Update to 2021-12-01 19:13

roles/openxpki/tasks/archive_post.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ pki_root_dir }}"
+    - version: "{{ pki_current_version }}"
+  tags: pki
+

roles/openxpki/tasks/archive_pre.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Create archive dir
+  file: path={{ pki_root_dir }}/archives/{{ pki_current_version }} state=directory mode=700
+  tags: pki
+
+- name: Archive previous version
+  synchronize:
+    src: "{{ pki_root_dir }}"
+    dest: "{{ pki_root_dir }}/archives/{{ pki_current_version }}/"
+    delete: True
+    compress: False
+    rsync_opts:
+      - '--exclude=archives/'
+      - '--exclude=run/'
+  delegate_to: "{{ inventory_hostname }}"
+  tags: pki
+
+- name: Dump the database
+  mysql_db:
+    state: dump
+    name: "{{ pki_db_name }}"
+    target: "{{ pki_root_dir }}/archives/{{ pki_current_version }}/{{ pki_db_name }}.sql"
+    login_host: "{{ pki_db_server | default(mysql_server) }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    quick: True
+    single_transaction: True
+  tags: pki
+

roles/openxpki/tasks/cleanup.yml

@@ -0,0 +1,24 @@
+---
+
+- name: List sources
+  shell: find {{ pki_root_dir }}/src -maxdepth 1 -mindepth 1 -exec basename "{}" \;
+  register: pki_sources
+  changed_when: False
+  tags: pki
+
+  # Note : we keep sources and tgz for the currently installed version
+- name: Remove previous sources
+  file: path={{ pki_root_dir }}/src/{{ item }} state=absent
+  loop: "{{ pki_sources.stdout_lines }}"
+  when:
+    - item != 'openxpki-' ~ pki_version
+    - item != 'openxpki-' ~ pki_version ~ '.tar.gz'
+    - item != 'openxpki-config-' ~ pki_config_version
+    - item != 'openxpki-config-' ~ pki_config_version ~ '.tar.gz'
+  tags: pki
+
+- name: Remove obsolete and temp files and directories
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ pki_root_dir }}/db_dumps"
+  tags: pki

