add Final Infrastructure Setup

2026-03-29 13:45:10 +02:00 · 2026-03-29 13:45:10 +02:00 · 7733dde658
commit 7733dde658
174 changed files with 204949 additions and 0 deletions
--- a/infrastructure/ansible/roles/mft-create-certificates/tasks/main.yml
+++ b/infrastructure/ansible/roles/mft-create-certificates/tasks/main.yml
@ -0,0 +1,203 @@
+---
+# NOTE: There are also ansible modules that help generating certificates
+# http://docs.ansible.com/ansible/latest/list_of_crypto_modules.html
+#
+# but I trust direct calls to openssl more..
+
+- name: Delete local temporary directory for certificate generation
+  file:
+    path: "{{ local_sign_dir }}"
+    state: absent
+  become: false
+  delegate_to: localhost
+
+- name: Create local temporary directory for certificate generation
+  file:
+    path: "{{ local_sign_dir }}"
+    state: directory
+    mode: 0755
+  become: false
+  delegate_to: localhost
+
+- name: Remove certificates if they already exist
+  file:
+    path: "{{ item }}"
+    state: absent
+  become: false
+  delegate_to: localhost
+  with_items:
+    - "{{ cert_key_path.local }}"
+    - "{{ cert_csr_path }}"
+    - "{{ cert_single_cert_path }}"
+    - "{{ cert_cert_path.local }}"
+    - "{{ cert_pcks12_cert_path.local }}"
+
+- name: Use current_host_config.hostname as common name (CN) in certificate generation
+  set_fact:
+    cert_host_fields: "/C={{cert_country}}/ST={{cert_state}}/L={{cert_locality}}/O={{cert_organization}}/OU=sub/CN={{ current_host_config.hostname }}"
+  when: (current_host_config.contains_setup is not defined or current_host_config.contains_setup is defined) and ("mft-cluster-node" not in current_host_config.contains_setup or "fx-cluster" not in current_host_config.contains_setup)
+
+- name: Use current_host_config.cluster_hostname as common name (CN) in certificate generation if operating as a MFT cluster node
+  set_fact:
+    cert_host_fields: "/C={{cert_country}}/ST={{cert_state}}/L={{cert_locality}}/O={{cert_organization}}/OU=sub/CN={{ current_host_config.cluster_hostname }}"
+  when: current_host_config.contains_setup is defined and ("mft-cluster-node" in current_host_config.contains_setup or "fx-cluster" in current_host_config.contains_setup)
+
+- name: Create local temporary openssl config
+  template:
+    src: openssl.cnf.j2
+    dest: "{{ cert_config_path }}"
+  become: false
+  delegate_to: localhost
+
+- name: Generate intermediate CSR
+  command: >
+    openssl req
+    -newkey rsa:{{ cert_key_size }}
+    -nodes
+    -keyout {{ cert_inter_key_path }}
+    -out {{ cert_inter_csr_path }}
+    -days {{ cert_days_valid }}
+    -subj "{{ cert_inter_fields }}"
+  args:
+    creates:  "{{ cert_inter_csr_path }}"
+  become: false
+  delegate_to: localhost
+
+- name: Generate intermediate certificate
+  command: >
+    openssl x509
+    -extfile {{ cert_config_path }}
+    -extensions v3_intermediate_ca
+    -CA {{ cert_ca_cert_path.local }}
+    -CAkey {{ cert_ca_key_path }}
+    -req -in {{ cert_inter_csr_path }}
+    -out {{ cert_inter_cert_path }}
+    -days {{ cert_days_valid }}
+    -CAcreateserial
+  args:
+    creates:  "{{ cert_inter_cert_path }}"
+  become: false
+  delegate_to: localhost
+
+- name: Generate PKCS12 store
+  command: >
+    keytool -storetype PKCS12 -noprompt
+    -storepass {{ cert_pkcs12_pass }}
+    -importcert -file {{ cert_ca_cert_path.local }}
+    -alias ca
+    -keystore {{ cert_truststore_path.local }}
+  args:
+    creates:  "{{ cert_truststore_path.local }}"
+  become: false
+  delegate_to: localhost
