Make it possible to set custom permissions for certificate files

This is in preparation for a role using OpenSMTPD.
2023-05-09 22:07:44 +02:00 · 2023-05-09 22:07:44 +02:00 · f4a79fb4e2
commit f4a79fb4e2
parent 7bb741c8e3
3 changed files with 28 additions and 4 deletions
--- a/playbooks/roles/cert/defaults/main.yaml
+++ b/playbooks/roles/cert/defaults/main.yaml
@ -1,3 +1,7 @@
 cert__handlers: []
 cert__owner: root
 cert__group: root
+cert__fullchain_pem_permissions: "0660"
+cert__chain_pem_permissions: "0660"
+cert__cert_pem_permissions: "0660"
+cert__privkey_pem_permissions: "0600"
--- a/playbooks/roles/cert/meta/argument_specs.yaml
+++ b/playbooks/roles/cert/meta/argument_specs.yaml
@ -30,3 +30,23 @@ argument_specs:
        description: The zone to use for publishing the TXT record.
        required: true
        type: str
+      cert__fullchain_pem_permissions:
+        description: Permissons for the `fullchain.pem`.
+        type: str
+        required: false
+        default: "0660"
+      cert__chain_pem_permissions:
+        description: Permissons for the `chain.pem`.
+        type: str
+        required: false
+        default: "0660"
+      cert__cert_pem_permissions:
+        description: Permissons for the `cert.pem`.
+        type: str
+        required: false
+        default: "0660"
+      cert__privkey_pem_permissions:
+        description: Permissons for the `privkey.pem`.
+        type: str
+        required: false
+        default: "0600"
--- a/playbooks/roles/cert/tasks/deploy_cert.yaml
+++ b/playbooks/roles/cert/tasks/deploy_cert.yaml
@ -32,7 +32,7 @@
    type: RSA
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
-    mode: "0600"
+    mode: "{{ cert__privkey_pem_permissions }}"
  become: true

 - name: Ensure certificate signing request is created
@ -141,7 +141,7 @@
    path: "/etc/ansible_certs/certs/{{ item }}/cert.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
-    mode: "0660"
+    mode: "{{ cert__cert_pem_permissions }}"
  become: true

 - name: Ensure correct permissions for fullchain cert are set
@ -149,7 +149,7 @@
    path: "/etc/ansible_certs/certs/{{ item }}/fullchain.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
-    mode: "0660"
+    mode: "{{ cert__fullchain_pem_permissions }}"
  become: true

 - name: Get content of cert.pem
@ -170,5 +170,5 @@
    dest: "/etc/ansible_certs/certs/{{ item }}/chain.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
-    mode: "0660"
+    mode: "{{ cert__chain_pem_permissions }}"
  become: true