feat(roles): add hashistack_ca role to manage clusters certificates

playbooks/preflight.yml

@@ -7,8 +7,10 @@
   become: true
   tasks:
     - name: "Import variables"
-      ansible.builtin.import_tasks:
-        file: tasks/load_vars.yml
+      ansible.builtin.include_role:
+        name: ednz_cloud.hashistack.hashistack
+      tags:
+        - always
 
     - name: "Checking vault inventory"
       ansible.builtin.assert:
@@ -46,44 +48,44 @@
       when:
         - enable_nomad | bool
 
-    - name: "Checking directory {{ configuration_directory }}"  # noqa: run-once[task]
+    - name: "Checking directory {{ hashistack_configuration_directory }}"  # noqa: run-once[task]
       delegate_to: localhost
       run_once: true
       block:
-        - name: "Stat directory {{ configuration_directory }}"
+        - name: "Stat directory {{ hashistack_configuration_directory }}"
           ansible.builtin.stat:
-            path: "{{ configuration_directory }}"
+            path: "{{ hashistack_configuration_directory }}"
           register: _stat_config_dir
 
         - name: "Stat nomad_servers config directory"
           ansible.builtin.stat:
-            path: "{{ sub_configuration_directories.nomad_servers }}"
+            path: "{{ hashistack_sub_configuration_directories.nomad_servers }}"
           register: _stat_config_dir_nomad_servers
           when:
             - enable_nomad | bool
 
         - name: "Stat consul_servers config directory"
           ansible.builtin.stat:
-            path: "{{ sub_configuration_directories.consul_servers }}"
+            path: "{{ hashistack_sub_configuration_directories.consul_servers }}"
           register: _stat_config_dir_consul_servers
           when:
             - enable_consul | bool
 
         - name: "Stat vault_servers config directory"
           ansible.builtin.stat:
-            path: "{{ sub_configuration_directories.vault_servers }}"
+            path: "{{ hashistack_sub_configuration_directories.vault_servers }}"
           register: _stat_config_dir_vault_servers
           when:
             - enable_vault | bool
 
-        - name: "Make sure directory exists: {{ configuration_directory }}"
+        - name: "Make sure directory exists: {{ hashistack_configuration_directory }}"
           ansible.builtin.assert:
             that:
               - _stat_config_dir.stat.exists
               - _stat_config_dir.stat.isdir
               - _stat_config_dir.stat.writeable
 
-        - name: "Make sure directory exists: {{ sub_configuration_directories.nomad_servers }}"
+        - name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.nomad_servers }}"
           ansible.builtin.assert:
             that:
               - _stat_config_dir_nomad_servers.stat.exists
@@ -92,7 +94,7 @@
           when:
             - enable_nomad | bool
 
-        - name: "Make sure directory exists: {{ sub_configuration_directories.consul_servers }}"
+        - name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.consul_servers }}"
           ansible.builtin.assert:
             that:
               - _stat_config_dir_consul_servers.stat.exists
@@ -101,7 +103,7 @@
           when:
             - enable_consul | bool
 
-        - name: "Make sure directory exists: {{ sub_configuration_directories.vault_servers }}"
+        - name: "Make sure directory exists: {{ hashistack_sub_configuration_directories.vault_servers }}"
           ansible.builtin.assert:
             that:
               - _stat_config_dir_vault_servers.stat.exists

roles/hashistack/tasks/load_host_vars.yml

@@ -1,4 +1,5 @@
 ---
+# task/load_host_vars file for hashistack
 - name: "Variables | Stat host specific config file"
   ansible.builtin.stat:
     path: "{{ hashistack_configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ hashistack_configuration_global_vars_file }}"

roles/hashistack/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-# task/main file for hashi_vars
+# task/main file for hashistack
 - name: "Variables | Load global variables"
   ansible.builtin.include_tasks: load_global_vars.yml
   when: not hashistack_only_load_credentials

