infra/deploy-ca.yml

- name: add acme CA
  hosts: ca
  become: yes
  roles:
    - role: maxhoesel.smallstep.step_ca
  tasks:
    - name: add an acme provisioner to the ca
      maxhoesel.smallstep.step_ca_provisioner:
        name: ACME
        type: ACME
      become_user: step-ca
    - name: restart step-ca
      ansible.builtin.systemd_service: 
        name: step-ca
        state: restarted 
        enabled: true 
    - name: allow step-ca port traffic on vpn
      ufw:
        rule: allow
        from: 100.64.0.0/10
        port: "{{ step_ca_port }}" 
    - name: restart ufw
      ansible.builtin.systemd_service: 
        name: ufw
        state: restarted 
        enabled: true 

- name: configure trust to internal ca on all hosts
  hosts: all
  roles:
    - ca
ldap, internal CA, internal webserver, dns, etc. 2024-01-05 16:13:01 -05:00			`- name: add acme CA`
			`hosts: ca`
			`become: yes`
			`roles:`
			`- role: maxhoesel.smallstep.step_ca`
			`tasks:`
			`- name: add an acme provisioner to the ca`
			`maxhoesel.smallstep.step_ca_provisioner:`
			`name: ACME`
			`type: ACME`
			`become_user: step-ca`
			`- name: restart step-ca`
			`ansible.builtin.systemd_service:`
			`name: step-ca`
			`state: restarted`
			`enabled: true`
			`- name: allow step-ca port traffic on vpn`
			`ufw:`
			`rule: allow`
			`from: 100.64.0.0/10`
			`port: "{{ step_ca_port }}"`
			`- name: restart ufw`
			`ansible.builtin.systemd_service:`
			`name: ufw`
			`state: restarted`
			`enabled: true`

			`- name: configure trust to internal ca on all hosts`
			`hosts: all`
			`roles:`
			`- ca`