roles/openxpki/tasks/conf.yml

@@ -0,0 +1,118 @@
+---
+
+- name: Deploy JS config
+  template: src=localconfig.js.j2 dest={{ pki_root_dir }}/web/htdocs/localconfig.js
+  tags: pki
+
+- name: Check if notification is a link or a dir
+  stat: path={{ pki_root_dir }}/etc/notification
+  register: pki_notif_config
+  tags: pki
+
+- name: Remove notification dir from the config
+  file: path={{ pki_root_dir }}/etc/notification state=absent
+  when:
+    - pki_notif_config.stat.isdir is defined
+    - pki_notif_config.stat.isdir
+  tags: pki
+
+- name: Copy default configuration
+  synchronize:
+    src: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/"
+    dest: "{{ pki_root_dir }}/etc/"
+    compress: False
+    rsync_opts:
+      - '--exclude=config.d/realm/democa'
+  delegate_to: "{{ inventory_hostname }}"
+  when: pki_install_mode != 'none' # or pki_patches.changed
+  tags: pki
+
+- name: Create realm config directories
+  file: path={{ pki_root_dir }}/etc/config.d/realm/{{ item.name }} state=directory
+  with_items: "{{ pki_realms }}"
+  register: pki_new_realms
+  tags: pki
+
+- name: Populate realm config
+  synchronize:
+    src: "{{ pki_root_dir }}/etc/config.d/realm.tpl/"
+    dest: "{{ pki_root_dir }}/etc/config.d/realm/{{ item.item.name }}/"
+    compress: False
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: item.changed or pki_install_mode != 'none'
+  with_items: "{{ pki_new_realms.results }}"
+  tags: pki
+
+- name: Create per realm links to the scep script handler
+  file: src=scep.fcgi dest={{ pki_root_dir }}/web/cgi-bin/scep_{{ item.name }}.fcgi state=link
+  when: item.scep.enabled
+  with_items: "{{ pki_realms }}"
+  tags: pki
+
+- name: Remove scep for realms who has disabled it
+  file: path={{ pki_root_dir }}/web/cgi-bin/scep_{{ item.name }}.fcgi state=absent
+  when: not item.scep.enabled
+  with_items: "{{ pki_realms }}"
+  tags: pki
+
+- name: Deploy system configuration
+  template: src={{ item }}.j2 dest={{ pki_root_dir }}/etc/{{ item }}
+  with_items:
+    - config.d/system/crypto.yaml
+    - config.d/system/database.yaml
+    - config.d/system/realms.yaml
+    - config.d/system/server.yaml
+    - config.d/system/watchdog.yaml
+    - notification/email/_footer.txt
+    - notification/email/_footer.html
+  notify: restart openxpki
+  tags: pki
+
+- name: Deploy realm configuration
+  template: src=config.d/realm/{{ item.1 }}.j2 dest={{ pki_root_dir }}/etc/config.d/realm/{{ item.0.name }}/{{ item.1 }}
+  with_nested:
+    - "{{ pki_realms }}"
+    - - crypto.yaml
+      - nice.yaml
+      - notification/smtp.yaml
+      - publishing.yaml
+      - profile/default.yaml
+      - profile/signer.yaml
+      - profile/tls_client.yaml
+      - profile/tls_server.yaml
+      - profile/user_auth_enc.yaml
+      - auth/stack.yaml
+      - auth/handler.yaml
+      - workflow/global/validator/password_quality.yaml
+      - scep/scep-server.yaml
+  notify: restart openxpki
+  tags: pki
+
+- name: Deploy per realm scep configuration
+  template: src=scep/default.conf.j2 dest={{ pki_root_dir }}/etc/scep/{{ item.name }}.conf
+  with_items: "{{ pki_realms }}"
+  notify: restart openxpki fcgi
+  tags: pki
+
+- name: Deploy general configuration
+  template: src={{ item }}.j2 dest={{ pki_root_dir }}/etc/{{ item }}
+  with_items:
+    - log.conf
+    - openssl.cnf
+    - scep/log.conf
+  tags: pki
+
+- name: Deploy webui configuration
+  template: src={{ item }}.j2 dest={{ pki_root_dir }}/etc/{{ item }}
+  with_items:
+    - webui/default.conf
+    - webui/log.conf
+  notify: restart openxpki fcgi
+  tags: pki
+
+- name: Deploy httpd config
+  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/10-openxpki.conf
+  notify: reload httpd
+  tags: pki
+

roles/openxpki/tasks/directories.yml

@@ -0,0 +1,52 @@
+---
+
+- name: Create directories
+  file: path={{ pki_root_dir }}/{{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  with_items:
+    - path: /
+      group: apache
+      mode: 750
+    - path: etc/config.d/realm
+      owner: "{{ pki_user }}"
+      group: apache
+      mode: 750
+    - path: etc/ssl/root
+      owner: "{{ pki_user }}"
+      group: "{{ pki_user }}"
+      mode: 700
+    - path: log
+      owner: "{{ pki_user }}"
+      mode: 700
+    - path: data
+      owner: "{{ pki_user }}"
+      group: apache
+      mode: 750
+    - path: run
+      owner: "{{ pki_user }}"
+      group: apache
+      mode: 750
+    - path: tmp
+      owner: "{{ pki_user }}"
+      group: apache
+      mode: 770
+    - path: meta
+      mode: 700
+    - path: locale
+    - path: web
+    - path: backup
+      mode: 700
+    - path: src
+    - path: archives
+      mode: 700
+  tags: pki
+
+- name: Create data directories for realms
+  file: path={{ pki_root_dir }}/data/{{ item.name }} state=directory owner={{ pki_user }} group=apache mode=750
+  with_items: "{{ pki_realms }}"
+  tags: pki
+
+- name: Create CA's directory
+  file: path={{ pki_root_dir }}/etc/ssl/{{ item.name }} state=directory
+  with_items: "{{ pki_realms }}"
+  tags: pki
+