roles/hashistack_ca/defaults/main.yml

@@ -0,0 +1,67 @@
+---
+# defaults file for hashistack_ca
+hashistack_ca_directory: "/etc/hashistack/certificates"
+hashistack_ca_use_cryptography: false
+hashistack_ca_action: "noop"
+hashistack_ca_domain: example.com
+
+##############################
+# Root Certificate Authority #
+##############################
+hashistack_ca_root_org_name: EDNZ Cloud
+hashistack_ca_root_country: FR
+hashistack_ca_root_locality: Paris
+hashistack_ca_root_common_name: "{{ hashistack_ca_domain }} Root CA"
+hashistack_ca_root_email:
+hashistack_ca_root_key_usage:
+  - keyCertSign
+  - cRLSign
+hashistack_ca_root_key_usage_critical: true
+hashistack_ca_root_basic_constraints:
+  - CA:TRUE
+hashistack_ca_root_basic_constraints_critical: true
+
+# Optional fields
+hashistack_ca_root_state_or_province_name:
+hashistack_ca_root_email_address:
+
+# Validity
+hashistack_ca_root_valid_for: 1825d
+hashistack_ca_root_renew_threshold: 180d
+
+######################################
+# Intermediate Certificate Authority #
+######################################
+hashistack_ca_intermediate_org_name: EDNZ Cloud Intermediate
+hashistack_ca_intermediate_country: FR
+hashistack_ca_intermediate_locality: Paris
+hashistack_ca_intermediate_common_name: "{{ hashistack_ca_domain }} Intermediate CA"
+hashistack_ca_intermediate_email:
+hashistack_ca_intermediate_key_usage:
+  - keyCertSign
+  - cRLSign
+hashistack_ca_intermediate_key_usage_critical: true
+hashistack_ca_intermediate_basic_constraints:
+  - CA:TRUE
+  - pathlen:0
+hashistack_ca_intermediate_basic_constraints_critical: true
+
+# Optional fields
+hashistack_ca_intermediate_state_or_province_name:
+hashistack_ca_intermediate_email_address:
+
+# Validity
+hashistack_ca_intermediate_valid_for: 365d
+hashistack_ca_intermediate_renew_threshold: 90d
+
+# Name Constraints
+hashistack_ca_intermediate_name_constraints_permitted:
+  - DNS:.nomad
+  - DNS:.consul
+  - DNS:.example.com
+  - DNS:localhost
+  - IP:192.168.0.0/16
+  - IP:172.16.0.0/16
+  - IP:10.0.0.0/8
+  - IP:127.0.0.0/8
+hashistack_ca_intermediate_name_constraints_critical: "{{ (hashistack_ca_intermediate_name_constraints_permitted is defined and hashistack_ca_intermediate_name_constraints_permitted | length > 0) }}"

roles/hashistack_ca/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for hashistack_ca

