{"id":16238932,"url":"https://github.com/trombik/ansible-role-cfssl","last_synced_at":"2026-05-05T23:32:21.068Z","repository":{"id":45940997,"uuid":"266442505","full_name":"trombik/ansible-role-cfssl","owner":"trombik","description":"ansible role for cfssl","archived":false,"fork":false,"pushed_at":"2021-11-26T02:15:58.000Z","size":133,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-08T09:17:14.457Z","etag":null,"topics":["ansible","ansible-role","cfssl","freebsd"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trombik.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-05-24T00:25:59.000Z","updated_at":"2021-11-26T02:15:48.000Z","dependencies_parsed_at":"2022-08-28T17:11:18.371Z","dependency_job_id":null,"html_url":"https://github.com/trombik/ansible-role-cfssl","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/trombik/ansible-role-cfssl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trombik%2Fansible-role-cfssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trombik%2Fansible-role-cfssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trombik%2Fansible-role-cfssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trombik%2Fansible-role-cfssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trombik","download_url":"https://codeload.github.com/trombik/ansibl
e-role-cfssl/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trombik%2Fansible-role-cfssl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32672618,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-05T11:29:49.557Z","status":"ssl_error","status_checked_at":"2026-05-05T11:29:48.587Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","cfssl","freebsd"],"created_at":"2024-10-10T13:41:46.029Z","updated_at":"2026-05-05T23:32:21.048Z","avatar_url":"https://github.com/trombik.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `trombik.cfssl`\n\n`ansible` role for `cfssl`. The API server (`cfssl serve`) is supported.\n\n## For all users\n\nAs few distributions support the API server in their packages, `cfssl_db_*`\nrole variables are subject to change.\n\nTo run `cfssl` as a server, your distribution package must provide startup\nscript, and other modifications to the package. AFAIK, the one from Ubuntu\ndoes not. 
Thus, API server support is not implemented for Debian variants.\n\n# Requirements\n\nNone\n\n# Role Variables\n\n| Variable | Description | Default |\n|----------|-------------|---------|\n| `cfssl_user` | user name of `cfssl` | `{{ __cfssl_user }}` |\n| `cfssl_group` | group name of `cfssl` | `{{ __cfssl_group }}` |\n| `cfssl_package` | package name of `cfssl` | `{{ __cfssl_package }}` |\n| `cfssl_extra_packages` | list of extra packages to install | `[]` |\n| `cfssl_ca_root_dir` | path to root CA directory | `{{ __cfssl_ca_root_dir }}` |\n| `cfssl_ca_secret_key_file` | path to root secret key file | `{{ cfssl_ca_root_dir }}/ca-key.pem` |\n| `cfssl_ca_public_key_file` | path to root public key file | `{{ cfssl_ca_root_dir }}/ca.pem` |\n| `cfssl_ca_csr_file` | path to CSR JSON file of the root CA | `{{ cfssl_ca_root_dir }}/ca.csr` |\n| `cfssl_ca_csr_config` | content of `cfssl_ca_csr_config_file` | `{}` |\n| `cfssl_ca_config_file` | path to CA's configuration file in JSON | `{{ cfssl_ca_root_dir }}/ca-config.json` |\n| `cfssl_ca_csr_config_file` | path to CA's CSR config file in JSON | `\"{{ cfssl_ca_root_dir }}/ca-csr.json\"` |\n| `cfssl_ca_config` | content of `cfssl_ca_config_file` | `{}` |\n| `cfssl_certs_dir` | path to directory to keep signed certificates | `{{ cfssl_ca_root_dir }}/certs` |\n| `cfssl_service` | Service name of `cfssl` | `cfssl` |\n| `cfssl_db_config` | Database configuration in YAML. See [certdb/README.md](https://github.com/cloudflare/cfssl/tree/master/certdb/README.md) in the upstream source code for more details. | `{}` |\n| `cfssl_db_type` | The type of the database. The only supported value is `sqlite`. If specified, the role runs specific tasks for the database, and starts `cfssl` as a server. 
| `\"\"` |\n| `cfssl_db_dir` | Path to the database directory | `{{ __cfssl_db_dir }}` |\n| `cfssl_db_sqlite_bin` | File name of `sqlite` command | `sqlite3` |\n| `cfssl_db_sqlite_database_file` | Path to `sqlite` database file | `{{ cfssl_db_dir }}/certdb.db` |\n| `cfssl_db_sqlite_sql_file_dir` | Path to a directory where SQL files are stored. | `{{ __cfssl_db_sqlite_sql_file_dir }}` |\n| `cfssl_db_migration_dir` | Path to database migration directory | `{{ cfssl_ca_root_dir }}/goose/{{ cfssl_db_type }}` |\n| `cfssl_db_migration_config` | Configuration for database migration | `{}` |\n| `cfssl_db_migration_environment` | Environment for database migration | `development` |\n| `cfssl_flags` | Additional options for startup script | `\"\"` |\n| `cfssl_certs` | list of certificates to sign (see below) | `\"\"` |\n\n## `cfssl_certs`\n\nThis is a list of dicts. Each element represents a CSR.\n\n| Key | Description | Mandatory? |\n|-----|-------------|------------|\n| `name` | relative file name from `cfssl_certs_dir` | yes |\n| `SAN` | list of Subject Alternative Names | no |\n| `profile` | profile name to use when signing | yes |\n| `json` | content of request JSON file in YAML format | yes |\n| `owner` | Unix user name of owner of the private key file (default is `cfssl_user`) | no |\n\n## Including `trombik.cfssl`\n\nYou may include the role from your tasks or roles. 