roles/openxpki/tasks/facts.yml

@@ -0,0 +1,83 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: pki
+
+  # Merge realm config
+- name: Build PKI realm config
+  set_fact: pki_realms_conf={{ pki_realms_conf | default([]) + [ pki_realm_conf | combine(item, recursive=True) ] }}
+  with_items: "{{ pki_realms }}"
+  tags: pki
+- set_fact: pki_realms={{ pki_realms_conf | default([]) }}
+  tags: pki
+
+  # Detect if its an initial install, an upgrade, or none
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ pki_root_dir }}"
+    - version: "{{ pki_version }}"
+  tags: pki
+- set_fact: pki_install_mode={{ (install_mode == 'upgrade' and not pki_manage_upgrade) | ternary('none',install_mode) }}
+  tags: pki
+- set_fact: pki_current_version={{ current_version | default('') }}
+  tags: pki
+
+  # Generate various password and secrets, if they are not defined
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ pki_root_dir }}/meta/ansible_secret_cookie"
+  tags: pki
+- set_fact: pki_secret_cookie={{ rand_pass }}
+  tags: pki
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ pki_root_dir }}/meta/ansible_secret"
+  when: pki_secret is not defined
+  tags: pki
+- set_fact: pki_secret={{ rand_pass }}
+  when: pki_secret is not defined
+  tags: pki
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ pki_root_dir }}/meta/ansible_scep_hmac"
+  when: pki_scep_hmac is not defined
+  tags: pki
+- set_fact: pki_scep_hmac={{ rand_pass }}
+  when: pki_scep_hmac is not defined
+  tags: pki
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ pki_root_dir }}/meta/ansible_scep_challenge"
+  when: pki_scep_challenge is not defined
+  tags: pki
+- set_fact: pki_scep_challenge={{ rand_pass }}
+  when: pki_scep_challenge is not defined
+  tags: pki
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ pki_root_dir }}/meta/ansible_dbpass"
+  when: pki_db_pass is not defined
+  tags: pki
+- set_fact: pki_db_pass={{ rand_pass }}
+  when: pki_db_pass is not defined
+  tags: pki
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ pki_root_dir }}/meta/ansible_session_dbpass"
+  when: pki_db_session_pass is not defined
+  tags: pki
+- set_fact: pki_db_session_pass={{ rand_pass }}
+  when: pki_db_session_pass is not defined
+  tags: pki
+
+

