ansible-roles/roles/openxpki/defaults/main.yml

---

pki_version: '3.14.4'
pki_archive_url: https://github.com/openxpki/openxpki/archive/v{{ pki_version }}.tar.gz
pki_archive_sha1: 1f2e1adc50ab61ec0a77feb7910bc49237afc8ba

pki_config_version: '3.12'
pki_config_archive_url: https://github.com/openxpki/openxpki-config/archive/v{{ pki_config_version }}.tar.gz
pki_config_archive_sha1: 115db2522c7ca1657520a4bbc86d1940a76065bc

# Should ansible handle updates or only initial install
pki_manage_upgrade: True

pki_root_dir: /opt/openxpki
pki_user: openxpki

# Database settings
pki_db_server: "{{ mysql_server | default('localhost') }}"
pki_db_port: 3306
pki_db_name: openxpki
pki_db_user: openxpki
# If not defined, a random pass will be generated and stored in the meta directory
# pki_db_pass: 

# For sessions, use a distinct user, with only access to the frontend_session table
pki_db_session_user: openxpki_session
# pki_db_session_pass

# Base URL of the PKI
#pki_base_url: https://pki.domain.tld/openxpki
# Just a shortcut to get only the path of the url
pki_web_alias: "{{ pki_base_url | urlsplit('path') }}"

# You may restrict access to the web interface by IP
pki_src_ip:
  - 0.0.0.0/0
# This is to restrict access to the public endpoints. Eg downloads of CRL
pki_pub_src_ip: "{{ pki_src_ip }}"

# Optional prefix and suffix to append to the Root CA, vault and scep certificates
pki_cn_prefix: ''
pki_cn_suffix: ''
pki_root_ca_cn: "{{ pki_cn_prefix }}Root CA{{ pki_cn_suffix }}"
pki_vault_cn: "{{ pki_cn_prefix }}Vault Certificate{{ pki_cn_suffix }}"
pki_scep_cn: "{{ pki_cn_prefix }}SCEP Certificate{{ pki_cn_suffix }}"
pki_default_realm:
  subj_c: FR
  subj_st: Aquitaine
  subj_l: Bordeaux
  subj_o: Firewall Services
  subj_ou: Security
  validity: 7300 # Root CA will use the double of this value
  keysize: 4096  # Root CA will use the double of this value
  subj_suffix: DC=PKI,DC=Firewall Services,DC=com
  scep:
    enabled: True
    iprange: 0.0.0.0/0
    # hmac: SecretHMAC
    # challenge: SecretChallenge
    profile: I18N_OPENXPKI_PROFILE_TLS_SERVER
  notif:
    admin_email: "{{ system_admin_email }}"
    expiry_send_requestor: False   # Should requestor be notified about expiry
  auth:
    ldap_uri: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | default(ansible_domain) | lower, ldap_uri) }}"
    ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), ldap_base) }}"
    ldap_start_tls: True
    ldap_user_attr: "{{ ad_auth | default(False) | ternary('samaccountname','uid') }}"
    #ldap_bind_dn:
    #ldap_bind_pass:
    role_map:
      - priority: 10
        filter: "{{ ad_auth | default(False) | ternary('|(memberOf=CN=Domain Admins,CN=Users,DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=') + ')(memberOf=CN=Domain Admins,OU=Groups,DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=') + ')', 'posixMemberOf=admins') }}"
        role: 'RA Operator'
      - priority: 20
        filter: "{{ ad_auth | default(False) | ternary('memberOf=CN=Equipe,OU=Groups,DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), 'posixMemberOf=equipe') }}"
        role: 'User'
      - priority: 30
        filter: 'cn=*'
        role: 'Anonymous'
  passwd_quality: normal
  # passwd_quality can either be string none, normal or strong.

# pki_extra_realm just lets you override some of the defaults, without
# redefining the whole dict
pki_extra_realm: {}
pki_realm_conf: "{{ pki_default_realm | combine(pki_extra_realm, recursive=True) }}"

# Auto-generated if not defined
# those will be used as default HMAC and challenge for realms
# which doesn't have them defined
# pki_scep_hmac: 
# pki_scep_challenge: 

pki_realms:
  - name: vpn
    description: VPN CA
  - name: users
    description: Users CA

pki_email_footer_txt: ''
pki_email_footer_html: ''