Add pseudo-namespace to variables

README.md

@@ -5,7 +5,7 @@ Generates self-signed CA, client and server certificates. Runs locally on contro
 Notes:
 - Will not overwrite any files in output cert dir
 - Will not copy the files to the remote servers if the local files are unchanged
-- Will optionally (see `populate_etc_hosts` variable) add to each machine's `/etc/hosts`
+- Will optionally (see `gen_tls_populate_etc_hosts` variable) add to each machine's `/etc/hosts`
   a line for each host in the inventory.
 
 
@@ -56,17 +56,17 @@ the resulting relevant files are `copy`ed to the remote target machine.
       srv2:
         ansible_host: 192.168.123.31
     vars:
-      cert_dir: ./certs
-      generate_ca_cert: true
-      generate_client_cert: true
-      generate_server_cert: true
-      tls_ca_email: me@example.org
-      tls_ca_country: EU
-      tls_ca_state: Italy
-      tls_ca_locality: Rome
-      tls_ca_organization: Example Inc.
-      tls_ca_organizationalunit: SysAdmins
-      populate_etc_hosts: yes
+      gen_tls_cert_dir: ./certs
+      gen_tls_generate_ca_cert: true
+      gen_tls_generate_client_cert: true
+      gen_tls_generate_server_cert: true
+      gen_tls_ca_email: me@example.org
+      gen_tls_ca_country: EU
+      gen_tls_ca_state: Italy
+      gen_tls_ca_locality: Rome
+      gen_tls_ca_organization: Example Inc.
+      gen_tls_ca_organizationalunit: SysAdmins
+      gen_tls_populate_etc_hosts: yes
   ```
 
 If you want to tinker, you can use `vagrant` with the provided `Vagrantfile`.

defaults/main.yml

@@ -1,52 +1,52 @@
 ---
 # defaults file for generate-tls-certs
-generate_tls_certs: true
+gen_tls_generate_certs: true
 # Do not put trailing slash "/"
-cert_dir: ./certs
-remote_certs_dir: /etc/ssl
-remote_ca_certs_dir: /etc/ssl/certs
-generate_ca_cert: false
-generate_client_cert: false
-generate_server_cert: false
+gen_tls_cert_dir: ./certs
+gen_tls_remote_certs_dir: /etc/ssl
+gen_tls_remote_ca_certs_dir: /etc/ssl/certs
+gen_tls_generate_ca_cert: false
+gen_tls_generate_client_cert: false
+gen_tls_generate_server_cert: false
 
 # -------
 # CA CERT
 # -------
-tls_ca_cert: ca.pem
-tls_ca_csr: ca.csr
-tls_ca_key: ca.key
-tls_ca_key_size: 4096
+gen_tls_ca_cert: ca.pem
+gen_tls_ca_csr: ca.csr
+gen_tls_ca_key: ca.key
+gen_tls_ca_key_size: 4096
 # 10 years
-tls_ca_valid_days: 3650
-# tls_ca_country:
-# tls_ca_state:
-# tls_ca_locality:
-# tls_ca_organization:
-# tls_ca_organizationalunit:
-tls_ca_commonname: Certificate Authority
-#tls_ca_email:
+gen_tls_ca_valid_days: 3650
+# gen_tls_ca_country:
+# gen_tls_ca_state:
+# gen_tls_ca_locality:
+# gen_tls_ca_organization:
+# gen_tls_ca_organizationalunit:
+gen_tls_ca_commonname: Certificate Authority
+#gen_tls_ca_email:
 
 # -----------
 # CLIENT CERT
 # -----------
-tls_client_cert: client.pem
-tls_client_key: client.key
-tls_client_csr: client.csr
-tls_client_key_size: 4096
-tls_client_commonname: Client
+gen_tls_client_cert: client.pem
+gen_tls_client_key: client.key
+gen_tls_client_csr: client.csr
+gen_tls_client_key_size: 4096
+gen_tls_client_commonname: Client
 # 2 years
-tls_client_valid_days: 730
+gen_tls_client_valid_days: 730
 
 # -----------
 # SERVER CERT
 # -----------
 # 2 years
-tls_server_valid_days: 730
-tls_server_key_size: 4096
+gen_tls_server_valid_days: 730
+gen_tls_server_key_size: 4096
 # Enable Subject Alternate Name (SAN)
-tls_server_enable_san: true
+gen_tls_server_enable_san: true
 
 # -------------------
 # POPULATE /etc/hosts
 # -------------------
-populate_etc_hosts: false
+gen_tls_populate_etc_hosts: false

inventory.yml

@@ -6,14 +6,14 @@ all:
     srv2:
       ansible_host: 192.168.123.31
   vars:
-    cert_dir: ./certs
-    generate_ca_cert: true
-    generate_client_cert: true
-    generate_server_cert: true
-    tls_ca_email: me@example.org
-    tls_ca_country: EU
-    tls_ca_state: Italy
-    tls_ca_locality: Rome
-    tls_ca_organization: Example Inc.
