feat: Initialize the keylime_server system role

This is an ansible role for configuring and deploying the server
components for Keylime Remote Attestation.

It currently supports Fedora 36+, CentOS Stream 9.1+ and RHEL 9.1+

Signed-off-by: Sergio Correia <scorreia@redhat.com>

.fmf/version

@@ -0,0 +1 @@
+1

.packit.yaml

@@ -0,0 +1,13 @@
+jobs:
+- job: tests
+  trigger: pull_request
+  targets:
+    centos-stream-9-x86_64:
+      distros: [RHEL-9.2.0-Nightly]
+  use_internal_tf: True
+  skip_build: true
+  tf_extra_params:
+    environments:
+      - tmt:
+          context:
+            target_PR_branch: "main"

README.md

@@ -1,99 +1,55 @@
-# Role Name
+# keylime_server
 
-![template](https://github.com/linux-system-roles/template/workflows/tox/badge.svg)
+Ansible role for configuring and deploying the server components for Keylime Remote Attestation.
 
-A template for an ansible role that configures some GNU/Linux subsystem or
-service. A brief description of the role goes here.
+## Supported Distributions
 
-## Requirements
-
-Any prerequisites that may not be covered by Ansible itself or the role should
-be mentioned here.  This includes platform dependencies not managed by the
-role, hardware requirements, external collections, etc.  There should be a
-distinction between *control node* requirements (like collections) and
-*managed node* requirements (like special hardware, platform provisioning).
-
-
-### Collection requirements
-
-For instance, if the role depends on some collections and
-has a `meta/collection-requirements.yml` file for installing those
-dependencies, it should be mentioned here that the user should run
-
-```
-ansible-galaxy collection install -vv -r meta/collection-requirements.yml
-```
-
-on the *control node* before using the role.
+* RHEL-9.1+, CentOS Stream 9.1+
+* Fedora 36+
 
 ## Role Variables
 
-A description of all input variables (i.e. variables that are defined in
-`defaults/main.yml`) for the role should go here as these form an API of the
-role.  Each variable should have its own section e.g.
-
-### template_foo
-
-This variable is required.  It is a string that lists the foo of the role.
-There is no default value.
-
-### template_bar
-
-This variable is optional.  It is a boolean that tells the role to disable bar.
-The default value is `true`.
-
-Variables that are not intended as input, like variables defined in
-`vars/main.yml`, variables that are read from other roles and/or the global
-scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in
-mind that as these are probably not part of the role API they may change during
-the lifetime.
-
-Example of setting the variables:
+These are the variables that can be passed to the role:
+
+| **Variable** | **Default/Choices** | **Description** |
+|----------|-------------|------|
+`keylime_server_verifier_ip` |  127.0.0.1 |
+`keylime_server_verifier_port` | 8881 |
+`keylime_server_verifier_database_url` | |
+`keylime_server_verifier_tls_dir` | generate |
+`keylime_server_verifier_server_key` |  default |
+`keylime_server_verifier_server_key_passphrase` | default |
+`keylime_server_verifier_server_cert` | default |
+`keylime_server_verifier_trusted_client_ca` |  default |
+`keylime_server_verifier_client_key` | default |
+`keylime_server_verifier_client_key_passphrase` | default |
+`keylime_server_verifier_client_cert` | default |
+`keylime_server_verifier_trusted_server_ca` | default |
+`keylime_server_registrar_ip` |  127.0.0.1 |
+`keylime_server_registrar_port` | 8891 |
+`keylime_server_registrar_database_url` | sqlite |
+`keylime_server_registrar_tls_dir` | default |
+`keylime_server_registrar_server_key` |  default |
+`keylime_server_registrar_server_key_passphrase` | default |
+`keylime_server_registrar_server_cert` | default |
+`keylime_server_registrar_trusted_client_ca` | default |
+
+
+## Example Playbooks
 
