ssl_certificates

Ansible Role: SSL Certificates

An Ansible role that installs SSL certificates.

Table of Contents

Requirements

  • Ansible 2.4+

Role Variables

This role only needs one variable, although this one looks a bit verbose at first. The variable is basically a list of certificates. Each certificate requires a key and a cert, and optionally a chain.

ssl_certificates:
  - name: somehosts ssl certificate for blah.example.com
    key:
      content: '{{ vault_ssl_certificate_key }}'
      dest: /path/to/key.pem
    cert:
      src: path/to/cert.pem
      dest: /path/to/cert.pem
    chain:
      src: path/to/chain
      dest: /path/to/chain
  - name: somehosts ssl certificate for bippy.example.com
    key:
      ...

Note: It is recommended to put the key in a vault!

Note: Ensure that Ansible can find the src files. group_vars/group and host_vars/host are not automatically searched. If you want to keep the files there, use e.g. host_vars/host/example.com.pem.

Note: key, cert and chain also allow to set a custom setype, default is cert_t.

Note: key also allows a list to give additional read permissions via ACL entries. This is for services that need access to the key which do not start as root and then drop privileges.

ssl_certificates:
  - name: somehosts ssl certificate for blah.example.com
    key:
      content: '{{ vault_ssl_certificate_key }}'
      dest: /path/to/key.pem
      acl_users:
        - service-user-a
        - service-user-b
    cert:
      ...

Re-Use Destination Variables

You can re-use the destination variables for the configuration variables of other roles, e.g.:

---

ssl_certificates:
  - name: somehosts ssl certificate for blah.example.com
    ...
  - name: ...
    ...

# because ssl_certificates is a list, you need to index with [n]

apache_ssl_cert_key_file: '{{ ssl_certificates[0].key.dest }}'
apache_ssl_cert_file: '{{ ssl_certificates[0].cert.dest }}'
apache_ssl_cert_chain_file: '{{ ssl_certificates[0].chain.dest }}'

# here, the second key is used for postfix

postfix_smtp_tls_key_file: '{{ ssl_certificates[1].key.dest }}'
postfix_smtp_tls_cert_file: '{{ ssl_certificates[1].cert.dest }}'

postfix_smtpd_tls_key_file: '{{ ssl_certificates[1].key.dest }}'
postfix_smtpd_tls_cert_file: '{{ ssl_certificates[1].cert.dest }}'

...

Dependencies

None.

Example Playbook

Add to requirements.yml:

---

- src: idiv-biodiversity.ssl_certificates

...

Download:

$ ansible-galaxy install -r requirements.yml

Top-Level Playbook

Write a top-level playbook:

---

- name: head server
  hosts: head

  roles:
    - role: idiv-biodiversity.ssl_certificates
      tags:
        - certificates
        - ssl-certificates

...

Role Dependency

Define the role dependency in meta/main.yml:

---

dependencies:

  - role: idiv-biodiversity.ssl_certificates
    tags:
      - certificates
      - ssl-certificates

...

License

MIT

Author Information

This role was created in 2019 by Christian Krause aka wookietreiber at GitHub and Dirk Sarpe aka dirks at GitHub, both systems administrators at the German Centre for Integrative Biodiversity Research (iDiv), based on a draft by Ben Langenberg aka sloan87 at GitHub.

About

install SSL certificates

Install
ansible-galaxy install idiv-biodiversity/ssl-certificates
GitHub repository
License
mit
Downloads
45981