This repository is a mirror maintained to speed up downloads within China and is synced once a day. Original repository: https://github.com/Vonng/pigsty
Vonng committed on 2023-02-07 09:08: fix cert.yml openssl_csr missing san issue
```yaml
#!/usr/bin/env ansible-playbook
---
#==============================================================#
# File      :   cert.yml
# Desc      :   issue certificates with local CA
# Ctime     :   2022-11-19
# Mtime     :   2023-02-07
# Path      :   cert.yml
# Author    :   Ruohang Feng (rh@vonng.com)
# License   :   AGPLv3
#==============================================================#
#---------------------------------------------------------------
# Example:
#   issue postgres admin/monitor user client certificate:
#     ./cert.yml -e cn=dbuser_dba
#     ./cert.yml -e cn=dbuser_monitor
#   certs are generated under files/pki/misc/<cn>.{key,crt} by default
#---------------------------------------------------------------
- name: Issue Cert
  hosts: localhost
  gather_facts: no
  become: no
  vars:
    # CERT INFORMATION
    cn: pigsty                      # add cn here, required [INPUT]
    san:                            # add subject alternative names here
      - DNS:localhost               # dns records
      - IP:127.0.0.1                # ip addresses
    org: pigsty                     # organization name
    unit: pigsty                    # organization unit name
    expire: 7300d                   # 20 years
    #key: files/pki/misc/misc.key   # private key path [OUTPUT]
    #crt: files/pki/misc/misc.crt   # certificate file path [OUTPUT]
    csr: files/pki/csr/tmp.csr      # temporary csr file path
  tasks:
    # if key & crt path are not specified, derive them from cn
    - name: set crt, key, csr path
      when: key is not defined and crt is not defined
      set_fact:
        key: "files/pki/misc/{{ cn }}.key"
        crt: "files/pki/misc/{{ cn }}.crt"
        csr: "files/pki/csr/{{ cn }}.csr"

    # private key is created first; 0600 keeps it readable by the owner only
    - name: generate key {{ key }}
      connection: local
      openssl_privatekey:
        path: "{{ key }}"
        mode: "0600"

    # CSR carries CN, O, OU and the SAN list; force: true regenerates it on every run
    - name: generate csr {{ csr }}
      connection: local
      openssl_csr:
        path: "{{ csr }}"
        privatekey_path: "{{ key }}"
        common_name: "{{ cn }}"
        organization_name: "{{ org }}"
        organizational_unit_name: "{{ unit }}"
        subject_alt_name: "{{ san }}"
        force: true

    # sign the CSR with the local CA; with provider: ownca the validity is
    # controlled by ownca_not_after (selfsigned_not_after is ignored here)
    - name: signing crt {{ crt }}
      connection: local
      openssl_certificate:
        path: "{{ crt }}"
        csr_path: "{{ csr }}"
        ownca_path: files/pki/ca/ca.crt
        ownca_privatekey_path: files/pki/ca/ca.key
        provider: ownca
        ownca_not_after: "+{{ expire }}"
        mode: "0600"

    - name: print summary
      debug:
        msg: "{{ key }} {{ crt }}"
...
```
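The playbook above wraps three OpenSSL operations (key, CSR with SAN, CA signature) but never checks what it produced. The script below is an added example, not part of pigsty: it rebuilds that pipeline with the openssl CLI in a scratch directory (a constructed throwaway CA stands in for files/pki/ca/ca.{key,crt}, and the CN dbuser_dba, 2048-bit RSA keys and validity periods are constructed sample values), then runs the checks an operator should make before handing a client certificate out: the chain to the CA, that the key on disk matches the certificate, that the CN is the one requested (pigsty maps it to a database role), that validity remains, and that every expected SAN entry is present.

```bash
#!/usr/bin/env bash
# Added example, not part of pigsty: reproduce the playbook's pipeline
# (private key -> CSR with SAN -> cert signed by the local CA) with the
# openssl CLI, then verify the result. CA name, paths, key size and the
# sample CN are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for files/pki/ca/ca.{key,crt}.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = pigsty
CN = pigsty-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -days 3650 -sha256 -out "$WORK/ca.crt"
}

# issue_cert CN DAYS SAN...   (the same three steps as the playbook tasks)
issue_cert() {
  local cn="$1" days="$2" san
  shift 2
  san="$(printf '%s,' "$@")"; san="${san%,}"
  # SAN must be in the CSR *and* copied into the signed cert; one config
  # section serves both so the two cannot drift apart.
  cat > "$WORK/$cn.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
O = pigsty
OU = pigsty
CN = $cn
[ext]
subjectAltName = $san
EOF
  openssl genrsa -out "$WORK/$cn.key" 2048 2>/dev/null
  chmod 0600 "$WORK/$cn.key"
  openssl req -new -key "$WORK/$cn.key" -config "$WORK/$cn.cnf" -out "$WORK/$cn.csr"
  openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$days" -sha256 -extfile "$WORK/$cn.cnf" -extensions ext \
    -out "$WORK/$cn.crt" 2>/dev/null
  chmod 0600 "$WORK/$cn.crt"
}

# verify_cert CN SAN...   -> exit status 0 only if every check passes
verify_cert() {
  local cn="$1" crt key sans entry want
  shift
  crt="$WORK/$cn.crt"; key="$WORK/$cn.key"
  [ -f "$crt" ] && [ -f "$key" ] || return 1
  # 1. chains to our CA (wrong CA, self-signed or expired certs all fail here)
  openssl verify -CAfile "$WORK/ca.crt" "$crt" >/dev/null 2>&1 || return 1
  # 2. the private key on disk really belongs to this certificate
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
  # 3. subject CN is the one that was requested
  openssl x509 -in "$crt" -noout -subject | grep -qE "CN *= *${cn}(,|$)" || return 1
  # 4. at least one day of validity left
  openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null || return 1
  # 5. every expected SAN entry is present ("IP:" is printed as "IP Address:")
  sans="$(openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name')"
  for entry in "$@"; do
    want="$(printf '%s' "$entry" | sed 's/^IP:/IP Address:/')"
    printf '%s' "$sans" | grep -qF "$want" || return 1
  done
}

make_ca
issue_cert dbuser_dba 7300 DNS:localhost IP:127.0.0.1
if verify_cert dbuser_dba DNS:localhost IP:127.0.0.1; then
  echo "dbuser_dba: certificate, key, CN and SAN check out"
else
  echo "dbuser_dba: verification FAILED"; exit 1
fi
```

Pointing `verify_cert` at the playbook's real output only needs `WORK` replaced by `files/pki/misc` and the CA path by `files/pki/ca/ca.crt`; the five checks are the same. A certificate that passes the CA check but lacks the expected SAN (the situation the commit message above refers to) is rejected by step 5, which is why the SAN list is passed to the verifier explicitly rather than read back from the certificate.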