-```yaml
-template_foo: "oof"
-template_bar: false
-```
-
-## Variables Exported by the Role
-
-This section is optional.  Some roles may export variables for playbooks to
-use later.  These are analogous to "return values" in Ansible modules.  For
-example, if a role performs some action that will require a system reboot, but
-the user wants to defer the reboot, the role might set a variable like
-`template_reboot_needed: true` that the playbook can use to reboot at a more
-convenient time.
-
-Example:
-
-### template_reboot_needed
-
-Default `false` - if `true`, this means a reboot is needed to apply the changes
-made by the role
-
-## Example Playbook
-
-Including an example of how to use your role (for instance, with variables
-passed in as parameters) is always nice for users too:
 
 ```yaml
-- name: Manage the template subsystem
+- name: Manage keylime servers
   hosts: all
+
   vars:
-    template_foo: "foo foo!"
-    template_bar: false
+    keylime_server_verifier_ip: "{{ ansible_host }}"
+    keylime_server_registrar_ip: "{{ ansible_host }}"
+
   roles:
-    - linux-system-roles.template
+    - linux-system-roles.keylime_server
 ```
 
-More examples can be provided in the [`examples/`](examples) directory. These
-can be useful, especially for documentation.
-
 ## License
 
-Whenever possible, please prefer MIT.
-
-## Author Information
-
-An optional section for the role authors to include contact information, or a
-website (HTML is not allowed).
+MIT

defaults/main.yml

@@ -1,8 +1,96 @@
 # SPDX-License-Identifier: MIT
 ---
-# Here is the right place to put the role's input variables.
-# This file also serves as a documentation for such a variables.
 
-# Examples of role input variables:
-template_foo: foo
-template_bar: true
+# Verifier.
+keylime_server_verifier_ip: 127.0.0.1
+keylime_server_verifier_port: 8881
+#
+# An example of database_url value for using sqlite:
+#   sqlite:////var/lib/keylime/cv_data.sqlite
+# An example of database_url value for using mysql:
+#   mysql+pymysql://keylime:keylime@keylime_db:[port]/verifier?charset=utf8
+#
+# If set as 'sqlite' keyword, will use the configuration set by the file located
+# at "/var/lib/keylime/cv_data.sqlite".
+keylime_server_verifier_database_url: sqlite
+keylime_server_verifier_tls_dir: generate
+
+# If set as 'default', 'server-private.pem' is used as value.
+keylime_server_verifier_server_key: default
+
+# Set the password used to decrypt the server private key file.
+# If 'tls_dir = generate', this password will also be used to protect the
+# generated server private key.
+# If left empty, the private key will not be encrypted.
+keylime_server_verifier_server_key_passphrase: default
+
+# The name of the file containing the Keylime verifier server certificate.
+# The file should be stored in the directory set in the 'tls_dir' option.
+#
+# If set as 'default', the value 'server-cert.crt' is used.
+keylime_server_verifier_server_cert: default
+
+# The list of trusted client CA certificates.
+# The files in the list should be stored in the directory set in the
+# 'keylime_server_verifier_tls_dir' option.
+#
+# If set as 'default', the value is set as '[cacert.crt]'
+keylime_server_verifier_trusted_client_ca: default
+
+# The name of the file containing the Keylime verifier client private key.
+# The file should be stored in the directory set in the 'tls_dir' option.
+# This private key is used by the Keylime verifier to connect to the other
+# services using TLS.
+#
+# If set as 'default', the value 'client-private.pem' is used.
+keylime_server_verifier_client_key: default
+
+# Set the password used to decrypt the client private key file.
+# If 'tls_dir = generate', this password will also be used to protect the
+# generated client private key.
+# If left empty, the private key will not be encrypted.
+keylime_server_verifier_client_key_passphrase: default
+
+# The name of the file containing the Keylime verifier client certificate.
+# The file should be stored in the directory set in the 'tls_dir' option.
+# This certificate is used by the Keylime verifier to connect to the other
+# services using TLS.
+#
+# If set as 'default', the 'client-cert.crt' value is used.
+keylime_server_verifier_client_cert: default
+
+# The list of trusted server CA certificates.
+# The files in the list should be stored in the directory set in the 'tls_dir'
+# option.
+#
+# If set as 'default', the value is set as '[cacert.crt]'
+keylime_server_verifier_trusted_server_ca: default
+
+# Registrar.
+
+# The registrar server IP address and port.
+keylime_server_registrar_ip: 127.0.0.1
+keylime_server_registrar_port: 8890
+
+# An example of database_url value for using sqlite:
+#   sqlite:////var/lib/keylime/reg_data.sqlite
+# An example of database_url value for using mysql:
+#   mysql+pymysql://keylime:keylime@keylime_db:[port]/registrar?charset=utf8
+#
+# If set as 'sqlite' keyword, will use the configuration set by the file located
+# at "/var/lib/keylime/reg_data.sqlite".
+keylime_server_registrar_database_url: sqlite
+
+# If set as 'default', share the files with the verifier by using the
+# 'var/lib/keylime/cv_ca' directory, which should contain the files indicated by
+# the 'server_key', 'server_cert', and 'trusted_client_ca' options.
+keylime_server_registrar_tls_dir: default
+
+# If set as 'default', the value 'server-private.pem' is used.
+keylime_server_registrar_server_key: default
+# If left empty, the private key will not be encrypted.
+keylime_server_registrar_server_key_passphrase: default
+# If set as 'default', the value 'server-cert.crt' is used.
+keylime_server_registrar_server_cert: default
+# If set as 'default', the value is set as '[cacert.crt]'
+keylime_server_registrar_trusted_client_ca: default

