WIP: Set up step-ca
Unsure of the best way to set up bootstrapping for the system. Do I run an Ansible playbook to generate certificates offline and then bootstrap with that? Can I bring it online afterwards and schedule it with Nomad?
This commit is contained in:
parent
f2ce718b33
commit
7658cfd0fe
@ -13,6 +13,12 @@ all:
|
|||||||
group: "bin"
|
group: "bin"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
read_only: false
|
read_only: false
|
||||||
|
- name: step-ca-data
|
||||||
|
path: /srv/volumes/step-ca-data
|
||||||
|
owner: "root"
|
||||||
|
group: "bin"
|
||||||
|
mode: "0700"
|
||||||
|
read_only: false
|
||||||
# consul_auto_encrypt:
|
# consul_auto_encrypt:
|
||||||
# enabled: true
|
# enabled: true
|
||||||
# dns_san: ["services.thefij"]
|
# dns_san: ["services.thefij"]
|
||||||
@ -31,3 +37,7 @@ all:
|
|||||||
vault_instances:
|
vault_instances:
|
||||||
children:
|
children:
|
||||||
servers: {}
|
servers: {}
|
||||||
|
ca_servers:
|
||||||
|
hosts:
|
||||||
|
nomad0.thefij:
|
||||||
|
step_path: /srv/volumes/step-ca-data
|
||||||
|
1
ca/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
step_path
|
19
ca/Makefile
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
STEPPATH ?= ./step_path
|
||||||
|
|
||||||
|
.PHONY: bootstrap
|
||||||
|
bootstrap: $(STEPPATH)/config/ca.json
|
||||||
|
|
||||||
|
$(STEPPATH)/config/ca.json:
|
||||||
|
env STEPPATH=$(STEPPATH) \
|
||||||
|
step ca init \
|
||||||
|
--ssh \
|
||||||
|
--deployment-type standalone \
|
||||||
|
--name TheFij \
|
||||||
|
--dns ca.thefij.rocks \
|
||||||
|
--address 0.0.0.0:9443 \
|
||||||
|
--provisioner ian@iamthefij.com
|
||||||
|
|
||||||
|
.PHONY: run
|
||||||
|
run: $(STEPPATH)/config/ca.json
|
||||||
|
env STEPPATH=$(STEPPATH) \
|
||||||
|
step-ca $(STEPPATH)/config/ca.json
|
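Review bot: `step ca init` in the `$(STEPPATH)/config/ca.json` recipe and `step-ca` in the `run` recipe both prompt on the terminal for the password that encrypts and decrypts the root and intermediate keys, so neither `make bootstrap` nor `make run` can run unattended, which matters if the intent per the commit message is to later schedule this under Nomad. Pointing both at a password file kept under the gitignored `$(STEPPATH)`, e.g. `--password-file $(STEPPATH)/secrets/password` on the `step ca init` line and the same flag on the `step-ca` line, keeps the secret out of the Makefile and out of VCS. The `--address 0.0.0.0:9443` default also listens on every interface the moment `run` is invoked; if the CA is meant to be generated offline first, the `bootstrap` target alone is what should be run on the offline box.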
35
ca/setup-ca.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
- name: Set up CA
|
||||||
|
hosts: ca_servers
|
||||||
|
become: true
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Create step_path
|
||||||
|
file:
|
||||||
|
path: "{{ step_path }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
mode: "0700"
|
||||||
|
|
||||||
|
- name: Install step-ca
|
||||||
|
include_role:
|
||||||
|
name: maxhoesel.smallstep.step_ca
|
||||||
|
vars:
|
||||||
|
step_ca_name: TheFij CA
|
||||||
|
step_ca_root_password: ...
|
||||||
|
step_ca_intermediate_password: ...
|
||||||
|
step_cli_steppath: "{{ step_path }}"
|
||||||
|
|
||||||
|
- name: Read fingerprint
|
||||||
|
command: "step-cli certificate fingerprint {{ step_path }}/certs/root_ca.crt"
|
||||||
|
register: root_ca_fp
|
||||||
|
|
||||||
|
- name: Bootstrap other hosts
|
||||||
|
hosts: servers
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Boostrap hosts to trust CA
|
||||||
|
include_role:
|
||||||
|
name: maxhoesel.smallstep.step_bootstrap_host
|
||||||
|
vars:
|
||||||
|
step_bootstrap_ca_url: http
|
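Review bot: `root_ca_fp` is registered in the first play (`hosts: ca_servers`) but the second play (`hosts: servers`) never reads it, so the `step_bootstrap_host` role has no root fingerprint to pin the CA against and trust would rest on the URL alone; pass it across plays with `hostvars`, e.g. `step_bootstrap_fingerprint: "{{ hostvars['nomad0.thefij'].root_ca_fp.stdout }}"` (that is the role's fingerprint variable as I recall the collection's interface; confirm against its README). `step_ca_root_password: ...` and `step_ca_intermediate_password: ...` are placeholders for secrets that should never be literal in this playbook; source them from an Ansible Vault file or a `lookup` so the file stays safe to commit. `step_bootstrap_ca_url: http` looks cut off on this page, but if it is really a plain `http` scheme it should be `https://` since step-ca only serves TLS and the bootstrap verifies the root over that connection. Minor: the task name `Boostrap hosts to trust CA` is missing a "t".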