarpe aka dirks at GitHub, both systems administrators at the German Centre for Integrative Biodiversity Research (iDiv), based on a draft by Ben Langenberg aka sloan87 at GitHub.
ansible-galaxy install idiv-biodiversity/ssl-certificates