feat: initial commit

.ansible-lint

@@ -0,0 +1,5 @@
+---
+skip_list:
+  - name[casing]
+exclude_paths:
+  - .github

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+tab_width = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.github/workflows/bump.yml

@@ -0,0 +1,33 @@
+name: bump version
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  tag:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/[email protected]
+        with:
+          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+      - run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git tag $(awk -F'"' '/current_version/ {print $2; exit}' bumpver.toml)
+          git push --tags
+
+  bump:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/[email protected]
+      - uses: actions/[email protected]
+        with:
+          python-version: 3.12.6
+      - run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          pip install -r requirements-bumpver.txt
+          bumpver update --patch

.github/workflows/lint.yml

@@ -0,0 +1,19 @@
+name: lint
+
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+
+jobs:
+  lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/[email protected]
+      - uses: actions/[email protected]
+        with:
+          python-version: 3.12.6
+      - run: |
+          pip install -r requirements-ansible.txt
+          ansible-lint

.github/workflows/release.yml

@@ -0,0 +1,18 @@
+name: release
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  release:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/[email protected]
+      - uses: actions/[email protected]
+        with:
+          python-version: 3.12.6
+      - run: |
+          pip install -r requirements-ansible.txt
+          ansible-galaxy role import --token "${{ secrets.ANSIBLE_GALAXY_TOKEN }}" $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog
+
+## 1.0.0 (2024-09-22)
+
+### Features:
+
+- Initial release.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Daniel Segura
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,44 @@
+# Ansible Role: Nomad TLS Certificate Generation
+
+This Ansible role generates TLS certificates for [HashiCorp Nomad](https://www.nomadproject.io/) using the built-in `nomad tls` commands. It creates a self-signed certificate authority (CA), a server certificate, a client certificate, and a CLI certificate. The certificates are stored in the specified directory.
+
+## Features
+
+- **Automated TLS Certificate Creation**: Automatically generates Nomad TLS certificates (CA, server, client, and CLI certificates) using the `nomad tls` commands.
+- **Customizable Directory**: Certificates can be stored in a directory of your choice by overriding the `nomad_tls_certificates_directory` variable.
+- **Idempotent Execution**: Each certificate creation task checks if the certificate already exists and skips the task if the certificate is already present, ensuring that the role can be run multiple times without overwriting existing files
+
+## Requirements
+
+- The `nomad` CLI must be installed on the target machine where this role is being executed.
+
+## Role Variables
+
+Here are the role variables and their default values. You will need to override them in your playbook or inventory to suit your environment:
+
+| Variable | Description | Default |
+| - | - | - |
+| nomad_tls_certificates_directory | Path to the directory where certificates will be stored. Defaults to the playbook's directory. | "{{ playbook_dir }}" |
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+  become: true
+  roles:
+    - role: dsegurag.nomad_tls_certificates
+      vars:
+        nomad_tls_certificates_directory: "/etc/nomad/tls"
+```
+
+## Dependencies
+
+- **Nomad CLI**: The `nomad` CLI is required to create the TLS certificates. If Nomad is not installed on your target machine, you can use [this Ansible role](https://github.com/dsegurag/ansible-role-nomad-installation) to install Nomad easily.
+
+## License
+
+MIT License
+
+## Author Information
+
+This role was created by Daniel Segura.

bumpver.toml

@@ -0,0 +1,11 @@
+[bumpver]
+current_version = "1.0.0"
+version_pattern = "MAJOR.MINOR.PATCH"
+commit_message = "chore: bump version {old_version} -> {new_version}"
+tag_message = "{new_version}"
+tag_scope = "default"
+pre_commit_hook = ""
+post_commit_hook = ""
+commit = true
+tag = false
+push = true

defaults/main.yml

@@ -0,0 +1,2 @@
+---
+nomad_tls_certificates_directory: "{{ playbook_dir }}"

meta/main.yml

@@ -0,0 +1,12 @@
+---
+dependencies: []
+
+galaxy_info:
+  role_name: nomad_tls_certificates
+  author: dsegurag
+  description: An Ansible role for generating HashiCorp Nomad TLS certificates.
+  license: MIT
+  min_ansible_version: 2.17.4
+  platforms:
+    - name: Debian
+    - name: Ubuntu

renovate.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "group:all",
+    ":automergeMinor",
+    ":automergeDigest",
+    ":separateMultipleMajorReleases"
+  ],
+  "timezone": "Europe/Madrid",
+  "labels": [
+    "renovate"
+  ],
+  "major": {
+    "addLabels": [
+      "major"
+    ]
+  },
+  "minor": {
+    "addLabels": [
+      "minor"
+    ]
+  },
+  "patch": {
+    "addLabels": [
+      "patch"
+    ]
+  },
+  "pin": {
+    "addLabels": [
+      "pin"
+    ]
+  },
+  "digest": {
+    "addLabels": [
+      "digest"
+    ]
+  }
+}

requirements-ansible.txt

@@ -0,0 +1,2 @@
+ansible==10.4.0
+ansible-lint==24.9.2

requirements-bumpver.txt

@@ -0,0 +1 @@
+bumpver==2023.1129

tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: create a self signed certificate authority
+  ansible.builtin.command: nomad tls ca create
+  args:
+    chdir: "{{ nomad_tls_certificates_directory }}"
+    creates: nomad-agent-ca-key.pem
+
+- name: generate server certificate
+  ansible.builtin.command: nomad tls cert create -server
+  args:
+    chdir: "{{ nomad_tls_certificates_directory }}"
+    creates: global-server-nomad-key.pem
+
+- name: generate client certificate
+  ansible.builtin.command: nomad tls cert create -client
+  args:
+    chdir: "{{ nomad_tls_certificates_directory }}"
+    creates: global-client-nomad-key.pem
+
+- name: generate cli certificate
+  ansible.builtin.command: nomad tls cert create -cli
+  args:
+    chdir: "{{ nomad_tls_certificates_directory }}"
+    creates: global-cli-nomad-key.pem