roles/openxpki/tasks/install.yml

@@ -0,0 +1,284 @@
+---
+
+- name: Install dependencies
+  yum: name={{ pki_packages }}
+  tags: pki
+
+- name: Download OpenXPKI
+  get_url:
+    url: "{{ pki_archive_url }}"
+    dest: "{{ pki_root_dir }}/src"
+    checksum: "sha1:{{ pki_archive_sha1 }}"
+  register: pki_download
+  tags: pki
+
+- name: Download OpenXPKI config
+  get_url:
+    url: "{{ pki_config_archive_url }}"
+    dest: "{{ pki_root_dir }}/src"
+    checksum: "sha1:{{ pki_config_archive_sha1 }}"
+  register: pki_config_download
+  tags: pki
+
+- name: Extract OpenXPKI
+  unarchive:
+    src: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}.tar.gz"
+    dest: "{{ pki_root_dir }}/src"
+    remote_src: True
+  when: pki_download.changed
+  tags: pki
+
+- name: Extract OpenXPKI config
+  unarchive:
+    src: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}.tar.gz"
+    dest: "{{ pki_root_dir }}/src"
+    remote_src: True
+  when: pki_config_download.changed
+  tags: pki
+
+  # This is needed or make will fail
+- name: Write version in source dir
+  copy: content={{ pki_version }} dest={{ pki_root_dir }}/src/openxpki-{{ pki_version }}/VERSION
+  tags: pki
+
+- name: Stop openxpki during upgrade
+  service: name=openxpki state=stopped
+  when: pki_install_mode == 'upgrade'
+  tags: pki
+
+  # With this, we ensure we update all perl modules each time we update OpenXPKI
+- name: Wipe local lib dir
+  file: path={{ pki_root_dir }}/lib/perl5 state=absent
+  when: pki_install_mode == 'upgrade'
+  tags: pki
+
+- when: pki_install_mode != 'none'
+  block:
+    - name: Install perl module without tests
+      cpanm:
+        name: "{{ item }}"
+        locallib: "{{ pki_root_dir }}"
+        notest: True
+      with_items:
+        - Git::PurePerl
+        - Connector    # This module tries to fetch web content without checking proxy from env
+        - Net::Server  # 2 tests are failing on el8 t/SSL_test.t and t/SSLEAY_test.t
+
+    - name: Install OpenXPKI dependencies
+      cpanm:
+        locallib: "{{ pki_root_dir }}"
+        installdeps: True
+        from_path: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
+      environment:
+        PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+        PATH: "{{ pki_root_dir }}/bin:{{ ansible_env.PATH }}"
+
+    - name: Install additional perl modules
+      cpanm:
+        name: "{{ item }}"
+        locallib: "{{ pki_root_dir }}"
+      with_items:
+        - Devel::CheckLib  # Needed to build BDB::mysql >= 4.047
+        - DBD::mysql
+        - Log::Log4perl::Appender::Screen # Log::Log4perl::Appender::Journald is broken on systemd > 209
+        - Data::Dump       # Needed for the external ldap auth script
+        - String::Escape   # Needed for the external ldap auth script
+        - TINITA/YAML-1.30.tar.gz
+
+    - name: Build OpenXPKI
+      cpanm:
+        locallib: "{{ pki_root_dir }}"
+        from_path: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
+        notest: True
+      environment:
+        PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+        PATH: "{{ pki_root_dir }}/bin:{{ ansible_env.PATH }}"
+
+    - name: Install OpenXPKI
+      command: make install
+      args:
+        chdir: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server"
+      notify: restart openxpki
+
+      # This is needed so the build-pot.pl script finds msg labels in config
+      # during the make scan step in next task
+    - name: Copy default conf in server source directory
+      synchronize:
+        src: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/"
+        dest: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/config/"
+        delete: True
+        compress: False
+      delegate_to: "{{ inventory_hostname }}"
+
+    - name: Scan, build and install translations
+      shell: make scan && make && make install LOCALE_DIR={{ pki_root_dir }}/locale
+      args:
+        chdir: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/i18n"
+
+    - name: Install the web UI
+      synchronize:
+        src: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server/{{ item }}"
+        dest: "{{ pki_root_dir }}/web/"
+        compress: False
+      delegate_to: "{{ inventory_hostname }}"
+      with_items:
+        - cgi-bin
+        - htdocs
+
+  tags: pki
+
