Update to 2021-12-01 19:13

Daniel Berteaud
2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions


@@ -0,0 +1,22 @@
{% for map in item.0.auth.role_map | sort(attribute='priority') %}
LDAP Auth {{ map.role }}:
type: Command
label: LDAP Authentication {{ map.role }}
description: Authenticate {{ map.role }} against an LDAP server
role: {{ map.role }}
command: [ '{{ pki_root_dir }}/bin/openxpki-auth-ldap', '-H', '{{ item.0.auth.ldap_uri }}', '-b', '{{ item.0.auth.ldap_base }}', '{{ item.0.auth.ldap_start_tls | ternary('--starttls','') }}', '-U', 'LOGIN', '-P', 'PASSWD', '--extra-filter={{ map.filter }}', '--user-attr={{ item.0.auth.ldap_user_attr }}'{% if item.0.auth.ldap_bind_dn is defined and item.0.auth.ldap_bind_pass is defined %}, '-D', 'BIND_DN', '-W', 'BIND_PASS'{% endif %} ]
env:
PERL5LIB: {{ pki_root_dir }}/lib/perl5
LOGIN: "[% username %]"
PASSWD: "[% password %]"
{% if item.0.auth.ldap_bind_dn is defined and item.0.auth.ldap_bind_pass is defined %}
BIND_DN: {{ item.0.auth.ldap_bind_dn }}
BIND_PASS: '{{ item.0.auth.ldap_bind_pass }}'
{% endif %}
{% endfor %}
System:
type: Anonymous
label: System
role: System
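Review bot: When `ldap_start_tls` is false the command array still contains an empty-string element (the `''` branch of the ternary), which `openxpki-auth-ldap` receives as a stray positional argument and may reject or misparse; render the flag conditionally instead: `{% if item.0.auth.ldap_start_tls %}'--starttls', {% endif %}`. With STARTTLS off and a plain `ldap://` URI the user's password (handed over via the PASSWD env var) and the bind password travel in cleartext, so the role should require either `ldaps://` or `ldap_start_tls: true`; a comment such as `# WARNING: without --starttls or an ldaps:// URI, LOGIN/PASSWD and BIND_PASS are sent unencrypted` next to `command:` would make that visible. BIND_PASS is also written literally into this generated file, so the file mode must be restricted to the OpenXPKI service user. Passing credentials through `env:` rather than on the command line is the right choice and should be kept.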


@@ -0,0 +1,9 @@
User:
description: I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_USER
handler:
{% for map in item.0.auth.role_map | sort(attribute='priority') %}
- LDAP Auth {{ map.role }}
{% endfor %}
_System:
handler: System


@@ -0,0 +1,37 @@
type:
certsign: signer-key
datasafe: vault-key
scep: scep-key
token:
default:
backend: OpenXPKI::Crypto::Backend::OpenSSL
key: {{ pki_root_dir }}/etc/ssl/[% PKI_REALM %]/[% ALIAS %].pem
engine: OpenSSL
engine_section: ''
engine_usage: ''
key_store: OPENXPKI
shell: /usr/bin/openssl
wrapper: ''
randfile: {{ pki_root_dir }}/data/rand
secret: default
signer-key:
inherit: default
vault-key:
inherit: default
scep-key:
inherit: default
backend: OpenXPKI::Crypto::Tool::SCEP
shell: /usr/bin/openca-scep
secret:
default:
label: Default secret group of this realm
export: 0
method: literal
value: '{{ pki_secret }}'
cache: daemon
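Review bot: A single literal passphrase (`value: '{{ pki_secret }}'`) protects the signer, datasafe vault and SCEP keys alike, because all three tokens inherit `secret: default`, so disclosure of this one rendered file unlocks every private key of the realm. If the deployment can tolerate it, give at least the vault key its own secret group; in any case ensure the rendered file is owned by the OpenXPKI user with mode 0600. `export: 0` is correct and should stay; a comment `# realm-wide key passphrase in cleartext - file must not be world-readable` above `secret:` would document the sensitivity for the next maintainer.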


@@ -0,0 +1,5 @@
backend: Local
api:
use_revocation_id: 1


@@ -0,0 +1,118 @@
backend:
class: OpenXPKI::Server::Notification::SMTP
host: localhost
port: 25
debug: 0
use_html: 1
# No SMIME for now
default:
to: "[% cert_info.requestor_email %]"
from: no-reply@{{ ansible_domain }}
reply: {{ item.0.notif.admin_email }}
cc: {{ item.0.notif.admin_email }}
prefix: PKI [% meta_wf_id %]
images:
banner: head.png
# template settings
template:
dir: {{ pki_root_dir }}/etc/notification/email/
message:
testmail:
default:
template: testmail
subject: SMTP Notification Test
to: "[% data.rcpt %]"
from: no-reply@{{ ansible_domain }}
reply: ''
cc: ''
prefix: ''
csr_created:
default:
template: csr_created_user
subject: CSR for [% cert_subject %]
raop:
template: csr_created_raop
to: {{ item.0.notif.admin_email }}
cc: ''
reply: "[% cert_info.requestor_email %]"
subject: CSR for [% cert_subject %]
csr_rejected:
default:
template: csr_rejected
subject: CSR rejected for [% cert_subject %]
cert_issued:
default:
template: cert_issued
subject: certificate issued for [% cert_subject %]
cert_expiry:
default:
to: {{ item.0.notif.admin_email }}
{% if item.0.notif.expiry_send_requestor %}
cc: "[% data.notify_to %]
{% endif %}
template: cert_expiry
subject: Certificate Expiry Warning
scpu_notify:
default:
template: scpu_notify_user
subject: Smartcard Enrollment Verification Notice
to: "[% data.requestor_mail %]"
auth1:
template: scpu_notify_authcontact
to: "[% data.auth1_mail %]"
reply: "[% data.requestor_mail %]"
subject: Smartcard Enrollment Verification Request for [% data.requestor_name %]
auth2:
template: scpu_notify_authcontact
to: "[% data.auth2_mail %]"
reply: "[% data.requestor_mail %]"
subject: Smartcard Enrollment Verification Request for [% data.requestor_name %]
# notifies for the scep server
scep_auth_denied:
requestor:
template: scep_auth_denied
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request REJECTED - [% cert_subject %]
scep_approval_pending:
requestor:
template: scep_approval_pending_requestor
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request PENDING - [% cert_subject %]
raop:
template: scep_approval_pending_raop
to: reg-office@mycompany.local
cc: ''
subject: SCEP request PENDING - [% cert_subject %]
scep_approval_rejected:
requestor:
template: scep_approval_rejected
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request REJECTED - [% cert_subject %]
scep_cert_issued:
requestor:
template: scep_cert_issued
to: "[% data.notify_to %]"
cc: "[% data.notify_cc %]"
subject: SCEP request ISSUED - [% cert_subject %]
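Review bot: The `cc` under `cert_expiry` is missing its closing quote (`cc: "[% data.notify_to %]`), so whenever `expiry_send_requestor` is true the rendered YAML fails to parse and the whole notification backend is unusable; it should be `cc: "[% data.notify_to %]"`. Separately, `scep_approval_pending.raop` sends to the placeholder `reg-office@mycompany.local` while every other RA-operator message uses `{{ item.0.notif.admin_email }}`; pending SCEP approvals would silently go to a non-existent mailbox, so change it to `to: {{ item.0.notif.admin_email }}`. SMTP to `localhost:25` without authentication is fine only if the local MTA is the intended relay; worth a one-line comment stating that assumption.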


@@ -0,0 +1,69 @@
key:
alg:
- rsa
- ec
- dsa
enc:
- aes256
generate: both
rsa:
key_length:
- 2048
- 4096
ec:
curve_name:
- prime256v1
- secp384r1
- secp521r1
dsa:
key_length:
- 2048
- 4096
validity:
notafter: +01
digest: sha256
increasing_serials: 1
randomized_serial_bytes: 8
publish:
- disk
extensions:
basic_constraints:
critical: 1
ca: 0
path_length: 0
subject_key_identifier:
critical: 0
hash: 1
authority_key_identifier:
critical: 0
keyid: 1
issuer: 0
issuer_alt_name:
critical: 0
copy: 0
crl_distribution_points:
critical: 0
uri:
- {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/crl
authority_info_access:
critical: 0
ca_issuers: {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/ca
ocsp: {{ pki_base_url }}
policy_identifier:
critical: 0
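Review bot: The ternary in the CDP and AIA URIs tests `pki_base_url is search('/^')`, a regex that can never match (`^` anchors the start of the string, so "slash followed by start-of-string" does not exist), meaning `/` is always appended and a base URL that already ends in `/` yields `//pub/...`; the intended test is `search('/$')`. `dsa` is also offered in `key.alg`; DSA is deprecated for new certificates (FIPS 186-5 withdrew it for signature generation and TLS 1.3 has no DSA cipher suites), so dropping it prevents users from generating keys their relying parties will reject. `path_length: 0` under `basic_constraints` with `ca: 0` contradicts RFC 5280 §4.2.1.9 (pathLenConstraint is only meaningful when cA is TRUE); whether OpenXPKI actually emits it in that case I cannot tell from here, so inspect an issued certificate. The `ocsp:` URI is the bare `pki_base_url`; confirm that is really the OCSP responder endpoint, otherwise revocation checks get a web page instead of an OCSP response.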


@@ -0,0 +1,52 @@
label: Signer
validity:
notafter: +0006
style:
00_user_basic_style:
label: signer
description: Application authenticity and deployment security
ui:
subject:
- username
- realname
- department
- email
info:
- comment
subject:
dn: CN=[% realname %]+UID=[% username %][% IF department %],DC=[% department %][% END %],{{ item.0.subj_suffix }}
san:
email: "[% email.lower %]"
metadata:
requestor: "[% realname %]"
email: "[% email %]"
department: "[% department %]"
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 1
key_encipherment: 1
data_encipherment: 0
key_agreement: 0
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
client_auth: 0
server_auth: 0
email_protection: 0
code_signing: 1
time_stamping: 1
ocsp_signing: 0
# MS Smartcard Logon
1.3.6.1.4.1.311.20.2.2: 0
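Review bot: The signer profile sets both `code_signing: 1` and `time_stamping: 1` in a critical EKU; RFC 3161 §2.3 and OpenSSL's timestamp-signing purpose check expect id-kp-timeStamping to be the only EKU of a TSA certificate, so a certificate from this profile is rejected as a timestamp signer while still working for code signing. Use a separate profile for the TSA role or drop `time_stamping: 1`. `key_encipherment: 1` is unnecessary for a pure signing key and widens what the key may be used for; `digital_signature`/`non_repudiation` suffice for code signing. The DN template interpolates `realname` unescaped into `CN=[% realname %]+UID=...`; check that OpenXPKI's DN handling escapes `+`, `,` and `=` in the value, otherwise a user could inject additional RDN components.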


@@ -0,0 +1,58 @@
# The name of the file equals the name of the profile
label: I18N_OPENXPKI_UI_PROFILE_TLS_CLIENT_LABEL
validity:
notafter: +01
style:
00_basic_style:
label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
ui:
subject:
- hostname
- application_name
info:
- requestor_gname
- requestor_name
- requestor_email
- requestor_affiliation
- comment
subject:
dn: CN=[% hostname %]:[% application_name %],{{ item.0.subj_suffix }}
metadata:
requestor: "[% requestor_gname %] [% requestor_name %]"
email: "[% requestor_email %]"
entity: "[% hostname FILTER lower %]"
enroll:
subject:
dn: CN=[% CN.0 %],{{ item.0.subj_suffix }}
# Profile extensions - set 0/1 as needed
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 0
key_encipherment: 0
data_encipherment: 0
key_agreement: 0
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
client_auth: 1
server_auth: 0
email_protection: 0
code_signing: 0
time_stamping: 0
ocsp_signing: 0
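Review bot: `dn: CN=[% hostname %]:[% application_name %]` uses the raw hostname while the `entity` metadata two lines below (and the sibling tls_server profile) lowercase it, so the same host requested with different capitalisation yields distinct CNs and any workflow that keys on `entity` no longer matches the subject; use `CN=[% hostname.lower %]:[% application_name %]`. The `enroll` style copies `CN.0` from the PKCS#10 verbatim, so whatever name the SCEP client supplies becomes the subject unless the SCEP `authorized_signer` rules or an approval step vet it; a comment `# enroll: CN taken as-is from the CSR - relies on SCEP policy/approval for vetting` would record that dependency.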


@@ -0,0 +1,123 @@
# The name of the file equals the name of the profile
label: I18N_OPENXPKI_UI_PROFILE_TLS_SERVER_LABEL
validity:
notafter: +0006
style:
00_basic_style:
label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
ui:
subject:
- hostname
- hostname2
- port
info:
- requestor_gname
- requestor_name
- requestor_email
- requestor_affiliation
- comment
subject:
dn: CN=[% hostname.lower %][% IF port AND port != 443 %]:[% port %][% END %],{{ item.0.subj_suffix }}
san:
DNS:
- "[% hostname.lower %]"
- "[% FOREACH entry = hostname2 %][% entry.lower %] | [% END %]"
metadata:
requestor: "[% requestor_gname %] [% requestor_name %]"
email: "[% requestor_email %]"
entity: "[% hostname FILTER lower %]"
05_advanced_style:
label: I18N_OPENXPKI_UI_PROFILE_ADVANCED_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_ADVANCED_STYLE_DESC
ui:
subject:
- cn
- o
- ou
- dc
- c
san:
- san_ipv4
- san_dns
info:
- requestor_gname
- requestor_name
- requestor_email
- requestor_affiliation
- comment
subject:
dn: CN=[% CN %][% IF OU %][% FOREACH entry = OU %],OU=[% entry %][% END %][% END %][% IF O %],O=[% O %][% END %][% FOREACH entry = DC %],DC=[% entry %][% END %][% IF C %],C=[% C %][% END %]
# no san definitions here as items from ui.san are directly written to the SAN
enroll:
subject:
dn: CN=[% CN.0 %],{{ item.0.subj_suffix }}
san:
dns: "[% FOREACH entry = SAN_DNS %][% entry.lower %] | [% END %]"
metadata:
system_id: "[% data.cust_id %]"
server_id: "[% data.server_id %]"
entity: "[% CN.0 FILTER lower %]"
# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 0
key_encipherment: 1
data_encipherment: 0
key_agreement: 1
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
# these are OIDs, some OIDs are known and have names
client_auth: 0
server_auth: 1
email_protection: 0
code_signing: 0
time_stamping: 0
ocsp_signing: 0
# This is really outdated and should not be used unless really necessary
netscape:
comment:
critical: 0
text: This is a generic certificate. Generated with OpenXPKI trustcenter software.
certificate_type:
critical: 0
ssl_client: 0
smime_client: 0
object_signing: 0
ssl_client_ca: 0
smime_client_ca: 0
object_signing_ca: 0
cdp:
critical: 0
uri: http://localhost/cacrl.crt
ca_uri: http://localhost/cacrl.crt
# end of netscape section
# end of extensions
# Define the input fields you used below here
#template:
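Review bot: The `netscape.cdp` block carries `http://localhost/cacrl.crt` as both `uri` and `ca_uri`; the comment above says the section is outdated, yet the stanza is active, so as far as I can tell every server certificate from this profile will embed a dead localhost revocation pointer. Either remove the whole `netscape:` block or point the URIs at the same `{{ pki_base_url }}.../crl` location used by `crl_distribution_points` in the default profile. The enroll style's `san.dns` is taken verbatim from `SAN_DNS` in the CSR, the same caveat as the CN: the SCEP `authorized_signer` and approval policy must be the control. `key_agreement: 1` is inert for RSA but enables ECDH for EC keys, so keep it only if that is intended.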


@@ -0,0 +1,61 @@
# The name of the file equals the name of the profile
label: I18N_OPENXPKI_UI_PROFILE_USER_LABEL
validity:
notafter: +0006
style:
00_user_basic_style:
label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
ui:
subject:
- username
- realname
- department
- email
info:
- comment
subject:
dn: CN=[% realname %]+UID=[% username %][% IF department %],DC=[% department %][% END %],{{ item.0.subj_suffix }}
san:
email: "[% email.lower %]"
metadata:
requestor: "[% realname %]"
email: "[% email %]"
department: "[% department %]"
# Profile extensions - set 0/1 as needed
# Also see sections defined in default.yaml
extensions:
key_usage:
critical: 1
digital_signature: 1
non_repudiation: 1
key_encipherment: 1
data_encipherment: 0
key_agreement: 0
key_cert_sign: 0
crl_sign: 0
encipher_only: 0
decipher_only: 0
extended_key_usage:
critical: 1
client_auth: 1
server_auth: 0
email_protection: 1
code_signing: 0
time_stamping: 0
ocsp_signing: 0
# MS Smartcard Logon
1.3.6.1.4.1.311.20.2.2: 1
# Define the input fields you used below here or in template.yaml
#template:
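Review bot: The user profile asserts the Microsoft Smartcard Logon EKU (`1.3.6.1.4.1.311.20.2.2: 1`) but the SAN only carries `email`; Windows smartcard logon normally requires a UPN `otherName` in the SAN (and, since KB5014754, a strong mapping), so the EKU is set on certificates that cannot actually be used for logon — either add the UPN to `san:` or set the OID to 0 as the signer profile does. One key also combines `digital_signature`, `non_repudiation` and `key_encipherment` with `email_protection`, so any S/MIME encryption-key escrow would expose the signing key too; separate signing and encryption profiles are the usual answer if escrow is planned. The DN template has the same unescaped `realname` concern as the signer profile.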


@@ -0,0 +1,28 @@
entity:
disk@: connector:publishing.connectors.local
crl:
crl@: connector:publishing.connectors.cdp
cacert:
disk@: connector:publishing.connectors.cacert
connectors:
local:
class: Connector::Builtin::File::Path
LOCATION: {{ pki_root_dir }}/data/{{ item.0.name }}
file: "[% ARGS.0 %].crt"
content: "[% pem %]"
cdp:
class: Connector::Builtin::File::Path
LOCATION: {{ pki_root_dir }}/data/{{ item.0.name }}
file: "crl.pem"
content: "[% pem %]"
cacert:
class: Connector::Builtin::File::Path
LOCATION: {{ pki_root_dir }}/data/{{ item.0.name }}
file: "ca.pem"
content: "[% pem %]"
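Review bot: The `local` connector derives the output file name from `[% ARGS.0 %].crt` under `{{ pki_root_dir }}/data/{{ item.0.name }}`; whether `Connector::Builtin::File::Path` rejects `/` or `..` in the template argument is not visible here, so confirm it before this is fed a value derived from a user-chosen subject, otherwise a crafted name could write outside the publication directory. A comment `# ARGS.0 is supplied by the publishing workflow and must not contain '/' or '..'` would record the assumption. All three connectors write into the same directory; if it is exposed over HTTP, make sure nothing but public PEM ever lands there.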


@@ -0,0 +1,60 @@
renewal:
notbefore: 000014
notafter: 0
revoke_on_replace:
reason_code: keyCompromise
delay_revocation_time: +000014
workflow:
type: certificate_enroll
param:
transaction_id: transaction_id
signer_cert: signer_cert
pkcs10: pkcs10
_url_params: url_params
key_size:
rsaEncryption: 1020-4096
hash_type:
- sha1
- sha256
- sha512
authorized_signer:
rule1:
subject: CN=.+:scepclient,.*
rule2:
subject: CN=.+:pkiclient,.*
policy:
allow_man_authen: 1
allow_anon_enroll: 0
allow_man_approv: 1
allow_eligibility_recheck: 0
approval_points: 1
max_active_certs: 1
allow_expired_signer: 0
auto_revoke_existing_certs: 1
allow_replace: 1
response:
getcacert_strip_root: 1
profile:
cert_profile: {{ item.0.scep.profile }}
cert_subject_style: enroll
profile_map:
pc-client: I18N_OPENXPKI_PROFILE_USER_AUTHENTICATION
hmac: "{{ item.0.scep.hmac | default(pki_scep_hmac) }}"
challenge:
value: "{{ item.0.scep.challenge | default(pki_scep_challenge) }}"
eligible:
renewal:
value: 1
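Review bot: `hash_type` still lists `sha1` and `key_size.rsaEncryption` starts at `1020`, so an SCEP client can enrol a 1024-bit RSA key with a SHA-1 signed request and be accepted; tighten to `rsaEncryption: 2048-4096` and drop `- sha1` unless a specific legacy device inventory requires it. The shared `challenge.value` is one static password for every enrolment; with `allow_man_approv: 1` and `approval_points: 1` that is tolerable only because an operator approves each request, so that dependency deserves a comment: `# static challenge - manual approval (approval_points) is the real control`. `allow_expired_signer: 0`, `allow_anon_enroll: 0` and `auto_revoke_existing_certs: 1` are sound defaults and should stay.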


@@ -0,0 +1,22 @@
class: OpenXPKI::Server::Workflow::Validator::PasswordQuality
arg:
- $_password
param:
checks:
- length
{% if item.0.passwd_quality is string %}
{% if item.0.passwd_quality == 'none' %}
minlen: 1
maxlen: 64
{% elif item.0.passwd_quality == 'normal' %}
- entropy
min_entropy: 20
minlen: 6
maxlen: 64
{% elif item.0.passwd_quality == 'strong' %}
- entropy
min_entropy: 60
minlen: 10
maxlen: 64
{% endif %}
{% endif %}
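Review bot: When `passwd_quality` is undefined, not a string, or a string other than `none`/`normal`/`strong`, nothing after `- length` is rendered and the validator silently falls back to its built-in defaults, which is easy to misread as "strong"; add a final `{% else %}` branch that renders the `normal` values and document the accepted levels at the top: `# passwd_quality: none | normal | strong (anything else falls back to the validator defaults)`. The `none` level still enforces `minlen: 1`, which is fine, but `maxlen: 64` is exactly the minimum accepted length NIST SP 800-63B recommends; raising it (e.g. 128) costs nothing and lets users pick passphrases.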