update step-ca role

Alexander Gabriel 2021-06-06 17:48:25 +01:00
parent 94feea5298
commit 7f8ed555e8
2 changed files with 31 additions and 22 deletions


@ -45,8 +45,8 @@
backup: no backup: no
remote_src: yes remote_src: yes
with_items: with_items:
- { src: "/opt/ansiblepackages/step_0.15.16/bin/step", dst: "/bin/step" } - { src: "/opt/ansiblepackages/step_0.15.16/bin/step", dst: "/usr/bin/step" }
- { src: "/opt/ansiblepackages/step-ca_0.15.15/bin/step-ca", dst: "/bin/step-ca" } - { src: "/opt/ansiblepackages/step-ca_0.15.15/bin/step-ca", dst: "/usr/bin/step-ca" }
- name: create user for step-ca - name: create user for step-ca
user: user:
@ -65,6 +65,11 @@
group: step group: step
mode: "0770" mode: "0770"
- name: init step-ca
command: sudo -u step step ca init -ssh --name="{{ pki_name }}" --dns {{ ansible_hostname }} --issuer="{{ pki_name }}" --address=:4343 --provisioner="{{ pki_name }}" --password-file=/etc/step-ca/password.txt --provisioner-password-file=/etc/step-ca/password.txt
args:
creates: /etc/step-ca/.step/config
- name: set permissions correct - name: set permissions correct
file: file:
dest: /etc/step-ca dest: /etc/step-ca
@ -73,20 +78,6 @@
mode: "0770" mode: "0770"
recurse: yes recurse: yes
- name: init step-ca
command: sudo -u step step ca init -ssh --name="{{ pki_name }}" --dns {{ ansible_hostname }} --issuer="{{ pki_name }}" --address=:4343 --provisioner="{{ pki_name }}" --password-file=/etc/step-ca/password.txt --provisioner-password-file=/etc/step-ca/password.txt
args:
creates: /etc/step-ca/.step/config
- name: correct badgerValueLogLoadingMode
lineinfile:
path: /etc/step-ca/.step/config/ca.json
line: "{{'\t'}}{{'\t'}},\"badgerValueLogLoadingMode\": \"FileIO\""
state: present
insertafter: "{{'\t'}}{{'\t'}}\"badgerFileLoadingMode\": \"\""
notify:
- restart step-ca
- name: generate /etc/systemd/system/step-ca.service - name: generate /etc/systemd/system/step-ca.service
template: template:
src: step-ca.service.j2 src: step-ca.service.j2
@ -97,6 +88,30 @@
notify: notify:
- reload systemd - reload systemd
- name: correct ca.json step 1
lineinfile:
path: /etc/step-ca/.step/config/ca.json
line: "{{'\t'}}{{'\t'}}\"type\": \"badgerV2\","
state: present
regexp: "^{{'\t'}}{{'\t'}}\"type\": \"badger\","
notify:
- restart step-ca
- name: correct ca.json step 2
lineinfile:
path: /etc/step-ca/.step/config/ca.json
line: "{{'\t'}}{{'\t'}}\"badgerFileLoadingMode\": \"FileIO\""
state: present
regexp: "^{{'\t'}}{{'\t'}}\"badgerFileLoadingMode\":"
notify:
- restart step-ca
# "db": {
# "type": "badgerV2",
# "dataSource": "/etc/step-ca/.step/db",
# "badgerFileLoadingMode": "FileIO"
# },
- name: Flush handlers - name: Flush handlers
meta: flush_handlers meta: flush_handlers
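Review bot: The two new `lineinfile` tasks in the last hunk ("correct ca.json step 1" and "step 2") corrupt ca.json whenever their `regexp` does not match: with `state: present` and no `insertafter`/`insertbefore`, lineinfile appends `line` at end of file, so a ca.json written by a step-ca release with different indentation or key order ends up with a stray line after the closing brace and the notified restart fails. Either guard each edit (run it once with `check_mode: true`, `register` the result and `fail` when it reports no change) or edit the `db` block structurally (`slurp` → `from_json` → `combine` → `copy` with `content: "{{ cfg | to_nice_json }}"`) so the change does not depend on whitespace. The init task moved by the second hunk still runs `command: sudo -u step step ca init ...`; prefer `become: true` with `become_user: step` so the privilege switch is handled by Ansible rather than an inline sudo. The commented-out JSON fragment at the end of the last hunk reads as an example of the intended `db` block; a one-line `# expected result in ca.json:` comment above it would make that explicit. The hunks are rendered without +/- markers, so the new-side reading above follows the hunk line counts.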


@ -30,19 +30,13 @@ SecureBits=keep-caps
NoNewPrivileges=yes NoNewPrivileges=yes
; Sandboxing ; Sandboxing
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true PrivateTmp=true
PrivateDevices=true PrivateDevices=true
ProtectClock=true
ProtectControlGroups=true ProtectControlGroups=true
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true ProtectKernelModules=true
LockPersonality=true LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true RemoveIPC=true
RestrictRealtime=true RestrictRealtime=true
SystemCallFilter=@system-service SystemCallFilter=@system-service
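Review bot: Six sandboxing directives — `ProtectSystem=full`, `ProtectHome=true`, `RestrictNamespaces=true`, `ProtectClock=true`, `ProtectKernelLogs=true`, `RestrictSUIDSGID=true` — are printed once in this hunk and, given the -19/+13 line counts, appear to be dropped on the new side; that is a hardening regression for the CA process that the commit message does not explain. If the removal was needed because `ProtectSystem`/`ProtectHome` blocked writes to the CA state directory (`/etc/step-ca/.step` per the role), the narrower fix is to keep the directives and add `ReadWritePaths=/etc/step-ca` (ideally with `ProtectSystem=strict`), which leaves the rest of the filesystem read-only for the service. `RestrictNamespaces`, `ProtectClock`, `ProtectKernelLogs` and `RestrictSUIDSGID` do not affect filesystem access and can be restored unchanged. The `[Service]` section this hunk edits starts above it.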