+- name: Install OpenXPKI CGI::Session driver
+  copy:
+    src: "{{ pki_root_dir }}/src/openxpki-{{ pki_version }}/core/server/CGI_Session_Driver/openxpki.pm"
+    dest: "{{ pki_root_dir }}/lib/perl5/CGI/Session/Driver/openxpki.pm"
+    remote_src: True
+  tags: pki
+
+
+- name: Fix relative URL in the index page
+  command: sed -i -e 's|/openxpki/|{{ pki_web_alias }}|g' {{ pki_root_dir }}/web/htdocs/default.html
+  changed_when: False
+  tags: pki
+
+- name: Install wrapper scripts
+  template: src=bin/{{ item }}.j2 dest=/usr/local/bin/{{ item }} mode=755
+  with_items:
+    - openxpkiadm
+    - openxpkicmd
+  tags: pki
+
+- name: Deploy cron scripts
+  template: src=bin/{{ item }}.j2 dest={{ pki_root_dir }}/bin/{{ item }} mode=755
+  with_items:
+    - crl_update
+    - notify_expiry
+  tags: pki
+
+- name: Setup cronjobs
+  cron:
+    name: "{{ item.script }}"
+    cron_file: openxpki
+    user: "{{ pki_user }}"
+    job: /bin/systemd-cat {{ pki_root_dir }}/bin/{{ item.script }}
+    special_time: "{{ item.freq }}"
+  with_items:
+    - script: crl_update
+      freq: hourly
+    - script: notify_expiry
+      freq: weekly
+  tags: pki
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ pki_db_name }}"
+    - db_user: "{{ pki_db_user }}"
+    - db_server: "{{ pki_db_server }}"
+    - db_pass: "{{ pki_db_pass }}"
+  tags: pki
+
+- name: Inject MySQL schema
+  mysql_db:
+    name: "{{ pki_db_name }}"
+    state: import
+    target: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/contrib/sql/schema-mysql.sql"
+    login_host: "{{ pki_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  when:
+    - pki_install_mode == 'install'
+    - db_created.changed
+  tags: pki
+
+- name: Copy additional sql scripts
+  copy: src={{ item }} dest={{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/contrib/sql/{{ item }}
+  loop:
+    - session_table.sql
+    - upgrade_to_v3.sql
+  tags: pki
+
+- name: Create session table
+  mysql_db:
+    name: "{{ pki_db_name }}"
+    state: import
+    target: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/contrib/sql/session_table.sql"
+    login_host: "{{ pki_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  when:
+    - pki_install_mode != 'none'
+  tags: pki
+
+- name: Create user for session table
+  mysql_user:
+    name: "{{ pki_db_session_user }}"
+    password: "{{ pki_db_session_pass }}"
+    priv: "{{ pki_db_name }}.frontend_session:SELECT,INSERT,UPDATE,DELETE"
+    append_privs: "{{ append_privs | default(False) }}"
+    host: "{{ ( pki_db_server == 'localhost' ) | ternary('localhost', item ) }}"
+    login_host: "{{ pki_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    state: present
+  with_items: "{{ ansible_all_ipv4_addresses }}"
+  tags: pki
+
+- name: Upgrade database from v2 to v3
+  mysql_db:
+    name: "{{ pki_db_name }}"
+    state: import
+    target: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/contrib/sql/upgrade_to_v3.sql"
+    login_host: "{{ pki_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  when:
+    - pki_install_mode == 'upgrade'
+    - pki_current_version is match('^2')
+  tags: pki
+
+- name: Copy DB upgrades scripts
+  copy: src=upgrade_to_v{{ item }}.sql dest={{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/contrib/sql/
+  loop:
+    - '3.4'
+    - '3.8'
+    - '3.14'
+  tags: pki
+
+- name: Apply db upgrades
+  mysql_db:
+    name: "{{ pki_db_name }}"
+    state: import
+    target: "{{ pki_root_dir }}/src/openxpki-config-{{ pki_config_version }}/contrib/sql/upgrade_to_v{{ item }}.sql"
+    login_host: "{{ pki_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  loop:
+    - '3.4'
+    - '3.8'
+    - '3.14'
+  when:
+    - pki_install_mode == 'upgrade'
+    - pki_current_version is version(item, '<')
+  tags: pki
+
+- name: Deploy systemd unit
+  template: src=openxpki.service.j2 dest=/etc/systemd/system/openxpki.service
+  register: pki_unit
+  tags: pki
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: pki_unit.changed
+  tags: pki
+
+- name: Deploy authentication script helpers
+  copy: src={{ item }} dest={{ pki_root_dir }}/bin/{{ item }} mode=755
+  with_items:
+    - openxpki-auth-ldap
+  tags: pki
+
+- name: Install pre and post backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/openxpki mode=750
+  loop:
+    - pre
+    - post
+  tags: pki

