ansible/ directory of the source repo:
certplane_broker— installs the broker binary, lays out config and TLS material, deploys the policy file, and manages the systemd service.certplane_agent— installs the agent binary, deploys CA bundles and config, performs first-time enrollment with a bootstrap token, and manages the systemd timer.
Layout
Add the roles to your control repo (roles/ symlinked or vendored). A minimal play:
site.yml
certplane_broker role
Required variables
group_vars/certplane_broker.yml
Useful variables (with defaults)
certplane_broker_secrets_provider is vault or openbao, also set certplane_broker_vault_address and one of certplane_broker_vault_token / certplane_broker_vault_token_file.
What the role does
- Creates the
certplanesystem user/group. - Copies the broker binary to
certplane_broker_binary_dest. - Creates
/etc/certplane,/etc/certplane/tls,/etc/certplane/ca,/var/lib/certplane, and/var/lib/certplane/acme. - Deploys TLS cert/key, agent CA bundle, ACME account key (if provided), and the policy file.
- Renders
broker.ymlfromtemplates/broker.yml.j2. - Installs and enables
certplane-broker.service. Any change to TLS material, the policy file, or the rendered config triggers a service restart.
certplane_agent role
Required variables
host_vars/edge01.yml
Useful variables (with defaults)
What the role does
- Creates the
certplanesystem user/group. - Installs the agent binary at
certplane_agent_binary_dest. - Deploys the issuer CA bundle, broker CA bundle, and (optionally) the
step-caroot bundle. - Renders
agent.ymlfromtemplates/agent.yml.j2. - Enrolls the host once. If
identity.crtdoes not exist andcertplane_agent_bootstrap_tokenis defined, the role writes the token (no_log: true) and runscertplane-agent ... enrollas thecertplaneuser. On success the token file is removed by the binary. - Installs
certplane-agent.service(oneshot,checkthenrun) andcertplane-agent.timer(boots after 1min, fires every 6h with 5min jitter). - Enables and starts the timer.
identity.crt exists, future runs of the role skip both the token deployment and the enroll command.
Recommended secrets handling
- Pass
certplane_agent_bootstrap_tokenfrom your inventory via Ansible Vault or a runtime lookup (step ca token). - Never check raw
step-catokens into git — they are short-lived but still single-use. - For DNS provider tokens consumed by the broker, prefer
secrets.provider: vault. See Vault and OpenBao secrets.