Deploy signer certificate from local deploy host

.gitignore

+files/*.crt
+files/*.key
 inventory/group_vars/geodns.yml
 inventory/group_vars/mdsigner.yml
 .ssh/id_*

files/README

-Download GeoLite2 DB's from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
+This directory should contain:
+
+ * GeoDNS config in yaml format
+ * mdsigner signing certificates (key_spec/cert_spec)

inventory/group_vars/all.yml

@@ -2,7 +2,7 @@
 
 tld: srv.mdx.incubator.geant.org
 
-hosts:
+proxies:
   et2:
     hostname: srv1
     altname: 'server-md2.et2.com'

inventory/group_vars/mdsigner.yml.example

 ---
 
-hosts:
+signers_tld: srv.mdx.incubator.geant.org
+
+signers:
   et2:
+    hostname: srv1
     mdsigner:
       test:
-        signer:
-          name: hsm_signer
-          key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
-        metadir: metadata/test
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
 
   mdxcdn:
+    hostname: srv2
     mdsigner:
       edugain:
-        signer:
-          name: hsm_signer
-          key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
-        metadir: metadata/edugain
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
 
   alternative-mdx:
+    hostname: srv3
     mdsigner:
+      test:
+        name: normal_signer
+        key_spec: "test.key"
+        cert_spec: "test.crt"
       foobar:
-        signer:
-          name: normal_signer
-          key_spec: "meta.key"
-          cert_spec: "meta.crt"
-        metadir: metadata/test
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret

roles/apache/templates/md.conf.j2

-{% if hosts[inventory_hostname].get('mdsigner') %}
+{% if signers is defined and signers[inventory_hostname].get('mdsigner') %}
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-signer.{{ tld }}
-{% if hosts[inventory_hostname].get('altname') %}
-        ServerAlias {{ hosts[inventory_hostname]['altname'] }}
+        ServerName {{ signers[inventory_hostname]['hostname'] }}-signer.{{ signers_tld }}
+{% if signers[inventory_hostname].get('altname') %}
+        ServerAlias {{ signers[inventory_hostname]['altname'] }}
 {% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
@@ -11,16 +11,16 @@
 </VirtualHost>
 {% endif %}
 
-{% if hosts[inventory_hostname].get('mdproxy') %}
+{% if proxies is defined and proxies[inventory_hostname].get('mdproxy') %}
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
+        ServerName {{ proxies[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
         ProxyPass "/" "http://127.0.0.1:5002/" nocanon
         ProxyPassReverse "/" "http://127.0.0.1:5002/"
 </VirtualHost>
 
-{% set mdproxy = hosts[inventory_hostname]['mdproxy'] %}
+{% set mdproxy = proxies[inventory_hostname]['mdproxy'] %}
 {% for realm, values in mdproxy.items() %}
 <VirtualHost *:80>
         ServerName proxy-{{ realm }}.{{ tld }}
@@ -34,3 +34,4 @@
 </VirtualHost>
 {% endfor %}
 {% endif %}
+

roles/mdproxy/templates/mdproxy.yaml.j2

 ---
-{{ hosts[inventory_hostname]['mdproxy'] | tojson }}
+{% set mdproxies = proxies[inventory_hostname]['mdproxy'] %}
+{% for realm, values in mdproxies.items() %}
+{{ realm }}:
+  signer: {{ values['signer'] }}
+{% if values.get('altname') %}
+  altname: {{ values['altname'] }}
+{% endif %}
+{% endfor %}

roles/mdsigner/tasks/certificates.yml

+- name: check wheter we can copy certificates
+  ansible.builtin.stat:
+    path: "{{ playbook_dir }}/files/{{ item.value.key_spec }}"
+  delegate_to: localhost
+  become: no
+  register: key_spec
+
+- name: Copy certificates when key_spec exists
+  block:
+    - name: Copy Key spec
+      ansible.builtin.copy:
+        src: "{{ item.value.key_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.key_spec }}"
+    - name: Copy Cert spec
+      ansible.builtin.copy:
+        src: "{{ item.value.cert_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.cert_spec }}"
+  when: key_spec.stat.exists

roles/mdsigner/tasks/main.yml

@@ -22,22 +22,11 @@
     path: "{{ altmdx_metadir }}/{{ item.key }}"
     state: directory
     mode: '0755'
-  with_dict: "{{ hosts[inventory_hostname]['mdsigner'] }}"
+  with_dict: "{{ signers[inventory_hostname]['mdsigner'] }}"
 
-- name: Check existence of metadata signing cert
-  stat:
-    path: "{{ altmdx_metadir }}/meta.crt"
-  register: mdcert
-
-- name: create self-signed Metadata Signing SSL certs
-  shell: >
-    openssl genrsa -out "{{ altmdx_dir }}/meta.key" 2048;
-    openssl req -new -nodes -x509 -subj "/C=NL/CN=metadata"
-    -days 3650 -key "{{ altmdx_dir }}/meta.key"
-    -out "{{ altmdx_dir }}/meta.crt" -extensions v3_ca
-  args:
-    creates: "{{ altmdx_dir }}/meta.crt"
-  when: not mdcert.stat.exists
+- name: Copy certificates
+  include_tasks: certificates.yml
+  loop: "{{ signers[inventory_hostname]['mdsigner'] | dict2items }}"
 
 - name: Copy mdsigner service files
   ansible.builtin.template:

roles/mdsigner/templates/mdsigner.yaml.j2

 ---
-{{ hosts[inventory_hostname]['mdsigner'] | to_yaml }}
+{% set mdsigners = signers[inventory_hostname]['mdsigner'] %}
+{% for realm, values in mdsigners.items() %}
+{{ realm }}:
+  signer:
+    name: {{ values['name'] }}
+    key_spec: {{ values.key_spec }}
+    cert_spec: {{ values.get('cert_spec') }}
+  metadir: metadata/{{ realm }}
+{% endfor %}