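# Generate and provision mTLS certificates
#
# Play 1 (control node): build a private CA, issue one server certificate
# for Logstash and one client certificate per Raspberry Pi. Every private
# key is generated here and shipped out by the later plays, so the control
# node holds all keys of the deployment and must be protected accordingly.
# NOTE(review): writing under /etc/ssl needs root; `become` is not set in
# this file, so it is presumably supplied by ansible.cfg or the command
# line — confirm.
- name: Generate certificates for mTLS
  hosts: localhost
  vars:
    # Play-level vars must be a mapping; the list-of-single-key-mappings
    # form is deprecated and rejected by newer Ansible releases.
    server_hostname: pssid-db.miserver.it.umich.edu
    client_certs_dir: /etc/ssl/pssid-data-pipline-ssl/client_certs
    server_certs_dir: /etc/ssl/pssid-data-pipline-ssl/server_certs
    ca_private_key: "{{ server_certs_dir }}/ca.key"
    ca_certificate: "{{ server_certs_dir }}/ca.crt"
    logstash_private_key: "{{ server_certs_dir }}/logstash.key"
    logstash_certificate: "{{ server_certs_dir }}/logstash.crt"
  tasks:
    # --- CA and server certificate ---
    - name: Create directory for server certificates
      ansible.builtin.file:
        path: "{{ server_certs_dir }}"
        state: directory
        mode: '0755'

    - name: Generate Certificate Authority (CA) private key
      community.crypto.openssl_privatekey:
        path: "{{ ca_private_key }}"
        type: RSA
        size: 2048
        format: pkcs8
        # The CA key signs every certificate in the deployment; keep it
        # owner-readable only (explicit here even though it is the default).
        mode: '0600'

    - name: Generate CA certificate signing request (CSR)
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ ca_private_key }}"
        # NOTE(review): the CA shares its CN with the Logstash leaf
        # certificate below. Chain building still works because ownca adds
        # key identifiers, but a distinct CA subject (e.g. "<host> CA")
        # would be clearer; changing it on an existing deployment
        # regenerates the CA and every certificate it signed.
        common_name: "{{ server_hostname }}"
        basic_constraints:
          - 'CA:TRUE'
        # RFC 5280 requires basicConstraints to be critical on CA
        # certificates and recommends the same for keyUsage; left
        # non-critical, validators may silently ignore them.
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
          - cRLSign
        key_usage_critical: true
      register: ca_csr

    - name: Generate CA certificate (self-signed) from CSR
      community.crypto.x509_certificate:
        path: "{{ ca_certificate }}"
        csr_content: "{{ ca_csr.csr }}"
        privatekey_path: "{{ ca_private_key }}"
        provider: selfsigned

    - name: Generate Logstash private key
      community.crypto.openssl_privatekey:
        path: "{{ logstash_private_key }}"
        type: RSA
        size: 2048
        format: pkcs8

    - name: Generate Logstash certificate signing request (CSR)
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ logstash_private_key }}"
        common_name: "{{ server_hostname }}"
        # Go-based TLS clients such as Filebeat do not fall back to the CN:
        # the server name must appear in subjectAltName or hostname
        # verification of the Logstash certificate fails.
        subject_alt_name:
          - "DNS:{{ server_hostname }}"
        key_usage:
          - digitalSignature
          - keyEncipherment
        extended_key_usage:
          - serverAuth
      register: logstash_csr

    - name: Sign Logstash CSR with the CA to create logstash.crt
      community.crypto.x509_certificate:
        path: "{{ logstash_certificate }}"
        csr_content: "{{ logstash_csr.csr }}"
        ownca_path: "{{ ca_certificate }}"
        ownca_privatekey_path: "{{ ca_private_key }}"
        provider: ownca

    # --- one client certificate per Raspberry Pi ---
    - name: Create directory for client certificates
      ansible.builtin.file:
        path: "{{ client_certs_dir }}"
        state: directory
        mode: '0755'

    - name: Generate client private key for each Raspberry Pi
      community.crypto.openssl_privatekey:
        path: "{{ client_certs_dir }}/{{ item }}.key"
        type: RSA
        size: 2048
        format: pkcs8
      loop: "{{ groups['raspberry_pis'] }}"

    - name: Generate client CSR for each Raspberry Pi
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ client_certs_dir }}/{{ item }}.key"
        common_name: "{{ item }}"
        key_usage:
          - digitalSignature
        # Restrict client certificates to client authentication so a
        # certificate taken from one Pi cannot be presented as a server.
        extended_key_usage:
          - clientAuth
      loop: "{{ groups['raspberry_pis'] }}"
      register: client_csrs

    - name: Show which hosts received a client CSR
      ansible.builtin.debug:
        msg: "{{ client_csrs.results | map(attribute='item') | list }}"
        verbosity: 1

    - name: Sign client CSR with the CA to create client.crt
      community.crypto.x509_certificate:
        # Each registered loop result carries its loop value as item.item,
        # so no zip against the group list is needed.
        path: "{{ client_certs_dir }}/{{ item.item }}.crt"
        csr_content: "{{ item.csr }}"
        ownca_path: "{{ ca_certificate }}"
        ownca_privatekey_path: "{{ ca_private_key }}"
        provider: ownca
      loop: "{{ client_csrs.results }}"
      loop_control:
        label: "{{ item.item }}"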
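# Provision server certificates, keys to server
#
# Play 2 (Logstash host): copy the server key pair and the CA certificate
# from the control node and add the mTLS beats input to logstash.conf.
- name: Provision server certificates to servers
  hosts: servers
  vars:
    # src paths are on the control node (where the generation play wrote
    # them); dest paths are on the Logstash host. Play vars do not carry
    # over between plays, so the source paths are repeated here.
    ca_certificate: /etc/ssl/pssid-data-pipline-ssl/server_certs/ca.crt
    logstash_private_key: /etc/ssl/pssid-data-pipline-ssl/server_certs/logstash.key
    logstash_certificate: /etc/ssl/pssid-data-pipline-ssl/server_certs/logstash.crt
    db_server_certs_dir: /home/wmarcoyu/logstash-pipeline
  tasks:
    - name: Copy server private key to the server
      ansible.builtin.copy:
        src: "{{ logstash_private_key }}"
        dest: "{{ db_server_certs_dir }}/logstash.key"
        # Private key: owner-readable only.
        mode: '0600'

    - name: Copy server certificate to the server
      ansible.builtin.copy:
        src: "{{ logstash_certificate }}"
        dest: "{{ db_server_certs_dir }}/logstash.crt"
        mode: '0644'

    - name: Copy CA certificate to the server
      ansible.builtin.copy:
        src: "{{ ca_certificate }}"
        dest: "{{ db_server_certs_dir }}/ca.crt"
        mode: '0644'

    # $$ bug: blockinfile does not generate indentation, use j2
    # The block is a complete top-level `input { ... }` stanza, so it is
    # appended to the file (blockinfile's default) instead of being inserted
    # after an existing `input {` line, which nests one input section inside
    # another and breaks the Logstash config parse. Logstash merges several
    # input sections; if the file already declares a beats input on this
    # port, drop it there or move the whole pipeline to the j2 template.
    # NOTE(review): the certificate paths inside the block differ from
    # db_server_certs_dir — presumably that directory is mounted into the
    # Logstash container at /usr/share/logstash/pipeline; confirm. Logstash
    # also has to reload the pipeline for the change to take effect, which
    # this play does not trigger.
    - name: Add mTLS configuration block to logstash.conf
      ansible.builtin.blockinfile:
        path: "{{ db_server_certs_dir }}/logstash.conf"
        # `{mark}` is required so the begin and end markers differ; with one
        # identical marker blockinfile cannot locate the existing block on
        # the next run and appends a duplicate copy instead of replacing it.
        marker: "# {mark} ANSIBLE MANAGED BLOCK: mTLS configuration"
        # ssl_verify_mode force_peer rejects clients that present no
        # certificate; that is what makes the input mutual TLS.
        block: |
          input {
            beats {
              port => 9400
              ssl => true
              ssl_certificate => "/usr/share/logstash/pipeline/logstash.crt"
              ssl_key => "/usr/share/logstash/pipeline/logstash.key"
              ssl_verify_mode => "force_peer"
              ssl_certificate_authorities => ["/usr/share/logstash/pipeline/ca.crt"]
            }
          }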
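# Provision the certificates to each Raspberry Pi
# $$ setting up ssh key for pssid-dev (gui) server ? and --limit raspberry-pis in hosts.ini during provision.
#
# Play 3 (each host in group raspberry_pis): install that host's client key
# pair plus the CA certificate under /etc/filebeat and render filebeat.yml.
# NOTE(review): writing under /etc/filebeat needs root; `become` is not set
# in this file — confirm it comes from ansible.cfg or the command line.
- name: Provision client certificates
  hosts: raspberry_pis
  vars:
    # Play vars from the generation play are not visible here; without
    # these, client_certs_dir and ca_certificate are undefined and the
    # copy tasks fail. Moving them to group_vars/all defines them once.
    client_certs_dir: /etc/ssl/pssid-data-pipline-ssl/client_certs
    ca_certificate: /etc/ssl/pssid-data-pipline-ssl/server_certs/ca.crt
  tasks:
    - name: Copy client private key to Raspberry Pi
      ansible.builtin.copy:
        src: "{{ client_certs_dir }}/{{ inventory_hostname }}.key"
        dest: "/etc/filebeat/{{ inventory_hostname }}.key"
        # Private key: owner-readable only, so other local users cannot
        # present this host's identity to Logstash.
        mode: '0600'

    - name: Copy client certificate to Raspberry Pi
      ansible.builtin.copy:
        src: "{{ client_certs_dir }}/{{ inventory_hostname }}.crt"
        dest: "/etc/filebeat/{{ inventory_hostname }}.crt"
        mode: '0644'

    - name: Copy CA certificate to Raspberry Pi
      ansible.builtin.copy:
        src: "{{ ca_certificate }}"
        dest: "/etc/filebeat/ca.crt"
        mode: '0644'

    # NOTE(review): Filebeat has to be restarted for the new certificates
    # and configuration to take effect; no handler does that here.
    - name: Deploy filebeat.yml configuration from template
      ansible.builtin.template:
        src: templates/filebeat.yml.j2
        dest: /etc/filebeat/filebeat.yml
        mode: '0644'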