roles/hashistack_ca/meta/main.yml

@@ -0,0 +1,2 @@
+---
+# meta file for hashistack_ca

roles/hashistack_ca/tasks/cleanup_backups.yml

@@ -0,0 +1,73 @@
+---
+# tasks/cleanup_backups file for hashistack_ca
+- name: "Cleanup | Check if root CA backup directory exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_root_backup_dir }}"
+  register: _hashistack_ca_root_backup_dir_stat
+  delegate_to: localhost
+
+- name: "Cleanup | Check if intermediate CA backup directory exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_intermediate_backup_dir }}"
+  register: _hashistack_ca_intermediate_backup_dir_stat
+  delegate_to: localhost
+
+- name: "Cleanup | Root CA backups"
+  when:
+    - _hashistack_ca_root_backup_dir_stat.stat.exists
+    - _hashistack_ca_root_backup_dir_stat.stat.isdir
+  delegate_to: localhost
+  block:
+    - name: "Root CA | Find root CA backup certificates"
+      ansible.builtin.find:
+        paths: "{{ hashistack_ca_root_backup_dir }}"
+        patterns: "*.crt"
+      register: _root_backup_files
+
+    - name: "Root CA | Check expiration for root CA backup certificates"
+      when: _root_backup_files.matched > 0
+      community.crypto.x509_certificate_info:
+        path: "{{ item.path }}"
+      register: _root_cert_info
+      loop: "{{ _root_backup_files.files }}"
+      loop_control:
+        label: "{{ item.path }}"
+      failed_when: false
+      ignore_errors: true
+
+    - name: "Root CA | Remove expired root CA backup certificates"
+      when: item.item.expired | default(false)
+      ansible.builtin.file:
+        path: "{{ item.item.path }}"
+        state: absent
+      loop: "{{ _root_cert_info.results }}"
+
+- name: "Cleanup | Intermediate CA backups"
+  when:
+    - _hashistack_ca_intermediate_backup_dir_stat.stat.exists
+    - _hashistack_ca_intermediate_backup_dir_stat.stat.isdir
+  delegate_to: localhost
+  block:
+    - name: "Intermediate CA | Find intermediate CA backup certificates"
+      ansible.builtin.find:
+        paths: "{{ hashistack_ca_intermediate_backup_dir }}"
+        patterns: "*.crt"
+      register: _intermediate_backup_files
+
+    - name: "Intermediate CA | Check expiration for intermediate CA backup certificates"
+      when: _intermediate_backup_files.matched > 0
+      community.crypto.x509_certificate_info:
+        path: "{{ item.path }}"
+      register: _intermediate_cert_info
+      loop: "{{ _intermediate_backup_files.files }}"
+      loop_control:
+        label: "{{ item.path }}"
+      failed_when: false
+      ignore_errors: true
+
+    - name: "Intermediate CA | Remove expired intermediate CA backup certificates"
+      when: item.item.expired | default(false)
+      ansible.builtin.file:
+        path: "{{ item.item.path }}"
+        state: absent
+      loop: "{{ _intermediate_cert_info.results }}"

roles/hashistack_ca/tasks/generate/generate_intermediate.yml

@@ -0,0 +1,49 @@
+---
+# task/generate_intermediate for hashistack_ca
+- name: "Intermediate CA | Create temporary cert directory in {{ hashistack_ca_directory }}/intermediate"
+  ansible.builtin.file:
+    path: "{{ hashistack_ca_intermediate_dir }}"
+    state: directory
+    owner: "{{ lookup('env', 'USER') }}"
+    group: "{{ lookup('env', 'USER') }}"
+    mode: "0755"
+  delegate_to: localhost
+
+- name: "Intermediate CA | Generate internal certificates"
+  delegate_to: localhost
+  block:
+    - name: "Intermediate CA | Create intermediate CA private key"
+      community.crypto.openssl_privatekey:
+        path: "{{ hashistack_ca_intermediate_key_path }}"
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+
+    - name: "Intermediate CA | Create intermediate CA signing request"
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: "{{ hashistack_ca_intermediate_key_path }}"
+        common_name: "{{ omit if hashistack_ca_intermediate_common_name is not defined else hashistack_ca_intermediate_common_name }}"
+        organization_name: "{{ omit if hashistack_ca_intermediate_org_name is not defined else hashistack_ca_intermediate_org_name }}"
+        country_name: "{{ omit if hashistack_ca_intermediate_country is not defined else hashistack_ca_intermediate_country }}"
+        locality_name: "{{ omit if hashistack_ca_intermediate_locality is not defined else hashistack_ca_intermediate_locality }}"
+        state_or_province_name: "{{ omit if hashistack_ca_intermediate_state_or_province_name is not defined else hashistack_ca_intermediate_state_or_province_name }}"
+        email_address: "{{ omit if hashistack_ca_intermediate_email is not defined else hashistack_ca_intermediate_email }}"
+        basic_constraints: "{{ hashistack_ca_intermediate_basic_constraints }}"
+        basic_constraints_critical: true
+        name_constraints_permitted: "{{ hashistack_ca_intermediate_name_constraints_permitted if hashistack_ca_intermediate_name_constraints_permitted | length > 0 else omit }}"
+        name_constraints_critical: "{{ hashistack_ca_intermediate_name_constraints_critical }}"
+        key_usage: "{{ hashistack_ca_intermediate_key_usage }}"
+        key_usage_critical: true
+        use_common_name_for_san: false
+        select_crypto_backend: "{{ 'cryptography' if hashistack_ca_use_cryptography else 'auto' }}"
+      register: _hashistack_intermediate_ca_csr
+
+    - name: "Intermediate CA | Create signed intermediate CA certificate from CSR"
+      community.crypto.x509_certificate:
+        path: "{{ hashistack_ca_intermediate_cert_path }}"
+        csr_content: "{{ _hashistack_intermediate_ca_csr.csr }}"
+        ownca_path: "{{ hashistack_ca_root_cert_path }}"
+        ownca_privatekey_path: "{{ hashistack_ca_root_key_path }}"
+        provider: ownca
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+        ownca_not_after: "+{{ hashistack_ca_intermediate_valid_for }}"