roles/openxpki/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: pki_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+- include: pki.yml
+- include: service.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: pki_install_mode == 'upgrade'
+- include: cleanup.yml
+
+#### TODO #####
+# * Cron to renew at least issuing CA (and maybe Root CA later)
+# * Add/Modify workflow to allow passwordless certs to be stored
+# * Profile for OCSP signing
+# * OCSP responder

roles/openxpki/tasks/pki.yml

@@ -0,0 +1,211 @@
+---
+
+- name: Create global certificates
+  command: >
+    openssl req
+    -config {{ pki_root_dir }}/etc/openssl.cnf
+    -extensions v3_ca
+    -x509
+    -newkey rsa:{{ pki_realm_conf.keysize * 2 }}
+    -keyout {{ pki_root_dir }}/etc/ssl/root/{{ item.name }}-key-1.pem
+    -out {{ pki_root_dir }}/etc/ssl/root/{{ item.name }}-cert-1.pem
+    -sha256
+    -days {{ pki_realm_conf.validity * 2 }}
+    -subj '/C={{ pki_realm_conf.subj_c }}/ST={{ pki_realm_conf.subj_st }}/L={{ pki_realm_conf.subj_l }}/O={{ pki_realm_conf.subj_o }}/OU={{ pki_realm_conf.subj_ou }}/CN={{ item.cn }}'
+    -passout stdin
+  args:
+    creates:  "{{ pki_root_dir }}/etc/ssl/root/{{ item.name }}-cert-1.pem"
+    stdin: "{{ pki_secret }}"
+  with_items:
+    - name: signer
+      cn: "{{ pki_root_ca_cn }}"
+    - name: vault
+      cn: "{{ pki_vault_cn }}"
+    - name: scep
+      cn: "{{ pki_scep_cn }}"
+  register: pki_root_created
+  tags: pki
+
+- name: Check if the index file for the root CA exists
+  stat: path={{ pki_root_dir }}/etc/ssl/root/index.txt
+  register: pki_root_ca_index
+  tags: pki
+
+- name: Create the index file
+  file: path={{ pki_root_dir }}/etc/ssl/root/index.txt state=touch
+  when: not pki_root_ca_index.stat.exists
+  tags: pki
+
+- name: Create the serial file
+  shell: echo 1000 > {{ pki_root_dir }}/etc/ssl/root/serial
+  args:
+    creates: "{{ pki_root_dir }}/etc/ssl/root/serial"
+  tags: pki
+
+- name: Import the certificates in the global namespace of OpenXPKI DB
+  command: >
+    {{ pki_root_dir }}/bin/openxpkiadm certificate import
+    --file {{ pki_root_dir }}/etc/ssl/root/{{ item.item.name }}-cert-1.pem
+    --config={{ pki_root_dir }}/etc/config.d/
+  environment:
+    - PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+  with_items: "{{ pki_root_created.results }}"
+  #no_log: True
+  when: item.changed
+  tags: pki
+
+  # Vault and SCEP certificates are global, so just link them from the root dir in every realm dir
+- name: Link vault and SCEP keys from the root to the realms
+  file: src=../root/{{ item.1 }}-key-1.pem dest={{ pki_root_dir }}/etc/ssl/{{ item.0.name }}/{{ item.1 }}-key-1.pem state=link
+  with_nested:
+    - "{{ pki_realms }}"
+    - [vault,scep]
+  tags: pki
+
+  # For each realm, we create only the signer CA. Vault and SCEP will use the global ones
+- name: Create issuing CA's private keys
+  command: >
+    openssl genrsa
+    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-key-1.pem
+    -aes256
+    -passout stdin
+    {{ item.keysize }}
+  args:
+    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-key-1.pem"
+    stdin: "{{ pki_secret }}"
+  with_items: "{{ pki_realms }}"
+  #no_log: True
+  tags: pki
+
+- name: Create issuing CA's CSR
+  command: >
+    openssl req
+    -config {{ pki_root_dir }}/etc/openssl.cnf
+    -new
+    -sha256
+    -key {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-key-1.pem
+    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem
+    -subj '/C={{ item.subj_c | default(pki_realm_conf.subj_c) }}/ST={{ item.subj_st | default(pki_realm_conf.subj_st) }}/L={{ item.subj_l | default(pki_realm_conf.subj_l) }}/O={{ item.subj_o | default(pki_realm_conf.subj_o) }}/OU={{ item.subj_ou | default(pki_realm_conf.subj_ou) }}/CN={{ item.name }}'
+    -extensions v3_intermediate_ca
+    -passin stdin
+  args:
+    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem"
+    stdin: "{{ pki_secret }}"
+  with_items: "{{ pki_realms }}"
+  #no_log: True
+  tags: pki
+
+  # Now we create issuing CA. First, iterate over those who do not have a parent defined. Which means they are a child of the root CA
