From f4a79fb4e2a62d4d997d64d9b56bd5e3c931839b Mon Sep 17 00:00:00 2001
From: julian
Date: Tue, 9 May 2023 22:07:44 +0200
Subject: [PATCH] Make it possible to set custom permissions for certificate files

This is in preparation for a role using OpenSMTPD.
---
 playbooks/roles/cert/defaults/main.yaml | 4 ++++
 playbooks/roles/cert/meta/argument_specs.yaml | 20 +++++++++++++++++++
 playbooks/roles/cert/tasks/deploy_cert.yaml | 8 ++++----
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/playbooks/roles/cert/defaults/main.yaml b/playbooks/roles/cert/defaults/main.yaml
index bcff4d3..f08b1e9 100644
--- a/playbooks/roles/cert/defaults/main.yaml
+++ b/playbooks/roles/cert/defaults/main.yaml
@@ -1,3 +1,7 @@
 cert__handlers: []
 cert__owner: root
 cert__group: root
+cert__fullchain_pem_permissions: "0660"
+cert__chain_pem_permissions: "0660"
+cert__cert_pem_permissions: "0660"
+cert__privkey_pem_permissions: "0600"
diff --git a/playbooks/roles/cert/meta/argument_specs.yaml b/playbooks/roles/cert/meta/argument_specs.yaml
index c543079..cee160e 100644
--- a/playbooks/roles/cert/meta/argument_specs.yaml
+++ b/playbooks/roles/cert/meta/argument_specs.yaml
@@ -30,3 +30,23 @@ argument_specs:
 description: The zone to use for publishing the TXT record.
 required: true
 type: str
+ cert__fullchain_pem_permissions: description: Permissons for the `fullchain.pem`. type: str required: false default: "0660"
+ cert__chain_pem_permissions: description: Permissons for the `chain.pem`. type: str required: false default: "0660"
+ cert__cert_pem_permissions: description: Permissons for the `cert.pem`. type: str required: false default: "0660"
+ cert__privkey_pem_permissions: description: Permissons for the `privkey.pem`. type: str required: false default: "0600"
diff --git a/playbooks/roles/cert/tasks/deploy_cert.yaml b/playbooks/roles/cert/tasks/deploy_cert.yaml
index 7a63664..328a9c3 100644
--- a/playbooks/roles/cert/tasks/deploy_cert.yaml 
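Review bot: The three new certificate-file defaults (`cert__fullchain_pem_permissions`, `cert__chain_pem_permissions`, `cert__cert_pem_permissions`) are `"0660"`, which grants write access to `cert__group`; anything that consumes a certificate only needs to read it, so `"0640"` is the tighter default, and the private-key default of `"0600"` on the next line already follows that principle. The removed task lines carried the same `0660`, so the commit preserves behaviour, but now that the value is a documented default this is the natural place to tighten it: `cert__fullchain_pem_permissions: "0640"`, `cert__chain_pem_permissions: "0640"`, `cert__cert_pem_permissions: "0640"`, unless some consumer of the role is known to write to these files. Keeping the values quoted, as the hunk does, is correct: an unquoted `0660` would be parsed as an octal integer by YAML 1.1 loaders.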
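Review bot: `Permissons` is misspelled in all four added `description:` values of the `argument_specs.yaml` hunk, and the descriptions do not say what format is expected, which `type: str` alone leaves open. I would fix both in one go, e.g. `description: Octal file mode, as a quoted string such as "0660", applied to fullchain.pem.` and the equivalent wording for `chain.pem`, `cert.pem` and `privkey.pem`, noting on the last one that it should normally stay owner-only. As far as I know the role argument spec cannot express a pattern constraint on a `str` option, so any check that the value is really an octal mode has to live in the tasks that use it.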
+++ b/playbooks/roles/cert/tasks/deploy_cert.yaml
@@ -32,7 +32,7 @@
 type: RSA
 owner: "{{ cert__owner }}"
 group: "{{ cert__group }}"
- mode: "0600"
+ mode: "{{ cert__privkey_pem_permissions }}"
 become: true
 - name: Ensure certificate signing request is created
@@ -141,7 +141,7 @@
 path: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
 owner: "{{ cert__owner }}"
 group: "{{ cert__group }}"
- mode: "0660"
+ mode: "{{ cert__cert_pem_permissions }}"
 become: true
 - name: Ensure correct permissions for fullchain cert are set
@@ -149,7 +149,7 @@
 path: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
 owner: "{{ cert__owner }}"
 group: "{{ cert__group }}"
- mode: "0660"
+ mode: "{{ cert__fullchain_pem_permissions }}"
 become: true
 - name: Get content of cert.pem
@@ -170,5 +170,5 @@
 dest: "/etc/ansible_certs/certs/{{ item }}/chain.pem"
 owner: "{{ cert__owner }}"
 group: "{{ cert__group }}"
- mode: "0660"
+ mode: "{{ cert__chain_pem_permissions }}"
 become: true
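Review bot: The new `mode: "{{ cert__privkey_pem_permissions }}"` line in the `@@ -32,7` hunk, and the matching lines in the `-141`, `-149` and `-170` hunks, pass a caller-supplied value straight to `mode` with no validation; per the Ansible `file`/`copy` module docs a value that reaches `mode` as a bare decimal number (for example `600` written without a leading zero or quotes) yields unexpected permissions, and a private key is exactly the file where that must not happen silently. A single assert task before the first of these tasks would catch such values early and fail with a clear message rather than deploying a key with the wrong mode. The task whose `mode` is changed in the first hunk begins outside the hunk, so I cannot see its `name` or `path` line; the assert below should go ahead of it. Quoting the templated `mode` values, as the hunk does, is correct and should stay.

```yaml
- name: Ensure requested certificate file modes are quoted octal strings
  ansible.builtin.assert:
    that:
      - cert__privkey_pem_permissions is match('^0[0-7]{3,4}$')
      - cert__cert_pem_permissions is match('^0[0-7]{3,4}$')
      - cert__fullchain_pem_permissions is match('^0[0-7]{3,4}$')
      - cert__chain_pem_permissions is match('^0[0-7]{3,4}$')
    fail_msg: cert__*_pem_permissions must be quoted octal modes such as "0600"
# … unchanged: the existing key, CSR, cert, fullchain and chain tasks using mode: "{{ cert__*_pem_permissions }}" …
```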