Initial commit

roles/create_ldap_cert/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+- name: Install ldap directory
+  ansible.builtin.file:
+    path: /etc/pki/ldap.konchin.com
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: Create private key for ldap
+  community.crypto.openssl_privatekey:
+    path: /etc/pki/ldap.konchin.com/cert.key
+
+- name: Create CSR for ldap
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: /etc/pki/ldap.konchin.com/cert.key
+    subject_alt_name:
+      - 'DNS:ldap'
+      - 'DNS:ldaps'
+      - 'DNS:ldap.konchin.com'
+      - 'DNS:ldaps.konchin.com'
+  register: csr
+
+- name: Sign with root ca
+  community.crypto.x509_certificate:
+    path: /etc/pki/ldap.konchin.com/cert.pem
+    csr_content: "{{ csr.csr }}"
+    provider: ownca
+    ownca_path: /etc/pki/konchin.com/rootca.pem
+    ownca_privatekey_path: /etc/pki/konchin.com/rootca.key
+    ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
+    ownca_not_after: +365d  # valid for one year
+    ownca_not_before: "-1d"  # valid since yesterday

roles/create_rootca/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+- name: Install pki directory
+  ansible.builtin.file:
+    path: /etc/pki/
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: Install CA directory
+  ansible.builtin.file:
+    path: /etc/pki/konchin.com/
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: Create private key for root ca
+  community.crypto.openssl_privatekey:
+    path: /etc/pki/konchin.com/rootca.key
+    cipher: auto
+    passphrase: "{{ secret_ca_passphrase }}"
+
+- name: Create CSR for root ca
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: /etc/pki/konchin.com/rootca.key
+    privatekey_passphrase: "{{ secret_ca_passphrase }}"
+    common_name: Konchin.com CA
+    use_common_name_for_san: false
+    basic_constraints:
+      - 'CA:TRUE'
+    basic_constraints_critical: true
+    key_usage:
+      - keyCertSign
+    key_usage_critical: true
+  register: ca_csr
+
+- name: Create cert for root ca
+  community.crypto.x509_certificate:
+    path: /etc/pki/konchin.com/rootca.pem
+    csr_content: "{{ ca_csr.csr }}"
+    privatekey_path: /etc/pki/konchin.com/rootca.key
+    privatekey_passphrase: "{{ secret_ca_passphrase }}"
+    provider: selfsigned

roles/create_www_cert/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Install www directory
+  ansible.builtin.file:
+    path: /etc/pki/www.konchin.com
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: Create private key for www
+  community.crypto.openssl_privatekey:
+    path: /etc/pki/www.konchin.com/cert.key
+
+- name: Create CSR for www
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: /etc/pki/www.konchin.com/cert.key
+    subject_alt_name:
+      - 'DNS:www.konchin.com'
+      - 'DNS:*.konchin.com'
+  register: csr
+
+- name: Sign with root ca
+  community.crypto.x509_certificate:
+    path: /etc/pki/www.konchin.com/cert.pem
+    csr_content: "{{ csr.csr }}"
+    provider: ownca
+    ownca_path: /etc/pki/konchin.com/rootca.pem
+    ownca_privatekey_path: /etc/pki/konchin.com/rootca.key
+    ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
+    ownca_not_after: +365d  # valid for one year
+    ownca_not_before: "-1d"  # valid since yesterday

roles/install_packages/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+  community.general.pacman:
+    upgrade: true

roles/install_packages/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Update package cache
+  community.general.pacman:
+    update_cache: true
+
+- name: Install packages
+  community.general.pacman:
+    pkg:
+      - python-pyopenssl
+  notify: Upgrade packages