diff --git a/meta/argument_specs.yaml b/meta/argument_specs.yaml
new file mode 100644
index 0000000..5cbd3b1
--- /dev/null
+++ b/meta/argument_specs.yaml
@@ -0,0 +1,228 @@
+---
+argument_specs:
+ main:
+ short_description: "Role to create and manage an existing PKI infrastructure"
+ description:
+ - "This Ansible role can be used to create a root and intermediate certificate authority and issue client certificates from them."
+ - "Additionally offers the ansible role the feature to import the certificates of the authority into the systems trust store."
+ author: "Markus Pesch"
+ options:
+ # Root Certificate Authority (CA)
+ certificate_authority_root_ca_skip:
+ description: "Skip creation or import of a root certificate authority in general."
+ type: bool
+ default: false
+ certificate_authority_root_ca_create:
+ description: "Create root certificate from scratch or import via certificate_authority_root_ca_tls prefixed variables."
+ type: bool
+ default: true
+ certificate_authority_root_ca_import:
+ description: "Import the TLS certificate of the root certificate authority into the systems trust store."
+ type: bool
+ default: true
+ certificate_authority_root_ca_path:
+ description: "Directory where the private and public TLS key of the root certificate authority should be stored."
+ type: str
+ default: "/etc/ansible-playbook/pki/ca"
+ certificate_authority_root_ca_common_name:
+ description: "Common Name (CN) of the root certificate authority."
+ type: str
+ default: "Ansible Root CA"
+ certificate_authority_root_ca_country_name:
+ description: "Common Name (CN) of the root certificate authority. For example US, FR or DE."
+ type: str
+ default: ""
+ certificate_authority_root_ca_email_address:
+ description: "E-Mail Address of the root certificate authority owner."
+ type: str
+ default: ""
+ certificate_authority_root_ca_organization_name:
+ description: "Organization name of the root certificate authority owner."
+ type: str
+ default: ""
+ certificate_authority_root_ca_organizational_unit_name:
+ description: "Organizational unit name of the root certificate authority."
+ type: str
+ default: ""
+ certificate_authority_root_ca_state_or_province_name:
+ description: "State or province name where the owner of the root certificate authority is located."
+ type: str
+ default: ""
+ certificate_authority_root_ca_subject_alternative_names:
+ description: "Subject Alternative Names (SAN) of the root certificate authority."
+ type: list
+ elements: str
+ default: []
+ certificate_authority_root_ca_not_after:
+ description: "Time in the future from now when the TLS certificate should expire"
+ type: str
+ default: "+3650d"
+ certificate_authority_root_ca_not_before:
+ description: "Time in the past from now when the TLS certificate should be valid."
+ type: str
+ default: "+0s"
+ certificate_authority_root_ca_tls_key_content:
+ description: "Content of a custom used root certificate authority. Will only be imported, when certificate_authority_root_ca_create: false."
+ type: str
+ default: ""
+ certificate_authority_root_ca_tls_crt_content:
+ description: "Content of a custom used certificate of the certificate authority. Will only be imported, when certificate_authority_root_ca_create: false."
+ type: str
+ default: ""
+ certificate_authority_root_ca_tls_key_passphrase:
+ description: "Passphrase for the private key of the generated or imported root certificate authority."
+ type: str
+ default: ""
+ no_log: true
+ certificate_authority_root_ca_tls_key_type:
+ description: "Algorithm of the private key of the root certificate authority."
+ type: str
+ default: "RSA"
+ choices:
+ - RSA
+ - DSA
+ - ECC
+
+ # Intermediate Certificate Authority (CA)
+ certificate_authority_intermediate_ca_skip:
+ description: "Skip creation or import of a intermediate certificate authority in general."
+ type: bool
+ default: false
+ certificate_authority_intermediate_ca_create:
+ description: "Create intermediate certificate from scratch or import via certificate_authority_intermediate_ca_tls prefixed variables."
+ type: bool
+ default: true
+ certificate_authority_intermediate_ca_path:
+ description: "Directory where the private and public TLS key of the intermediate certificate authority should be stored."
+ type: str
+ default: "/etc/ansible-playbook/pki/intermediate"
+ certificate_authority_intermediate_ca_common_name:
+ description: "Common Name (CN) of the intermediate certificate authority."
+ type: str
+ default: "Ansible Intermediate CA"
+ certificate_authority_intermediate_ca_country_name:
+ description: "Country name of the intermediate certificate authority. For example US, FR or DE."
+ type: str
+ default: ""
+ certificate_authority_intermediate_ca_email_address:
+ description: "E-Mail Address of the intermediate certificate authority owner."
+ type: str
+ default: ""
+ certificate_authority_intermediate_ca_organization_name:
+ description: "Organization name of the intermediate certificate authority owner."
+ type: str
+ default: ""
+ certificate_authority_intermediate_ca_organizational_unit_name:
+ description: "Organizational unit name of the intermediate certificate authority."
+ type: str
+ default: ""
+ certificate_authority_intermediate_ca_state_or_province_name:
+ description: "State or province name where the owner of the intermediate certificate authority is located."
+ type: str
+ default: ""
+ certificate_authority_intermediate_ca_subject_alternative_names:
+ description: "Subject Alternative Names (SAN) of the intermediate certificate authority."
+ type: list
+ elements: str
+ default: []
+ certificate_authority_intermediate_ca_not_after:
+ description: "Time in the future from now when the TLS certificate should expire"
+ type: str
+ default: "+1825d"
+ certificate_authority_intermediate_ca_not_before:
+ description: "Time in the past from now when the TLS certificate should be valid."
+ type: str
+ default: "+0s"
+ certificate_authority_intermediate_ca_tls_key_content:
+ description: "Content of a custom used intermediate certificate authority. Will only be imported, when certificate_authority_intermediate_ca_create: false."
+ type: str
+ default: ""
+ certificate_authority_intermediate_ca_tls_crt_content:
+ description: "Content of a custom used certificate of the certificate authority. Will only be imported, when certificate_authority_intermediate_ca_create: false."
+ type: str
+ default: ""
+ certificate_authority_intermediate_ca_tls_key_passphrase:
+ description: "Passphrase for the private key of the generated or imported intermediate certificate authority."
+ type: str
+ default: ""
+ no_log: true
+ certificate_authority_intermediate_ca_tls_key_type:
+ description: "Algorithm of the private key of the intermediate certificate authority."
+ type: str
+ default: "RSA"
+ choices:
+ - RSA
+ - DSA
+ - ECC
+
+ # Client Certificate
+ certificate_authority_client_skip:
+ description: "Skip creation or import of a client certificate in general."
+ type: bool
+ default: true
+ certificate_authority_client_create:
+ description: "Create client certificate from scratch or import via certificate_authority_client_tls prefixed variables."
+ type: bool
+ default: true
+ certificate_authority_client_path:
+ description: "Directory where the private and public TLS key of the client certificate authority should be stored."
+ type: str
+ default: "/etc/ansible-playbook/pki/client"
+ certificate_authority_client_common_name:
+ description: "Common Name (CN) of the client certificate."
+ type: str
+ default: "Ansible Client Certificate"
+ certificate_authority_client_country_name:
+ description: "Country Name (CN) of the client certificate. For example US, FR or DE."
+ type: str
+ default: ""
+ certificate_authority_client_email_address:
+ description: "E-Mail Address of the client certificate owner."
+ type: str
+ default: ""
+ certificate_authority_client_organization_name:
+ description: "Organization name of the client certificate owner."
+ type: str
+ default: ""
+ certificate_authority_client_organizational_unit_name:
+ description: "Common Name (CN) of the client certificate."
+ type: str
+ default: ""
+ certificate_authority_client_state_or_province_name:
+ description: "State or province name where the owner of the client certificate is located."
+ type: str
+ default: ""
+ certificate_authority_client_subject_alternative_names:
+ description: "Subject Alternative Names (SAN) of the client certificate."
+ type: list
+ elements: str
+ default: []
+ certificate_authority_client_not_after:
+ description: "Time in the future from now when the TLS certificate should expire"
+ type: str
+ default: "+397d"
+ certificate_authority_client_not_before:
+ description: "Time in the past from now when the TLS certificate should be valid."
+ type: str
+ default: "+0s"
+ certificate_authority_client_tls_key_passphrase:
+ description: "Passphrase for the private key of the generated or imported client certificate."
+ type: str
+ default: ""
+ no_log: true
+ certificate_authority_client_tls_key_type:
+ description: "Algorithm of the private key of the client certificate."
+ type: str
+ default: "RSA"
+ choices:
+ - RSA
+ - DSA
+ - ECC
+ certificate_authority_client_tls_crt_content:
+ description: "Passphrase for the private key of the generated or imported client certificate."
+ type: str
+ default: ""
+ certificate_authority_client_tls_key_content:
+ description: "Algorithm of the private key of the client certificate"
+ type: str
+ default: ""
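Review bot: `certificate_authority_root_ca_tls_key_content`, `certificate_authority_intermediate_ca_tls_key_content` and `certificate_authority_client_tls_key_content` hold PEM private-key material yet lack the `no_log: true` that the three `_tls_key_passphrase` options in the same hunk carry, so a failed validation or a verbose run can echo an imported CA key into the task output; add `no_log: true` under each of the three options. Several descriptions are copy-paste leftovers that will mislead users of the spec: `certificate_authority_root_ca_country_name` and `certificate_authority_client_organizational_unit_name` are described as a "Common Name (CN)", `certificate_authority_client_tls_crt_content` is described as a passphrase and `certificate_authority_client_tls_key_content` as an algorithm, e.g. replace the last with `description: "Content of a custom used client private key. Will only be imported, when certificate_authority_client_create: false."`. `certificate_authority_client_skip` defaults to `true` while both CA `_skip` options default to `false`; if that asymmetry is intended, the description should say so rather than leaving readers to discover it from the default. The three `choices` lists also still offer `DSA`, which is a legacy key type for a new CA; unless an existing deployment depends on it, dropping it or documenting why it is kept would be the safer default.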