use self signed cert for internal domain arcodange.lab

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/defaults/main.yml

@@ -0,0 +1,21 @@
+step_ca_primary: pi1
+step_ca_user: step
+step_ca_home: /home/step
+step_ca_dir: /home/step/.step
+
+step_ca_name: "Arcodange Lab CA"
+step_ca_fqdn: ssl-ca.arcodange.lab
+step_ca_listen_address: ":8443"
+
+step_ca_password: "{{ vault_step_ca_password }}"
+step_ca_force_reinit: false
+
+step_ca_provisioner_name: cert-manager
+step_ca_provisioner_type: JWK
+step_ca_jwk_dir: "{{ step_ca_dir }}/provisioners"
+step_ca_jwk_key: "{{ step_ca_jwk_dir }}/cert-manager.jwk"
+step_ca_jwk_password: "{{ vault_step_ca_jwk_password }}"
+step_ca_jwk_password_file: "{{ step_ca_dir }}/secrets/cert-manager.jwk.pass"
+
+step_ca_url: "https://{{ step_ca_fqdn }}{{ step_ca_listen_address }}"
+step_ca_root: "{{ step_ca_dir }}/certs/root_ca.crt"

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart step-ca
+  systemd:
+    name: step-ca
+    state: restarted

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/tasks/init.yml

@@ -0,0 +1,67 @@
+# can be called with -e step_ca_force_reinit=true
+
+# 1️⃣ Vérifier si le CA est déjà initialisé
+- name: Check if CA already initialized
+  stat:
+    path: "{{ step_ca_dir }}/config/ca.json"
+  register: step_ca_initialized
+  when: inventory_hostname == step_ca_primary
+
+# 2️⃣ Arrêter step-ca si reinit forcée
+- name: Stop step-ca service (reinit)
+  systemd:
+    name: step-ca
+    state: stopped
+  when:
+    - inventory_hostname == step_ca_primary
+    - step_ca_force_reinit | bool
+  ignore_errors: true
+
+# 3️⃣ Wipe complet du CA si reinit forcée
+- name: Wipe existing step-ca data
+  file:
+    path: "{{ step_ca_dir }}"
+    state: absent
+  when:
+    - inventory_hostname == step_ca_primary
+    - step_ca_force_reinit | bool
+
+# 4️⃣ Recréer le dossier CA proprement
+- name: Recreate step-ca directory
+  file:
+    path: "{{ step_ca_dir }}"
+    state: directory
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0700"
+  when:
+    - inventory_hostname == step_ca_primary
+    - step_ca_force_reinit | bool
+
+# 5️⃣ Installer le fichier de mot de passe
+- name: Install step-ca password file
+  copy:
+    dest: "{{ step_ca_home }}/.step-pass"
+    content: "{{ step_ca_password }}"
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0600"
+  when: inventory_hostname == step_ca_primary
+
+# 6️⃣ Initialiser step-ca (non interactif)
+- name: Initialize step-ca
+  become: true
+  become_user: "{{ step_ca_user }}"
+  command: >
+    step ca init
+    --name "{{ step_ca_name }}"
+    --dns "{{ step_ca_fqdn }}"
+    --address "{{ step_ca_listen_address }}"
+    --provisioner admin
+    --password-file {{ step_ca_home }}/.step-pass
+  args:
+    creates: "{{ step_ca_dir }}/config/ca.json"
+  when:
+    - inventory_hostname == step_ca_primary
+    - step_ca_force_reinit | bool or not step_ca_initialized.stat.exists
+  notify: restart step-ca

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/tasks/install.yml

@@ -0,0 +1,51 @@
+- name: Install base packages
+  apt:
+    name:
+      - curl
+      - vim
+      - gpg
+      - ca-certificates
+    state: present
+    update_cache: yes
+    install_recommends: no
+
+- name: Download Smallstep apt signing key
+  get_url:
+    url: https://packages.smallstep.com/keys/apt/repo-signing-key.gpg
+    dest: /etc/apt/trusted.gpg.d/smallstep.asc
+    mode: "0644"
+
+- name: Add Smallstep apt repository
+  copy:
+    dest: /etc/apt/sources.list.d/smallstep.list
+    mode: "0644"
+    content: |
+      deb [signed-by=/etc/apt/trusted.gpg.d/smallstep.asc] https://packages.smallstep.com/stable/debian debs main
+
+- name: Update apt cache
+  apt:
+    update_cache: yes
+
+- name: Install step-cli and step-ca
+  apt:
+    name:
+      - step-cli
+      - step-ca
+    state: present
+
+
+
+- name: Create step user
+  user:
+    name: "{{ step_ca_user }}"
+    system: true
+    shell: /usr/sbin/nologin
+    home: "{{ step_ca_home }}"
+
+- name: Secure step directory
+  file:
+    path: "{{ step_ca_dir }}"
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0700"
+    recurse: yes

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/tasks/main.yml

@@ -0,0 +1,5 @@
+- import_tasks: install.yml
+- import_tasks: init.yml
+- import_tasks: sync.yml
+- import_tasks: systemd.yml
+- import_tasks: provisioners.yml

