openstack
/
ansible-role-thales-hsm
Code Issues Proposed changes
ansible-role-thales-hsm/tasks/client.yaml

107 lines
3.0 KiB
YAML
Raw Blame History

---
- name: Create working directory
ansible.builtin.file:
path: "{{ thales_client_working_dir }}"
state: directory
mode: '755'
- name: Create nfast group
ansible.builtin.group:
name: nfast
gid: "{{ thales_client_gid }}"
- name: Create nfast user
ansible.builtin.user:
name: nfast
uid: "{{ thales_client_uid }}"
group: "{{ thales_client_gid }}"
create_home: true
home: /opt/nfast
- name: Set selinux bool to allow barbican containers to access /opt/nfast
ansible.posix.seboolean:
name: os_barbican_write_pki
state: true
persistent: true
when: ansible_os_family | lower == 'redhat'
- name: Ensure unzip is avaliable to unzip ISO file
ansible.builtin.yum:
name: unzip
state: present
- name: Download and unzip Security World ISO file from given url
ansible.builtin.unarchive:
src: "{{ security_world_iso_zip_url }}"
dest: "{{ thales_client_working_dir }}"
remote_src: true
- name: Set Security World ISO file path
ansible.builtin.set_fact:
security_world_iso: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename | splitext | first }}"
- name: Extract RPMs and key from Security World ISO
community.general.iso_extract:
image: "{{ security_world_iso }}"
dest: "{{ thales_client_working_dir }}"
files:
- linux-rpms/amd64/nShield-hwsp.rpm
- linux-rpms/amd64/nShield-ctls.rpm
- linux-rpms/amd64/nShield-ncsnmp.rpm
- linux-rpms/amd64/pubkey.asc
- name: Import Security World RPM key
ansible.builtin.rpm_key:
state: present
key: "{{ thales_client_working_dir }}/pubkey.asc"
- name: Install Security World RPMs
ansible.builtin.yum:
name: "{{ packages }}"
vars:
packages:
- "{{ thales_client_working_dir }}/nShield-hwsp.rpm"
- "{{ thales_client_working_dir }}/nShield-ctls.rpm"
- "{{ thales_client_working_dir }}/nShield-ncsnmp.rpm"
- name: Run installer
ansible.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
- name: Create cknfastrc
ansible.builtin.template:
src: cknfastrc.j2
dest: /opt/nfast/cknfastrc
mode: '644'
- name: Create snmp.conf
ansible.builtin.copy:
dest: /opt/nfast/etc/snmp/snmp.conf
content: |
defaultPort 21161
force: true
mode: '644'
- name: Enroll client to hsms
ansible.builtin.include_tasks: client_enroll.yaml
loop: "{{ nshield_hsms }}"
- name: Set selinux contexts for /opt/nfast
ansible.builtin.command: restorecon -R /opt/nfast
- name: Restart hardserver
ansible.builtin.command: /opt/nfast/sbin/init.d-ncipher restart
- name: Do an enquiry to confirm connection
ansible.builtin.command: /opt/nfast/bin/enquiry
register: enquiry
- name: Enquiry result
ansible.builtin.debug:
var: enquiry
- name: Set up rfs_sync
ansible.builtin.command: set -o pipefail && echo "yes" | /opt/nfast/bin/rfs-sync --setup {{ thales_rfs_server_ip_address }}
- name: Get keys from rfs server
ansible.builtin.command: /opt/nfast/bin/rfs-sync --update
View Git Blame Copy Permalink