This implements bare minimal functionality for the HTTPD role. It needs to be extended according to specific use-cases with follow-up patches.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/938571
Change-Id: I7c0dd550c82cc11d2edba724b3f3030a41c0d354
---
|
|
# Copyright 2024, Cleura AB
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
_httpd_vhosts_with_ssl: "{{ httpd_vhosts | selectattr('ssl', 'defined') | selectattr('ssl') }}"
|
|
|
|
_httpd_pki_generate_certificates_vhosts: |-
|
|
{% set certs_to_generate = [] %}
|
|
{% for vhost in _httpd_vhosts_with_ssl %}
|
|
{% if not ('cert' in vhost['ssl'] and 'key' in vhost['ssl']) %}
|
|
{% set _ = certs_to_generate.append({
|
|
'name': ['httpd', inventory_hostname, vhost['name']] | join('_'),
|
|
'provider': 'ownca',
|
|
'cn': inventory_hostname,
|
|
'san': vhost['ssl']['san'] | default(httpd_pki_default_san),
|
|
'signed_by': httpd_pki_intermediate_cert_name,
|
|
})
|
|
%}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{{ certs_to_generate }}
|
|
|
|
_httpd_pki_install_certificates_vhosts: |-
|
|
{% set certs_to_install = [] %}
|
|
{% for vhost in _httpd_vhosts_with_ssl %}
|
|
{% set cert_name = ['httpd', inventory_hostname, vhost['name']] | join('_') %}
|
|
{% if not ('cert' in vhost['ssl'] and 'key' in vhost['ssl']) %}
|
|
{% set _ = vhost['ssl'].update({
|
|
'cert': httpd_pki_certs_path ~ cert_name ~ '-chain.crt',
|
|
'key': httpd_pki_keys_path ~ cert_name ~ '.key.pem'
|
|
})
|
|
%}
|
|
{% endif %}
|
|
{% set _ = certs_to_install.append({
|
|
'src': vhost['ssl']['cert'],
|
|
'dest': httpd_ssl_certs_dir ~ cert_name ~ '.pem',
|
|
'owner': httpd_service_user_name,
|
|
'group': httpd_service_group_name,
|
|
'mode': '0640'
|
|
})
|
|
%}
|
|
{% set _ = certs_to_install.append({
|
|
'src': vhost['ssl']['key'],
|
|
'dest': httpd_ssl_keys_dir ~ cert_name ~ '.key',
|
|
'owner': httpd_service_user_name,
|
|
'group': httpd_service_group_name,
|
|
'mode': '0600'
|
|
})
|
|
%}
|
|
{% set _ = certs_to_install.append({
|
|
'src': vhost['ssl'].get('ca'),
|
|
'dest': httpd_ssl_certs_dir ~ cert_name ~ '-ca.pem',
|
|
'owner': httpd_service_user_name,
|
|
'group': httpd_service_group_name,
|
|
'mode': '0644',
|
|
'condition': 'ca' in vhost['ssl']
|
|
})
|
|
%}
|
|
{% endfor %}
|
|
{{ certs_to_install }}
|
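Review bot: The private-key entry in `_httpd_pki_install_certificates_vhosts` (the item with `'dest': httpd_ssl_keys_dir ~ cert_name ~ '.key'`) installs the key owned by `httpd_service_user_name` with mode `'0600'`, so anything running as that service account can read it; if the daemon loads its key while still running as root, as most httpd implementations do, the key should be `'owner': 'root'` and `'group': 'root'` so that a compromised worker cannot exfiltrate it, while the certificate entries can keep the service user/group. The same template joins `httpd_ssl_certs_dir`, `httpd_ssl_keys_dir`, `httpd_pki_certs_path` and `httpd_pki_keys_path` to `cert_name` with a bare `~`, so those variables only work if they end in a trailing slash — their defaults are not in this file, so either document that requirement next to each variable or build the paths with `~ '/' ~`. `cert_name` also embeds the operator-supplied `vhost['name']` unchanged into every destination path; a name containing `/` or `..` would place files outside the intended directories, so consider normalizing it, e.g. `vhost['name'] | regex_replace('[^A-Za-z0-9_.-]', '_')`, applied identically in `_httpd_pki_generate_certificates_vhosts` and `_httpd_pki_install_certificates_vhosts` so the two templates keep producing the same name. Finally, `vhost['ssl'].update({...})` mutates the vhost dict in place from inside a template; a short comment such as `# Side effect: fills in cert/key paths for vhosts whose certificate is generated by this role` would make that dependency between the two templates explicit.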