-    tls_ca_organizationalunit: SysAdmins
-    populate_etc_hosts: yes
+    gen_tls_cert_dir: ./certs
+    gen_tls_generate_ca_cert: true
+    gen_tls_generate_client_cert: true
+    gen_tls_generate_server_cert: true
+    gen_tls_ca_email: me@example.org
+    gen_tls_ca_country: EU
+    gen_tls_ca_state: Italy
+    gen_tls_ca_locality: Rome
+    gen_tls_ca_organization: Example Inc.
+    gen_tls_ca_organizationalunit: SysAdmins
+    gen_tls_populate_etc_hosts: yes

tasks/generate-ca-cert.yaml

@@ -2,61 +2,61 @@
 - name: Check if the CA private key exists
   delegate_to: localhost
   ansible.builtin.stat:
-    path: "{{ cert_dir }}/{{ tls_ca_key }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
   register: ca_key
 
 - name: Generate CA private key
   delegate_to: localhost
   community.crypto.openssl_privatekey:
-    path: "{{ cert_dir }}/{{ tls_ca_key }}"
-    size: "{{ tls_ca_key_size }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
+    size: "{{ gen_tls_ca_key_size }}"
   run_once: true
   when: not ca_key.stat.exists
 
 - name: Check if the CA CSR exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ tls_ca_csr }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_csr }}"
   register: ca_csr
 
 - name: Create CSR for CA
   delegate_to: localhost
   community.crypto.openssl_csr:
-    path: "{{ cert_dir }}/{{ tls_ca_csr }}"
-    privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_csr }}"
+    privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
     basic_constraints:
       - "CA:TRUE"
-    common_name: "{{ tls_ca_commonname|default('') }}"
-    country_name: "{{ tls_ca_country|default('') }}"
-    state_or_province_name: "{{ tls_ca_state|default('') }}"
-    locality_name: "{{ tls_ca_locality|default('') }}"
-    organization_name: "{{ tls_ca_organization|default('') }}"
-    organizational_unit_name: "{{ tls_ca_organizationalunit|default('') }}"
-    email_address: "{{ tls_ca_email }}"
+    common_name: "{{ gen_tls_ca_commonname|default('') }}"
+    country_name: "{{ gen_tls_ca_country|default('') }}"
+    state_or_province_name: "{{ gen_tls_ca_state|default('') }}"
+    locality_name: "{{ gen_tls_ca_locality|default('') }}"
+    organization_name: "{{ gen_tls_ca_organization|default('') }}"
+    organizational_unit_name: "{{ gen_tls_ca_organizationalunit|default('') }}"
+    email_address: "{{ gen_tls_ca_email }}"
     use_common_name_for_san: no
   when: not ca_csr.stat.exists
 
 - name: Check if the CA cert exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ tls_ca_cert }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}"
   register: ca_cert
 
 - name: Create and sign server cert for CA
   delegate_to: localhost
   community.crypto.x509_certificate:
-    path: "{{ cert_dir }}/{{ tls_ca_cert }}"
-    privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}"
-    csr_path: "{{ cert_dir }}/{{ tls_ca_csr }}"
-    selfsigned_not_after: "+{{ tls_ca_valid_days }}d"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}"
+    privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
+    csr_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_csr }}"
+    selfsigned_not_after: "+{{ gen_tls_ca_valid_days }}d"
     provider: selfsigned
   when: not ca_cert.stat.exists
   register: ca_cert_file
 
 - name: Copy the CA certificate to the remote machine
   copy:
-    src: "{{ cert_dir }}/{{ tls_ca_cert }}"
-    dest: "{{ remote_ca_certs_dir }}"
+    src: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}"
+    dest: "{{ gen_tls_remote_ca_certs_dir }}"
     mode: 0644
     owner: root
     group: root

tasks/generate-client-cert.yaml

@@ -4,7 +4,7 @@
   file:
     state: directory
     recurse: yes
-    path: "{{ remote_certs_dir }}/{{ item.path }}"
+    path: "{{ gen_tls_remote_certs_dir }}/{{ item.path }}"
     mode: "{{ item.mode }}"
     owner: root
     group: root
@@ -15,14 +15,14 @@
