From 9b5d32d43b90f00519474d2c9c8498d7c3f53866 Mon Sep 17 00:00:00 2001 From: Alexander Gabriel Date: Sun, 6 Jun 2021 16:32:53 +0100 Subject: [PATCH] upated role step-ca --- tasks/main.yml | 54 +++++++++++++----------------------- templates/step-ca.service.j2 | 10 +++---- 2 files changed, 25 insertions(+), 39 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e938824..27f9705 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,25 +28,6 @@ group: step mode: "0770" -- name: link .step to /etc/step-ca - file: - state: link - src: /etc/step-ca - dest: ~/.step - -- name: init step-ca - command: step ca init -ssh --name="{{ pki_name }}" --dns {{ ansible_hostname }} --issuer="{{ pki_name }}" --address=:4343 --provisioner="{{ pki_name }}" --password-file=/etc/step-ca/password.txt --provisioner-password-file=/etc/step-ca/password.txt - args: - creates: /etc/step-ca/config - -- name: create /etc/step-ca/db - file: - state: directory - path: /etc/step-ca/db - owner: step - group: step - mode: "0770" - - name: set permissions correct file: dest: /etc/step-ca @@ -55,14 +36,19 @@ mode: "0770" recurse: yes -- name: correct paths - replace: - path: "{{ item }}" - regexp: '\/root\/.step' - replace: "\/etc\/step-ca" - with_items: - - /etc/step-ca/config/ca.json - - /etc/step-ca/config/defaults.json +- name: init step-ca + command: sudo -u step step ca init -ssh --name="{{ pki_name }}" --dns {{ ansible_hostname }} --issuer="{{ pki_name }}" --address=:4343 --provisioner="{{ pki_name }}" --password-file=/etc/step-ca/password.txt --provisioner-password-file=/etc/step-ca/password.txt + args: + creates: /etc/step-ca/.step/config + +- name: correct badgerValueLogLoadingMode + lineinfile: + path: /etc/step-ca/.step/config/ca.json + line: "{{'\t'}}{{'\t'}},\"badgerValueLogLoadingMode\": \"FileIO\"" + state: present + insertafter: "{{'\t'}}{{'\t'}}\"badgerFileLoadingMode\": \"\"" + notify: + - restart step-ca - name: generate /etc/systemd/system/step-ca.service template: @@ -90,7 +76,7 @@ - name: check for acme privisioner lineinfile: - path: /etc/step-ca/config/ca.json + path: /etc/step-ca/.step/config/ca.json regexp: '.*"type": "ACME",.*' line: "{{'\t'}}{{'\t'}}{{'\t'}}{{'\t'}}\"type\": \"ACME\"," state: present @@ -98,22 +84,22 @@ register: acmepresent - name: add acme provisioner - command: step ca provisioner add acme --type ACME + command: sudo -u step step ca provisioner add acme --type ACME when: acmepresent is changed notify: - restart step-ca - name: check for default JWK privisioner lineinfile: - path: /etc/step-ca/config/ca.json + path: /etc/step-ca/.step/config/ca.json regexp: '.*"type": "JWK",.*' line: "{{'\t'}}{{'\t'}}{{'\t'}}{{'\t'}}\"type\": \"JWK\"," - state: present + state: absent check_mode: yes - register: jwkpresent + register: jwkabsent - name: remove jwk provisioner - command: step ca provisioner remove "{{ pki_name }}" --type JWK - when: jwkpresent is not changed + command: sudo -u step step ca provisioner remove "{{ pki_name }}" --type JWK + when: jwkabsent is changed notify: - restart step-ca \ No newline at end of file diff --git a/templates/step-ca.service.j2 b/templates/step-ca.service.j2 index 4daa145..41d10a3 100644 --- a/templates/step-ca.service.j2 +++ b/templates/step-ca.service.j2 @@ -6,16 +6,16 @@ After=network-online.target Wants=network-online.target StartLimitIntervalSec=30 StartLimitBurst=3 -ConditionFileNotEmpty=/etc/step-ca/config/ca.json +ConditionFileNotEmpty=/etc/step-ca/.step/config/ca.json ConditionFileNotEmpty=/etc/step-ca/password.txt [Service] Type=simple User=step Group=step -Environment=STEPPATH=/etc/step-ca -WorkingDirectory=/etc/step-ca -ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt +Environment=STEPPATH=/etc/step-ca/.step +WorkingDirectory=/etc/step-ca/.step +ExecStart=/usr/bin/step-ca config/ca.json --password-file ../password.txt ExecReload=/bin/kill --signal HUP $MAINPID Restart=on-failure RestartSec=5 @@ -48,7 +48,7 @@ RestrictRealtime=true SystemCallFilter=@system-service SystemCallArchitectures=native MemoryDenyWriteExecute=true -ReadWriteDirectories=/etc/step-ca/db +ReadWriteDirectories=/etc/step-ca/.step/db [Install] WantedBy=multi-user.target \ No newline at end of file