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/tasks/provisioners.yml

@@ -0,0 +1,73 @@
+- name: Ensure provisioner directory exists
+  file:
+    path: "{{ step_ca_jwk_dir }}"
+    state: directory
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0700"
+  when: inventory_hostname == step_ca_primary
+
+- name: Check if JWK provisioner already exists
+  command: >
+    step ca provisioner list
+    --ca-url {{ step_ca_url }}
+    --root {{ step_ca_root }}
+  register: step_ca_provisioners
+  changed_when: false
+  become: true
+  become_user: "{{ step_ca_user }}"
+  when: inventory_hostname == step_ca_primary
+
+- name: Check if cert-manager provisioner exists
+  set_fact:
+    step_ca_provisioner_exists: >-
+      {{
+        (step_ca_provisioners.stdout | from_json
+        | selectattr('name', 'equalto', step_ca_provisioner_name)
+        | list
+        | length) > 0
+      }}
+  when: inventory_hostname == step_ca_primary
+
+- name: Install JWK password file
+  copy:
+    dest: "{{ step_ca_jwk_password_file }}"
+    content: "{{ step_ca_jwk_password }}"
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0400"
+  when: inventory_hostname == step_ca_primary
+
+- name: Generate JWK key for cert-manager
+  command: >
+    step crypto jwk create
+    {{ step_ca_jwk_key }}.pub
+    {{ step_ca_jwk_key }}
+    --password-file "{{ step_ca_jwk_password_file }}"
+  args:
+    creates: "{{ step_ca_jwk_key }}"
+  become: true
+  become_user: "{{ step_ca_user }}"
+  when: inventory_hostname == step_ca_primary
+
+- name: Add JWK provisioner to step-ca
+  command: >
+    step ca provisioner add {{ step_ca_provisioner_name }}
+    --type JWK
+    --public-key {{ step_ca_jwk_key }}.pub
+    --private-key {{ step_ca_jwk_key }}
+  become: true
+  become_user: "{{ step_ca_user }}"
+  when:
+    - inventory_hostname == step_ca_primary
+    - step_ca_provisioner_name not in step_ca_provisioners.stdout
+  notify: restart step-ca
+
+- name: Secure JWK keys permissions
+  file:
+    path: "{{ step_ca_jwk_dir }}"
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0700"
+    recurse: yes
+  when: inventory_hostname == step_ca_primary

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/tasks/sync.yml

@@ -0,0 +1,121 @@
+# 1️⃣ Lock sur le primaire (évite double sync concurrente)
+- name: Create sync lock on primary
+  file:
+    path: "{{ step_ca_dir }}/.sync.lock"
+    state: touch
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0600"
+  delegate_to: "{{ step_ca_primary }}"
+  run_once: true
+
+# 2️⃣ Calcul du checksum du CA sur le primaire
+- name: Compute deterministic checksum of CA directory on primary
+  shell: |
+    set -o pipefail
+    tar --sort=name \
+        --mtime='UTC 1970-01-01' \
+        --owner=0 --group=0 --numeric-owner \
+        -cf - {{ step_ca_dir }} \
+    | sha256sum | awk '{print $1}'
+  args:
+    executable: /bin/bash
+  register: step_ca_primary_checksum
+  changed_when: false
+  delegate_to: "{{ step_ca_primary }}"
+  run_once: true
+
+# 3️⃣ Charger le checksum précédent (s'il existe)
+- name: Load previous checksum (controller)
+  slurp:
+    src: /tmp/step-ca-sync/.checksum
+  register: step_ca_previous_checksum
+  failed_when: false
+  changed_when: false
+  run_once: true
+  become: false
+  delegate_to: localhost
+
+# 4️⃣ Décider si une synchronisation est nécessaire
+- name: Decide if sync is required
+  set_fact:
+    step_ca_sync_required: >-
+      {{
+        step_ca_previous_checksum.content | default('') | b64decode
+        != step_ca_primary_checksum.stdout
+      }}
+  run_once: true
+
+- name: Ensure temporary sync directory exists on controller
+  file:
+    path: /tmp/step-ca-sync
+    state: directory
+    mode: "0700"
+  delegate_to: localhost
+  become: false
+  run_once: true
+
+# 5️⃣ Pull depuis le primaire vers le contrôleur
+- name: Fetch CA data from primary to controller
+  synchronize:
+    rsync_path: "sudo -u {{ step_ca_user }} rsync"
+    src: "{{ step_ca_dir }}/"
+    dest: "/tmp/step-ca-sync/"
+    mode: pull
+    recursive: yes
+    delete: no
+  delegate_to: localhost
+  become: false
+  when: step_ca_sync_required
+  run_once: true
+
+# 6️⃣ Sauvegarder le nouveau checksum (controller)
+- name: Save new checksum on controller
+  copy:
+    dest: /tmp/step-ca-sync/.checksum
+    content: "{{ step_ca_primary_checksum.stdout }}"
+    mode: "0600"
+  when: step_ca_sync_required
+  run_once: true
+  become: false
+  delegate_to: localhost
+
+# 7️⃣ Push vers les standby
+- name: Push CA data to standby nodes
+  synchronize:
+    rsync_path: "sudo -u {{ step_ca_user }} rsync"
+    src: "/tmp/step-ca-sync/"
+    dest: "{{ step_ca_dir }}/"
+    mode: push
+    recursive: yes
+    delete: no
+  when:
+    - inventory_hostname != step_ca_primary
+    - step_ca_sync_required
+
+- name: Wipe temporary CA sync directory on controller
+  file:
+    path: /tmp/step-ca-sync
+    state: absent
+  delegate_to: localhost
+  run_once: true
+  become: false
+  when: step_ca_sync_required
+
+# 8️⃣ Forcer permissions correctes (sécurité)
+- name: Fix step directory permissions
+  file:
+    path: "{{ step_ca_dir }}"
+    owner: "{{ step_ca_user }}"
+    group: "{{ step_ca_user }}"
+    mode: "0700"
+    recurse: yes
+  notify: restart step-ca
+
+# 9️⃣ Retirer le lock sur le primaire
+- name: Remove sync lock on primary
+  file:
+    path: "{{ step_ca_dir }}/.sync.lock"
+    state: absent
+  delegate_to: "{{ step_ca_primary }}"
+  run_once: true