 - name: Check if the client private key exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ tls_client_key }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}"
   register: client_key
 
 - name: Generate client private key
   delegate_to: localhost
   community.crypto.openssl_privatekey:
-    path: "{{ cert_dir }}/{{ tls_client_key }}"
-    size: "{{ tls_client_key_size}}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}"
+    size: "{{ gen_tls_client_key_size}}"
   when:
     - not client_key.stat.exists
     - generate_client_cert
@@ -31,8 +31,8 @@
 - name: Copy the key on the server
   become: yes
   copy:
-    src: "{{ cert_dir }}/{{ tls_client_key}}"
-    dest: "{{ remote_certs_dir }}/local/certs/"
+    src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key}}"
+    dest: "{{ gen_tls_remote_certs_dir }}/local/certs/"
     mode: 0644
     owner: root
     group: root
@@ -41,15 +41,15 @@
 - name: Check if the client CSR exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ tls_client_csr }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}"
   register: client_csr
 
 - name: Generate CSR and key for client cert
   delegate_to: localhost
   community.crypto.openssl_csr:
-    path: "{{ cert_dir }}/{{ tls_client_csr }}"
-    privatekey_path: "{{ cert_dir }}/{{ tls_client_key }}"
-    common_name: "{{ tls_client_commonname }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}"
+    privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_key }}"
+    common_name: "{{ gen_tls_client_commonname }}"
     extended_key_usage:
       - clientAuth
   when:
@@ -59,17 +59,17 @@
 - name: Check if the client cert exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ tls_client_cert }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}"
   register: client_crt
 
 - name: Create and sign server cert request by CA
   delegate_to: localhost
   community.crypto.x509_certificate:
-    path: "{{ cert_dir }}/{{ tls_client_cert }}"
-    csr_path: "{{ cert_dir }}/{{ tls_client_csr }}"
-    ownca_not_after: "+{{ tls_client_valid_days }}d"
-    ownca_path: "{{ cert_dir }}/{{ tls_ca_cert }}"
-    ownca_privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}"
+    path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}"
+    csr_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_csr }}"
+    ownca_not_after: "+{{ gen_tls_client_valid_days }}d"
+    ownca_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}"
+    ownca_privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
     provider: ownca
   when:
     - not client_crt.stat.exists
@@ -79,8 +79,8 @@
 - name: Copy the certificate to the remote machine
   become: yes
   copy:
-    src: "{{ cert_dir }}/{{ tls_client_cert }}"
-    dest: "{{ remote_certs_dir }}/local/private"
+    src: "{{ gen_tls_cert_dir }}/{{ gen_tls_client_cert }}"
+    dest: "{{ gen_tls_remote_certs_dir }}/local/private"
     mode: 0600
     owner: root
     group: root

tasks/generate-server-cert.yaml

@@ -4,7 +4,7 @@
   file:
     state: directory
     recurse: yes
-    path: "{{ remote_certs_dir }}/{{ item.path }}"
+    path: "{{ gen_tls_remote_certs_dir }}/{{ item.path }}"
     mode: "{{ item.mode }}"
     owner: root
     group: root
@@ -15,21 +15,21 @@
 - name: Check if the server private key exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
+    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
   register: server_key
 
 - name: Create PEM private key for server
   delegate_to: localhost
   community.crypto.openssl_privatekey:
-    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
+    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
   when: not server_key.stat.exists
   register: server_key_file
 
 - name: Copy the key on the server
   become: yes
   copy:
-    src: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
-    dest: "{{ remote_certs_dir }}/local/certs/"
+    src: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
+    dest: "{{ gen_tls_remote_certs_dir }}/local/certs/"
     mode: 0644