+
+- name: Create host key
+  command: >
+    openssl req -new
+    -newkey rsa:{{ cert_key_size }}
+    -nodes
+    -out {{ cert_csr_path }}
+    -keyout {{ cert_key_path.local }}
+    -days {{ cert_days_valid }}
+    -subj "{{ cert_host_fields }}"
+    -config "{{ cert_config_path }}"
+    -extensions v3_req
+  args:
+    creates:  "{{ cert_key_path.local }}"
+  become: false
+  delegate_to: localhost
+
+- name: Create host certificate
+  command: >
+    openssl x509
+    -CA {{ cert_inter_cert_path }}
+    -CAkey {{ cert_inter_key_path }}
+    -req -in {{ cert_csr_path }}
+    -out {{ cert_single_cert_path }}
+    -days {{ cert_days_valid }}
+    -CAcreateserial
+    -extfile "{{ cert_config_path }}"
+    -extensions v3_req
+  args:
+    creates:  "{{ cert_single_cert_path }}"
+  become: false
+  delegate_to: localhost
+
+- name: Concat certificate chain
+  shell: >
+    cat {{ cert_single_cert_path }}
+    {{ cert_inter_cert_path }}
+    {{ cert_ca_cert_path.local }} > {{ cert_cert_path.local }}
+  args:
+    creates:  "{{ cert_cert_path.local }}"
+  become: false
+  delegate_to: localhost
+
+- name: Export host certificate to PCKS12 format
+  command: >
+    openssl pkcs12 -export
+    -inkey {{ cert_key_path.local }}
+    -in {{ cert_cert_path.local }}
+    -chain -CAfile {{ cert_cert_path.local }}
+    -name {{ ansible_hostname }}
+    -out {{ cert_pcks12_cert_path.local }}
+    -passout pass:{{ cert_pkcs12_pass }}
+    -noiter -nomaciter
+  args:
+    creates:  "{{ cert_pcks12_cert_path.local }}"
+  become: false
+  delegate_to: localhost
+
+- name: Copy certificates to host linux
+  copy:
+    src: "{{ item.local }}"
+    dest: "{{ item.remote }}"
+    owner: "{{ cert_owner }}"
+    group: "{{ cert_group }}"
+    mode: 0600
+  with_items:
+    - "{{ cert_key_path }}"
+    - "{{ cert_cert_path }}"
+    - "{{ cert_pcks12_cert_path }}"
+    - "{{ cert_ca_cert_path }}"
+    - "{{ cert_truststore_path }}"
+  when: ansible_os_family != "Windows" and (fx_version is not defined or fx_version is version('3.0.0', '<'))
+  become: true
+
+- name: Copy certificates to host linux
+  copy:
+    src: "{{ item.local }}"
+    dest: "{{ item.remote_v3 }}"
+    owner: "{{ cert_owner }}"
+    group: "{{ cert_group }}"
+    mode: 0600
+  with_items:
+    - "{{ cert_key_path }}"
+    - "{{ cert_cert_path }}"
+    - "{{ cert_pcks12_cert_path }}"
+    - "{{ cert_ca_cert_path }}"
+    - "{{ cert_truststore_path }}"
+  when: fx_version is defined and ansible_os_family != "Windows" and fx_version is version('3.0.0', '>=')
+  become: true
+
+
+- name: Copy certificates to host windows
+  win_copy:
+    src: "{{ item.local }}"
+    dest: "{{ item.remote }}"
+  with_items:
+    - "{{ cert_key_path }}"
+    - "{{ cert_cert_path }}"
+    - "{{ cert_pcks12_cert_path }}"
+    - "{{ cert_ca_cert_path }}"
+    - "{{ cert_truststore_path }}"
+  when: ansible_os_family == "Windows"
+  ignore_errors: true
+
+- name: Disable selinux
+  command: setenforce 0
+  ignore_errors: true
+
+
+
+# vim:ft=ansible
--- a/infrastructure/ansible/roles/mft-create-certificates/templates/openssl.cnf.j2
+++ b/infrastructure/ansible/roles/mft-create-certificates/templates/openssl.cnf.j2
@ -0,0 +1,28 @@
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+# pathlen 0: no more intermediates beyond this
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+CN = {{ current_host_config.hostname }}
+
+[ v3_req ]
+#basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = DNS:{{ current_host_config.hostname }}