# Install the easy-rsa tooling; every state below shells out to `easyrsa`.
ca-easy-rsa-maint:
  pkg.installed:
    - name: 'easy-rsa'

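# Temporary: the packaged easy-rsa uses the wrong working directory, so a
# vars file is placed next to the PKI and passed explicitly via --vars.
# Requires the package so /etc/easy-rsa exists before the file is written
# (explicit dependency rather than relying on in-file ordering alone).
easy-rsa-vars-maint:
  file.managed:
    - name: '/etc/easy-rsa/vars'
    - source: 'salt://roles/maintain/ca/vars'
    - require:
      - pkg: ca-easy-rsa-maint
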
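# Initialise the PKI and build the CA once; the onlyif guard keeps an
# existing CA from being re-initialised.
# --vars=./vars is temporary until the package is fixed.
gen-ca-key:
  cmd.run:
    # '&&' instead of ';' so a failed init-pki does not fall through to
    # build-ca and get masked by the exit status of the last command.
    - name: 'easyrsa --vars=./vars init-pki && easyrsa --batch --vars=./vars build-ca nopass batch'
    - cwd: '/etc/easy-rsa'
    # NOTE: nopass leaves the CA private key unencrypted on disk; access to
    # it is limited by the private-perms state later in this file.
    - onlyif: 'test ! -e /etc/easy-rsa/pki/ca.crt'
    # The command reads ./vars, so the vars file must be in place first.
    - require:
      - file: easy-rsa-vars-maint
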
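# Generate and sign one request per entry in pillar['ca'], then lock down
# the resulting certificate and key.
# --vars=./vars is temporary until the package is fixed.
# NOTE(review): `name` and pillar['ca'][name]['type'] are interpolated into
# a shell command line unquoted; keep pillar keys and types to plain
# identifiers (no shell metacharacters) — verify where this pillar is set.
{%- if pillar['ca'] is defined -%}
{%- for name in pillar['ca'] %}

gen-{{ name }}-cert:
  cmd.run:
    # '&&' instead of ';' so a failed gen-req does not fall through to
    # sign-req and get masked by the exit status of the last command.
    - name: 'easyrsa --batch --vars=./vars gen-req {{ name }} nopass && easyrsa --batch --vars=./vars sign-req {{ pillar['ca'][name]['type'] }} {{ name }}'
    - cwd: '/etc/easy-rsa'
    - onlyif: 'test ! -e /etc/easy-rsa/pki/reqs/{{ name }}.req'
    # Needs an initialised PKI and CA to sign against.
    - require:
      - cmd: gen-ca-key

# Ownership root:ca, mode 0640. create: false so that a missing cert or key
# (failed generation) is reported rather than replaced by an empty file.
{{ name }}-cert-perms:
  file.managed:
    - name: '/etc/easy-rsa/pki/issued/{{ name }}.crt'
    - user: root
    - group: ca
    - mode: '0640'
    - create: false
    - require:
      - cmd: gen-{{ name }}-cert

{{ name }}-key-perms:
  file.managed:
    - name: '/etc/easy-rsa/pki/private/{{ name }}.key'
    - user: root
    - group: ca
    - mode: '0640'
    - create: false
    - require:
      - cmd: gen-{{ name }}-cert

{%- endfor %}
{%- endif %}
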
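# Directory permissions: the pki tree is group-readable by 'ca' only.
# Modes are quoted so YAML never reinterprets them as integers.
# Requiring gen-ca-key keeps this from creating an empty pki/ directory
# when CA initialisation failed.
pki-perms:
  file.directory:
    - name: '/etc/easy-rsa/pki/'
    - group: ca
    - mode: '0750'
    - require:
      - cmd: gen-ca-key
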
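# Issued certificates directory: group 'ca', mode 0750 (quoted so YAML keeps
# it a string). Requires gen-ca-key so the directory is not created empty
# when CA initialisation failed.
issued-perms:
  file.directory:
    - name: '/etc/easy-rsa/pki/issued/'
    - group: ca
    - mode: '0750'
    - require:
      - cmd: gen-ca-key
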
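# Private key directory (holds the unencrypted CA key): group 'ca',
# mode 0750 (quoted so YAML keeps it a string). Requires gen-ca-key so the
# directory is not created empty when CA initialisation failed.
private-perms:
  file.directory:
    - name: '/etc/easy-rsa/pki/private'
    - group: ca
    - mode: '0750'
    - require:
      - cmd: gen-ca-key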