Project author: jtyr

Project description:
Ansible role which helps to add/remove system CA certificates.
Language:
Project URL: git://github.com/jtyr/ansible-system_ca.git
Created: 2018-08-31T20:13:53Z
Project community: https://github.com/jtyr/ansible-system_ca

License: MIT License



system_ca

Ansible role which helps to add/remove system CA certificates.

The role is configured in such a way that it should not be necessary to
change the role itself for any kind of configuration. Everything can be done
either by changing role parameters or by declaring a completely new
configuration as a variable. That makes this role absolutely universal. See the
examples below for more details.

Please report any issues or send a PR.

Examples

    ---

    - name: Deploy CA certs
      hosts: all
      become: yes
      vars:
        # List of CAs
        system_ca_certs:
          # Creates CA called 'thawte_Primary_Root_CA.crt'
          - name: thawte_Primary_Root_CA
            # The content of the CA specified as text
            content: |
              -----BEGIN CERTIFICATE-----
              MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
              qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
              Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
              MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
              BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
              NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
              LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
              A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
              IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
              SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
              W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
              3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
              6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
              Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
              NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
              MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
              r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
              DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
              YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
              xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
              /qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
              LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
              jVaMaA==
              -----END CERTIFICATE-----
          # Creates CA called 'InternalRootCA.crt'
          - name: InternalRootCA
            # Optionally specify file permissions
            owner: sys
            group: nobody
            mode: "0640"
            # The content of the CA loaded from a file
            content: "{{ lookup('file', 'InternalRootCA.crt') }}"
          # Blacklist CA called 'CompanyRootCA.crt' (works only on RedHat!)
          - name: CompanyRootCA
            # Places the cert into /etc/pki/ca-trust/source/blacklist instead of /etc/pki/ca-trust/source/anchors
            subdir: blacklist
            content: "{{ lookup('file', 'CompanyRootCA.crt') }}"
          # Removes CA named 'test.crt'
          - name: test
            state: absent
      roles:
        - system_ca
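
Anything placed in the anchors directory becomes a trusted root for the whole host, so it is worth checking each certificate before the role installs it. The playbook below is an added example, not part of the role or its README: `ca_pins` is a hypothetical variable, its fingerprint value is a placeholder to be replaced with one obtained out of band, and the `community.crypto` collection (with the Python `cryptography` library) is assumed to be available on the controller.

```yaml
---

- name: Deploy CA certs after verifying them
  hosts: all
  become: yes
  vars:
    # Hypothetical variable: expected SHA-256 fingerprint per CA name, in the
    # colon-separated hex form reported by x509_certificate_info (placeholder)
    ca_pins:
      InternalRootCA: "<SHA256-FINGERPRINT-OF-InternalRootCA>"
    system_ca_certs:
      - name: InternalRootCA
        content: "{{ lookup('file', 'InternalRootCA.crt') }}"
  pre_tasks:
    # pre_tasks run before the roles section, so a failure here stops the
    # play before system_ca touches the trust store
    - name: Parse every certificate that is about to be installed
      community.crypto.x509_certificate_info:
        content: "{{ item.content }}"
      loop: "{{ system_ca_certs | selectattr('content', 'defined') | list }}"
      loop_control:
        label: "{{ item.name }}"
      delegate_to: localhost
      become: no
      run_once: yes
      register: ca_info

    - name: Refuse anything that is not the pinned, unexpired CA certificate
      ansible.builtin.assert:
        that:
          # Must be a CA certificate, not a leaf
          - "'CA:TRUE' in (item.basic_constraints | default([], true))"
          - "not item.expired"
          # A missing pin compares against '' and therefore fails closed
          - "item.fingerprints.sha256 | lower == ca_pins.get(item.item.name, '') | lower"
          # A file lookup must never drag key material into the trust store
          - "'PRIVATE KEY' not in item.item.content"
        fail_msg: "{{ item.item.name }} failed the CA sanity checks"
      loop: "{{ ca_info.results }}"
      loop_control:
        label: "{{ item.item.name }}"
      run_once: yes
  roles:
    - system_ca
```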

Role variables

Variables used by the role:

    # Base dir for RedHat CAs
    system_ca_redhat_dest_base: /etc/pki/ca-trust/source
    # Subdirectory in the /etc/pki/ca-trust/source
    # (set it to empty string to place files in /etc/pki/ca-trust/source)
    system_ca_redhat_dest_subdir: anchors
    # Base dir for Debian/Ubuntu CAs
    system_ca_debian_dest_base: /usr/local/share/ca-certificates
    # Default cert owner
    system_ca_owner: root
    # Default cert group
    system_ca_group: root
    # Default cert mode
    system_ca_mode: "0644"
    # Update command for RedHat
    system_ca_redhat_update_cmd: update-ca-trust extract
    # Update command for Debian/Ubuntu
    system_ca_debian_update_cmd: update-ca-certificates
    # List of certificates (see README for more details)
    system_ca_certs: []

License

MIT

Author

Jiri Tyr