+- name: Sign intermediate CA with the Root CA
+  command: >
+    openssl ca
+    -config {{ pki_root_dir }}/etc/openssl.cnf
+    -keyfile {{ pki_root_dir }}/etc/ssl/root/signer-key-1.pem
+    -cert {{ pki_root_dir }}/etc/ssl/root/signer-cert-1.pem
+    -in {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem
+    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem
+    -passin stdin
+    -extensions v3_intermediate_ca
+    -days {{ item.validity | default('3650') }}
+    -notext
+    -batch
+  args:
+    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem"
+    stdin: "{{ pki_secret }}"
+  when: item.parent is not defined
+  register: pki_ca_issuing_created
+  with_items: "{{ pki_realms }}"
+  #no_log: True
+  tags: pki
+
+- name: Import certificates for CA signed by the Root CA in OpenXPKI DB
+  command: >
+    {{ pki_root_dir }}/bin/openxpkiadm certificate import
+    --file {{ pki_root_dir }}/etc/ssl/{{ item.item.name }}/signer-cert-1.pem
+    --realm {{ item.item.name }}
+    --token certsign
+    --config={{ pki_root_dir }}/etc/config.d/
+  when: item.changed
+  with_items: "{{ pki_ca_issuing_created.results }}"
+  environment:
+    - PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+  #no_log: True
+  tags: pki
+
+  # And now the same with intermediate CA
+- name: Sign intermediate CA with their parent CA
+  command: >
+    openssl ca
+    -config {{ pki_root_dir }}/etc/openssl.cnf
+    -keyfile {{ pki_root_dir }}/etc/ssl/{{ item.parent }}/signer-key-1.pem
+    -cert {{ pki_root_dir }}/etc/ssl/{{ item.parent }}/signer-cert-1.pem
+    -in {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-csr-1.pem
+    -out {{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem
+    -passin stdin
+    -extensions v3_intermediate_ca
+    -days {{ item.validity | default('3650') }}
+    -notext
+    -batch
+  args:
+    creates: "{{ pki_root_dir }}/etc/ssl/{{ item.name }}/signer-cert-1.pem"
+    stdin: "{{ pki_secret }}"
+  when: item.parent is defined
+  register: pki_ca_intermediate_created
+  with_items: "{{ pki_realms }}"
+  tags: pki
+
+  # Once added in the DB, each certs gets an ID. We need to get this ID for
+  # the two global certs (vault and scep) so we can create an alias for each realm
+- name: Get ID of the global vault certificate
+  command: >
+    {{ pki_root_dir }}/bin/openxpkiadm certificate id
+    --file {{ pki_root_dir }}/etc/ssl/root/vault-cert-1.pem
+    --config={{ pki_root_dir }}/etc/config.d/
+  environment:
+    - PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+  register: pki_global_vault_id
+  changed_when: False
+  tags: pki
+
+- name: Get ID of the global scep certificate
+  command: >
+    {{ pki_root_dir }}/bin/openxpkiadm certificate id
+    --file {{ pki_root_dir }}/etc/ssl/root/scep-cert-1.pem
+    --config={{ pki_root_dir }}/etc/config.d/
+  environment:
+    - PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+  register: pki_global_scep_id
+  changed_when: False
+  tags: pki
+
+- name: Create an alias for the vault
+  command: >
+    {{ pki_root_dir }}/bin/openxpkiadm alias --realm {{ item.item.name }}
+    --token datasafe --identifier {{ pki_global_vault_id.stdout }}
+    --config {{ pki_root_dir }}/etc/config.d/
+  environment:
+    - PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+  with_items: "{{ pki_ca_issuing_created.results + pki_ca_intermediate_created.results }}"
+  when: item.changed
+  tags: pki
+
+- name: Create an alias for the scep certificate
+  command: >
+    {{ pki_root_dir }}/bin/openxpkiadm alias --realm {{ item.item.name }}
+    --token scep --identifier {{ pki_global_scep_id.stdout }}
+    --config {{ pki_root_dir }}/etc/config.d/
+  environment:
+    - PERL5LIB: "{{ pki_root_dir }}/lib/perl5"
+  with_items: "{{ pki_ca_issuing_created.results + pki_ca_intermediate_created.results }}"
+  #no_log: True
+  when: item.changed
+  tags: pki
+
+- name: Deploy permission script
+  template: src=perms.sh.j2 dest={{ pki_root_dir }}/bin/perms.sh mode=755
+  tags: pki
+
+- name: Fix permissions on key files
+  command: "{{ pki_root_dir }}/bin/perms.sh }}"
+  changed_when: False
+  tags: pki

