From 403e63d36d77a33bcf973d101c2c5465b3cbe35c Mon Sep 17 00:00:00 2001
From: Daniel Segura
Date: Sun, 22 Sep 2024 13:11:29 +0200
Subject: [PATCH] feat: initial commit
---
 .ansible-lint | 5 ++++
 .editorconfig | 10 ++++++++
 .github/workflows/bump.yml | 33 ++++++++++++++++++++++++++
 .github/workflows/lint.yml | 19 +++++++++++++++
 .github/workflows/release.yml | 18 ++++++++++++++
 CHANGELOG.md | 7 ++++++
 LICENSE | 21 +++++++++++++++++
 README.md | 44 +++++++++++++++++++++++++++++++++++
 bumpver.toml | 11 +++++++++
 defaults/main.yml | 2 ++
 meta/main.yml | 12 ++++++++++
 renovate.json | 39 +++++++++++++++++++++++++++++++
 requirements-ansible.txt | 2 ++
 requirements-bumpver.txt | 1 +
 tasks/main.yml | 24 +++++++++++++++++++
 15 files changed, 248 insertions(+)
 create mode 100644 .ansible-lint
 create mode 100644 .editorconfig
 create mode 100644 .github/workflows/bump.yml
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 CHANGELOG.md
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 bumpver.toml
 create mode 100644 defaults/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 renovate.json
 create mode 100644 requirements-ansible.txt
 create mode 100644 requirements-bumpver.txt
 create mode 100644 tasks/main.yml
diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..6730ec8
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,5 @@
+---
+skip_list:
+ - name[casing]
+exclude_paths:
+ - .github
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..1a54ff2
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,10 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+tab_width = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
new file mode 100644
index 0000000..3113c96
--- /dev/null
+++ b/.github/workflows/bump.yml
@@ -0,0 +1,33 @@
+name: bump version
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+jobs:
+ tag:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4.1.7
+ with:
+ token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+ - run: |
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git tag $(awk -F'"' '/current_version/ {print $2; exit}' bumpver.toml)
+ git push --tags
+
+ bump:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4.1.7
+ - uses: actions/setup-python@v5.2.0
+ with:
+ python-version: 3.12.6
+ - run: |
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ pip install -r requirements-bumpver.txt
+ bumpver update --patch
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..c34b36a
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,19 @@
+name: lint
+
+on:
+ push:
+ branches:
+ - '*'
+ pull_request:
+
+jobs:
+ lint:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4.1.7
+ - uses: actions/setup-python@v5.2.0
+ with:
+ python-version: 3.12.6
+ - run: |
+ pip install -r requirements-ansible.txt
+ ansible-lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..efd62df
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,18 @@
+name: release
+
+on:
+ push:
+ tags:
+ - '*'
+
+jobs:
+ release:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4.1.7
+ - uses: actions/setup-python@v5.2.0
+ with:
+ python-version: 3.12.6
+ - run: |
+ pip install -r requirements-ansible.txt
+ ansible-galaxy role import --token "${{ secrets.ANSIBLE_GALAXY_TOKEN }}" $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..99a8d5b
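Review bot: The `tag` job hands `secrets.PERSONAL_ACCESS_TOKEN` to actions/checkout, which by default persists it in the checked-out repository's git config for the rest of the job, although only the final `git push --tags` needs it (presumably the PAT is used because a tag pushed with the default GITHUB_TOKEN would not trigger release.yml). Consider `persist-credentials: false` on that checkout and exposing the PAT to the push step only, through `env:`, and keep the PAT fine-grained (contents write on this repository only), since whatever it can reach is what a compromised dependency of the job inherits. The two jobs have no `needs:` relation, so the tag of the current version and the `bumpver update --patch` commit (bumpver.toml sets `push = true`) run concurrently; `needs: tag` on `bump` makes the intended order explicit. Here and in lint.yml and release.yml the actions are referenced by mutable tag (`actions/checkout@v4.1.7`, `actions/setup-python@v5.2.0`); pinning to the full commit SHA with the version in a trailing comment, `uses: actions/checkout@<commit-sha> # v4.1.7`, is the usual supply-chain hardening, and the `:automergeDigest` preset in renovate.json already accommodates digest bumps.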
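Review bot: The lint workflow has no `permissions:` block, so its job token receives whatever the repository's default grants, while `ansible-lint` only needs to read the checkout; add `permissions:` / `  contents: read` at the top level. The `branches: - '*'` filter does not match branch names containing a slash (GitHub's `*` stops at `/`), so pushes to a branch such as `feature/x` are not linted; `'**'` matches every branch. With `push` on all branches plus `pull_request`, a PR from a branch in this repository is linted twice per push; restricting `push` to the default branch avoids the duplicate run.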
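Review bot: The release step splices `${{ github.repository }}` straight into the shell script; context values are better read from the environment than interpolated into `run:` text, and `GITHUB_REPOSITORY` is already exported on the runner, so the call can become `ansible-galaxy role import --token "$GALAXY_TOKEN" "${GITHUB_REPOSITORY%%/*}" "${GITHUB_REPOSITORY#*/}"` with `env:` / `  GALAXY_TOKEN: ${{ secrets.ANSIBLE_GALAXY_TOKEN }}` on the step, which also drops the unquoted `$(echo … | cut …)` substitutions. `github.repository` is not attacker-influenced, so this is an idiom point rather than an injection finding. The workflow lacks a `permissions:` block; `contents: read` is all the import needs. The `tags: - '*'` trigger runs the Galaxy import with the token for any tag pushed, not only those bump.yml creates; a comment stating that, or narrowing the pattern to the `MAJOR.MINOR.PATCH` shape bumpver produces (`'[0-9]*.[0-9]*.[0-9]*'`), would make the intent explicit.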
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,7 @@
+# Changelog
+
+## 1.0.0 (2024-09-22)
+
+### Features:
+
+- Initial release.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..65c69fc
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Daniel Segura
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7535ce6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,44 @@
+# Ansible Role: Nomad TLS Certificate Generation
+
+This Ansible role generates TLS certificates for [HashiCorp Nomad](https://www.nomadproject.io/) using the built-in `nomad tls` commands. It creates a self-signed certificate authority (CA), a server certificate, a client certificate, and a CLI certificate. The certificates are stored in the specified directory.
+
+## Features
+
+- **Automated TLS Certificate Creation**: Automatically generates Nomad TLS certificates (CA, server, client, and CLI certificates) using the `nomad tls` commands.
+- **Customizable Directory**: Certificates can be stored in a directory of your choice by overriding the `nomad_tls_certificates_directory` variable.
+- **Idempotent Execution**: Each certificate creation task checks if the certificate already exists and skips the task if the certificate is already present, ensuring that the role can be run multiple times without overwriting existing files
+
+## Requirements
+
+- The `nomad` CLI must be installed on the target machine where this role is being executed.
+
+## Role Variables
+
+Here are the role variables and their default values. You will need to override them in your playbook or inventory to suit your environment:
+
+| Variable | Description | Default |
+| - | - | - |
+| nomad_tls_certificates_directory | Path to the directory where certificates will be stored. Defaults to the playbook's directory. | "{{ playbook_dir }}" |
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ become: true
+ roles:
+ - role: dsegurag.nomad_tls_certificates
+ vars:
+ nomad_tls_certificates_directory: "/etc/nomad/tls"
+```
+
+## Dependencies
+
+- **Nomad CLI**: The `nomad` CLI is required to create the TLS certificates. If Nomad is not installed on your target machine, you can use [this Ansible role](https://github.com/dsegurag/ansible-role-nomad-installation) to install Nomad easily.
+
+## License
+
+MIT License
+
+## Author Information
+
+This role was created by Daniel Segura.
diff --git a/bumpver.toml b/bumpver.toml
new file mode 100644
index 0000000..b6c3a52
--- /dev/null
+++ b/bumpver.toml
@@ -0,0 +1,11 @@
+[bumpver]
+current_version = "1.0.0"
+version_pattern = "MAJOR.MINOR.PATCH"
+commit_message = "chore: bump version {old_version} -> {new_version}"
+tag_message = "{new_version}"
+tag_scope = "default"
+pre_commit_hook = ""
+post_commit_hook = ""
+commit = true
+tag = false
+push = true
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..dab0593
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+nomad_tls_certificates_directory: "{{ playbook_dir }}"
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..8b0035d
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,12 @@
+---
+dependencies: []
+
+galaxy_info:
+ role_name: nomad_tls_certificates
+ author: dsegurag
+ description: An Ansible role for generating HashiCorp Nomad TLS certificates.
+ license: MIT
+ min_ansible_version: 2.17.4
+ platforms:
+ - name: Debian
+ - name: Ubuntu
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..e504e63
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,39 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ "group:all",
+ ":automergeMinor",
+ ":automergeDigest",
+ ":separateMultipleMajorReleases"
+ ],
+ "timezone": "Europe/Madrid",
+ "labels": [
+ "renovate"
+ ],
+ "major": {
+ "addLabels": [
+ "major"
+ ]
+ },
+ "minor": {
+ "addLabels": [
+ "minor"
+ ]
+ },
+ "patch": {
+ "addLabels": [
+ "patch"
+ ]
+ },
+ "pin": {
+ "addLabels": [
+ "pin"
+ ]
+ },
+ "digest": {
+ "addLabels": [
+ "digest"
+ ]
+ }
+}
diff --git a/requirements-ansible.txt b/requirements-ansible.txt
new file mode 100644
index 0000000..5f5e809
--- /dev/null
+++ b/requirements-ansible.txt
@@ -0,0 +1,2 @@
+ansible==10.4.0
+ansible-lint==24.9.2
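Review bot: `nomad_tls_certificates_directory: "{{ playbook_dir }}"` is a controller-side path, but tasks/main.yml uses it as `chdir:` for `ansible.builtin.command` on the managed host, so the default only works when that exact path exists on the target (in practice, when the target is the controller itself); on any other host the `nomad tls ca create` task fails, and if the path happens to exist there the CA private key lands in an unintended directory. A default under the Nomad configuration tree, or a fail-fast `ansible.builtin.assert`/`ansible.builtin.stat` check that the directory exists on the target, would make the contract explicit. Either way the default deserves a comment, `# Evaluated on the controller; the same path must exist on the target host`, and the README row for this variable should say the same.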
diff --git a/requirements-bumpver.txt b/requirements-bumpver.txt
new file mode 100644
index 0000000..4a25861
--- /dev/null
+++ b/requirements-bumpver.txt
@@ -0,0 +1 @@
+bumpver==2023.1129
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..7253cd7
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: create a self signed certificate authority
+ ansible.builtin.command: nomad tls ca create
+ args:
+ chdir: "{{ nomad_tls_certificates_directory }}"
+ creates: nomad-agent-ca-key.pem
+
+- name: generate server certificate
+ ansible.builtin.command: nomad tls cert create -server
+ args:
+ chdir: "{{ nomad_tls_certificates_directory }}"
+ creates: global-server-nomad-key.pem
+
+- name: generate client certificate
+ ansible.builtin.command: nomad tls cert create -client
+ args:
+ chdir: "{{ nomad_tls_certificates_directory }}"
+ creates: global-client-nomad-key.pem
+
+- name: generate cli certificate
+ ansible.builtin.command: nomad tls cert create -cli
+ args:
+ chdir: "{{ nomad_tls_certificates_directory }}"
+ creates: global-cli-nomad-key.pem
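Review bot: The four tasks write private keys (`nomad-agent-ca-key.pem` and the three `global-*-nomad-key.pem` files) into `nomad_tls_certificates_directory` without ever setting ownership or mode, so the files keep whatever the `nomad` CLI and the connecting user's umask produce, and nothing creates the directory first, so `chdir:` fails when it is absent. The CA key also remains on every host the role runs against, although an agent only needs the issued certificates; unless the role is deliberately run on one host that distributes the material, a variable controlling whether the CA key is removed afterwards is worth considering. The `creates:` guards give idempotence but also mean a second run never re-issues an expired certificate; a header comment in this file should state both that and the directory requirement. The tasks below add the directory and a permissions pass; adjust `owner`/`group` to the account that runs Nomad.
```yaml
- name: ensure the certificate directory exists
  ansible.builtin.file:
    path: "{{ nomad_tls_certificates_directory }}"
    state: directory
    mode: "0700"

# … unchanged: the four nomad tls create tasks …

- name: restrict permissions on generated private keys
  ansible.builtin.file:
    path: "{{ nomad_tls_certificates_directory }}/{{ item }}"
    mode: "0600"
  loop:
    - nomad-agent-ca-key.pem
    - global-server-nomad-key.pem
    - global-client-nomad-key.pem
    - global-cli-nomad-key.pem
```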