authorRomain Gonçalves <me@rgoncalves.se>2024-01-01 13:29:19 +0100
committerRomain Gonçalves <me@rgoncalves.se>2024-01-01 13:29:19 +0100
commit631304b336c0c312fbc201523c0d8e658c05a2ad (patch)
treefe25881efc9dc744b225bfad148f50c35fb8213c
parent420ed95b61e65439a20d6079c940aedfa8b82c29 (diff)
downloadrules-631304b336c0c312fbc201523c0d8e658c05a2ad.tar.gz
feat(roles/relayd): generate ssl keys and dummy certificates
-rw-r--r--roles/relayd/defaults/main.yml3
-rw-r--r--roles/relayd/tasks/main.yml37
2 files changed, 40 insertions, 0 deletions
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 2028ef1..998ff5c 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -5,6 +5,9 @@ relayd_rules: {}
relayd_configuration_file: /etc/relayd.conf
relayd_block_msg: aah!
+relayd_ssl_certificates_dir: /etc/ssl
+relayd_ssl_keys_dir: /etc/ssl/private
+
relayd_tls_ciphers:
- HIGH
- "!AES128"
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index 8dc2837..1346675 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -1,5 +1,42 @@
---
+- name: generate simple ssl key and self-signed certificate
+ ansible.builtin.command:
+ cmd: |
+ openssl req
+ -x509
+ -newkey rsa:4096
+ -nodes
+ -subj "/CN={{ item.domain }}"
+ -keyout {{ relayd_ssl_keys_dir }}/{{ item.domain }}.key
+ -out {{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem
+ creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+ loop: "{{ relayd_rules }}"
+
+- name: apply restrictive permissions on ssl keys
+ ansible.builtin.file:
+ path: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+ owner: 0
+ group: 0
+ mode: "0600"
+ loop: "{{ relayd_rules }}"
+
+- name: retrieve certificate files
+ ansible.builtin.stat:
+ path: "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.crt"
+ loop: "{{ relayd_rules }}"
+ register: relayd_result_stat_certificates
+
+- name: link pem files to certificate files if required
+ ansible.builtin.file:
+ src: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.pem"
+ dest: "{{ item.invocation.module_args.path }}"
+ owner: 0
+ group: 0
+ state: link
+ when: not item.stat.exists
+ loop: "{{ relayd_result_stat_certificates.results }}"
+
- name: generate relayd configuration
ansible.builtin.template:
src: relayd.conf.j2
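Review bot: The self-signed certificate produced on lines 35–46 gets OpenSSL's default validity because no `-days` option is passed to `openssl req -x509`, so it expires after 30 days, and since `creates:` keys on the `.key` file the task never regenerates it; add an explicit `-days 365` (or a new role default) before `-subj`, and note in a comment above the task that these are placeholder certificates expected to be replaced by real ones, which the `.crt` link on lines 62–70 (created only when no real `.crt` exists) suggests is the intent. The three `loop: "{{ relayd_rules }}"` lines (46, 54, 59) iterate a value whose default, shown in the other hunk's header as `relayd_rules: {}`, is a mapping, while Ansible's `loop` requires a list and the tasks read `item.domain`; with the default value these tasks appear to fail unless an override supplies a list of `{domain: …}` items, so either change the default to `[]` or loop over `relayd_rules | dict2items` consistently across the role. On line 65 `item.invocation.module_args.path` works but couples the link task to the stat module's internal result shape; `dest: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.crt"` is clearer and mirrors how `src` is built on line 64. The `generate relayd configuration` task at the bottom continues outside the hunk.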