authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/getcert_request
initial commit
Diffstat (limited to 'roles/getcert_request')
-rw-r--r--roles/getcert_request/defaults/main.yml11
-rw-r--r--roles/getcert_request/tasks/main.yml96
-rw-r--r--roles/getcert_request/vars/main.yml1
3 files changed, 108 insertions, 0 deletions
diff --git a/roles/getcert_request/defaults/main.yml b/roles/getcert_request/defaults/main.yml
new file mode 100644
index 0000000..fcac3cc
--- /dev/null
+++ b/roles/getcert_request/defaults/main.yml
@@ -0,0 +1,11 @@
+certificate_sans: '{{ [ansible_fqdn] + cnames }}'
+certificate_type: RSA
+certificate_size: 2048
+
+certificate_owner: root
+certificate_mode: 0400
+certificate_service: HTTP
+
+certificate_hook_name: '{{ certificate_path | basename }}'
+
+certificate_resubmit: no
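Review bot: `certificate_sans` references `cnames` with no default, so a host that does not define `cnames` fails at template time with an undefined-variable error instead of falling back to the FQDN alone; `certificate_sans: '{{ [ansible_fqdn] + (cnames | default([])) }}'` keeps the role usable on its own. `certificate_mode: 0400` and `certificate_resubmit: no` both rely on YAML 1.1 implicit typing: the mode must stay an unquoted integer because the tasks file renders it with `'0%0o' % certificate_mode`, and a user who overrides it with a quoted `"0400"` breaks that format, so a comment such as `# integer (YAML 1.1 octal literal); tasks render it with '0%0o'` is worth adding above it. The boolean is better written `certificate_resubmit: false`, which is the form Ansible's style guidance recommends. The file also lacks the leading `---` that the tasks file has.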
diff --git a/roles/getcert_request/tasks/main.yml b/roles/getcert_request/tasks/main.yml
new file mode 100644
index 0000000..d17515e
--- /dev/null
+++ b/roles/getcert_request/tasks/main.yml
@@ -0,0 +1,96 @@
+# NOTE: certmonger post-command are passed directly to exec().
+# Spaces in filenames, quotes, and other shell meta-characters will break your hook!
+---
+- name: check if certificate is already tracked by certmonger
+ command: ipa-getcert list --certfile {{ certificate_path }}
+ failed_when: False
+ changed_when: False
+ register: certmonger_already_tracking
+
+- name: retrieve certificate via certmonger
+ block:
+ - name: create freeipa hosts
+ ipahost:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ certificate_san }}'
+ state: present
+ loop: '{{ certificate_sans }}'
+ loop_control:
+ loop_var: certificate_san
+
+ - name: create freeipa services
+ ipaservice:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ certificate_service }}/{{ certificate_san }}'
+ host: '{{ omit if certificate_san == ansible_fqdn else [ansible_fqdn] }}'
+ loop: '{{ certificate_sans }}'
+ loop_control:
+ loop_var: certificate_san
+ when: "certificate_service != 'host'"
+
+ - name: prepare post-save hook
+ block:
+ - name: create post-save script
+ copy:
+ content: |
+ #!/bin/bash
+ exec 1> >(logger -s -t $(basename "$0")) 2>&1
+ exec {{ certificate_hook }}
+ dest: '{{ certificate_post_save_script }}'
+ mode: 0555
+ setype: certmonger_unconfined_exec_t
+
+ - name: set certmonger_unconfined_exec_t sefcontext on post-save script
+ sefcontext:
+ target: '{{ certificate_post_save_script }}'
+ state: present
+ setype: certmonger_unconfined_exec_t
+ tags: selinux
+ register: certificate_post_save_script_sefcontext
+
+ - name: apply selinux context to post-save script
+ command: restorecon {{ certificate_post_save_script | quote }}
+ when: certificate_post_save_script_sefcontext.changed
+ tags: selinux
+ when: certificate_hook is defined
+
+ - name: submit certificate request
+ command: >
+ ipa-getcert {{ 'resubmit' if certmonger_already_tracking.rc == 0 else 'request' }}
+ --certfile {{ certificate_path | quote }}
+ {% if certmonger_already_tracking.rc != 0 %}
+ --keyfile {{ certificate_key_path | quote }}
+ --key-type {{ certificate_type | quote }}
+ --key-size {{ certificate_size | quote }}
+ {% endif %}
+ --principal {{ certificate_service ~ '/' ~ ansible_fqdn | quote }}
+ --subject-name CN={{ ansible_fqdn | quote }}
+ {% for san in certificate_sans %}
+ --dns {{ san | quote }}
+ {% endfor %}
+ --cert-owner {{ certificate_owner | quote }}
+ --cert-perms {{ '0%0o' % certificate_mode }}
+ --key-owner {{ certificate_owner | quote }}
+ --key-perms {{ '0%0o' % certificate_mode }}
+ {% if certificate_key_passphrase is defined %}
+ --pin {{ certificate_key_passphrase | quote }}
+ {% endif %}
+ {% if certificate_hook is defined %}
+ --after-command {{ certificate_post_save_script | quote }}
+ {% endif %}
+
+ - name: wait request to complete
+ command: ipa-getcert status --certfile {{ certificate_path | quote }}
+ register: certmonger_status
+ retries: 10
+ delay: 2
+ until: certmonger_status.rc == 0
+ when: certmonger_already_tracking.rc != 0 or certificate_resubmit
+
+- name: enable certmonger daemon
+ systemd:
+ name: certmonger
+ enabled: yes
+ state: started
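Review bot: The `submit certificate request` task interpolates `certificate_key_passphrase` into the `--pin` argument, so whenever a passphrase is set it is echoed into Ansible's task output and any log of the run; add `no_log: true` to that task (the value is still visible in the host's process list for the lifetime of the ipa-getcert call, which is inherent to passing it as an argument). Separately, the first task runs `command: ipa-getcert list --certfile {{ certificate_path }}` without `| quote`, unlike the `status` task on the same path; make it `command: ipa-getcert list --certfile {{ certificate_path | quote }}`. On the `--principal` line a Jinja filter binds tighter than `~`, so only `ansible_fqdn` is quoted; `--principal {{ (certificate_service ~ '/' ~ ansible_fqdn) | quote }}` quotes the whole principal. The rendered page flattens indentation, so the scope of the `when:` lines is inferred from their position rather than visible.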
diff --git a/roles/getcert_request/vars/main.yml b/roles/getcert_request/vars/main.yml
new file mode 100644
index 0000000..5cf6aff
--- /dev/null
+++ b/roles/getcert_request/vars/main.yml
@@ -0,0 +1 @@
+certificate_post_save_script: /etc/pki/tls/certmonger-postsave-{{ certificate_hook_name }}.sh
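Review bot: The value embeds `{{ certificate_hook_name }}` in an unquoted plain scalar; it parses today only because it begins with `/`, and it departs from the quoted-Jinja style used in the defaults file. `certificate_post_save_script: '/etc/pki/tls/certmonger-postsave-{{ certificate_hook_name }}.sh'` keeps the two files consistent and guards against a later edit that moves the expression to the start of the value, where YAML would read `{{` as a flow mapping.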