2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16
Zack Williamsba5549c2017-03-25 15:04:45 -070017---
18# ssh-pki/tasks/main.yml
19
# If the next task fails with a permission error, the `create-configdir-become`
# role may need to be included first so the directories are created with
# `become` (elevated privileges).
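- name: Create SSH CA Directory
  # Private-key material (the CA key, client keys and host keys) lives under
  # these directories, so each one is created 0700 and owned by the user
  # Ansible connects as. The mode is quoted: an unquoted 0700 only works
  # because PyYAML treats a leading zero as octal, whereas the quoted form is
  # unambiguous on every YAML parser.
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    mode: "0700"
  with_items:
    - "{{ ssh_pki_dir }}"
    - "{{ ssh_pki_dir }}/ca"
    - "{{ ssh_pki_dir }}/client_certs"
    - "{{ ssh_pki_dir }}/host_certs"
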
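- name: Generate SSH CA Cert
  # Creates the CA signing key pair under ca/; the private key is protected
  # by ssh_ca_phrase. The passphrase is passed as a command-line argument,
  # so it is visible to `ps` on the target while ssh-keygen runs and would
  # otherwise be printed in Ansible's task output and logs; no_log keeps it
  # out of the logs (at the cost of hiding this task's output on failure).
  # The `quote` filter shell-escapes the value so an empty passphrase or one
  # containing quotes/spaces is still passed as a single argument.
  # Skipped once the public half of the CA key exists.
  command: >
    ssh-keygen
    -q -N {{ ssh_ca_phrase | quote }}
    -t {{ ssh_keytype }}
    -b {{ ssh_keysize }}
    -C "CORD SSH CA"
    -f {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
  args:
    creates: "{{ ssh_pki_dir }}/ca/cord_ssh_ca_cert.pub"
  no_log: true
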
- name: Generate SSH Client Certs
  # One key pair per entry in ssh_client_genkeys, written to
  # client_certs/<name>_sshkey. The private key is unencrypted (-N "") so it
  # can be used non-interactively; it is only as protected as the 0700
  # directory it lives in. Key type and size come from the item, falling
  # back to the role-wide ssh_keytype / ssh_keysize. Idempotent via the
  # .pub file check.
  command: >-
    ssh-keygen -q -N ""
    -t {{ item.keytype | default(ssh_keytype) }}
    -b {{ item.keysize | default(ssh_keysize) }}
    -C "CORD SSH client key for {{ item.name }}"
    -f {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey
  args:
    creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub"
  register: client_ssh_key_generated
  with_items: "{{ ssh_client_genkeys }}"

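- name: Sign SSH Client Certs with SSH CA
  # Signs each client public key with the CA key. The key ID (-I) and the
  # single principal (-n) are both item.name, so the resulting certificate is
  # only valid for that principal. No -V validity interval is given, so
  # ssh-keygen's default applies and these certificates do not expire;
  # consider a bounded -V if rotation/revocation matters for this deployment.
  # The CA passphrase is passed on the command line (-P) and is therefore
  # visible to `ps` on the target; no_log keeps it out of Ansible's output
  # and logs (which also hides this task's output on failure). `quote`
  # shell-escapes the passphrase so it is always a single argument.
  command: >
    ssh-keygen
    -q -P {{ ssh_ca_phrase | quote }}
    -I "{{ item.name }}"
    -n "{{ item.name }}"
    -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
    {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub
  args:
    creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey-cert.pub"
  with_items: "{{ ssh_client_genkeys }}"
  no_log: true
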
- name: Generate SSH Host Certs
  # One host key pair per entry in ssh_host_genkeys, written to
  # host_certs/<name>_sshkey. Host keys are never passphrase-protected
  # (-N "") because sshd must load them unattended. Key type and size come
  # from the item, falling back to the role-wide ssh_keytype / ssh_keysize.
  # Idempotent via the .pub file check.
  command: >-
    ssh-keygen -q -N ""
    -t {{ item.keytype | default(ssh_keytype) }}
    -b {{ item.keysize | default(ssh_keysize) }}
    -C "CORD SSH host key for {{ item.name }}"
    -f {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey
  args:
    creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub"
  register: host_ssh_keys_generated
  with_items: "{{ ssh_host_genkeys }}"

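- name: Sign SSH Host Certs with SSH CA
  # Signs each host public key as a host certificate (-h). The task was
  # previously named identically to the key-generation task above, which
  # made play output and --start-at-task ambiguous. Principals (-n) are the
  # short name and the FQDN under site_suffix, so clients must connect using
  # one of those two names for the certificate to match. No -V validity
  # interval is given, so ssh-keygen's default applies and these certificates
  # do not expire; consider a bounded -V if rotation matters.
  # The CA passphrase is passed on the command line (-P) and is therefore
  # visible to `ps` on the target; no_log keeps it out of Ansible's output
  # and logs (which also hides this task's output on failure). `quote`
  # shell-escapes the passphrase so it is always a single argument.
  command: >
    ssh-keygen
    -q -P {{ ssh_ca_phrase | quote }} -h
    -I "{{ item.name }}"
    -n "{{ item.name }},{{ item.name }}.{{ site_suffix }}"
    -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
    {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub
  args:
    creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey-cert.pub"
  with_items: "{{ ssh_host_genkeys }}"
  no_log: true
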