path: root/roles/getcert_request
author: Stonewall Jackson <stonewall@sacredheartsc.com> 2023-02-13 20:05:25 -0500
committer: Stonewall Jackson <stonewall@sacredheartsc.com> 2023-02-13 20:05:52 -0500
commit: 8c2dccad6652a535a6c549a2c4133afd9eb251ed (patch)
tree: 6760ba328fe606693601f9c1c51bfd7b010a974b /roles/getcert_request
parent: 3e94667b6b73c588ea8503138b5e201b45686978 (diff)
add docs
Diffstat (limited to 'roles/getcert_request')
-rw-r--r-- roles/getcert_request/README.md | 48
1 files changed, 48 insertions, 0 deletions
diff --git a/roles/getcert_request/README.md b/roles/getcert_request/README.md
new file mode 100644
index 0000000..024527a
--- /dev/null
+++ b/roles/getcert_request/README.md
@@ -0,0 +1,48 @@
+getcert-request
+===============
+
+Description
+-----------
+
+The `getcert_request` role retrieves a TLS certificate from FreeIPA via the
+`getcert` command. It uses [Certmonger](https://www.freeipa.org/page/Certmonger)
+to track certificate renewals.
+
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+-------------------------|-------------------------------------|------------
+`certificate_sans` | `{{ [ansible_fqdn] + cnames }}` | Subject Alternative Names
+`certificate_service` | `HTTP` | FreeIPA service prinicpal to own certificate (will be created)
+`certificate_type` | `rsa` | Either `ecdsa` or `rsa`
+`certificate_size` | 2048 | RSA key size (bits)
+`certificate_path` | &nbsp; | Path of store certificate file
+`certificate_key_path` | &nbsp; | Path of certificate key file
+`certificate_owner` | `root` | Owner of certificate files (or `owner:group`)
+`certificate_mode` | 0400 | File mode of certificate files
+`certificate_hook` | &nbsp; | Command to `exec` after certificate renewal
+`certificate_resubmit` | no | Resubmit the certificate request, even if certificate file already exists
+`certificate_hook_name` | `{{ certificate_path | basename }}` | Filename of generated hook script (you probably don't need to change this)
+
+
+Usage
+-----
+
+Example task:
+
+````yaml
+- name: request internal TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_sans:
+ - wiki1.ipa.example.com
+ - wiki.ipa.example.com
+ certificate_path: /etc/pki/tls/certs/wiki1.crt
+ certificate_key_path: /etc/pki/tls/private/wiki1.key
+ certificate_hook: systemctl reload httpd
+````
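Review bot: The default for `certificate_sans` (`{{ [ansible_fqdn] + cnames }}`) depends on a `cnames` variable that is not listed in the Variables table, so a caller who does not define it will get an undefined-variable error rather than a sensible default; either document `cnames` in the table or change the default to something self-contained such as `{{ [ansible_fqdn] }}`. Two smaller points in the same table: "prinicpal" in the `certificate_service` row should read "principal", and since `certificate_hook_name` says a hook script is generated from `certificate_hook`, the README should state where that script is written and with what owner and mode, because it is executed on every renewal and its location and permissions are part of the role's security posture. It would also help to note that `certificate_size` applies only when `certificate_type` is `rsa`, and which curve is used for `ecdsa`.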