diff --git a/files/.gitignore b/files/.gitignore
new file mode 100644
index 0000000..c776bdf
--- /dev/null
+++ b/files/.gitignore
@@ -0,0 +1 @@
+*.deb
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..2fbffcf
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: reload systemd
+ sudo: yes
+ command: systemctl daemon-reload
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..4020892
--- /dev/null
+++ b/tasks/main.yml
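Review bot: tasks/main.yml notifies a `restart step-ca` handler from the `add acme provisioner` and `remove jwk provisioner` tasks, but this file only defines `reload systemd`, so the play will fail with an unknown-handler error the first time one of those tasks reports changed. Add the missing handler here, e.g. `- name: restart step-ca` followed by `systemd: { name: step-ca, state: restarted }`. `sudo: yes` is the legacy privilege-escalation keyword; `become: yes` is the supported form, and the daemon reload itself can be expressed as `systemd: daemon_reload: yes` instead of shelling out to systemctl.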
@@ -0,0 +1,104 @@
+---
+- name: Copy Package to host
+ copy:
+ src: files/{{ item }}
+ dest: "/opt/ansiblepackages/{{ item }}"
+ owner: root
+ group: root
+ mode: '0600'
+ backup: yes
+ with_items:
+ - step-cli_0.15.16_amd64.deb
+ - step-ca_0.15.15_amd64.deb
+
+- name: install package
+ apt:
+ deb: "/opt/ansiblepackages/{{ item }}"
+ with_items:
+ - step-cli_0.15.16_amd64.deb
+ - step-ca_0.15.15_amd64.deb
+
+- name: create user for step-ca
+ user:
+ name: step
+ state: present
+ shell: /bin/false
+ system: yes
+ createhome: yes
+ home: /etc/step-ca
+
+- name: generate /etc/step-ca/password.txt
+ template:
+ src: password.txt.j2
+ dest: /etc/step-ca/password.txt
+ owner: step
+ group: step
+ mode: "0640"
+
+- name: link .step to /etc/step-ca
+ file:
+ state: link
+ src: /etc/step-ca
+ dest: ~/.step
+
+- name: init step-ca
+ command: step ca init --name="{{ pki_name }}" --dns stats --issuer="{{ pki_name }}" --address=:4343 --provisioner="{{ pki_name }}" --password-file=/etc/step-ca/password.txt --provisioner-password-file=/etc/step-ca/password.txt
+ args:
+ creates: /etc/step-ca/config
+
+- name: create /etc/step-ca/db
+ file:
+ state: directory
+ path: /etc/step-ca/db
+ owner: step
+ group: step
+ mode: "0770"
+
+- name: set permissions correct
+ file:
+ dest: /etc/step-ca
+ owner: step
+ group: step
+ mode: "0770"
+ recurse: yes
+
+- name: correct paths
+ replace:
+ path: "{{ item }}"
+ regexp: '\/root\/.step'
+ replace: "\/etc\/step-ca"
+ with_items:
+ - /etc/step-ca/config/ca.json
+ - /etc/step-ca/config/defaults.json
+
+- name: list provisioners
+ command: step ca provisioner list
+ register: povisionerlist
+
+- name: add acme provisioner
+ command: step ca provisioner add acme --type ACME
+ when: povisionerlist.stdout.find ("ACME") == -1
+ notify:
+ - restart step-ca
+
+- name: remove jwk provisioner
+ command: step ca provisioner remove "{{ pki_name }}" --type JWK
+ when: povisionerlist.stdout.find ("ACME") == 1
+ notify:
+ - restart step-ca
+
+- name: 
generate /etc/systemd/system/step-ca.service
+ template:
+ src: step-ca.service.j2
+ dest: /etc/systemd/system/step-ca.service
+ owner: root
+ group: root
+ mode: "0644"
+ notify:
+ - reload systemd
+
+- name: enable step-ca
+ systemd:
+ name: step-ca
+ enabled: yes
+ masked: no
\ No newline at end of file
diff --git a/templates/password.txt.j2 b/templates/password.txt.j2
new file mode 100644
index 0000000..fd0d6d3
--- /dev/null
+++ b/templates/password.txt.j2
@@ -0,0 +1 @@
+{{ pki_password }}
\ No newline at end of file
diff --git a/templates/step-ca.service.j2 b/templates/step-ca.service.j2
new file mode 100644
index 0000000..4daa145
--- /dev/null
+++ b/templates/step-ca.service.j2
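Review bot: The `set permissions correct` task applies `mode: "0770"` with `recurse: yes` to all of /etc/step-ca, which makes every file under it (presumably including the CA key material `step ca init` writes there) group-writable and executable, and it also overwrites the `0640` that the `generate /etc/step-ca/password.txt` task set two steps earlier. Keep the recursion for `owner`/`group` only and drop the `mode` line from that task so files keep the mode they were created with, setting the directory mode in a separate non-recursive task if one is needed. The `remove jwk provisioner` condition `povisionerlist.stdout.find ("ACME") == 1` is only true when "ACME" sits at string offset 1, so the task effectively never runs; if the intent is "once the ACME provisioner exists", it should read `when: povisionerlist.stdout.find("ACME") != -1`. `list provisioners` is a read-only command and should carry `changed_when: false` so it does not report a change on every run. The `dest: ~/.step` link depends on the connecting user's home directory and `--dns stats` hard-codes one hostname into the CA; both should come from role variables.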
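Review bot: This template renders the CA password itself, and the `generate /etc/step-ca/password.txt` task in tasks/main.yml renders it without `no_log: true`, so the secret can appear in `--diff`/check-mode output and in task logs. Add `no_log: true` to that task and source `pki_password` from Ansible Vault rather than plain variables.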
@@ -0,0 +1,54 @@
+[Unit]
+Description=step-ca service
+Documentation=https://smallstep.com/docs/step-ca
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=30
+StartLimitBurst=3
+ConditionFileNotEmpty=/etc/step-ca/config/ca.json
+ConditionFileNotEmpty=/etc/step-ca/password.txt
+
+[Service]
+Type=simple
+User=step
+Group=step
+Environment=STEPPATH=/etc/step-ca
+WorkingDirectory=/etc/step-ca
+ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
+ExecReload=/bin/kill --signal HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=30
+StartLimitBurst=3
+
+; Process capabilities & privileges
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+SecureBits=keep-caps
+NoNewPrivileges=yes
+
+; Sandboxing
+ProtectSystem=full
+ProtectHome=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+PrivateTmp=true
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+LockPersonality=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+RestrictRealtime=true
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+ReadWriteDirectories=/etc/step-ca/db
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
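Review bot: The unit grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` and keeps it in `CapabilityBoundingSet`, but tasks/main.yml initialises the CA with `--address=:4343`, an unprivileged port, so the capability is not needed for the listener this role configures. Drop the `AmbientCapabilities` line and set `CapabilityBoundingSet=` (empty) unless the address is later changed to a port below 1024; `SecureBits=keep-caps` becomes unnecessary at the same time. `StartLimitInterval=30` and `StartLimitBurst=3` in [Service] duplicate the `StartLimitIntervalSec`/`StartLimitBurst` already set in [Unit], and the [Service] spelling is the legacy one, so those two lines can be removed.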