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/tasks/systemd.yml

@@ -0,0 +1,23 @@
+- name: Install step-ca systemd service
+  template:
+    src: step-ca.service.j2
+    dest: /etc/systemd/system/step-ca.service
+    mode: "0644"
+
+- name: Reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: Enable step-ca on primary
+  systemd:
+    name: step-ca
+    enabled: yes
+    state: started
+  when: inventory_hostname == step_ca_primary
+
+- name: Disable step-ca on standby nodes
+  systemd:
+    name: step-ca
+    enabled: no
+    state: stopped
+  when: inventory_hostname != step_ca_primary

ansible/arcodange/factory/playbooks/ssl/roles/step_ca/templates/step-ca.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=Smallstep CA
+After=network.target
+
+[Service]
+User={{ step_ca_user }}
+Group={{ step_ca_user }}
+ExecStart=/usr/bin/step-ca \
+--password-file {{ step_ca_home }}/.step-pass \
+{{ step_ca_dir }}/config/ca.json
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

ansible/arcodange/factory/playbooks/ssl/ssl.yml

@@ -0,0 +1,65 @@
+# - name: step-ca
+#   ansible.builtin.import_playbook: step-ca.yml
+
+- name: Fetch Step-CA root certificate
+  hosts: localhost
+  gather_facts: false
+  vars:
+    step_ca_primary: pi1
+    step_ca_user: step
+    step_ca_root: "/home/step/.step/certs/root_ca.crt"
+    tmp_dir: "/tmp/step-ca-cert-manager"
+  tasks:
+    - name: Ensure local temp directory exists
+      file:
+        path: "{{ tmp_dir }}"
+        state: directory
+        mode: "0700"
+
+    - name: Fetch root CA from step_ca_primary
+      fetch:
+        src: "{{ step_ca_root }}"
+        dest: "{{ tmp_dir }}/root_ca.crt"
+        flat: true
+      delegate_to: "{{ step_ca_primary }}"
+      become: true
+      become_user: "{{ step_ca_user }}"
+      run_once: true
+
+# - name: Distribute Step-CA root certificate
+#   hosts: all
+#   gather_facts: true
+#   become: true
+#   vars:
+#     root_ca_source: "/tmp/step-ca-cert-manager/root_ca.crt"
+#     root_ca_filename: "arcodange-root.crt"
+
+#   tasks:
+#     - name: Ensure root CA file is copied to correct location
+#       copy:
+#         src: "{{ root_ca_source }}"
+#         dest: "{{ ca_dest_path }}"
+#         owner: root
+#         group: root
+#         mode: '0644'
+#       vars:
+#         ca_dest_path: >-
+#           {% if ansible_facts['os_family'] == 'Debian' %}
+#             /usr/local/share/ca-certificates/{{ root_ca_filename }}
+#           {% elif ansible_facts['os_family'] in ['RedHat', 'Fedora'] %}
+#             /etc/pki/ca-trust/source/anchors/{{ root_ca_filename }}
+#           {% else %}
+#             /etc/ssl/certs/{{ root_ca_filename }}
+#           {% endif %}
+
+#     - name: Update CA trust store
+#       command: "{{ ca_update_command }}"
+#       vars:
+#         ca_update_command: >-
+#           {% if ansible_facts['os_family'] == 'Debian' %}
+#             update-ca-certificates
+#           {% elif ansible_facts['os_family'] in ['RedHat', 'Fedora'] %}
+#             update-ca-trust
+#           {% else %}
+#             echo 'Please update the CA trust manually'
+#           {% endif %}

ansible/arcodange/factory/playbooks/ssl/step-ca.yml

@@ -0,0 +1,6 @@
+---
+- name: Setup step-ca on raspberries
+  hosts: step_ca #raspberries:&local
+  become: yes
+  roles:
+    - step_ca