84 lines
3.0 KiB
YAML
84 lines
3.0 KiB
YAML
---
|
|
- name: Create CNAME dns record
|
|
community.general.ipa_dnsrecord:
|
|
ipa_user: "{{ ansible_user }}"
|
|
ipa_pass: "{{ ansible_password }}"
|
|
zone_name: "{{ ansible_facts['domain'] }}"
|
|
record_name: "{{ rproxy_service_name }}"
|
|
record_type: 'CNAME'
|
|
record_value: "{{ ansible_facts['hostname'] }}"
|
|
state: present
|
|
ignore_errors: true
|
|
|
|
- name: Kinit
|
|
ansible.builtin.shell:
|
|
cmd: "echo '{{ ansible_password }}' | kinit"
|
|
become: false
|
|
become_user: "{{ ansible_user }}"
|
|
|
|
- name: Create fake host for certificate
|
|
ansible.builtin.shell:
|
|
cmd: "ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --force --desc=\"Fake host for SPN\""
|
|
become: false
|
|
become_user: "{{ ansible_user }}"
|
|
ignore_errors: true
|
|
|
|
- name: Create SPN for HTTP
|
|
ansible.builtin.shell:
|
|
cmd: "ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} --skip-host-check --force"
|
|
become: false
|
|
become_user: "{{ ansible_user }}"
|
|
ignore_errors: true
|
|
|
|
- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN"
|
|
ansible.builtin.shell:
|
|
cmd: "ipa service-add-host --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}"
|
|
become: false
|
|
become_user: "{{ ansible_user }}"
|
|
ignore_errors: true
|
|
|
|
- name: Kdestroy
|
|
ansible.builtin.shell:
|
|
cmd: kdestroy
|
|
become: false
|
|
become_user: "{{ ansible_user }}"
|
|
|
|
- name: Get all tracking certificates
|
|
ansible.builtin.shell:
|
|
cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
|
|
register: tracking_list
|
|
|
|
- name: Remove certificates from IPA tracking
|
|
ansible.builtin.shell:
|
|
cmd: "ipa-getcert stop-tracking -i {{ item }}"
|
|
loop: "{{ tracking_list.stdout_lines }}"
|
|
ignore_errors: true
|
|
|
|
- name: Request certificate via ipa-getcert
|
|
ansible.builtin.command: >
|
|
ipa-getcert request
|
|
-f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
|
|
-k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
|
|
-K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
|
|
-N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
|
|
|
|
- name: Wait for certificate to appear
|
|
ansible.builtin.wait_for:
|
|
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
|
|
timeout: 60
|
|
|
|
- name: Change certificate permissions
|
|
ansible.builtin.file:
|
|
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
|
|
mode: "0744"
|
|
|
|
- name: Wait for certificate key to appear
|
|
ansible.builtin.wait_for:
|
|
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
|
|
timeout: 60
|
|
|
|
- name: Change certificate key permissions
|
|
ansible.builtin.file:
|
|
path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
|
|
mode: "0744"
|