|
|
|
---
|
|
|
|
|
|
|
|
pki_version: 3.6.1
|
|
|
|
pki_archive_url: https://github.com/openxpki/openxpki/archive/v{{ pki_version }}.tar.gz
|
|
|
|
pki_archive_sha1: 95573cbdcd75f654f5b79c1e0f5f3ca576f97b76
|
|
|
|
|
|
|
|
pki_config_version: 3.6
|
|
|
|
pki_config_archive_url: https://github.com/openxpki/openxpki-config/archive/v{{ pki_config_version }}.tar.gz
|
|
|
|
pki_config_archive_sha1: 22178afe883e636aebb607952c297e944cfe0023
|
|
|
|
|
|
|
|
# Should ansible handle updates or only initial install
|
|
|
|
pki_manage_upgrade: True
|
|
|
|
|
|
|
|
pki_root_dir: /opt/openxpki
|
|
|
|
pki_user: openxpki
|
|
|
|
|
|
|
|
# Database settings
|
|
|
|
pki_db_server: "{{ mysql_server | default('localhost') }}"
|
|
|
|
pki_db_port: 3306
|
|
|
|
pki_db_name: openxpki
|
|
|
|
pki_db_user: openxpki
|
|
|
|
# If not defined, a random pass will be generated and stored in the meta directory
|
|
|
|
# pki_db_pass:
|
|
|
|
|
|
|
|
# For sessions, use a distinct user, with only access to the frontend_session table
|
|
|
|
pki_db_session_user: openxpki_session
|
|
|
|
# pki_db_session_pass
|
|
|
|
|
|
|
|
# Base URL of the PKI
|
|
|
|
#pki_base_url: https://pki.domain.tld/openxpki
|
|
|
|
# Just a shortcut to get only the path of the url
|
|
|
|
pki_web_alias: "{{ pki_base_url | urlsplit('path') }}"
|
|
|
|
|
|
|
|
# You may restrict access to the web interface by IP
|
|
|
|
pki_src_ip:
|
|
|
|
- 0.0.0.0/0
|
|
|
|
# This is to restrict access to the public endpoints. Eg downloads of CRL
|
|
|
|
pki_pub_src_ip: "{{ pki_src_ip }}"
|
|
|
|
|
|
|
|
# Optional prefix and suffix to append to the Root CA, vault and scep certificates
|
|
|
|
pki_cn_prefix: ''
|
|
|
|
pki_cn_suffix: ''
|
|
|
|
pki_root_ca_cn: "{{ pki_cn_prefix }}Root CA{{ pki_cn_suffix }}"
|
|
|
|
pki_vault_cn: "{{ pki_cn_prefix }}Vault Certificate{{ pki_cn_suffix }}"
|
|
|
|
pki_scep_cn: "{{ pki_cn_prefix }}SCEP Certificate{{ pki_cn_suffix }}"
|
|
|
|
pki_default_realm:
|
|
|
|
subj_c: FR
|
|
|
|
subj_st: Aquitaine
|
|
|
|
subj_l: Bordeaux
|
|
|
|
subj_o: Firewall Services
|
|
|
|
subj_ou: Security
|
|
|
|
validity: 7300 # Root CA will use the double of this value
|
|
|
|
keysize: 4096 # Root CA will use the double of this value
|
|
|
|
subj_suffix: DC=PKI,DC=Firewall Services,DC=com
|
|
|
|
scep:
|
|
|
|
enabled: True
|
|
|
|
iprange: 0.0.0.0/0
|
|
|
|
# hmac: SecretHMAC
|
|
|
|
# challenge: SecretChallenge
|
|
|
|
profile: I18N_OPENXPKI_PROFILE_TLS_SERVER
|
|
|
|
notif:
|
|
|
|
admin_email: "{{ system_admin_email }}"
|
|
|
|
expiry_send_requestor: False # Should requestor be notified about expiry
|
|
|
|
auth:
|
|
|
|
ldap_uri: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | default(ansible_domain) | lower, ldap_uri) }}"
|
|
|
|
ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), ldap_base) }}"
|
|
|
|
ldap_start_tls: True
|
|
|
|
ldap_user_attr: "{{ ad_auth | default(False) | ternary('samaccountname','uid') }}"
|
|
|
|
#ldap_bind_dn:
|
|
|
|
#ldap_bind_pass:
|
|
|
|
role_map:
|
|
|
|
- priority: 10
|
|
|
|
filter: "{{ ad_auth | default(False) | ternary('|(memberOf=CN=Domain Admins,CN=Users,DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=') + ')(memberOf=CN=Domain Admins,OU=Groups,DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=') + ')', 'posixMemberOf=admins') }}"
|
|
|
|
role: 'RA Operator'
|
|
|
|
- priority: 20
|
|
|
|
filter: "{{ ad_auth | default(False) | ternary('memberOf=CN=Equipe,OU=Groups,DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), 'posixMemberOf=equipe') }}"
|
|
|
|
role: 'User'
|
|
|
|
- priority: 30
|
|
|
|
filter: 'cn=*'
|
|
|
|
role: 'Anonymous'
|
|
|
|
passwd_quality: normal
|
|
|
|
# passwd_quality can either be string none, normal or strong. Or a dict
|
|
|
|
# for fine grain tuning, with the following keys
|
|
|
|
# minlen: 8
|
|
|
|
# maxlen: 64
|
|
|
|
# groups: 2
|
|
|
|
# dictionary: 4
|
|
|
|
# following: 3
|
|
|
|
# following_keyboard: 3
|
|
|
|
|
|
|
|
# pki_extra_realm just lets you override some of the defaults, without
|
|
|
|
# redefining the whole dict
|
|
|
|
pki_extra_realm: {}
|
|
|
|
pki_realm_conf: "{{ pki_default_realm | combine(pki_extra_realm, recursive=True) }}"
|
|
|
|
|
|
|
|
# Auto-generated if not defined
|
|
|
|
# those will be used as default HMAC and challenge for realms
|
|
|
|
# which doesn't have them defined
|
|
|
|
# pki_scep_hmac:
|
|
|
|
# pki_scep_challenge:
|
|
|
|
|
|
|
|
pki_realms:
|
|
|
|
- name: vpn
|
|
|
|
description: VPN CA
|
|
|
|
- name: users
|
|
|
|
description: Users CA
|
|
|
|
|
|
|
|
pki_email_footer_txt: ''
|
|
|
|
pki_email_footer_html: ''
|
|
|
|
|