examples/simple.yml

@@ -1,9 +1,10 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Example template role invocation
+- name: Example keylime_server role invocation
   hosts: all
   vars:
-    template_foo: example variable value
-    template_bar: false
+    keylime_server_verifier_ip: "{{ ansible_host }}"
+    keylime_server_registrar_ip: "{{ ansible_host }}"
+
   roles:
-    - linux-system-roles.template
+    - linux-system-roles.keylime_server

handlers/main.yml

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Handler for template to restart services
+- name: Restart services
   service:
     name: "{{ item }}"
     state: restarted
-  loop: "{{ __template_services }}"
+  loop: "{{ __keylime_server_services }}"

meta/main.yml

@@ -1,68 +1,24 @@
 # SPDX-License-Identifier: MIT
 ---
 galaxy_info:
-  # Replace with role's author name:
-  author: John Doe <jdoe@corp.com>
-  # Replace with the real description of what is role's purpose:
-  description: Basic template for Linux system roles
-  # Replace with the company the role's author is member of:
-  company: John Doe, Inc.
-
-  # If the issue tracker for your role is not on github, uncomment the next
-  # line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-
-  # Some suggested licenses:
-  # - BSD (default)
-  # - MIT
-  # - GPLv2
-  # - GPLv3
-  # - Apache
-  # - CC-BY
+  author: Sergio Correia <scorreia@redhat.com>
+  description: >
+    Ansible role for configuring Keylime attestation servers
+  company: Red Hat, Inc.
   license: MIT
-
   min_ansible_version: "2.9"
-
-  # Optionally specify the branch Galaxy will use when accessing the GitHub
-  # repo for this role. During role install, if no tags are available, Galaxy
-  # will use this branch. During import Galaxy will access files on this
-  # branch. If Travis integration is configured, only notifications for this
-  # branch will be accepted. Otherwise, in all cases, the repo's default branch
-  # (usually main) will be used.
-  # github_branch:
-
-  #
-  # platforms is a list of platforms, and each platform has a name and a list
-  # of versions.
-  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - "25"
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - "1.0"
-  #   - "7"
-  #   - "99.99"
   platforms:
-    # Replace the below with your platform list:
     - name: Fedora
       versions:
         - all
     - name: EL
       versions:
-        - all
+        - "9"
 
-  galaxy_tags: []
-  # List tags for your role here, one per line. A tag is a keyword that
-  # describes and categorizes the role. Users find roles by searching for tags.
-  # Be sure to remove the '[]' above, if you add tags to this list.
-  #
-  # NOTE: A tag is limited to a single word comprised of alphanumeric
-  #       characters. Maximum 20 tags per role.
+  galaxy_tags:
+    - centos
+    - fedora
+    - redhat
+    - keylime
 
 dependencies: []
-# List your role dependencies here, one per line. Be sure to remove the '[]'
-# above, if you add dependencies to this list.