roles/hashistack_ca/tasks/generate/generate_root.yml

@@ -0,0 +1,56 @@
+---
+# task/generate_root for hashistack_ca
+- name: "Root CA | Create temporary cert directory in {{ hashistack_ca_directory }}" # noqa: run-once[task]
+  ansible.builtin.file:
+    path: "{{ hashistack_ca_root_dir }}"
+    state: directory
+    owner: "{{ lookup('env', 'USER') }}"
+    group: "{{ lookup('env', 'USER') }}"
+    mode: "0755"
+  delegate_to: localhost
+
+- name: "Root CA | Generate root Authority"
+  delegate_to: localhost
+  run_once: true
+  block:
+    - name: "Root CA | Create CA private key"
+      community.crypto.openssl_privatekey:
+        path: "{{ hashistack_ca_root_key_path }}"
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+
+    - name: "Root CA | Create CA signing request"
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: "{{ hashistack_ca_root_key_path }}"
+        common_name: "{{ omit if hashistack_ca_root_common_name is not defined else hashistack_ca_root_common_name }}"
+        organization_name: "{{ omit if hashistack_ca_root_org_name is not defined else hashistack_ca_root_org_name }}"
+        country_name: "{{ omit if hashistack_ca_root_country is not defined else hashistack_ca_root_country }}"
+        locality_name: "{{ omit if hashistack_ca_root_locality is not defined else hashistack_ca_root_locality }}"
+        state_or_province_name: "{{ omit if hashistack_ca_root_state is not defined else hashistack_ca_root_state }}"
+        email_address: "{{ omit if hashistack_ca_root_email is not defined else hashistack_ca_root_email }}"
+        basic_constraints: "{{ hashistack_ca_root_basic_constraints }}"
+        basic_constraints_critical: true
+        key_usage: "{{ hashistack_ca_root_key_usage }}"
+        key_usage_critical: true
+        use_common_name_for_san: false
+        select_crypto_backend: "{{ 'cryptography' if hashistack_ca_use_cryptography else 'auto' }}"
+      register: _hashistack_root_ca_csr
+
+    - name: "Root CA | Create self-signed CA certificate from CSR"
+      community.crypto.x509_certificate:
+        path: "{{ hashistack_ca_root_cert_path }}"
+        csr_content: "{{ _hashistack_root_ca_csr.csr }}"
+        privatekey_path: "{{ hashistack_ca_root_key_path }}"
+        provider: selfsigned
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+
+    - name: "Root CA | Create self-signed CA certificate from CSR"
+      community.crypto.x509_certificate:
+        path: "{{ hashistack_ca_root_cert_path }}"
+        csr_content: "{{ _hashistack_root_ca_csr.csr }}"
+        privatekey_path: "{{ hashistack_ca_root_key_path }}"
+        selfsigned_not_after: "+{{ hashistack_ca_root_valid_for }}"
+        provider: selfsigned
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"

