feat: rename playbooks for certificates and credentials

2024-08-28 23:22:22 +02:00 · 2024-08-28 23:22:22 +02:00 · 367d5481f6
commit 367d5481f6
parent 41d8254fa8
2 changed files with 106 additions and 0 deletions
--- a/playbooks/certificates.yml
+++ b/playbooks/certificates.yml
@ -0,0 +1,21 @@
+---
+# hashistack generate certificates playbook
+- name: "Generate certificates"
+  hosts: all, !deployment
+  strategy: linear
+  gather_facts: true
+  become: true
+  tasks:
+    - name: "Import variables"
+      ansible.builtin.include_role:
+        name: ednz_cloud.hashistack.hashistack
+      tags:
+        - always
+
+    - name: "Create Certificate Authority"
+      ansible.builtin.include_role:
+        name: ednz_cloud.hashistack.hashistack_ca
+        apply:
+          delegate_to: localhost
+      tags:
+        - always
--- a/playbooks/credentials.yml
+++ b/playbooks/credentials.yml
@ -0,0 +1,85 @@
+---
+# hashistack generate certificates playbook
+- name: "Generate credentials"
+  hosts: deployment
+  strategy: linear
+  gather_facts: true
+  become: true
+  tasks:
+    - name: "Generate consul credentials"
+      block:
+        - name: "Generate consul gossip encryption key"
+          block:
+            - name: "Generate 24 random bytes and base64 encode"
+              ansible.builtin.shell:
+                cmd: |
+                  set -o pipefail
+                  dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
+                executable: /bin/bash
+              changed_when: false
+              register: _consul_random_base64_string
+
+            - name: "Generate consul gossip encryption key"
+              ansible.builtin.set_fact:
+                _consul_gossip_encryption_key: "{{ _consul_random_base64_string.stdout }}"
+
+        - name: "Generate consul root credentials"
+          ansible.builtin.set_fact:
+            _consul_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+
+        - name: "Generate consul agents credentials"
+          ansible.builtin.set_fact:
+            _consul_agents_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_agents_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+
+        - name: "Generate consul vault credentials"
+          ansible.builtin.set_fact:
+            _consul_vault_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_vault_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+
+        - name: "Generate consul nomad server credentials"
+          ansible.builtin.set_fact:
+            _consul_nomad_server_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_nomad_server_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+
+        - name: "Generate consul nomad client credentials"
+          ansible.builtin.set_fact:
+            _consul_nomad_client_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+            _consul_nomad_client_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+
+    - name: "Generate nomad credentials"
+      block:
+        - name: "Generate nomad gossip encryption key"
+          block:
+            - name: "Generate 24 random bytes and base64 encode"
+              ansible.builtin.shell:
+                cmd: |
+                  set -o pipefail
+                  dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
+                executable: /bin/bash
+              changed_when: false
+              register: _nomad_random_base64_string
+
+            - name: "Generate nomad gossip encryption key"
+              ansible.builtin.set_fact:
+                _nomad_gossip_encryption_key: "{{ _nomad_random_base64_string.stdout }}"
+
+        - name: "Generate nomad root credentials"
+          ansible.builtin.set_fact:
+            _nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+
+    - name: "Ensure secrets directory is created"
+      ansible.builtin.file:
+        path: "{{ hashistack_sub_configuration_directories['secrets'] }}"
+        state: directory
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+        mode: '0755'
+
+    - name: "Write credentials file"
+      ansible.builtin.template:
+        src: templates/credentials.yml.j2
+        dest: "{{ hashistack_sub_configuration_directories['secrets'] }}/{{ hashistack_configuration_credentials_vars_file }}"
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+        mode: '0644'