ansible-role-thales-hsm/tasks/main.yaml


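---
# Installs the Thales/nCipher (nfast) client from a vendor tarball, restores
# the security-world data, enrolls this host against the HSM and sets up
# rfs-sync. Everything runs as root: the vendor archives are extracted
# directly under / and /opt/nfast.

- name: Create working directory
  file:
    path: "{{ thales_client_working_dir }}"
    state: directory
    # Quoted: a bare 0755 is read as the decimal integer 493 by YAML 1.1 loaders.
    mode: "0755"

- name: create thales group
  group:
    name: nfast
    gid: "{{ thales_client_gid }}"

- name: create thales user
  user:
    name: nfast
    uid: "{{ thales_client_uid }}"
    group: "{{ thales_client_gid }}"
    create_home: true
    home: /opt/nfast

# NOTE(review): the tarball is downloaded without any integrity check and is
# later extracted as root into /. get_url's `checksum:` parameter (for example
# `sha256:<PUBLISHED_DIGEST_PLACEHOLDER>`) pins the expected content — confirm
# a vendor digest is available and add it here.
- name: Download Thales client tarball
  get_url:
    url: "{{ thales_client_tarball_location }}"
    dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
    force: false

- name: Unpack tarball to working directory
  unarchive:
    src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
    dest: "{{ thales_client_working_dir }}"
    creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
    remote_src: true

# The unpacked vendor tree holds inner .tar archives laid out relative to /,
# so each one is extracted with -C /. The glob is quoted so the shell does
# not expand *.tar against the current directory before find sees it, and
# "$archive" is quoted so paths containing spaces are not split by tar's
# argument parsing; set -e stops the loop on the first failed extraction.
- name: Unpack tarball to /opt/nfast
  shell: |
    set -e
    for archive in $(find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name '*.tar'); do
      tar -C / -xvf "$archive"
    done
  args:
    creates: /opt/nfast/sbin/install

# Feeds "1" to the installer on stdin — presumably answering its single
# interactive prompt; NOTE(review): confirm against the installer's menu.
- name: run installer
  shell: echo "1" | /opt/nfast/sbin/install
  args:
    creates: /opt/nfast/kmdata

- name: Get the security world data
  get_url:
    url: "{{ thales_km_data_location }}"
    dest: "/root/{{ thales_km_data_tarball_name }}"
    force: false

- name: remove the old km_data
  file:
    path: /opt/nfast/kmdata
    state: absent

- name: replace kmdata
  unarchive:
    src: "/root/{{ thales_km_data_tarball_name }}"
    dest: /opt/nfast
    remote_src: true

# anonkneti only queries the HSM for its identity, so it is reported as
# unchanged rather than marking every run as changed.
- name: run anonkneti to get hash
  command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
  register: anonkneti
  changed_when: false

- name: output of anonkneti
  debug:
    var: anonkneti.stdout_lines

- name: create cknfastrc
  copy:
    dest: /opt/nfast/cknfastrc
    # Relaxes one of the PKCS#11 security-assurance checks;
    # NOTE(review): confirm the consuming application actually needs this override.
    content: |
      CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
    force: false

- name: create snmp.conf
  copy:
    dest: /opt/nfast/etc/snmp/snmp.conf
    content: |
      defaultPort 21161
    force: true

# The first anonkneti output line is deliberately left unquoted: the command
# module word-splits it, so if the line carries several whitespace-separated
# fields each becomes its own argument. --force overwrites an existing
# enrollment, so this task is not idempotent and re-enrolls on every run.
- name: enroll client to HSM
  command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}

- name: set selinux contexts for /opt/nfast
  command: restorecon -R /opt/nfast

- name: restart hardserver
  command: /opt/nfast/sbin/init.d-ncipher restart

# enquiry is read-only; registered so the result can be shown below.
- name: do an enquiry to confirm connection
  command: /opt/nfast/bin/enquiry
  register: enquiry
  changed_when: false

- name: enquiry result
  debug:
    var: enquiry

# --no-authenticate sets up the sync without authenticating the RFS, so the
# trust in the synced data rests on the network path;
# NOTE(review): confirm this is intended for the network this role runs on.
- name: set up rfs_sync
  command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}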