roles/hashistack_ca/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+# task/main file for hashistack_ca
+- name: "CA | Import generate_root.yml"
+  ansible.builtin.include_tasks: generate/generate_root.yml
+  when: hashistack_ca_generate_root
+
+- name: "CA | Import generate_intermediate.yml"
+  ansible.builtin.include_tasks: generate/generate_intermediate.yml
+  when: hashistack_ca_generate_intermediate
+
+- name: "CA | Import renew_root.yml"
+  ansible.builtin.include_tasks: renew/renew_root.yml
+  when: hashistack_ca_renew_root
+
+- name: "CA | Import renew_intermediate.yml"
+  ansible.builtin.include_tasks: renew/renew_intermediate.yml
+  when: hashistack_ca_renew_intermediate
+
+- name: "CA | Import prepare_ca_to_copy.yml"
+  ansible.builtin.include_tasks: prepare_ca_to_copy.yml
+
+- name: "CA | Import cleanup_backups.yml"
+  ansible.builtin.include_tasks: cleanup_backups.yml

roles/hashistack_ca/tasks/prepare_ca_to_copy.yml

@@ -0,0 +1,35 @@
+---
+# task/prepare_ca_to_copy file for hashistack_ca
+- name: "CA | Check if CA directory exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_root_dir }}"
+  register: _hashistack_ca_root_dir
+  delegate_to: localhost
+
+- name: "CA | Find custom CA certificates to copy"
+  ansible.builtin.find:
+    paths: "{{ hashistack_ca_root_dir }}"
+    patterns: "*.crt"
+  register: hashistack_ca_root_dir_files
+  delegate_to: localhost
+  when: _hashistack_ca_root_dir.stat.exists and _hashistack_ca_root_dir.stat.isdir
+
+- name: "CA | Ensure public CA directory exists"
+  ansible.builtin.file:
+    path: "{{ hashistack_ca_public_dir }}"
+    state: directory
+    owner: "{{ lookup('env', 'USER') }}"
+    group: "{{ lookup('env', 'USER') }}"
+    mode: 0755
+  delegate_to: localhost
+
+- name: "CA | Copy root CA certificates"
+  ansible.builtin.copy:
+    src: "{{ item.path }}"
+    dest: "{{ hashistack_ca_public_dir }}/{{ item.path | basename }}"
+    owner: "{{ lookup('env', 'USER') }}"
+    group: "{{ lookup('env', 'USER') }}"
+    mode: 0644
+  loop: "{{ hashistack_ca_root_dir_files.files }}"
+  delegate_to: localhost
+  when: not hashistack_ca_root_dir_files.skipped | default(False)

