From 631304b336c0c312fbc201523c0d8e658c05a2ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Mon, 1 Jan 2024 13:29:19 +0100
Subject: feat(roles/relayd): generate ssl keys and dummy certificates

---
 roles/relayd/defaults/main.yml | 3 +++
 roles/relayd/tasks/main.yml | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 2028ef1..998ff5c 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -5,6 +5,9 @@ relayd_rules: {}
 relayd_configuration_file: /etc/relayd.conf
 relayd_block_msg: aah!
 
+relayd_ssl_certificates_dir: /etc/ssl
+relayd_ssl_keys_dir: /etc/ssl/private
+
 relayd_tls_ciphers:
   - HIGH
   - "!AES128"
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index 8dc2837..1346675 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -1,5 +1,42 @@
 ---
 
+- name: generate simple ssl key and self-signed certificate
+  ansible.builtin.command:
+    cmd: |
+      openssl req
+      -x509
+      -newkey rsa:4096
+      -nodes
+      -subj "/CN={{ item.domain }}"
+      -keyout {{ relayd_ssl_keys_dir }}/{{ item.domain }}.key
+      -out {{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem
+    creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+  loop: "{{ relayd_rules }}"
+
+- name: apply restrictive permissions on ssl keys
+  ansible.builtin.file:
+    path: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+    owner: 0
+    group: 0
+    mode: "0600"
+  loop: "{{ relayd_rules }}"
+
+- name: retrieve certificate files
+  ansible.builtin.stat:
+    path: "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.crt"
+  loop: "{{ relayd_rules }}"
+  register: relayd_result_stat_certificates
+
+- name: link pem files to certificate files if required
+  ansible.builtin.file:
+    src: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.pem"
+    dest: "{{ item.invocation.module_args.path }}"
+    owner: 0
+    group: 0
+    state: link
+  when: not item.stat.exists
+  loop: "{{ relayd_result_stat_certificates.results }}"
+
 - name: generate relayd configuration
   ansible.builtin.template:
     src: relayd.conf.j2
-- 
cgit v1.2.3
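Review bot: The `-keyout` file written by the first task ("generate simple ssl key and self-signed certificate") is an unencrypted private key (`-nodes`) created with whatever mode the openssl build and the process umask give it, and the 0600 chmod only arrives in the next task, so on builds whose `req` does not force 0600 itself (LibreSSL's, as far as I can tell; OpenSSL 1.1+ does) the key can be readable by other local users between the two tasks, or permanently if the play is interrupted in between — the only thing preventing that is the directory, which is root-only for the default `/etc/ssl/private` on OpenBSD but not necessarily for an overridden `relayd_ssl_keys_dir`. Creating the key with the right mode is cheaper than repairing it: switch the task to `ansible.builtin.shell:` with `cmd: >-` (folded, since newlines would otherwise end the shell command) and prefix the command with `umask 077 && openssl req`, keeping `creates:` as is. Separately, `openssl req -x509` without `-days` defaults to a 30-day validity, and `creates:` means the certificate is never regenerated, so these placeholder certificates will be expired a month after first deploy; pass an explicit `-days` (e.g. `-days 3650`) if relayd is expected to keep starting with them until real certificates are installed. The task that follows the hunk ("generate relayd configuration") continues outside it.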