roles/openxpki/tasks/selinux.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Set correct SELinux labels
+  sefcontext:
+    target: "{{ pki_root_dir }}/{{ item.path }}(/.*)?"
+    setype: "{{ item.type }}"
+    state: present
+  loop:
+    - path: run
+      type: httpd_var_run_t
+    - path: web/cgi-bin
+      type: httpd_sys_script_exec_t
+    - path: web/htdocs
+      type: httpd_sys_content_t
+    - path: data
+      type: httpd_sys_content_t
+  tags: pki
+
+- name: Restore SElinux contexts
+  command: restorecon -R {{ pki_root_dir }}
+  changed_when: False
+  tags: pki
+
+- name: Copy SElinux policy file
+  copy: src=openxpki.te dest=/etc/selinux/targeted/local/
+  register: pki_selinux_policy
+  tags: pki
+
+- name: Add local policy
+  shell: |
+    cd /etc/selinux/targeted/local/
+    checkmodule -M -m -o openxpki.mod openxpki.te
+    semodule_package -o openxpki.pp -m openxpki.mod
+    semodule -i /etc/selinux/targeted/local/openxpki.pp
+  when: pki_selinux_policy.changed
+  tags: pki
+

roles/openxpki/tasks/service.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Start and enable the daemon
+  service: name=openxpki state=started enabled=True
+  register: pki_started
+  tags: pki
+

roles/openxpki/tasks/user.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Create openxpki system user
+  user:
+    name: "{{ pki_user }}"
+    system: True
+    shell: /sbin/nologin
+    home: "{{ pki_root_dir }}"
+  tags: pki
+

roles/openxpki/tasks/write_version.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Write version
+  copy: content={{ pki_version }} dest={{ pki_root_dir }}/meta/ansible_version
+  tags: pki
+