From 367d5481f6a8db302e017f64140806af8f737725 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Wed, 28 Aug 2024 23:22:22 +0200 Subject: [PATCH] feat: rename playbooks for certificates and credentials --- playbooks/certificates.yml | 21 ++++++++++ playbooks/credentials.yml | 85 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100644 playbooks/certificates.yml create mode 100644 playbooks/credentials.yml diff --git a/playbooks/certificates.yml b/playbooks/certificates.yml new file mode 100644 index 0000000..5da90dc --- /dev/null +++ b/playbooks/certificates.yml @@ -0,0 +1,21 @@ +--- +# hashistack generate certificates playbook +- name: "Generate certificates" + hosts: all, !deployment + strategy: linear + gather_facts: true + become: true + tasks: + - name: "Import variables" + ansible.builtin.include_role: + name: ednz_cloud.hashistack.hashistack + tags: + - always + + - name: "Create Certificate Authority" + ansible.builtin.include_role: + name: ednz_cloud.hashistack.hashistack_ca + apply: + delegate_to: localhost + tags: + - always diff --git a/playbooks/credentials.yml b/playbooks/credentials.yml new file mode 100644 index 0000000..a705d11 --- /dev/null +++ b/playbooks/credentials.yml 
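Review bot: `Create Certificate Authority` is delegated to localhost but still inherits the play's `become: true` and is evaluated once per host matched by `all, !deployment`, so with more than one fork the CA role runs concurrently on the controller as root — a race if the role writes a shared CA key or certificate under a fixed path on localhost, and it leaves those files root-owned. Add `run_once: true` next to `delegate_to: localhost` in the `apply:` block so the CA is generated exactly once per play, and consider `become: false` there unless the role genuinely needs root on the controller. Whether the role itself guards against concurrent invocations is not visible from this hunk.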
@@ -0,0 +1,85 @@ +--- +# hashistack generate certificates playbook +- name: "Generate credentials" + hosts: deployment + strategy: linear + gather_facts: true + become: true + tasks: + - name: "Generate consul credentials" + block: + - name: "Generate consul gossip encryption key" + block: + - name: "Generate 24 random bytes and base64 encode" + ansible.builtin.shell: + cmd: | + set -o pipefail + dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64 + executable: /bin/bash + changed_when: false + register: _consul_random_base64_string + + - name: "Generate consul gossip encryption key" + ansible.builtin.set_fact: + _consul_gossip_encryption_key: "{{ _consul_random_base64_string.stdout }}" + + - name: "Generate consul root credentials" + ansible.builtin.set_fact: + _consul_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + + - name: "Generate consul agents credentials" + ansible.builtin.set_fact: + _consul_agents_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + _consul_agents_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + + - name: "Generate consul vault credentials" + ansible.builtin.set_fact: + _consul_vault_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + _consul_vault_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + + - name: "Generate consul nomad server credentials" + ansible.builtin.set_fact: + _consul_nomad_server_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + _consul_nomad_server_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + + - name: "Generate consul nomad client credentials" + ansible.builtin.set_fact: + 
_consul_nomad_client_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + _consul_nomad_client_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + + - name: "Generate nomad credentials" + block: + - name: "Generate nomad gossip encryption key" + block: + - name: "Generate 24 random bytes and base64 encode" + ansible.builtin.shell: + cmd: | + set -o pipefail + dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64 + executable: /bin/bash + changed_when: false + register: _nomad_random_base64_string + + - name: "Generate nomad gossip encryption key" + ansible.builtin.set_fact: + _nomad_gossip_encryption_key: "{{ _nomad_random_base64_string.stdout }}" + + - name: "Generate nomad root credentials" + ansible.builtin.set_fact: + _nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}" + + - name: "Ensure secrets directory is created" + ansible.builtin.file: + path: "{{ hashistack_sub_configuration_directories['secrets'] }}" + state: directory + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: '0755' + + - name: "Write credentials file" + ansible.builtin.template: + src: templates/credentials.yml.j2 + dest: "{{ hashistack_sub_configuration_directories['secrets'] }}/{{ hashistack_configuration_credentials_vars_file }}" + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: '0644'
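Review bot: `Write credentials file` renders the Consul and Nomad root tokens, every ACL accessor/secret pair and both gossip encryption keys into a file with `mode: '0644'`, so any local account on the deployment host can read all bootstrap secrets; the secrets directory created just above it is `'0755'`. Tighten these to `mode: '0600'` for the file and `mode: '0700'` for the directory. The generation tasks should also carry `no_log: true`: under `-v` the registered `dd | base64` stdout and every `set_fact` value are echoed to the console and to any log collector. Separately, the header comment was copied from the other playbook and still reads `generate certificates playbook`; it should be `# hashistack generate credentials playbook`.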