Use `vars` to define\nspecific role variables.\n\n```yaml\n- name: Include role trombik.cfssl\n  include_role:\n    name: trombik.cfssl\n  vars:\n    cfssl_extra_packages:\n      - zsh\n```\n\nHowever, when you want to pass a single variable that includes the role\nvariables, you need to pass your variable to a special bridge role variable,\n`cfssl_vars`.\n\n```yaml\n- name: Include role trombik.cfssl\n  include_role:\n    name: trombik.cfssl\n  vars:\n    cfssl_vars: \"{{ my_variable }}\"\n```\n\nThe following example does NOT work:\n\n```yaml\n- name: Include role trombik.cfssl\n  include_role:\n    name: trombik.cfssl\n  vars: \"{{ my_variable }}\"\n```\n\nSee [tests/serverspec/intermediate.yml](tests/serverspec/intermediate.yml),\nwhich includes the role multiple times to create intermediate CAs.\n\n## Debian\n\n| Variable | Default |\n|----------|---------|\n| `__cfssl_user` | `cfssl` |\n| `__cfssl_group` | `cfssl` |\n| `__cfssl_package` | `golang-cfssl` |\n| `__cfssl_ca_root_dir` | `/etc/cfssl` |\n| `__cfssl_db_dir` | `/var/lib/cfssl` |\n| `__cfssl_db_sqlite_sql_file_dir` | `\"\"` |\n\n## FreeBSD\n\n| Variable | Default |\n|----------|---------|\n| `__cfssl_user` | `cfssl` |\n| `__cfssl_group` | `cfssl` |\n| `__cfssl_package` | `security/cfssl` |\n| `__cfssl_ca_root_dir` | `/usr/local/etc/cfssl` |\n| `__cfssl_db_dir` | `/var/db/cfssl` |\n| `__cfssl_db_sqlite_sql_file_dir` | `/usr/local/share/cfssl/certdb/sqlite/migrations` |\n\n## OpenBSD\n\n| Variable | Default |\n|----------|---------|\n| `__cfssl_user` | `_cfssl` |\n| `__cfssl_group` | `_cfssl` |\n| `__cfssl_package` | `cfssl` |\n| `__cfssl_ca_root_dir` | `/etc/cfssl` |\n| `__cfssl_db_dir` | `/var/db/cfssl` |\n| `__cfssl_db_sqlite_sql_file_dir` | `/usr/local/share/cfssl/certdb/sqlite/migrations` |\n\n# Dependencies\n\nNone\n\n# Example Playbook\n\nThis example manages `cfssl`, and signs a few certificates.\n\nFor an example of the API server, see 
[tests/serverspec/api.yml](tests/serverspec/api.yml).\n\nFor an example for multiple intermediate CAs under a root CA,\nsee [tests/serverspec/intermediate.yml](tests/serverspec/intermediate.yml).\n\n```yaml\n---\n- hosts: localhost\n  roles:\n    - role: ansible-role-cfssl\n  vars:\n    # this test case follows the same steps described at\n    # https://docs.sensu.io/sensu-go/latest/guides/generate-certificates/\n    cfssl_certs:\n      - name: agent1.example.com.json\n        # Subject Alternative Name, or SAN in short\n        SAN: []\n        profile: agent\n        owner: nobody\n        json:\n          CN: agent1.example.com\n          hosts:\n            - \"\"\n          key:\n            algo: rsa\n            size: 2048\n      - name: backend-1.example.com.json\n        SAN:\n          - localhost\n          - 127.0.0.1\n          - 10.0.0.1\n          - backend-1\n        profile: backend\n        json:\n          CN: backend-1.example.com\n          hosts:\n            - \"\"\n          key:\n            algo: rsa\n            size: 2048\n      - name: backend-2.example.com.json\n        SAN:\n          - localhost\n          - 127.0.0.1\n          - 10.0.0.2\n          - backend-2\n        profile: backend\n        json:\n          CN: backend-2.example.com\n          hosts:\n            - \"\"\n          key:\n            algo: rsa\n            size: 2048\n      - name: backend-3.example.com.json\n        SAN:\n          - localhost\n          - 127.0.0.1\n          - 10.0.0.3\n          - backend-3\n        profile: backend\n        json:\n          CN: backend-3.example.com\n          hosts:\n            - \"\"\n          key:\n            algo: rsa\n            size: 2048\n    cfssl_ca_config:\n      signing:\n        default:\n          expiry: 17520h\n          usages:\n            - signing\n            - key encipherment\n            - client auth\n        profiles:\n          backend:\n            expiry: 4320h\n            usages:\n           
   - signing\n              - key encipherment\n              - server auth\n          agent:\n            expiry: 4320h\n            usages:\n              - signing\n              - key encipherment\n              - client auth\n\n    cfssl_ca_csr_config:\n      CN: Sensu Test CA\n      key:\n        algo: rsa\n        size: 2048\n```\n\n# License\n\n```\nCopyright (c) 2020 Tomoyuki Sakurai \u003cy@trombik.org\u003e\n\nPermission to use, copy, modify, and distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n```\n\n# Author Information\n\nTomoyuki Sakurai \u003cy@trombik.org\u003e\n\nThis README was created by [qansible](https://github.com/trombik/qansible)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrombik%2Fansible-role-cfssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrombik%2Fansible-role-cfssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrombik%2Fansible-role-cfssl/lists"}