Christian Lempa 1 éve
szülő
commit
73b5981f75

+ 52 - 0
ansible/configuration/docker/docker-certs-enable.yaml

@@ -0,0 +1,52 @@
+---
+- name: "Docker Certs enable"
+  hosts: "{{ target_hosts | default('all') }}"
+  become: true
+  vars:
+    certs_path: "/root/docker-certs"
+
+  tasks:
+    - name: Check if docker certs are existing
+      ansible.builtin.stat:
+        path: "{{ certs_path }}"
+      register: certs_dir
+
+    - name: Fail if docker certs are not existing
+      ansible.builtin.fail:
+        msg: "Docker certificates are not existing in /root/docker-certs."
+      when: not certs_dir.stat.exists
+
+    - name: Get machine's primary internal ip address from eth0 interface
+      ansible.builtin.setup:
+      register: ip_address
+
+    - name: Set machine's primary internal ip address
+      ansible.builtin.set_fact:
+        ip_address: "{{ ip_address.ansible_facts.ansible_default_ipv4.address }}"
+
+    - name: Check if ip_address is a valid ip address
+      ansible.builtin.assert:
+        that:
+          - ip_address is match("^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")
+        fail_msg: "ip_address is not a valid ip address."
+        success_msg: "ip_address is a valid ip address."
+
+    - name: Change docker daemon to use certs
+      ansible.builtin.lineinfile:
+        path: /lib/systemd/system/docker.service
+        line: >
+          ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
+          -H tcp://{{ ip_address }}:2376 --tlsverify --tlscacert={{ certs_path }}/ca.pem
+          --tlscert={{ certs_path }}/server-cert.pem --tlskey={{ certs_path }}/server-key.pem
+        regexp: '^ExecStart='
+        state: present
+
+    - name: Reload systemd daemon
+      ansible.builtin.systemd:
+        daemon_reload: true
+
+    - name: Restart docker daemon
+      ansible.builtin.systemd:
+        name: docker
+        state: restarted
+        enabled: true