     owner: root
     group: root
@@ -38,58 +38,58 @@
 - name: Check if the server CSR exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
+    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
   register: server_csr
 
 - name: Create CSR for server cert
   delegate_to: localhost
   community.crypto.openssl_csr:
-    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
-    privatekey_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
+    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
+    privatekey_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
     common_name: "{{ inventory_hostname_short }}"
   when:
     - not server_csr.stat.exists
-    - generate_server_cert
-    - not tls_server_enable_san
+    - gen_tls_generate_server_cert
+    - not gen_tls_server_enable_san
 
 - name: Create CSR for server cert
   delegate_to: localhost
   community.crypto.openssl_csr:
-    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
-    privatekey_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.key"
+    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
+    privatekey_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.key"
     common_name: "{{inventory_hostname_short}}"
     subject_alt_name: "DNS:{{inventory_hostname}},DNS:{{inventory_hostname_short}},IP:{{(alt_interface_ip is defined) | ternary(alt_interface_ip, ansible_default_ipv4.address)}},IP:0.0.0.0,IP:127.0.0.1"
   when:
     - not server_csr.stat.exists
-    - generate_server_cert
-    - tls_server_enable_san
+    - gen_tls_generate_server_cert
+    - gen_tls_server_enable_san
 
 - name: Check if the server cert exists
   delegate_to: localhost
   stat:
-    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem"
+    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem"
   register: server_crt
 
 - name: Create and sign server cert request by CA
   delegate_to: localhost
   community.crypto.x509_certificate:
-    path: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem"
-    csr_path: "{{ cert_dir }}/{{ inventory_hostname_short }}.csr"
-    ownca_not_after: "+{{ tls_server_valid_days }}d"
-    ownca_path: "{{ cert_dir }}/{{ tls_ca_cert }}"
-    ownca_privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}"
+    path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem"
+    csr_path: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.csr"
+    ownca_not_after: "+{{ gen_tls_server_valid_days }}d"
+    ownca_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_cert }}"
+    ownca_privatekey_path: "{{ gen_tls_cert_dir }}/{{ gen_tls_ca_key }}"
     provider: ownca
   ignore_errors: true
   when:
     - not server_crt.stat.exists
-    - generate_server_cert
+    - gen_tls_generate_server_cert
   register: server_cert_file
 
 - name: Copy the certificate to the remote machine
   become: yes
   copy:
-    src: "{{ cert_dir }}/{{ inventory_hostname_short }}.pem"
-    dest: "{{ remote_certs_dir }}/local/private"
+    src: "{{ gen_tls_cert_dir }}/{{ inventory_hostname_short }}.pem"
+    dest: "{{ gen_tls_remote_certs_dir }}/local/private"
     mode: 0600
     owner: root
     group: root

tasks/main.yml

@@ -3,21 +3,21 @@
 - name: Generate CA cert
   include_tasks: generate-ca-cert.yaml
   when:
-    - generate_tls_certs
-    - generate_ca_cert|bool
+    - gen_tls_generate_certs
+    - gen_tls_generate_ca_cert|bool
 
 - name: Generate client cert
   include_tasks: generate-client-cert.yaml
   when:
-    - generate_tls_certs
-    - generate_client_cert|bool
+    - gen_tls_generate_certs
+    - gen_tls_generate_client_cert|bool
 
 - name: Generate server cert
   include_tasks: generate-server-cert.yaml
   when:
-    - generate_tls_certs
-    - generate_server_cert|bool
+    - gen_tls_generate_certs
+    - gen_tls_generate_server_cert|bool
 
 - name: Populate /etc/hosts with inventory's hosts
   include_tasks: populate-etc-hosts.yaml
-  when: populate_etc_hosts|bool
+  when: gen_tls_populate_etc_hosts|bool