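---
# Installs the Thales (nfast) HSM client under /opt/nfast, loads the security
# world data, enrolls this host with the HSM and syncs keys from the RFS server.
#
# Variables read by these tasks:
#   thales_client_working_dir, thales_client_gid, thales_client_uid,
#   thales_client_tarball_location, thales_client_tarball_name,
#   thales_client_path, thales_km_data_location, thales_km_data_tarball_name,
#   thales_hsm_ip_address, thales_rfs_server_ip_address
# New optional variables (omitted when undefined, so existing inventories
# keep working):
#   thales_client_tarball_checksum, thales_km_data_checksum
#     - "<algorithm>:<digest>" strings passed to get_url's `checksum`.

- name: Create working directory
  file:
    path: "{{ thales_client_working_dir }}"
    state: directory
    # Quoted so the mode is not subject to YAML integer/octal typing.
    mode: "0755"

- name: create thales group
  group:
    name: nfast
    gid: "{{ thales_client_gid }}"

- name: create thales user
  user:
    name: nfast
    uid: "{{ thales_client_uid }}"
    group: "{{ thales_client_gid }}"
    create_home: true
    home: /opt/nfast

- name: set selinux bool to allow barbican containers to access /opt/nfast
  seboolean:
    name: os_barbican_write_pki
    state: true
    persistent: true
  when: ansible_os_family | lower == 'redhat'

# The contents of this tarball are later unpacked at / and its installer is
# run by this play, so the download is effectively trusted code. Set
# thales_client_tarball_checksum to pin the expected digest.
- name: Download Thales client tarball
  get_url:
    url: "{{ thales_client_tarball_location }}"
    dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
    checksum: "{{ thales_client_tarball_checksum | default(omit) }}"
    force: false

- name: Unpack tarball to working directory
  unarchive:
    src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
    dest: "{{ thales_client_working_dir }}"
    creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
    remote_src: true

# The inner archives are extracted relative to /. The glob is quoted so the
# shell hands it to find unexpanded, paths are read line by line so spaces do
# not split them, and `set -e` makes a failed extraction fail the task instead
# of being masked by a later successful one.
- name: Unpack tarball to /opt/nfast
  shell: |
    set -e
    find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name '*.tar' |
    while IFS= read -r archive; do
      tar -C / -xvf "$archive"
    done
  args:
    creates: /opt/nfast/sbin/install

- name: check for libnsl dependency
  stat:
    path: /lib64/libnsl.so.1
  register: st

- name: ensure libnsl dependency is installed
  package:
    name: libnsl
    state: present
  when: not st.stat.exists

# The installer prompts on stdin; "1" is piped in as the answer.
- name: run installer  # noqa 306
  shell: echo "1" | /opt/nfast/sbin/install
  args:
    creates: /opt/nfast/kmdata

# Security world data replaces /opt/nfast/kmdata below. Set
# thales_km_data_checksum to pin the expected digest; the local copy is kept
# readable by its owner only.
- name: Get the security world data
  get_url:
    url: "{{ thales_km_data_location }}"
    dest: "/root/{{ thales_km_data_tarball_name }}"
    checksum: "{{ thales_km_data_checksum | default(omit) }}"
    mode: "0600"
    force: false

- name: remove the old km_data
  file:
    path: /opt/nfast/kmdata
    state: absent

- name: replace kmdata
  unarchive:
    src: "/root/{{ thales_km_data_tarball_name }}"
    dest: /opt/nfast
    remote_src: true

# NOTE(review): the value registered here is whatever the address in
# thales_hsm_ip_address answers with, and it is fed unchanged into the
# enrollment task below. Nothing in this play compares it with a value
# obtained out of band (for example from the HSM itself) - confirm that
# check happens elsewhere before relying on the enrollment.
- name: run anonkneti to get hash
  command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
  register: anonkneti

- name: output of anonkneti
  debug:
    var: anonkneti.stdout_lines

# NOTE(review): this setting overrides one of the client's PKCS#11 security
# assurance checks; confirm it is required by the consumer. force: false keeps
# an existing cknfastrc untouched.
- name: create cknfastrc
  copy:
    dest: /opt/nfast/cknfastrc
    content: |
      CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
    force: false

- name: create snmp.conf
  copy:
    dest: /opt/nfast/etc/snmp/snmp.conf
    content: |
      defaultPort 21161
    force: true

# Uses the first line of the anonkneti output as the remaining enrollment
# arguments; see the review note on the anonkneti task above.
- name: enroll client to HSM
  command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}

- name: set selinux contexts for /opt/nfast
  command: restorecon -R /opt/nfast

- name: restart hardserver
  command: /opt/nfast/sbin/init.d-ncipher restart

- name: do an enquiry to confirm connection
  command: /opt/nfast/bin/enquiry
  register: enquiry

- name: enquiry result
  debug:
    var: enquiry

# NOTE(review): --no-authenticate presumably configures the sync without
# authenticating to the RFS server - confirm this is intended for the
# deployment, since the next task pulls key data from that server.
- name: set up rfs_sync
  command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}

- name: get keys from rfs server
  command: /opt/nfast/bin/rfs-sync --update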