roles/hashistack_ca/tasks/renew/renew_intermediate.yml

@@ -0,0 +1,71 @@
+---
+# tasks/renew/renew_intermediate.yml file for hashistack_ca
+- name: "Intermediate CA | Check if intermediate CA certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_intermediate_cert_path }}"
+  register: _hashistack_ca_intermediate_cert_stat
+  delegate_to: localhost
+
+- name: "Intermediate CA | Check if root CA certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_root_cert_path }}"
+  register: _hashistack_ca_root_cert_stat
+  delegate_to: localhost
+
+- name: "Intermediate CA | Check CA for renewal"
+  when:
+    - _hashistack_ca_intermediate_cert_stat.stat.exists
+    - _hashistack_ca_intermediate_cert_stat.stat.isreg
+    - _hashistack_ca_root_cert_stat.stat.exists
+    - _hashistack_ca_root_cert_stat.stat.isreg
+  delegate_to: localhost
+  block:
+    - name: "Intermediate CA | Get intermediate CA certificate expiration date"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_intermediate_cert_path }}"
+        valid_at:
+          renew_threshold: "+{{ hashistack_ca_intermediate_renew_threshold }}"
+      register: _hashistack_ca_intermediate_cert_info
+
+    - name: "Root CA | Get root CA certificate info"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_root_cert_path }}"
+      register: _hashistack_ca_root_cert_info
+
+    - name: "Intermediate CA | Check if intermediate CA certificate is expiring within the threshold"
+      ansible.builtin.set_fact:
+        _hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_intermediate_cert_info.valid_at.renew_threshold }}"
+
+    - name: "Intermediate CA | Check if root CA has been renewed"
+      ansible.builtin.set_fact:
+        _hashistack_ca_root_renewed: "{{ _hashistack_ca_root_cert_info.not_before > _hashistack_ca_intermediate_cert_info.not_before }}"
+
+- name: "Intermediate CA | Renew CA if expiring soon or root CA has been renewed"
+  when:
+    - _hashistack_ca_is_expiring_soon or _hashistack_ca_root_renewed
+  delegate_to: localhost
+  block:
+    - name: "Intermediate CA | Create backup directory for intermediate CA"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_intermediate_backup_dir }}"
+        state: directory
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+        mode: "0755"
+
+    - name: "Intermediate CA | Format expiration date for backup"
+      ansible.builtin.set_fact:
+        _hashistack_ca_intermediate_expiration_date: "{{ _hashistack_ca_intermediate_cert_info.not_after[:8] | regex_replace('^([0-9]{4})([0-9]{2})([0-9]{2})$', '\\1_\\2_\\3') }}"
+
+    - name: "Intermediate CA | Backup existing intermediate CA certificate"
+      ansible.builtin.command:
+        cmd: mv {{ hashistack_ca_intermediate_cert_path }} {{ hashistack_ca_intermediate_backup_dir }}/intermediate_ca_expire_{{ _hashistack_ca_intermediate_expiration_date }}.crt
+      changed_when: false
+
+    - name: "Intermediate CA | Backup existing intermediate CA key"
+      ansible.builtin.command:
+        cmd: mv {{ hashistack_ca_intermediate_key_path }} {{ hashistack_ca_intermediate_backup_dir }}/intermediate_ca_expire_{{ _hashistack_ca_intermediate_expiration_date }}.key
+      changed_when: false
+
+    - name: "Intermediate CA | Generate new intermediate CA if backups were successful"
+      ansible.builtin.include_tasks: ../generate/generate_intermediate.yml

