Ansible Playbook for configuring Docker TLS
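---
# Provision a Docker engine that listens on a mutually-authenticated TLS TCP
# socket alongside the local unix socket. A private CA, a server certificate
# and one client certificate are generated on the target host; the CA cert and
# the client credentials are then fetched back to the controller.
#
# Requires the community.crypto and community.general collections.
#
# NOTE(review): the CA private key stays on the Docker host (root-only 0600).
# Anyone with root there can mint additional client certificates; decide
# whether the CA key should be moved offline once the first run has completed.
- name: Setup Docker engine with specific configuration and secure TCP socket
  hosts: all
  become: true
  vars:
    docker_ssl_dir: /etc/docker/ssl
    ca_key: "{{ docker_ssl_dir }}/ca-key.pem"
    ca_cert: "{{ docker_ssl_dir }}/ca.pem"
    server_key: "{{ docker_ssl_dir }}/server-key.pem"
    server_cert: "{{ docker_ssl_dir }}/server-cert.pem"
    client_key: "{{ docker_ssl_dir }}/client-key.pem"
    client_cert: "{{ docker_ssl_dir }}/client-cert.pem"
    docker_socket: /run/docker.sock
    docker_tcp_port: 2376
    # Source allowed through ufw to the TLS port. "any" keeps the original
    # behaviour (port reachable from everywhere, authenticated by client cert
    # only); narrow it to the CIDR your Docker clients actually come from.
    docker_tcp_allowed_src: any
    # Validity window shared by the CA and both leaf certificates. The leaf
    # certificates previously ran to 2038, past the CA's 2033 expiry, after
    # which the chain would have failed anyway; a leaf must not outlive its CA.
    ca_not_before: "20220331000000Z"
    ca_not_after: "20330330235959Z"
    # Where fetched credentials land on the controller: one directory per
    # host, so a multi-host run does not overwrite its own output.
    local_cert_dir: "./{{ inventory_hostname }}"

  tasks:
    - name: Delete Docker SSL Directory
      ansible.builtin.file:
        path: "{{ docker_ssl_dir }}/"
        state: absent
      # "never" keeps this out of ordinary runs: without it every run wiped
      # the CA and re-issued everything, invalidating client credentials that
      # had already been handed out. Rotate deliberately with
      # `--tags reset`, followed by a normal run to regenerate.
      tags:
        - never
        - reset

    - name: Install Docker and OpenSSL
      ansible.builtin.apt:
        name:
          - docker.io
          - openssl
        state: present
        update_cache: true

    - name: Create Docker SSL Directory
      # Private keys live here. root:docker 0750 lets the docker group (which
      # is given read access to the client key below) traverse the directory
      # while keeping every other local user out.
      ansible.builtin.file:
        path: "{{ docker_ssl_dir }}"
        state: directory
        owner: root
        group: docker
        mode: "0750"

    - name: Generate CA Key
      # openssl_privatekey creates the file root-only (0600); leave it so.
      community.crypto.openssl_privatekey:
        path: "{{ ca_key }}"
        type: RSA
        size: 4096

    - name: Generate CA CSR
      # CSRs are kept next to the keys instead of under a predictable /tmp
      # name; they contain nothing secret but do not belong in a shared dir.
      community.crypto.openssl_csr:
        path: "{{ docker_ssl_dir }}/ca.csr"
        privatekey_path: "{{ ca_key }}"
        common_name: "{{ ansible_host }}"
        basic_constraints:
          - "CA:TRUE"
        basic_constraints_critical: true
        # Restrict the CA key to signing certificates and CRLs.
        key_usage:
          - keyCertSign
          - cRLSign
        key_usage_critical: true

    - name: Generate CA Certificate
      community.crypto.x509_certificate:
        provider: selfsigned
        path: "{{ ca_cert }}"
        csr_path: "{{ docker_ssl_dir }}/ca.csr"
        privatekey_path: "{{ ca_key }}"
        selfsigned_digest: sha256
        selfsigned_not_before: "{{ ca_not_before }}"
        selfsigned_not_after: "{{ ca_not_after }}"

    - name: Generate Server Key
      community.crypto.openssl_privatekey:
        path: "{{ server_key }}"
        type: RSA
        size: 4096

    - name: Generate Server CSR
      community.crypto.openssl_csr:
        path: "{{ docker_ssl_dir }}/server.csr"
        privatekey_path: "{{ server_key }}"
        common_name: "{{ ansible_host }}"
        key_usage:
          - digitalSignature
          - keyEncipherment
        extended_key_usage:
          - serverAuth
        # Docker clients check the SAN against the address they dial. An
        # "IP:" entry is only valid for an IP literal (IPv4 or IPv6), so fall
        # back to "DNS:" when ansible_host is a hostname.
        subject_alt_name:
          - "{{ 'IP' if ansible_host is match('^([0-9.]+|.*:.*)$') else 'DNS' }}:{{ ansible_host }}"
          - "IP:127.0.0.1"

    - name: Generate Server Certificate
      community.crypto.x509_certificate:
        provider: ownca
        path: "{{ server_cert }}"
        csr_path: "{{ docker_ssl_dir }}/server.csr"
        ownca_path: "{{ ca_cert }}"
        ownca_privatekey_path: "{{ ca_key }}"
        ownca_not_before: "{{ ca_not_before }}"
        ownca_not_after: "{{ ca_not_after }}"
      notify: "reload and restart docker"

    - name: Generate Client Key
      # Readable by the docker group so local docker-group members can use the
      # TLS endpoint; that group is already root-equivalent on this host.
      community.crypto.openssl_privatekey:
        group: docker
        mode: "0640"
        path: "{{ client_key }}"
        type: RSA
        size: 4096

    - name: Generate Client CSR
      community.crypto.openssl_csr:
        path: "{{ docker_ssl_dir }}/client.csr"
        privatekey_path: "{{ client_key }}"
        common_name: client
        key_usage:
          - digitalSignature
        extended_key_usage:
          - clientAuth

    - name: Generate Client Certificate
      community.crypto.x509_certificate:
        group: docker
        provider: ownca
        path: "{{ client_cert }}"
        csr_path: "{{ docker_ssl_dir }}/client.csr"
        ownca_path: "{{ ca_cert }}"
        ownca_privatekey_path: "{{ ca_key }}"
        ownca_not_before: "{{ ca_not_before }}"
        ownca_not_after: "{{ ca_not_after }}"

    - name: Configure /etc/docker/daemon.json
      # tlsverify makes dockerd require a client certificate chained to our CA
      # on the TCP listener. Binding 0.0.0.0 is intentional; reachability is
      # limited by docker_tcp_allowed_src in the firewall task below.
      ansible.builtin.copy:
        content: |
          {
            "hosts": [
              "unix://{{ docker_socket }}",
              "tcp://0.0.0.0:{{ docker_tcp_port }}"
            ],
            "tlsverify": true,
            "tlscacert": "{{ ca_cert }}",
            "tlscert": "{{ server_cert }}",
            "tlskey": "{{ server_key }}"
          }
        dest: /etc/docker/daemon.json
        owner: root
        group: root
        mode: "0644"
      notify: "reload and restart docker"

    - name: Remove -H fd:// flag from Docker service file
      # dockerd refuses to start when "hosts" is set both on the command line
      # and in daemon.json, so the packaged -H fd:// must go. Editing the
      # packaged unit directly means a docker.io upgrade can put it back; a
      # drop-in under /etc/systemd/system/docker.service.d/ would survive
      # upgrades but needs the full ExecStart line, which varies by package
      # version, so the regex edit is kept here.
      # NOTE(review): docker.service is socket-activated via docker.socket on
      # Ubuntu; if dockerd cannot bind {{ docker_socket }} after this change,
      # check whether docker.socket also needs adjusting — not verified here.
      ansible.builtin.lineinfile:
        path: /lib/systemd/system/docker.service
        regexp: '^(ExecStart=.*) -H fd://(.*)$'
        line: '\1\2'
        backrefs: true
      notify: "reload and restart docker"

    - name: Open Docker TCP port in firewall
      # ufw lives in community.general; there is no ansible.builtin.ufw, so the
      # original FQCN failed to resolve.
      community.general.ufw:
        rule: allow
        port: "{{ docker_tcp_port }}"
        proto: tcp
        src: "{{ docker_tcp_allowed_src }}"

    - name: Download CA Certificate
      ansible.builtin.fetch:
        dest: "{{ local_cert_dir }}/"
        flat: true
        src: "{{ ca_cert }}"

    - name: Download Client Certificate
      ansible.builtin.fetch:
        dest: "{{ local_cert_dir }}/"
        flat: true
        src: "{{ client_cert }}"

    - name: Download Client Key
      ansible.builtin.fetch:
        dest: "{{ local_cert_dir }}/"
        flat: true
        src: "{{ client_key }}"

    - name: Restrict permissions on the fetched client key
      # fetch writes the local copy with the controller's default umask; a
      # private key should be readable by its owner only.
      ansible.builtin.file:
        path: "{{ local_cert_dir }}/client-key.pem"
        mode: "0600"
      delegate_to: localhost
      become: false

  handlers:
    - name: Reload systemd configuration
      ansible.builtin.systemd:
        daemon_reload: true
      listen: "reload and restart docker"

    - name: Restart Docker service
      ansible.builtin.systemd:
        name: docker
        state: restarted
        enabled: true
      listen: "reload and restart docker"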