+ 158 - 0
ansible/configuration/docker/docker-certs.yaml

@@ -0,0 +1,158 @@
+---
+- name: "Docker Certs"
+  hosts: "{{ target_hosts | default('all') }}"
+  become: true
+  vars:
+    certs_path: "/root/docker-certs"
+    cert_validity_days: 3650
+    cn_domain: "clcreative.de"
+
+  tasks:
+    - name: Check if docker certs are existing
+      ansible.builtin.stat:
+        path: "{{ certs_path }}"
+      register: certs_dir
+
+    - name: Create docker certs directory (if needed)
+      ansible.builtin.file:
+        path: "{{ certs_path }}"
+        state: directory
+        mode: '0700'
+      when: not certs_dir.stat.exists
+
+    - name: Check if docker certs directory is empty
+      ansible.builtin.command: ls -A "{{ certs_path }}"
+      register: certs_list
+      when: certs_dir.stat.exists
+      changed_when: false
+      ignore_errors: true
+
+    - name: Fail if docker certs already exist
+      ansible.builtin.fail:
+        msg: "Docker certificates already exist in /root/docker-certs."
+      when: certs_list.stdout | default('') != ''
+
+    - name: Get machine's primary internal ip address from eth0 interface
+      ansible.builtin.setup:
+      register: ip_address
+
+    - name: Set machine's primary internal ip address
+      ansible.builtin.set_fact:
+        ip_address: "{{ ip_address.ansible_facts.ansible_default_ipv4.address }}"
+
+    - name: Check if ip_address is a valid ip address
+      ansible.builtin.assert:
+        that:
+          - ip_address is match("^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")
+        fail_msg: "ip_address is not a valid ip address."
+        success_msg: "ip_address is a valid ip address."
+
+    - name: Generate CA private key
+      ansible.builtin.command:
+        cmd: >
+          openssl genrsa -out "{{ certs_path }}/ca-key.pem" 4096
+      args:
+        creates: "{{ certs_path }}/ca-key.pem"
+
+    - name: Generate CA certificate
+      ansible.builtin.command:
+        cmd: >
+          openssl req -sha256 -new -x509
+            -subj "/CN={{ cn_domain }}"
+            -days "{{ cert_validity_days }}"
+            -key "{{ certs_path }}/ca-key.pem"
+            -out "{{ certs_path }}/ca.pem"
+      args:
+        creates: "{{ certs_path }}/ca.pem"
+
+    - name: Generate server private key
+      ansible.builtin.command:
+        cmd: >
+          openssl genrsa -out "{{ certs_path }}/server-key.pem" 4096
+        creates: "{{ certs_path }}/server-key.pem"
+
+    - name: Generate server certificate signing request
+      ansible.builtin.command:
+        cmd: >
+          openssl req -sha256 -new
+            -subj "/CN={{ inventory_hostname }}"
+            -key "{{ certs_path }}/server-key.pem"
+            -out "{{ certs_path }}/server.csr"
+        creates: "{{ certs_path }}/server.csr"
+
+    - name: Generate server certificate extension file
+      ansible.builtin.shell: |
+        echo "subjectAltName = DNS:{{ inventory_hostname }},IP:{{ ip_address }},IP:127.0.0.1" >> "{{ certs_path }}/extfile.cnf"
+        echo "extendedKeyUsage = serverAuth" >> "{{ certs_path }}/extfile.cnf"
+      args:
+        creates: "{{ certs_path }}/extfile.cnf"
+
+    - name: Generate server certificate
+      ansible.builtin.command:
+        cmd: >
+          openssl x509 -req -days "{{ cert_validity_days }}" -sha256
+            -in "{{ certs_path }}/server.csr"
+            -CA "{{ certs_path }}/ca.pem"
+            -CAkey "{{ certs_path }}/ca-key.pem"
+            -CAcreateserial -out "{{ certs_path }}/server-cert.pem"
+            -extfile "{{ certs_path }}/extfile.cnf"
+        creates: "{{ certs_path }}/server-cert.pem"
+
+    - name: Generate client private key
+      ansible.builtin.command:
+        cmd: >
+          openssl genrsa -out "{{ certs_path }}/key.pem" 4096
+        creates: "{{ certs_path }}/key.pem"
+
+    - name: Generate client certificate signing request
+      ansible.builtin.command:
+        cmd: >
+          openssl req -sha256 -new
+            -subj "/CN=client"
+            -key "{{ certs_path }}/key.pem"
+            -out "{{ certs_path }}/client.csr"
+        creates: "{{ certs_path }}/client.csr"
+
+    - name: Generate client certificate extension file
+      ansible.builtin.shell: |
+        echo "extendedKeyUsage = clientAuth" >> "{{ certs_path }}/client-extfile.cnf"
+      args:
+        creates: "{{ certs_path }}/client-extfile.cnf"
+
+    - name: Generate client certificate
+      ansible.builtin.command:
+        cmd: >
+          openssl x509 -req -days "{{ cert_validity_days }}"
+            -sha256 -in "{{ certs_path }}/client.csr"
+            -CA "{{ certs_path }}/ca.pem"
+            -CAkey "{{ certs_path }}/ca-key.pem"
+            -CAcreateserial -out "{{ certs_path }}/cert.pem"
+            -extfile "{{ certs_path }}/client-extfile.cnf"
+        creates: "{{ certs_path }}/cert.pem"
+
+    - name: Remove client certificate signing request
+      ansible.builtin.file:
+        path: "{{ certs_path }}/server.csr"
+        state: absent
+
+    - name: Remove client certificate signing request
+      ansible.builtin.file:
+        path: "{{ certs_path }}/client.csr"
+        state: absent
+
+    - name: Remove server certificate extension file
+      ansible.builtin.file:
+        path: "{{ certs_path }}/extfile.cnf"
+        state: absent
+
+    - name: Remove client certificate extension file
+      ansible.builtin.file:
+        path: "{{ certs_path }}/client-extfile.cnf"
+        state: absent
+
+    - name: Set permissions for docker certs
+      ansible.builtin.file:
+        path: "{{ certs_path }}"
+        mode: '0700'
+        recurse: true
+        follow: true