124 lines
3.1 KiB
YAML
124 lines
3.1 KiB
YAML
---
|
|
- name: Create working directory
|
|
file:
|
|
path: "{{ thales_client_working_dir }}"
|
|
state: directory
|
|
mode: 0755
|
|
|
|
- name: create thales group
|
|
group:
|
|
name: nfast
|
|
gid: "{{ thales_client_gid }}"
|
|
|
|
- name: create thales user
|
|
user:
|
|
name: nfast
|
|
uid: "{{ thales_client_uid }}"
|
|
group: "{{ thales_client_gid }}"
|
|
create_home: true
|
|
home: /opt/nfast
|
|
|
|
- name: set selinux bool to allow barbican containers to access /opt/nfast
|
|
seboolean:
|
|
name: os_barbican_write_pki
|
|
state: yes
|
|
persistent: yes
|
|
when: ansible_os_family | lower == 'redhat'
|
|
|
|
- name: Download Thales client tarball
|
|
get_url:
|
|
url: "{{ thales_client_tarball_location }}"
|
|
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
|
force: no
|
|
|
|
- name: Unpack tarball to working directory
|
|
unarchive:
|
|
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
|
dest: "{{ thales_client_working_dir }}"
|
|
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
|
|
remote_src: yes
|
|
|
|
- name: Unpack tarball to /opt/nfast
|
|
shell: |
|
|
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
|
|
tar -C / -xvf $i ;
|
|
done
|
|
args:
|
|
creates: /opt/nfast/sbin/install
|
|
|
|
- name: check for libnsl dependency
|
|
stat:
|
|
path: /lib64/libnsl.so.1
|
|
register: st
|
|
|
|
- name: ensure libnsl dependency is installed
|
|
package:
|
|
name: libnsl
|
|
state: present
|
|
when: not st.stat.exists
|
|
|
|
- name: run installer # noqa 306
|
|
shell: echo "1" | /opt/nfast/sbin/install
|
|
args:
|
|
creates: /opt/nfast/kmdata
|
|
|
|
- name: Get the security world data
|
|
get_url:
|
|
url: "{{ thales_km_data_location }}"
|
|
dest: "/root/{{ thales_km_data_tarball_name }}"
|
|
force: no
|
|
|
|
- name: remove the old km_data
|
|
file:
|
|
path: /opt/nfast/kmdata
|
|
state: absent
|
|
|
|
- name: replace kmdata
|
|
unarchive:
|
|
src: "/root/{{ thales_km_data_tarball_name }}"
|
|
dest: /opt/nfast
|
|
remote_src: yes
|
|
|
|
- name: run anonkneti to get hash
|
|
command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
|
|
register: anonkneti
|
|
|
|
- name: output of anonkneti
|
|
debug: var=anonkneti.stdout_lines
|
|
|
|
- name: create cknfastrc
|
|
copy:
|
|
dest: /opt/nfast/cknfastrc
|
|
content: |
|
|
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
|
|
force: no
|
|
|
|
- name: create snmp.conf
|
|
copy:
|
|
dest: /opt/nfast/etc/snmp/snmp.conf
|
|
content: |
|
|
defaultPort 21161
|
|
force: yes
|
|
|
|
- name: enroll client to HSM
|
|
command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}
|
|
|
|
- name: set selinux contexts for /opt/nfast
|
|
command: restorecon -R /opt/nfast
|
|
|
|
- name: restart hardserver
|
|
command: /opt/nfast/sbin/init.d-ncipher restart
|
|
|
|
- name: do an enquiry to confirm connection
|
|
command: /opt/nfast/bin/enquiry
|
|
register: enquiry
|
|
|
|
- name: enquiry result
|
|
debug: var=enquiry
|
|
|
|
- name: set up rfs_sync
|
|
command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
|
|
|
|
- name: get keys from rfs server
|
|
command: /opt/nfast/bin/rfs-sync --update
|