author | Romain Gonçalves <me@rgoncalves.se> | 2024-01-01 13:29:19 +0100 |
committer | Romain Gonçalves <me@rgoncalves.se> | 2024-01-01 13:29:19 +0100 |
commit | 631304b336c0c312fbc201523c0d8e658c05a2ad (patch) | |
tree | fe25881efc9dc744b225bfad148f50c35fb8213c | |
parent | 420ed95b61e65439a20d6079c940aedfa8b82c29 (diff) | |
download | rules-631304b336c0c312fbc201523c0d8e658c05a2ad.tar.gz |
feat(roles/relayd): generate ssl keys and dummy certificates
-rw-r--r-- | roles/relayd/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/relayd/tasks/main.yml | 37 |
2 files changed, 40 insertions, 0 deletions
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 2028ef1..998ff5c 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -5,6 +5,9 @@ relayd_rules: {}
 relayd_configuration_file: /etc/relayd.conf
 relayd_block_msg: aah!
 
+relayd_ssl_certificates_dir: /etc/ssl
+relayd_ssl_keys_dir: /etc/ssl/private
+
 relayd_tls_ciphers:
 - HIGH
 - "!AES128"
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index 8dc2837..1346675 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -1,5 +1,42 @@
 ---
 
+- name: generate simple ssl key and self-signed certificate
+  ansible.builtin.command:
+    cmd: |
+      openssl req
+      -x509
+      -newkey rsa:4096
+      -nodes
+      -subj "/CN={{ item.domain }}"
+      -keyout {{ relayd_ssl_keys_dir }}/{{ item.domain }}.key
+      -out {{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem
+    creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+  loop: "{{ relayd_rules }}"
+
+- name: apply restrictive permissions on ssl keys
+  ansible.builtin.file:
+    path: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+    owner: 0
+    group: 0
+    mode: "0600"
+  loop: "{{ relayd_rules }}"
+
+- name: retrieve certificate files
+  ansible.builtin.stat:
+    path: "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.crt"
+  loop: "{{ relayd_rules }}"
+  register: relayd_result_stat_certificates
+
+- name: link pem files to certificate files if required
+  ansible.builtin.file:
+    src: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.pem"
+    dest: "{{ item.invocation.module_args.path }}"
+    owner: 0
+    group: 0
+    state: link
+  when: not item.stat.exists
+  loop: "{{ relayd_result_stat_certificates.results }}"
+
 - name: generate relayd configuration
   ansible.builtin.template:
     src: relayd.conf.j2 |
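Review bot: The self-signed certificate in the first task of the tasks/main.yml hunk is generated without `-days`, so `openssl req -x509` falls back to its default 30-day validity, and because the `creates:` guard keys on the `.key` file the expired certificate is never regenerated afterwards. The command is also passed as a block-scalar `cmd:` that the command module word-splits, so a `domain` value containing whitespace or quote characters would break or alter the `-subj` argument; the `argv:` form below passes each argument verbatim. Between the openssl call and the "apply restrictive permissions" task the key file exists with whatever mode openssl's umask gives it — presumably harmless where `/etc/ssl/private` is already root-only, but worth confirming on each target or tightening the directory first. In the link task, `dest: "{{ item.invocation.module_args.path }}"` can be written directly as `dest: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.crt"`, which does not depend on the registered stat result carrying its invocation arguments.
```yaml
- name: generate simple ssl key and self-signed certificate
  ansible.builtin.command:
    argv:
      - openssl
      - req
      - -x509
      - -days
      - "365"  # constructed example: pick a validity explicitly, the default is 30 days
      - -newkey
      - rsa:4096
      - -nodes
      - -subj
      - "/CN={{ item.domain }}"
      - -keyout
      - "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
      - -out
      - "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem"
    creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
  loop: "{{ relayd_rules }}"
# … unchanged: permissions, stat and link tasks …
```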