Update to 2021-12-01 19:13

This commit is contained in:
Daniel Berteaud
2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions


@@ -0,0 +1,8 @@
#!/bin/sh
export PERL5LIB={{ pki_root_dir }}/lib/perl5
export OPENXPKI_CONF_PATH={{ pki_root_dir }}/etc/config.d
{% for realm in pki_realms %}
{{ pki_root_dir }}/bin/openxpkicmd --socketfile={{ pki_root_dir }}/run/openxpki.socket --realm {{ realm.name }} crl_issuance
{{ pki_root_dir }}/bin/openxpkicmd --socketfile={{ pki_root_dir }}/run/openxpki.socket --realm {{ realm.name }} ca_publish
{% endfor %}
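Review bot: The script's exit status is that of the last `openxpkicmd` call only, so a failed `crl_issuance` (or any failure for an earlier realm in the loop) is never reported to whatever scheduler runs this wrapper, and `ca_publish` still runs after it. Adding `set -e` on the line after the shebang makes the first failing command abort with a non-zero status; the same applies to the `notify_expiry` wrapper in the next section. If the intent is to keep going for the remaining realms instead, the loop body could record a failure status and `exit` with it at the end.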


@@ -0,0 +1,8 @@
#!/bin/sh
export PERL5LIB={{ pki_root_dir }}/lib/perl5
export OPENXPKI_CONF_PATH={{ pki_root_dir }}/etc/config.d
{% for realm in pki_realms %}
{{ pki_root_dir }}/bin/openxpkicmd --socketfile={{ pki_root_dir }}/run/openxpki.socket --realm {{ realm.name }} notify_expiry
{% endfor %}


@@ -0,0 +1,5 @@
#!/bin/sh
export PERL5LIB={{ pki_root_dir }}/lib/perl5
export OPENXPKI_CONF_PATH={{ pki_root_dir }}/etc/config.d
exec {{ pki_root_dir }}/bin/openxpkiadm "$@"


@@ -0,0 +1,5 @@
#!/bin/sh
export PERL5LIB={{ pki_root_dir }}/lib/perl5
export OPENXPKI_CONF_PATH={{ pki_root_dir }}/etc/config.d
exec {{ pki_root_dir }}/bin/openxpkicmd --socketfile={{ pki_root_dir }}/run/openxpki.socket "$@"


@@ -0,0 +1,22 @@
{% for map in item.0.auth.role_map | sort(attribute='priority') %}
LDAP Auth {{ map.role }}:
type: Command
label: LDAP Authentication {{ map.role }}
description: Authenticate {{ map.role }} against an LDAP server
role: {{ map.role }}
command: [ '{{ pki_root_dir }}/bin/openxpki-auth-ldap', '-H', '{{ item.0.auth.ldap_uri }}', '-b', '{{ item.0.auth.ldap_base }}', '{{ item.0.auth.ldap_start_tls | ternary('--starttls','') }}', '-U', 'LOGIN', '-P', 'PASSWD', '--extra-filter={{ map.filter }}', '--user-attr={{ item.0.auth.ldap_user_attr }}'{% if item.0.auth.ldap_bind_dn is defined and item.0.auth.ldap_bind_pass is defined %}, '-D', 'BIND_DN', '-W', 'BIND_PASS'{% endif %} ]
env:
PERL5LIB: {{ pki_root_dir }}/lib/perl5
LOGIN: "[% username %]"
PASSWD: "[% password %]"
{% if item.0.auth.ldap_bind_dn is defined and item.0.auth.ldap_bind_pass is defined %}
BIND_DN: {{ item.0.auth.ldap_bind_dn }}
BIND_PASS: '{{ item.0.auth.ldap_bind_pass }}'
{% endif %}
{% endfor %}
System:
type: Anonymous
label: System
role: System
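Review bot: When `ldap_start_tls` is false, the `ternary('--starttls','')` element on the `command:` line still emits an empty string `''` as an argv entry, which `openxpki-auth-ldap` receives as a stray positional parameter; replacing that element with `{% if item.0.auth.ldap_start_tls %}, '--starttls'{% endif %}` keeps the argument list clean. The `BIND_PASS: '{{ item.0.auth.ldap_bind_pass }}'` line single-quotes the bind password without escaping, so a password containing `'` renders invalid YAML and the whole auth handler fails to load; the database config in this commit handles the same case with `regex_replace("'","''")`, and the same gap exists for `value: '{{ pki_secret }}'` in the realm crypto token section. Indentation of the `env:` block cannot be judged from the rendered view.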


@@ -0,0 +1,9 @@
User:
description: I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_USER
handler:
{% for map in item.0.auth.role_map | sort(attribute='priority') %}
- LDAP Auth {{ map.role }}
{% endfor %}
_System:
handler: System


@@ -0,0 +1,37 @@
type:
certsign: signer-key
datasafe: vault-key
scep: scep-key
token:
default:
backend: OpenXPKI::Crypto::Backend::OpenSSL
key: {{ pki_root_dir }}/etc/ssl/[% PKI_REALM %]/[% ALIAS %].pem
engine: OpenSSL
engine_section: ''
engine_usage: ''
key_store: OPENXPKI
shell: /usr/bin/openssl
wrapper: ''
randfile: {{ pki_root_dir }}/data/rand
secret: default
signer-key:
inherit: default
vault-key:
inherit: default
scep-key:
inherit: default
backend: OpenXPKI::Crypto::Tool::SCEP
shell: /usr/bin/openca-scep
secret:
default:
label: Default secret group of this realm
export: 0
method: literal
value: '{{ pki_secret }}'
cache: daemon


@@ -0,0 +1,5 @@
backend: Local
api:
use_revocation_id: 1


@@ -0,0 +1,118 @@
backend:
class: OpenXPKI::Server::Notification::SMTP
host: localhost
port: 25
debug: 0
use_html: 1
# No SMIME for now
default:
to: "[% cert_info.requestor_email %]"
from: no-reply@{{ ansible_domain }}
reply: {{ item.0.notif.admin_email }}
cc: {{ item.0.notif.admin_email }}
prefix: PKI [% meta_wf_id %]
images:
banner: head.png
# template settings
template:
dir: {{ pki_root_dir }}/etc/notification/email/
message:
testmail:
default:
template: testmail
subject: SMTP Notification Test
to: "[% data.rcpt %]"
from: no-reply@{{ ansible_domain }}
reply: ''
cc: ''
prefix: ''
csr_created:
default:
template: csr_created_user
subject: CSR for [% cert_subject %]
raop:
template: csr_created_raop
to: {{ item.0.notif.admin_email }}
cc: ''
reply: "[% cert_info.requestor_email %]"
subject: CSR for [% cert_subject %]
csr_rejected:
default:
template: csr_rejected
subject: CSR rejected for [% cert_subject %]
cert_issued:
default:
template: cert_issued
subject: certificate issued for [% cert_subject %]
cert_expiry:
default:
to: {{ item.0.notif.admin_email }}
{% if item.0.notif.expiry_send_requestor %}
cc: "[% data.notify_to %]
{% endif %}
template: cert_expiry
subject: Certificate Expiry Warning
scpu_notify:
default:
template: scpu_notify_user
subject: Smartcard Enrollment Verification Notice
to: "[% data.requestor_mail %]"
auth1:
template: scpu_notify_authcontact
to: "[% data.auth1_mail %]"
reply: "[% data.requestor_mail %]"
subject: Smartcard Enrollment Verification Request for [% data.requestor_name %]
auth2:
template: scpu_notify_authcontact
to: "[% data.auth2_mail %]"
reply: "[% data.requestor_mail %]"
subject: Smartcard Enrollment Verification Request for [% data.requestor_name %]
# notifies for the scep server
scep_auth_denied:
requestor:
template: scep_auth_denied
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request REJECTED - [% cert_subject %]
scep_approval_pending:
requestor:
template: scep_approval_pending_requestor
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request PENDING - [% cert_subject %]
raop:
template: scep_approval_pending_raop
to: reg-office@mycompany.local
cc: ''
subject: SCEP request PENDING - [% cert_subject %]
scep_approval_rejected:
requestor:
template: scep_approval_rejected
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request REJECTED - [% cert_subject %]
scep_cert_issued:
requestor:
template: scep_cert_issued
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request ISSUED - [% cert_subject %]
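Review bot: The `cc: "[% data.notify_to %]` line inside the `cert_expiry` block is missing its closing double quote, so whenever `expiry_send_requestor` is set the rendered file is not valid YAML and the SMTP notification backend fails to load; it should read `cc: "[% data.notify_to %]"`. Separately, `scep_approval_pending.raop` sends to the hard-coded upstream example address `reg-office@mycompany.local` while every other RA-operator message in this file uses `{{ item.0.notif.admin_email }}`, so pending SCEP approvals would be mailed to a non-existent recipient.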


@@ -0,0 +1,69 @@
key:
alg:
- rsa
- ec
- dsa
enc:
- aes256
generate: both
rsa:
key_length:
- 2048
- 4096
ec:
curve_name:
- prime256v1
- secp384r1
- secp521r1
dsa:
key_length:
- 2048
- 4096
validity:
notafter: +01
digest: sha256
increasing_serials: 1
randomized_serial_bytes: 8
publish:
- disk
extensions:
basic_constraints:
critical: 1
ca: 0
path_length: 0
subject_key_identifier:
critical: 0
hash: 1
authority_key_identifier:
critical: 0
keyid: 1
issuer: 0
issuer_alt_name:
critical: 0
copy: 0
crl_distribution_points:
critical: 0
uri:
- {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/crl
authority_info_access:
critical: 0
ca_issuers: {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/ca
ocsp: {{ pki_base_url }}
policy_identifier:
critical: 0
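Review bot: The `pki_base_url is search('/^')` test on the `crl_distribution_points` and `authority_info_access` lines can never match (`^` is a start-of-string anchor, so `/^` does not describe a trailing slash), which means the ternary always inserts `/` and a base URL that already ends in `/` yields `//pub/...` in the CDP and CA-issuers URIs baked into every certificate; the intended regex is `search('/$')`, and the pattern appears twice in this hunk. `ocsp: {{ pki_base_url }}` advertises the site root as the OCSP responder, which is only correct if a responder actually answers there; if it is a placeholder, a comment saying so would help.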


@@ -0,0 +1,52 @@
label: Signer
validity:
notafter: +0006
style:
00_user_basic_style:
label: signer
description: Application authenticity and deployment security
ui:
subject:
- username
- realname
- department
- email
info:
- comment
subject:
dn: CN=[% realname %]+UID=[% username %][% IF department %],DC=[% department %][% END %],{{ item.0.subj_suffix }}
san:
email: "[% email.lower %]"
metadata:
requestor: "[% realname %]"
email: "[% email %]"
department: "[% department %]"
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 1
key_encipherment: 1
data_encipherment: 0
key_agreement: 0
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
client_auth: 0
server_auth: 0
email_protection: 0
code_signing: 1
time_stamping: 1
ocsp_signing: 0
# MS Smartcard Logon
1.3.6.1.4.1.311.20.2.2: 0
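Review bot: The `extended_key_usage` block enables both `code_signing` and `time_stamping` in one critical extension; RFC 3161 section 2.3 requires a time-stamping authority certificate to carry `id-kp-timeStamping` as its only EKU, so certificates from this profile would be rejected by conforming timestamp verifiers while still being usable for code signing. If signers do not actually issue timestamps, `time_stamping: 0` is the simpler fix; otherwise a separate profile holding only that EKU is the conventional split. The six-month `notafter: +0006` also deserves a one-line comment on whether signatures are expected to remain verifiable after the certificate expires (which is precisely what a separate timestamp provides).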


@@ -0,0 +1,58 @@
# The name of the file equals the name of the profile
label: I18N_OPENXPKI_UI_PROFILE_TLS_CLIENT_LABEL
validity:
notafter: +01
style:
00_basic_style:
label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
ui:
subject:
- hostname
- application_name
info:
- requestor_gname
- requestor_name
- requestor_email
- requestor_affiliation
- comment
subject:
dn: CN=[% hostname %]:[% application_name %],{{ item.0.subj_suffix }}
metadata:
requestor: "[% requestor_gname %] [% requestor_name %]"
email: "[% requestor_email %]"
entity: "[% hostname FILTER lower %]"
enroll:
subject:
dn: CN=[% CN.0 %],{{ item.0.subj_suffix }}
# Profile extensions - set 0/1 as needed
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 0
key_encipherment: 0
data_encipherment: 0
key_agreement: 0
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
client_auth: 1
server_auth: 0
email_protection: 0
code_signing: 0
time_stamping: 0
ocsp_signing: 0


@@ -0,0 +1,123 @@
# The name of the file equals the name of the profile
label: I18N_OPENXPKI_UI_PROFILE_TLS_SERVER_LABEL
validity:
notafter: +0006
style:
00_basic_style:
label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
ui:
subject:
- hostname
- hostname2
- port
info:
- requestor_gname
- requestor_name
- requestor_email
- requestor_affiliation
- comment
subject:
dn: CN=[% hostname.lower %][% IF port AND port != 443 %]:[% port %][% END %],{{ item.0.subj_suffix }}
san:
DNS:
- "[% hostname.lower %]"
- "[% FOREACH entry = hostname2 %][% entry.lower %] | [% END %]"
metadata:
requestor: "[% requestor_gname %] [% requestor_name %]"
email: "[% requestor_email %]"
entity: "[% hostname FILTER lower %]"
05_advanced_style:
label: I18N_OPENXPKI_UI_PROFILE_ADVANCED_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_ADVANCED_STYLE_DESC
ui:
subject:
- cn
- o
- ou
- dc
- c
san:
- san_ipv4
- san_dns
info:
- requestor_gname
- requestor_name
- requestor_email
- requestor_affiliation
- comment
subject:
dn: CN=[% CN %][% IF OU %][% FOREACH entry = OU %],OU=[% entry %][% END %][% END %][% IF O %],O=[% O %][% END %][% FOREACH entry = DC %],DC=[% entry %][% END %][% IF C %],C=[% C %][% END %]
# no san definitions here as items from ui.san are directly written to the SAN
enroll:
subject:
dn: CN=[% CN.0 %],{{ item.0.subj_suffix }}
san:
dns: "[% FOREACH entry = SAN_DNS %][% entry.lower %] | [% END %]"
metadata:
system_id: "[% data.cust_id %]"
server_id: "[% data.server_id %]"
entity: "[% CN.0 FILTER lower %]"
# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 0
key_encipherment: 1
data_encipherment: 0
key_agreement: 1
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
# these are OIDs, some OIDs are known and have names
client_auth: 0
server_auth: 1
email_protection: 0
code_signing: 0
time_stamping: 0
ocsp_signing: 0
# This is really outdated and should not be used unless really necessary
netscape:
comment:
critical: 0
text: This is a generic certificate. Generated with OpenXPKI trustcenter software.
certificate_type:
critical: 0
ssl_client: 0
smime_client: 0
object_signing: 0
ssl_client_ca: 0
smime_client_ca: 0
object_signing_ca: 0
cdp:
critical: 0
uri: http://localhost/cacrl.crt
ca_uri: http://localhost/cacrl.crt
# end of netscape section
# end of extensions
# Define the input fields you used below here
#template:
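Review bot: The `netscape.cdp` entries still carry the upstream example values `http://localhost/cacrl.crt` for both `uri` and `ca_uri`, while the real CRL location is templated from `pki_base_url` in the default profile, so server certificates from this profile would embed a CRL pointer to localhost if the netscape section is emitted. Since the comment above it already calls the section outdated, dropping the `netscape:` block (or at least its `cdp:` subsection) is simpler than templating it. The `hostname2`/`SAN_DNS` FOREACH joins leave a trailing ` | `, which matches the upstream OpenXPKI profile and is presumably tolerated by the SAN parser — worth confirming with a test issuance that uses a single hostname.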


@@ -0,0 +1,61 @@
# The name of the file equals the name of the profile
label: I18N_OPENXPKI_UI_PROFILE_USER_LABEL
validity:
notafter: +0006
style:
00_user_basic_style:
label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
ui:
subject:
- username
- realname
- department
- email
info:
- comment
subject:
dn: CN=[% realname %]+UID=[% username %][% IF department %],DC=[% department %][% END %],{{ item.0.subj_suffix }}
san:
email: "[% email.lower %]"
metadata:
requestor: "[% realname %]"
email: "[% email %]"
department: "[% department %]"
# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 1
key_encipherment: 1
data_encipherment: 0
key_agreement: 0
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
client_auth: 1
server_auth: 0
email_protection: 1
code_signing: 0
time_stamping: 0
ocsp_signing: 0
# MS Smartcard Logon
1.3.6.1.4.1.311.20.2.2: 1
# Define the input fields you used below here or in template.yaml
#template:


@@ -0,0 +1,28 @@
entity:
disk@: connector:publishing.connectors.local
crl:
crl@: connector:publishing.connectors.cdp
cacert:
disk@: connector:publishing.connectors.cacert
connectors:
local:
class: Connector::Builtin::File::Path
LOCATION: {{ pki_root_dir }}/data/{{ item.0.name }}
file: "[% ARGS.0 %].crt"
content: "[% pem %]"
cdp:
class: Connector::Builtin::File::Path
LOCATION: {{ pki_root_dir }}/data/{{ item.0.name }}
file: "crl.pem"
content: "[% pem %]"
cacert:
class: Connector::Builtin::File::Path
LOCATION: {{ pki_root_dir }}/data/{{ item.0.name }}
file: "ca.pem"
content: "[% pem %]"


@@ -0,0 +1,60 @@
renewal:
notbefore: 000014
notafter: 0
revoke_on_replace:
reason_code: keyCompromise
delay_revocation_time: +000014
workflow:
type: certificate_enroll
param:
transaction_id: transaction_id
signer_cert: signer_cert
pkcs10: pkcs10
_url_params: url_params
key_size:
rsaEncryption: 1020-4096
hash_type:
- sha1
- sha256
- sha512
authorized_signer:
rule1:
subject: CN=.+:scepclient,.*
rule2:
subject: CN=.+:pkiclient,.*
policy:
allow_man_authen: 1
allow_anon_enroll: 0
allow_man_approv: 1
allow_eligibility_recheck: 0
approval_points: 1
max_active_certs: 1
allow_expired_signer: 0
auto_revoke_existing_certs: 1
allow_replace: 1
response:
getcacert_strip_root: 1
profile:
cert_profile: {{ item.0.scep.profile }}
cert_subject_style: enroll
profile_map:
pc-client: I18N_OPENXPKI_PROFILE_USER_AUTHENTICATION
hmac: "{{ item.0.scep.hmac | default(pki_scep_hmac) }}"
challenge:
value: "{{ item.0.scep.challenge | default(pki_scep_challenge) }}"
eligible:
renewal:
value: 1
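Review bot: `hash_type` accepts `sha1` for SCEP requests, and the per-realm SCEP endpoint configuration later in this commit sets `encryption_algorithm=3DES`; both are legacy algorithms that only old enrolment clients still need, so unless such clients are expected it would be safer to drop `sha1` from the list and prefer an AES variant for response encryption where the endpoint supports it, or add a comment explaining why they are kept. The `key_size` lower bound of `1020` looks like the upstream default that tolerates 1024-bit keys whose leading bits are zero; a comment saying so would stop the next reader treating it as a typo.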


@@ -0,0 +1,22 @@
class: OpenXPKI::Server::Workflow::Validator::PasswordQuality
arg:
- $_password
param:
checks:
- length
{% if item.0.passwd_quality is string %}
{% if item.0.passwd_quality == 'none' %}
minlen: 1
maxlen: 64
{% elif item.0.passwd_quality == 'normal' %}
- entropy
min_entropy: 20
minlen: 6
maxlen: 64
{% elif item.0.passwd_quality == 'strong' %}
- entropy
min_entropy: 60
minlen: 10
maxlen: 64
{% endif %}
{% endif %}


@@ -0,0 +1,23 @@
tokenapi:
certsign: OpenXPKI::Crypto::Backend::API
crlsign: OpenXPKI::Crypto::Backend::API
datasafe: OpenXPKI::Crypto::Backend::API
scep: OpenXPKI::Crypto::Tool::LibSCEP::API
token:
default:
backend: OpenXPKI::Crypto::Backend::OpenSSL
api: OpenXPKI::Crypto::Backend::API
engine: OpenSSL
key_store: OPENXPKI
shell: /usr/bin/openssl
wrapper: ''
randfile: {{ pki_root_dir }}/data/rand
javaks:
backend: OpenXPKI::Crypto::Tool::CreateJavaKeystore
api: OpenXPKI::Crypto::Tool::CreateJavaKeystore::API
engine: OpenSSL
key_store: OPENXPKI
shell: /usr/bin/keytool
randfile: {{ pki_root_dir }}/data/rand


@@ -0,0 +1,8 @@
main:
debug: 0
type: MySQL
name: '{{ pki_db_name }}'
host: '{{ pki_db_server }}'
port: '{{ pki_db_port }}'
user: '{{ pki_db_user }}'
passwd: '{{ pki_db_pass | regex_replace("'","''") }}'


@@ -0,0 +1,6 @@
{% for realm in pki_realms %}
{{ realm.name }}:
label: {{ realm.description | default(realm.name) }}
baseurl: {{ realm.url | default(pki_base_url) }}
{% endfor %}


@@ -0,0 +1,37 @@
name: main
log4perl: {{ pki_root_dir }}/etc/log.conf
user: {{ pki_user }}
group: apache
socket_file: {{ pki_root_dir }}/run/openxpki.socket
pid_file: {{ pki_root_dir }}/run/openxpkid.pid
stderr: /dev/stdout
tmpdir: {{ pki_root_dir }}/tmp
environment:
PERL5LIB: {{ pki_root_dir }}/lib/perl5
OPENXPKI_CONF_PATH: {{ pki_root_dir }}/etc/config.d
session:
type: Database
table: frontend_session
transport:
Simple: 1
service:
Default:
enabled: 1
idle_timeout: 120
LibSCEP:
enabled: 1
# settings for i18n
i18n:
locale_directory: {{ pki_root_dir }}/locale
default_language: C
prefork:
min_servers: 5
min_spare_servers: 5
max_servers: 25
max_spare_servers: 10
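Review bot: `group: apache` is hard-coded while `user:` comes from `{{ pki_user }}`; the group is what lets the FastCGI frontend reach `socket_file`, and on Debian-family hosts the web server group is `www-data`, so the socket would be unreachable there without this being obvious from the error. A templated variable with `apache` as its default, or a comment stating the EL-only assumption, would make the coupling explicit.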


@@ -0,0 +1,15 @@
max_fork_redo: 5
max_exception_threshhold: 10
interval_sleep_exception: 60
max_tries_hanging_workflows: 3
interval_wait_initial: 10
interval_loop_idle: 5
interval_loop_run: 1
interval_sleep_overload: 15
interval_session_purge: 300
# You should not change this unless you know what you are doing
max_instance_count: 1
disabled: 0


@@ -0,0 +1,59 @@
{% if pki_web_alias == '/' %}
{% set pki_web_alias='' %}
{% endif %}
{% for realm in pki_realms %}
{% if realm.scep | default(True) %}
ScriptAlias {{ pki_web_alias }}/scep/{{ realm.name }} {{ pki_root_dir }}/web/cgi-bin/scep_{{ realm.name }}.fcgi
{% endif %}
Alias {{ pki_web_alias }}/pub/{{ realm.name }}/crl {{ pki_root_dir }}/data/{{ realm.name }}/crl.pem
Alias {{ pki_web_alias }}/pub/{{ realm.name }}/ca {{ pki_root_dir }}/data/{{ realm.name }}/ca.pem
{% endfor %}
#ScriptAlias {{ pki_web_alias }}/soap {{ pki_root_dir }}/web/cgi-bin/soap.fcgi
#ScriptAlias {{ pki_web_alias }}/rpc {{ pki_root_dir }}/web/cgi-bin/rpc.fcgi
#ScriptAlias /.well-known/est {{ pki_root_dir }}/web/cgi-bin/est.fcgi
ScriptAlias {{ pki_web_alias }}/cgi-bin/webui.fcgi {{ pki_root_dir }}/web/cgi-bin/webui.fcgi
ScriptAlias {{ pki_web_alias }}/cgi-bin/download.fcgi {{ pki_root_dir }}/web/cgi-bin/download.fcgi
Alias {{ pki_web_alias }}/ {{ pki_root_dir }}/web/htdocs/
FcgidInitialEnv PERL5LIB {{ pki_root_dir }}/lib/perl5
FcgidInitialEnv OPENXPKI_CLIENT_CONF_DIR {{ pki_root_dir }}/etc/
FcgidInitialEnv OPENXPKI_CONF_PATH {{ pki_root_dir }}/etc/config.d
FcgidInitialEnv OPENXPKI_SCEP_CLIENT_CONF_DIR {{ pki_root_dir }}/etc/scep/
FcgidInitialEnv OPENXPKI_WEBUI_CLIENT_CONF_FILE {{ pki_root_dir }}/etc/webui/default.conf
<LocationMatch {{ pki_web_alias }}/pub/\w+/crl>
Header set "Content-disposition" "attachment; filename=crl.pem"
</LocationMatch>
<LocationMatch {{ pki_web_alias }}/pub/\w+/ca>
Header set "Content-disposition" "attachment; filename=ca.crt"
</LocationMatch>
<Directory {{ pki_root_dir }}/data>
Options None
<FilesMatch "(.*\.pem)">
{% if pki_pub_src_ip | length > 0 and '0.0.0.0/0' not in pki_pub_src_ip and '0.0.0.0/0.0.0.0' not in pki_pub_src_ip %}
Require ip {{ pki_pub_src_ip | join(' ') }}
{% else %}
Require all granted
{% endif %}
</FilesMatch>
</Directory>
<Directory {{ pki_root_dir }}/web/htdocs>
AllowOverride FileInfo
Options FollowSymlinks
{% if pki_src_ip | length > 0 and '0.0.0.0/0' not in pki_src_ip and '0.0.0.0/0.0.0.0' not in pki_src_ip %}
Require ip {{ pki_src_ip | join(' ') }}
{% else %}
Require all granted
{% endif %}
</Directory>
<Directory {{ pki_root_dir }}/web/cgi-bin>
AllowOverride None
AddHandler fcgid-script .fcgi
Options +ExecCGI
{% if pki_src_ip | length > 0 and '0.0.0.0/0' not in pki_src_ip and '0.0.0.0/0.0.0.0' not in pki_src_ip %}
Require ip {{ pki_src_ip | join(' ') }}
{% else %}
Require all granted
{% endif %}
</Directory>
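Review bot: The `<Directory {{ pki_root_dir }}/web/cgi-bin>` block applies the `pki_src_ip` restriction to every FastCGI script in that directory, including the `scep_<realm>.fcgi` handlers aliased under `/scep/` a few lines above, whereas the published CRL and CA files use the separate `pki_pub_src_ip` list. If SCEP clients are meant to come from the wider range (the SCEP endpoint config in this commit defaults `iprange` to `0.0.0.0/0`), enrolment is silently blocked at the web server; a `<Files "scep_*.fcgi">` block inside that directory with its own `Require` would let the two ranges differ. The `<LocationMatch {{ pki_web_alias }}/pub/\w+/crl>` patterns interpolate the alias into a regex unescaped and unanchored, which is harmless for plain path prefixes but would be tidier with a leading `^`.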


@@ -0,0 +1,9 @@
window.Em.Application.initializer({
name: "oxi-localconfig",
initialize: function(container, application) {
var cc = application.ConfigController;
cc.reopen({
url: "cgi-bin/webui.fcgi"
});
}
});


@@ -0,0 +1,88 @@
## This is Log::Log4perl configuration.
##
## Please be careful if you change this and
## please always test all changes.
## The example configuration configures the log for all
## loggers/facilities.
# Catch-all root logger
log4perl.rootLogger = ERROR, CatchAll
# The workflow base logger -
log4perl.logger.Workflow = ERROR, Journal
## FACILITY: AUTH
# Anything related to logging into the system
log4perl.category.openxpki.auth = INFO, Journal
## FACILITY: AUDIT
# mainly usage and access of private key material or secrets
log4perl.category.openxpki.audit = INFO, AuditDBI, AuditFile
## FACILITY: SYSTEM
# internal system management like forking/ending process and usage of
# system components such as notification or crypto backend
# NEVER use the OpenXPKI::DBI logger as target for system, see #223
log4perl.category.openxpki.system = WARN, Journal
## FACILITY: WORKFLOW
# INTERNAL logger for the workflow engine, conditions evaluated, actions taken
# This must not be used by implementors, log your stuff to APPLICATION!
log4perl.category.openxpki.workflow = WARN, Journal
## FACILITY: APPLICATION
# info about the workflows, conditions evaluated, actions taken
log4perl.category.openxpki.application = INFO, ApplicationFile, ApplicationDBI
## FACILITY: DEPRECATED
# receives messages when deprecated code is called
# Errors and warnings should be handled immediatly,
# lower levels are mainly for development and debugging
log4perl.category.openxpki.deprecated = WARN, Deprecated
## FACILITY: Connector (outside OXI!)
# internal logging of the config layer, errors indicate missconfiguration
log4perl.category.connector = ERROR, Journal
## Appenders are the modules which do the real work. Different
## facilities/loggers can use the same appenders.
log4perl.filter.FilterIsWorkflow = Log::Log4perl::Filter::MDC
log4perl.filter.FilterIsWorkflow.KeyToMatch = wfid
log4perl.filter.FilterIsWorkflow.RegexToMatch = \d+
log4perl.appender.Journal = Log::Log4perl::Appender::Screen
log4perl.appender.Journal.layout = Log::Log4perl::Layout::SimpleLayout
log4perl.appender.Journal.utf8 = 1
log4perl.appender.CatchAll = Log::Log4perl::Appender::Screen
log4perl.appender.CatchAll.layout = Log::Log4perl::Layout::SimpleLayout
log4perl.appender.CatchAll.utf8 = 1
log4perl.appender.ApplicationDBI = OpenXPKI::Server::Log::Appender::Database
log4perl.appender.ApplicationDBI.Filter = FilterIsWorkflow
log4perl.appender.ApplicationDBI.layout = Log::Log4perl::Layout::PatternLayout
log4perl.appender.ApplicationDBI.layout.ConversionPattern = %m (%X{user})
log4perl.appender.ApplicationDBI.table = application_log
log4perl.appender.ApplicationDBI.microseconds = 1
log4perl.appender.ApplicationFile = Log::Log4perl::Appender::Screen
log4perl.appender.ApplicationFile.Filter = FilterIsWorkflow
log4perl.appender.ApplicationFile.layout = Log::Log4perl::Layout::PatternLayout
log4perl.appender.ApplicationFile.layout.ConversionPattern = %X{wfid} %m %n
log4perl.appender.ApplicationFile.utf8 = 1
log4perl.appender.AuditDBI = OpenXPKI::Server::Log::Appender::Audit
log4perl.appender.AuditDBI.layout = OpenXPKI::Server::Log::Layout::Audit
log4perl.appender.AuditDBI.warp_message = 0
log4perl.appender.AuditFile = Log::Log4perl::Appender::Screen
log4perl.appender.AuditFile.layout = OpenXPKI::Server::Log::Layout::Audit
log4perl.appender.AuditFile.layout.ConversionPattern = %c.%p %m [pid=%P|%i]%n
log4perl.appender.AuditFile.utf8 = 1
log4perl.appender.Deprecated = Log::Log4perl::Appender::Screen
log4perl.appender.Deprecated.layout = Log::Log4perl::Layout::SimpleLayout


@@ -0,0 +1 @@
{{ pki_email_footer_html }}


@@ -0,0 +1 @@
{{ pki_email_footer_txt }}


@@ -0,0 +1,97 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = {{ pki_root_dir }}/etc/ssl/root/
certs = $dir
crl_dir = $dir
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial
RANDFILE = {{ pki_root_dir }}/data/rand
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
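Review bot: The `[ req_distinguished_name ]` defaults (`countryName_default = GB`, `stateOrProvinceName_default = England`, `0.organizationName_default = Alice Ltd`) are the placeholder values from the widely copied OpenSSL CA walkthrough rather than templated variables, so an interactive `openssl req` against this file offers a fictitious organisation; if the root is generated non-interactively with `-subj` these lines are dead and could go, otherwise they should be templated. `default_bits = 2048` also fixes the root key size, and for a long-lived offline root `4096` is the usual choice. `dir = {{ pki_root_dir }}/etc/ssl/root/` keeps a trailing slash, so the derived `$dir/index.txt` paths contain `//` — harmless, but untidy.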


@@ -0,0 +1,23 @@
[Unit]
Description=OpenXPKI Trustcenter Backend
After=network.target
[Service]
Type=forking
Environment=PERL5LIB={{ pki_root_dir }}/lib/perl5
ExecStart={{ pki_root_dir }}/bin/openxpkictl --config={{ pki_root_dir }}/etc/config.d/ start
ExecStop={{ pki_root_dir }}/bin/openxpkictl --config={{ pki_root_dir }}/etc/config.d/ stop
ExecReload={{ pki_root_dir }}/bin/openxpkictl --config={{ pki_root_dir }}/etc/config.d/ reload
KillMode=process
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
MemoryLimit=1024M
Restart=on-failure
StartLimitInterval=0
RestartSec=20
[Install]
WantedBy=multi-user.target
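Review bot: `MemoryLimit=` is a deprecated alias that systemd documents as replaced by `MemoryMax=`, and `StartLimitInterval=` in `[Service]` is the legacy spelling of the `[Unit]` option `StartLimitIntervalSec=`; both still work but current releases warn about them, so `MemoryMax=1024M` here and `StartLimitIntervalSec=0` under `[Unit]` are the current forms. The unit has no `User=`, so the daemon starts as root and relies on the `user:`/`group:` settings in the server config to drop privileges — a one-line comment stating that would stop the next reader adding `User=` and breaking socket ownership. With `ProtectSystem=full` the service can still write anywhere outside `/usr`, `/boot` and `/etc`; `ProtectSystem=strict` plus `ReadWritePaths={{ pki_root_dir }}` would confine it to its own tree, assuming `pki_root_dir` does not live under `/etc`.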


@@ -0,0 +1,8 @@
#!/bin/bash
chown -R {{ pki_user }}:{{ pki_user }} {{ pki_root_dir }}/etc/ssl
chmod 700 {{ pki_root_dir }}/etc/ssl
# The root key is not used by OpenXPKI itself, protect it
chown root:root {{ pki_root_dir }}/etc/ssl/root/signer-key-1.pem
# Restrict access to the different keys
chmod 600 {{ pki_root_dir }}/etc/ssl/*/*key*.pem
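Review bot: The `chown root:root` line hard-codes `signer-key-1.pem`, so after a root key rollover the new key file stays owned by `{{ pki_user }}` and nothing reports it, because the script has no `set -e` and only the final `chmod`'s status is returned; `chown root:root {{ pki_root_dir }}/etc/ssl/root/*key*.pem` together with `set -e` after the shebang covers both. `chmod 700` is applied to `etc/ssl` but not to the `root/` and per-realm subdirectories, so their listing permissions depend on whatever created them. The script also leaves `{{ pki_root_dir }}/etc/config.d` untouched even though the templated files there carry the database password, the realm `pki_secret` and the SCEP challenge, so that directory deserves the same treatment.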


@@ -0,0 +1,3 @@
#!/bin/sh
rm -f {{ pki_root_dir }}/backup/*


@@ -0,0 +1,12 @@
#!/bin/sh
set -eo pipefail
/usr/bin/mysqldump \
{% if pki_db_server not in [ '127.0.0.1', 'localhost' ] %}
--user={{ pki_db_user }} \
--password={{ pki_db_pass | quote }} \
--host={{ pki_db_server }} \
{% endif %}
--quick --single-transaction \
--add-drop-table {{ pki_db_name }} | zstd -c > {{ pki_root_dir }}/backup/{{ pki_db_name }}.sql.zst
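Review bot: `set -eo pipefail` under `#!/bin/sh` is not portable: dash (Debian's `/bin/sh`) rejects `-o pipefail` and the script aborts before `mysqldump` runs, so the shebang should be `#!/bin/bash` to match the option set, as the permissions script in this commit already does. Passing `--password={{ pki_db_pass | quote }}` on the command line exposes the database password in the process list to every local user for the duration of the dump; the recommended alternative is a mode-0600 option file referenced with `--defaults-extra-file=<path-to-option-file-with-a-[client]-password-entry>`, or failing that `MYSQL_PWD` in the environment. Because the `>` redirection truncates the target before `mysqldump` produces anything, a failing dump leaves a partial archive in place; writing to a temporary name and renaming on success would keep the previous backup intact, though the cleanup script in this commit removes it beforehand anyway.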


@@ -0,0 +1,10 @@
[global]
log_config = {{ pki_root_dir }}/etc/scep/log.conf
log_facility = client.scep
service=SCEP
socket={{ pki_root_dir }}/run/openxpki.socket
realm={{ item.name }}
iprange={{ item.scep.iprange | default('0.0.0.0/0') }}
servername=scep-server
encryption_algorithm=3DES
hash_algorithm=SHA256


@@ -0,0 +1,5 @@
log4perl.category.client.scep = DEBUG, Logfile
log4perl.appender.Logfile = Log::Log4perl::Appender::Screen
log4perl.appender.Logfile.layout = Log::Log4perl::Layout::PatternLayout
log4perl.appender.Logfile.layout.ConversionPattern = scep
log4perl.appender.Logfile.utf8 = 1
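Review bot: `ConversionPattern = scep` contains no `%m`, so every line the DEBUG-level `client.scep` logger emits is the literal word `scep` with the actual message discarded; the webui log config in this commit uses `OpenXPKI-WebUI %m`, and the equivalent here is `log4perl.appender.Logfile.layout.ConversionPattern = scep %m`. Once the message is restored, `DEBUG` on the SCEP client will be verbose in the journal and may include request details, so `INFO` is a safer default after the setup is known to work.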


@@ -0,0 +1,24 @@
[global]
log_config = {{ pki_root_dir }}/etc/webui/log.conf
socket = {{ pki_root_dir }}/run/openxpki.socket
scripturl = {{ (pki_web_alias == '/') | ternary('',pki_web_alias) }}/cgi-bin/webui.fcgi
locale_directory = {{ pki_root_dir }}/locale
default_language = en_US
[session]
driver = driver:openxpki
timeout = +20m
cookey = {{ pki_secret_cookie }}
[session_driver]
DataSource = dbi:mysql:dbname={{ pki_db_name }};host={{ pki_db_server }};port={{ pki_db_port }}
User = {{ pki_db_session_user }}
Password = {{ pki_db_session_pass }}
EncryptKey = {{ pki_secret_cookie }}
LogIP = 1
[header]
Strict-Transport-Security = max-age=31536000;
X-Frame-Options = SAMEORIGIN;
X-XSS-Protection = 1; mode=block;
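Review bot: The `[header]` values end in a stray `;`, and for `X-Frame-Options = SAMEORIGIN;` that matters: the value must be exactly `DENY`, `SAMEORIGIN` or `ALLOW-FROM`, and browsers such as Chromium report `SAMEORIGIN;` as an unrecognised directive and ignore the header, so the clickjacking protection is silently lost; `X-Frame-Options = SAMEORIGIN` fixes it, and `X-XSS-Protection = 1; mode=block` can drop its trailing `;` as well (HSTS tolerates the empty trailing directive). `cookey` and `EncryptKey` both receive `pki_secret_cookie`, so one secret serves as the cookie key and the session-store encryption key; two separate variables, or a comment on why sharing is acceptable, would limit the blast radius if either use leaks it.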


@@ -0,0 +1,6 @@
log4perl.logger = INFO, Journal
log4perl.appender.Journal = Log::Log4perl::Appender::Screen
log4perl.appender.Journal.layout = Log::Log4perl::Layout::PatternLayout
log4perl.appender.Journal.layout.ConversionPattern = OpenXPKI-WebUI %m
log4perl.appender.Journal.utf8 = 1