roles/hashistack_ca/tasks/renew/renew_root.yml

@@ -0,0 +1,62 @@
+---
+# tasks/renew/renew_root.yml
+- name: "Root CA | Check if root CA certificate exists"
+  ansible.builtin.stat:
+    path: "{{ hashistack_ca_root_cert_path }}"
+  register: _hashistack_ca_root_cert_stat
+  delegate_to: localhost
+
+- name: "Root CA | Check CA for renewal"
+  when:
+    - _hashistack_ca_root_cert_stat.stat.exists
+    - _hashistack_ca_root_cert_stat.stat.isreg
+  delegate_to: localhost
+  block:
+    - name: "Root CA | Get root CA certificate expiration date"
+      community.crypto.x509_certificate_info:
+        path: "{{ hashistack_ca_root_cert_path }}"
+        valid_at:
+          renew_threshold: "+{{ hashistack_ca_root_renew_threshold }}"
+      register: _hashistack_ca_root_cert_info
+
+    - name: "Root CA | Check if root CA certificate is expiring within the threshold"
+      ansible.builtin.set_fact:
+        _hashistack_ca_is_expiring_soon: "{{ not _hashistack_ca_root_cert_info.valid_at.renew_threshold }}"
+
+    - name: "Root CA | Debug certificate expiration status"
+      ansible.builtin.debug:
+        msg: "Is root CA certificate expiring soon? {{ _hashistack_ca_is_expiring_soon }}"
+
+- name: "Root CA | Renew CA if expiring soon"
+  when:
+    - _hashistack_ca_is_expiring_soon
+  delegate_to: localhost
+  block:
+    - name: "Root CA | Create backup directory for root CA"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_root_backup_dir }}"
+        state: directory
+        owner: "{{ lookup('env', 'USER') }}"
+        group: "{{ lookup('env', 'USER') }}"
+        mode: "0755"
+
+    - name: "Root CA | Format expiration date for backup"
+      ansible.builtin.set_fact:
+        _hashistack_ca_root_expiration_date: "{{ _hashistack_ca_root_cert_info.not_after[:8] | regex_replace('^([0-9]{4})([0-9]{2})([0-9]{2})$', '\\1_\\2_\\3') }}"
+
+    - name: "Root CA | Rename existing root CA certificate"
+      ansible.builtin.command:
+        cmd: mv {{ hashistack_ca_root_cert_path }} {{ hashistack_ca_root_backup_dir }}/ca_expire_{{ _hashistack_ca_root_expiration_date }}.crt
+      changed_when: false
+
+    - name: "Root CA | Remove existing root CA key"
+      ansible.builtin.file:
+        path: "{{ hashistack_ca_root_key_path }}"
+        state: absent
+      changed_when: false
+
+    - name: "Root CA | Generate new root CA if renaming was successful"
+      ansible.builtin.include_tasks: ../generate/generate_root.yml
+
+    - name: "Root CA | Generate new intermediate CA"
+      ansible.builtin.include_tasks: ../generate/generate_intermediate.yml

roles/hashistack_ca/vars/main.yml

@@ -0,0 +1,22 @@
+---
+# vars file for hashistack_ca
+hashistack_ca_action_list: "{{ hashistack_ca_action.split(',') }}"
+
+# possible actions
+hashistack_ca_generate_root: "{{ 'root_ca' in hashistack_ca_action_list }}"
+hashistack_ca_generate_intermediate: "{{ 'int_ca' in hashistack_ca_action_list }}"
+hashistack_ca_renew_intermediate: "{{ 'renew_int' in hashistack_ca_action_list }}"
+hashistack_ca_renew_root: "{{ 'renew_root' in hashistack_ca_action_list }}"
+
+hashistack_ca_public_dir: "{{ hashistack_ca_directory }}/ca"
+
+hashistack_ca_root_dir: "{{ hashistack_ca_directory }}/root"
+hashistack_ca_root_backup_dir: "{{ hashistack_ca_root_dir }}/backup"
+hashistack_ca_root_key_path: "{{ hashistack_ca_root_dir }}/ca.key"
+hashistack_ca_root_cert_path: "{{ hashistack_ca_root_dir }}/ca.crt"
+
+hashistack_ca_intermediate_dir: "{{ hashistack_ca_directory }}/intermediate"
+hashistack_ca_intermediate_backup_dir: "{{ hashistack_ca_intermediate_dir }}/backup"
+hashistack_ca_intermediate_key_path: "{{ hashistack_ca_intermediate_dir }}/ca.key"
+hashistack_ca_intermediate_csr_path: "{{ hashistack_ca_intermediate_dir }}/ca.csr"
+hashistack_ca_intermediate_cert_path: "{{ hashistack_ca_intermediate_dir }}/ca.crt"

roles/nomad/vars/main.yml

@@ -11,7 +11,6 @@ nomad_deb_architecture_map:
 nomad_architecture: "{{ nomad_deb_architecture_map[ansible_architecture] | default(ansible_architecture) }}"
 nomad_service_name: "nomad"
 nomad_github_api: https://api.github.com/repos
-nomad_cni_github_project: containernetworking/plugins
 nomad_github_project: hashicorp/nomad
 nomad_github_url: https://github.com
 nomad_repository_url: https://releases.hashicorp.com/nomad